More details on Sober worm
There’s a bit more detail in this BetaNews article on the Sober worm. They say that the next expected “release” is January 8th, and that F-Secure has cracked the “code” of the worm: the URLs that new versions of the worm are downloaded from are not hardcoded but pseudorandom, generated by an algorithm built into the worm, and F-Secure has worked out that algorithm.


They say they’ve had it cracked since about May of this year, but kept it close to the vest, only notifying the German authorities in whose jurisdiction the URLs were to be hosted. They say 99% of the URLs currently do not exist, but all the virus writer has to do is activate one of them and every currently infected Sober system will start updating from it. After the January 5/6 check, the virus will check for updates every two weeks.

It is a quite clever “distributed” model, and it is what has let the worm avoid being snuffed out until now: there is no single update URL to take down in advance. Most of the URLs seem to point to accounts that would be hosted at free sites.

It sounds as though this will require continued monitoring and attention until the machines infected by Sober are cleaned up.
