Users login

Create an account »


Users login

Home » Hacking News » Sober worm cracked

Sober worm cracked

by Nikola Strahija on December 11th, 2005 F-Secure, a Finnish security firm, has cracked the Sober worm code, and is now theoretically able to block the worm from receiving updates.

Sober has mutated more than 20 times since October 2003, when the first variant was discovered. One of the features that has made Sober so dangerous is its ability to download new variants, instantly infecting large numbers of machines, say security experts. -Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria," said Mikko Hypponen, F-Secure's manager of anti-virus research.

F-Secure said that it has cracked that algorithm, allowing it to figure out the URLs the worm variants will attempt to download from. This should allow the hosting providers involved to block the sites, as well as giving system administrators a list of sites they should block at the corporate firewall, Hypponen said.

The worm uses a list of 15 sites with names that are merely character strings, registered with free website providers. Every 14 days the list will change to a different 15 sites, with the first change on 6 January, the Hypponen said.

He said F-Secure first cracked the algorithm in May 2005, but didn't publicise the fact until now in order to keep the virus writer in the dark.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »