Sober worm cracked
by Nikola Strahija on December 11th, 2005

F-Secure, a Finnish security firm, has cracked the Sober worm code, and is now theoretically able to block the worm from receiving updates.
Sober has mutated more than 20 times since October 2003, when the first variant was discovered. One of the features that has made Sober so dangerous is its ability to download new variants, instantly infecting large numbers of machines, say security experts. "Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria," said Mikko Hypponen, F-Secure's manager of anti-virus research.
F-Secure said that it has cracked that algorithm, allowing it to figure out the URLs the worm variants will attempt to download from. This should allow the hosting providers involved to block the sites, as well as giving system administrators a list of sites they should block at the corporate firewall, Hypponen said.
The worm uses a list of 15 sites with names that are merely character strings, registered with free website providers. Every 14 days the list will change to a different 15 sites, with the first change on 6 January, Hypponen said.
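As an added illustration (not code from the article, and not Sober's real algorithm, which F-Secure did not publish), the Python sketch below shows the defender-side computation the article describes: given a date-seeded name generator with the parameters reported here (15 names per list, a new list every 14 days, first change on 6 January, read as 2006), anyone who knows the algorithm can precompute each window's hostnames ahead of time for a firewall or hosting-provider blocklist, and can match hostnames seen in proxy logs against the current and neighbouring windows to allow for clock skew on infected machines. The generator itself, its secret constant, the name length and the provider suffixes are all invented placeholders.

```python
"""Toy date-seeded hostname generator, used to show how a defender who knows
the algorithm can precompute a blocklist. The generator is a hypothetical
stand-in (SHA-256 over a constant, the window index and a slot number),
not the worm's actual code."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Parameters taken from the article's description.
WINDOW_START = date(2006, 1, 6)   # "first change on 6 January" (year assumed)
WINDOW_DAYS = 14                  # "every 14 days the list will change"
NAMES_PER_WINDOW = 15             # "a list of 15 sites"

# Everything below is constructed for the example and not from the article.
SECRET = b"hypothetical-seed-constant"   # stands in for a hard-coded key
NAME_LEN = 10                            # length of the random-looking label
PROVIDERS = ("free-host.example", "webspace.example")  # reserved .example TLD
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def window_index(day: date) -> int:
    """Number of 14-day windows elapsed since WINDOW_START (negative before it)."""
    return (day - WINDOW_START).days // WINDOW_DAYS


def hostnames_for_window(index: int) -> list[str]:
    """Deterministically derive the 15 hostnames belonging to one window."""
    names = []
    for slot in range(NAMES_PER_WINDOW):
        digest = hashlib.sha256(SECRET + f"{index}:{slot}".encode()).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:NAME_LEN])
        provider = PROVIDERS[digest[NAME_LEN] % len(PROVIDERS)]
        names.append(f"{label}.{provider}")
    return names


def blocklist_for(day: date) -> list[str]:
    """The hostnames a defender should block on the given day."""
    return hostnames_for_window(window_index(day))


def blocklist_between(first: date, last: date) -> dict[date, list[str]]:
    """Precompute one list per window covering [first, last], keyed by the
    window's start date; this is what a firewall admin would load in advance."""
    out: dict[date, list[str]] = {}
    idx = window_index(first)
    while True:
        start = WINDOW_START + timedelta(days=idx * WINDOW_DAYS)
        if start > last:
            return out
        out[start] = hostnames_for_window(idx)
        idx += 1


def is_algorithm_host(host: str, day: date, slack: int = 1) -> bool:
    """Match a hostname from logs against the current window and `slack`
    neighbouring windows, so a machine with a skewed clock is still caught."""
    idx = window_index(day)
    return any(
        host.lower() in hostnames_for_window(i)
        for i in range(idx - slack, idx + slack + 1)
    )


if __name__ == "__main__":
    for start, hosts in blocklist_between(date(2006, 1, 6), date(2006, 2, 28)).items():
        print(f"window starting {start}: {len(hosts)} hosts, first is {hosts[0]}")
```

Running the script prints one line per 14-day window between 6 January and 28 February 2006; the same precomputation, fed into a firewall's deny list or handed to the hosting providers, is what the article says F-Secure's analysis makes possible.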
He said F-Secure first cracked the algorithm in May 2005, but didn't publicise the fact until now in order to keep the virus writer in the dark.