Sober code cracked

By Munir Kotadia
Special to CNET News.com
Published: December 9, 2005, 9:48 AM PST

Antivirus companies say they have cracked an algorithm that was being used by the Sober worm to "communicate" with its author.

The latest variant of the Sober worm caused havoc in November by duping users into executing it by masking itself as e-mails from the FBI and CIA. Antivirus companies were aware that the worm somehow knew how to update itself via the Web. The worm's author programmed this functionality to control infected machines and, if required, change their behavior.

On Thursday, Finnish antivirus firm F-Secure revealed that it had cracked the algorithm used by the worm and could now calculate the exact URLs the worm would check on a particular day.

Mikko Hypponen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it.

"Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist... However, the virus author can pre-calculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hypponen wrote in his blog.

According to F-Secure's calculations, on Jan. 5, 2006, all computers infected with the latest variant of Sober will look for an updated file located in a list of domains, including:

http://people.freenet.de/gixcihnm/
http://scifi.pages.at/agzytvfbybn/
http://home.pages.at/bdalczxpctcb/
http://free.pages.at/ftvuefbumebug/
http://home.arcor.de/ijdsqkkxuwp/

Hypponen advised administrators to ensure any infected PCs can't upgrade automatically by blocking access to the domains.
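As an added illustration of the defender workflow Hypponen describes (example code written for this page, not code from the article, and not the Sober algorithm F-Secure recovered): a constructed date-seeded stand-in generator, pre-computation of a blocklist for a window of dates, and a check of constructed proxy log lines against it. The host prefixes are the ones listed above; the seed and the generator itself are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Host prefixes taken from the article's list of domains.
HOSTS = ["http://people.freenet.de/", "http://scifi.pages.at/",
         "http://home.pages.at/", "http://free.pages.at/", "http://home.arcor.de/"]

def pseudo_path(day: date, host: str, seed: str = "constructed-seed") -> str:
    """Deterministic, date-seeded directory name.

    Constructed stand-in for a date-based generator; NOT Sober's algorithm.
    """
    digest = hashlib.sha256(f"{seed}|{host}|{day.isoformat()}".encode()).digest()
    length = 8 + digest[0] % 6  # 8..13 letters, like the sample paths above
    return "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])

def urls_for_day(day_iso: str) -> list[str]:
    """Every URL the (toy) worm would poll on one ISO-formatted date."""
    day = date.fromisoformat(day_iso)
    return [f"{h}{pseudo_path(day, h)}/" for h in HOSTS]

def build_blocklist(start_iso: str, days: int) -> set[str]:
    """Defender side: pre-compute every candidate URL for a window of dates."""
    start = date.fromisoformat(start_iso)
    out: set[str] = set()
    for i in range(days):
        out.update(urls_for_day((start + timedelta(days=i)).isoformat()))
    return out

def flag_proxy_lines(lines, blocklist):
    """Return (client_ip, url) for proxy log lines whose URL is on the blocklist.

    Expected line shape (constructed): '<client_ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2] in blocklist:
            hits.append((parts[0], parts[2]))
    return hits

if __name__ == "__main__":
    blocklist = build_blocklist("2006-01-05", 7)
    sample = [  # constructed proxy log lines
        f"10.0.0.7 GET {sorted(blocklist)[0]} 404",
        "10.0.0.9 GET http://example.invalid/index.html 200",
    ]
    print(flag_proxy_lines(sample, blocklist))  # only the first line is flagged
```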

Adam Biviano, premium services manager at Trend Micro, said that blocking the URLs could be beneficial, but the safest bet would be to ensure that PCs are safe.

"Blocking those URLs is not a bad idea but administrators need to make sure their machines are not infected in the first place," Biviano said.

Munir Kotadia of ZDNet Australia reported from Sydney.

TalkBack

Isn't that a violation of the DMCA?

Leppard Gamer   Dec 9, 2005, 12:20 PM PST

So can they catch the guy who did it?

Ru Sirius   Dec 9, 2005, 11:01 AM PST
