F-Secure Security Firm Cracks Sober Worm

Tuesday, December 13th, 2005 | Related entries: Internet

F-Secure, the Helsinki-based security firm, has reportedly cracked 2005's most persistent worm, Sober, and unearthed the URLs the worm will use in January 2006 to update itself to a new variant. Sober's latest-known variant had created mayhem by masking itself as email from the FBI and CIA.

F-Secure announced that it has cracked the algorithm used by Sober, and is now in a position to calculate the exact URLs to be checked by the worm on a given day.

Another security company, iDefense, had earlier announced that Sober's next attack is scheduled to begin on January 5, 2006, coinciding with the 87th anniversary of the founding of the Nazi party.

F-Secure, however, has identified the Web sites from which Sober will pull updates down to already-compromised PCs, which in turn will spew spam carrying the new variant.

Mikko Hypponen, chief research officer, F-Secure, said that most of the Sober variants contain a routine that activates the virus at a later date. After this, the worm tries to periodically download and run a file from several sites; this is the way most new Sober variants are distributed.

Hypponen explained that the Sober author has created an algorithm which uses the current date to generate a number of pseudo-random URLs. The vast majority of these don't currently exist, but that is not a problem for the worm's author, who only needs one of them to be live when the update is due.
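To show why knowing such a date-driven algorithm lets a defender precompute the blocklist, here is an added toy generator written for this article; it is a hypothetical stand-in, not Sober's actual algorithm or F-Secure's code, and it assumes the free-hosting services from the list below as the host part while deriving the random-looking directory name from SHA-256 of the date.

```python
import hashlib
from datetime import date, timedelta

# Free-hosting services named as Sober's update hosts; the random-looking
# directory name is the part the (hypothetical) generator derives from the date.
BASE_HOSTS = [
    "people.freenet.de", "scifi.pages.at", "home.pages.at",
    "free.pages.at", "home.arcor.de",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_urls(day, per_day=5, seed="toy-sober"):
    """Candidate update URLs the toy generator yields for an ISO date string.

    Each URL comes from SHA-256(seed | date | index), so anyone who knows the
    scheme can recompute the whole set for any date without running the worm.
    """
    d = date.fromisoformat(day)
    urls = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{seed}|{d.isoformat()}|{i}".encode()).digest()
        length = 8 + digest[0] % 6                    # directory names of 8..13 letters
        path = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        host = BASE_HOSTS[digest[-1] % len(BASE_HOSTS)]
        urls.append(f"http://{host}/{path}/")
    return urls


def blocklist(start, days, **kw):
    """Every URL the generator can produce from `start` over `days` days.

    This is the defender's move: once the algorithm is known, the whole
    window is computed in advance and handed to proxies or DNS filters.
    """
    first = date.fromisoformat(start)
    return {u for n in range(days)
            for u in daily_urls((first + timedelta(days=n)).isoformat(), **kw)}


def is_blocked(url, start, days):
    """True if `url` is one the generator would use within the window."""
    return url in blocklist(start, days)


if __name__ == "__main__":
    for u in sorted(blocklist("2006-01-05", 7)):
        print(u)
```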

F-Secure has alerted Internet service providers and the German police to some of the upcoming attacks and to the URLs used to update earlier versions of Sober.

According to F-Secure, beginning January 5, 2006, all computers infected with the latest variant of Sober will look for an updated file at URLs such as:

http://people.freenet.de/gixcihnm/
http://scifi.pages.at/agzytvfbybn/
http://home.pages.at/bdalczxpctcb/
http://free.pages.at/ftvuefbumebug/
http://home.arcor.de/ijdsqkkxuwp/

As a precautionary measure, Hypponen has advised administrators to block access to the above-mentioned URLs.
