Slashdot Mirror


Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: 'Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist... however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines,' Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

303 comments
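The story says the defenders' win was being able to precalculate the day's URLs and block them ahead of time. The following is an added, constructed illustration of that defensive step, not the page's or F-Secure's code and not Sober's real algorithm (the story does not publish it): a toy date-seeded name generator stands in for the worm's scheme, and the check precomputes a date window and flags DNS log lines that query any of those names. The seed, TLDs and log format are assumptions.

```python
"""Date-seeded rendezvous names, from the defender's side (constructed example)."""
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("example", "test")   # reserved test TLDs (RFC 2606); constructed choice
NAMES_PER_DAY = 4            # assumed: how many candidates the scheme tries per day


def candidate_hosts(day_iso: str, secret: bytes = b"constructed-seed") -> list[str]:
    """Deterministic hostnames for one day (YYYY-MM-DD).

    Stand-in for a worm's date-based scheme: anyone holding the scheme
    (author or analyst) gets the same list for the same date, which is
    exactly why an analyst can register or block the names in advance.
    """
    out = []
    for i in range(NAMES_PER_DAY):
        digest = hashlib.sha256(secret + day_iso.encode() + bytes([i])).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])
        out.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return out


def blocklist(start_iso: str, days: int) -> dict[str, str]:
    """Every name the scheme can produce in a window, mapped to its date."""
    start = date.fromisoformat(start_iso)
    table = {}
    for n in range(days):
        d = (start + timedelta(days=n)).isoformat()
        for host in candidate_hosts(d):
            table[host] = d
    return table


def flag_queries(log_lines: list[str], table: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (client, qname, expected_date) for each DNS query that hits the table.

    Assumed log format (constructed): "<timestamp> <client_ip> <qname> <qtype>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in table:
            hits.append((client, qname, table[qname]))
    return hits


# Constructed sample DNS log: one benign lookup, one query for a predicted
# name (built from the generator so the sample stays consistent), one junk line.
SAMPLE_LOG = [
    "2006-01-05T00:00:11 10.0.0.9 www.example.com A",
    "2006-01-05T00:01:02 10.0.0.5 " + candidate_hosts("2006-01-05")[0] + ". A",
    "garbage",
]


def demo() -> list[tuple[str, str, str]]:
    """Precompute a ten-day window around the expected activation date and scan."""
    table = blocklist("2006-01-01", 10)
    return flag_queries(SAMPLE_LOG, table)


if __name__ == "__main__":
    for client, qname, when in demo():
        print(f"{client} queried predicted name {qname} (scheduled for {when})")
```

In a real response the table would be fed to a DNS sinkhole or proxy blocklist, and a hit identifies an infected client before the author ever registers the name.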

  1. code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

    It said "lol no it's not a worm"

    1. Re:code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

      Anyone can crack sober code. The challenge is to crack code written when drunk.

    2. Re:code cracked, communication revealed by Anonymous Coward · · Score: 0

      She looks kinda skanky to me.

    3. Re:code cracked, communication revealed by Anonymous Coward · · Score: 1, Insightful

      Actually, that's easier. Drunk people always tell you what they're going to do just before they do it. Therefore they'd actually document something for once.

    4. Re:code cracked, communication revealed by M4N14C · · Score: 0

      The dreaded Daniels-Beam encryption algorithm?

    5. Re:code cracked, communication revealed by punkass · · Score: 0, Redundant

      This is probably the single most brilliant thing I've ever read on Slashdot.

      --
      "Nobody owns the fucking words man." - James Dean
    6. Re:code cracked, communication revealed by Crayon+Kid · · Score: 1

      // hey, watch this!

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
  2. Hard to admit, but that is quite clever by Anonymous Coward · · Score: 5, Insightful

    Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?

    1. Re:Hard to admit, but that is quite clever by buro9 · · Score: 4, Insightful

      "why do talented people waste their abilities on viruses?"

      Money?
      Acclaim (within a small community)?
      Politics?

      I would guess money. Spam pays very well, and a lot of viruses and worms have had monetary ulterior motives; as always, follow the money.

    2. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Uh, it's fun too?

    3. Re:Hard to admit, but that is quite clever by bioteq · · Score: 2

      I was actually thinking the same as I read the article, but I was thinking more along the lines of, "Wow, that is quite clever. Innovative, too. Wonder why I couldn't think of something like that."

      It is quite true though that the talent these days seems to be going to those who like to do something malicious with their talent. It saddens me to no end, but I do believe this is a common road that those with actual talent and insight seem to be wanting to follow these days; it's a trend.

      But, alas, I digress. Maybe this guy (or kid) will see the grey or perhaps even the white in his days and come on over and give us a hand.

    4. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0, Insightful

      How else would you do this? It sounds like the algorithm is nothing more than a one-time pad codebook. The author has a compromised one-time pad and will now generate a new one. The fact that the code was broken merely means that the time-frame between agent distribution and activation will become shorter.

    5. Re:Hard to admit, but that is quite clever by killjoe · · Score: 3, Interesting

      As people at slashdot are fond of pointing out. Businesses are not moral, they are not supposed to be moral. This guy is doing his best to increase shareholder value. Presumably he is majority shareholder but really that's not so relevant is it?

      --
      evil is as evil does
    6. Re:Hard to admit, but that is quite clever by raehl · · Score: 2, Insightful

      why do talented people waste their abilities on viruses?

      Because it's perceived as more profitable than dealing with a manager?

    7. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      why do talented people waste their abilities on viruses?

      "Bob" made them do it.

    8. Re:Hard to admit, but that is quite clever by koi88 · · Score: 1

      It is quite true though that the talent these days seems to be going to those who like to do something malicious with their talent.

      We all remember the good old days when talent was only used for the benefit of mankind...

      --
      I don't need a signature.
    9. Re:Hard to admit, but that is quite clever by bioteq · · Score: 1

      Shhh!

      No one is supposed to know that it has been this way forever! It is part of the Super Secret(tm) that us Cool Club Kids (tm) have had for ages.

      Don't let it out.

    10. Re:Hard to admit, but that is quite clever by Antony-Kyre · · Score: 2, Insightful

      My guess it's boredom. Some talented people do stupid stuff because they have nothing better to do.

    11. Re:Hard to admit, but that is quite clever by Silizium · · Score: 3, Interesting

      I disagree that writing worms and viruses is clever. Not only from a moral point of view; even from a technical point of view it's not that hard. It's really for kids, "my first program", something like that before they learn real programming. There was a teacher (I do not recall the link now) that proved with his computer science class that writing an exploit/worm needs less than 30 days for computer newbies. Fact. In the early 90's I did some virus programming, too. And I should therefore know what I say. Before anyone stands up now to get the morality firehose, I did it at university in a special laboratory under supervision by our prof for computer security. And every line from that code lies since that time cool and quiet locked up deep in a safe. It was a result from a roleplay "virus/worm attacker vs defending programs". I was in the attacker party and we did not only win that battle, we smashed them, we nihilated them. Why? It's sooo easy to write this sort of code and defending is practically impossible. Today antivirus software is really crap, even if they have no chance when it comes to high noon between good and evil. And I think not one of the actual worms or viruses is nearly as sophisticated as our "gaming" ones were in that time. There are certain very dangerous vectors of attack actual antivirus software has never had to deal with, I promise. And every one of those yet unused vectors is still deadly. And if any of those newbie junk programmers out there that have nothing better to do than to destroy the medium they live in really become smart, then the internet will stop in its actual existence. That's fact as I see it. So I hope the smart programmers will do real software and security and the kids and unscrupulous criminals will play with something different in future. It's really enough that people are so dumb as to answer letters from Nigeria. I think we can't hope that we can finally fight that state of mind.
(In German words: "Gegen Dummheit kämpfen Götter selbst vergebens", which means that even gods can't fight foolishness.) But in the war of machines there is only one hope for us: that the bad guys stay as dumb and bone-lazy as they are and that they keep playing games or taking drugs in their spare time instead of doing their homework. Or else we would all be doomed. The fight is not to be won against a serious attacker. Not with our current computer architecture, not with programs that are thrown on the market the first second it's possible, because a competitor might be faster or because it maximizes the corp profit to shorten the developers' time of work for security. And the real dangers are yet undiscovered, or I should better say "too heavy for kids". Good luck everyone. But never *never* tell me again that a virus programmer is "quite smart". He's not. Not in any sense. I have seen smart virus code. And I'm glad it's locked up. Still...

    12. Re:Hard to admit, but that is quite clever by PerlDudeXL · · Score: 1

      Or they don't have the schooling, degrees and certifications for getting a top-notch IT job.

    13. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Thunderous Thor, man... use some white space

    14. Re:Hard to admit, but that is quite clever by Silizium · · Score: 1

      Yeah. I did. But strangely Slashdot nihilated all of it. Sorry for that, but it was not that big a block text-heap when I posted. ;-) Eh, my return key works well... Shift seems okay... no. Don't know what happened, sorry.

    15. Re:Hard to admit, but that is quite clever by Xarius · · Score: 5, Funny

      I bet he's smart enough to know what a god damned paragraph is though...

      --
      C17H21NO4
    16. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Wonder how long it takes for computer newbies like yourself to learn how to use a web page?

      Hint: You most likely didn't select Plain Old Text when submitting.

    17. Re:Hard to admit, but that is quite clever by baadger · · Score: 1

      Actually I've noticed this heap transformation too. Set to 'Plain old text', paragraph formatting should be maintained, but a few of my posts recently have seen the whitespace 'nihilated'.

    18. Re:Hard to admit, but that is quite clever by golgotha007 · · Score: 3, Insightful

      why do talented people waste their abilities on viruses?

      The ability to control several hundred thousand zombie computers.. are you kidding?

      money, man, money.

      You can do lots of things with that, but the most lucrative might be to blackmail gambling sites. If they don't pay, you DOS their IP block.

    19. Re:Hard to admit, but that is quite clever by Silizium · · Score: 1

      Thanks.

      Hope it's better now.

    20. Re:Hard to admit, but that is quite clever by Baddas · · Score: 2, Funny

      Even though their skills are well up to snuff

      Not that I'm bitter or anything.

    21. Re:Hard to admit, but that is quite clever by Silizium · · Score: 0

      Yes. Newbies like me are used to plaintext ASCII based boards like on Usenet or modem based BBS boards in the 80s. I know, that kind of communication style is a bit out of date, sure, sure. But if I enter a forum today I really expect plaintext as the default, not that I'll be shocked by the existence of
      <p> <p style="text-align:justify">
      and shit like that. I sure think that's quite useful - on a website. But in a forum everything but plaintext normally hits me by surprise. What does not hit me by surprise is the style of certain answers. They are always kind of the same.

      But I wonder if we can avoid the SUPERGAU of virus and worm attacks that is coming with mathematical precision, if we aren't able to change our attitudes.

      Best example: HTML code in a forum - okay, okay. I'm sure a newbie here and I don't want to change anything. But just consider this: there is no way to insert any harming code through plain ASCII, but I'm damn sure that even these few allowed HTML codes in this forum have the potential to insert harmful code sequences in the average Windows PC. Or maybe the webserver itself. Just look at the wonderful things you can do with CSS. Yeah right. Complexability, I sniff the smell of it when my face is pushed in that kind. I just wrote a trojan horse back in the mid-90s in a very simple script-language called pilot. And that one worked so good as a proof-of-concept, that the sysadmin (a friend of mine) banned me for a month. And this here is very much more complex than pilot.

      But we still like this gamepad-style communications. And that's why worm and virus writers have such an easy time.
    22. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Talented people want their work to have an effect. It's almost impossible for a good programmer to do that, in the days when companies won't hire them and consumers only buy what the TV tells them to. So some of us find another way.

    23. Re:Hard to admit, but that is quite clever by m50d · · Score: 1

      If they've discovered how it's stored, a new pad won't help any, unless it's done only minutes from the attack - as soon as they have one copy with the new pad, Symantec et al. can find the new URLs.

      --
      I am trolling
    24. Re:Hard to admit, but that is quite clever by databyss · · Score: 3, Interesting

      Dude, grammar, spelling and just about anything that involves text communication evades you.

      WTF?!?: "Complexability, I sniff the smell of it when my face is pushed in that kind."

      WTF?!?: "I just wrote a trojan horse back in the mid-90s in a very simple script-language called pilot."

      So you just wrote it? Or you wrote it in the mid-90's?

      WTF?!?: "And that one worked so good as a proof-of-concept, that the sysadmin (a friend of mine) banned me for a month."

      Earlier you said that people can't attack you for berating virus writers when you yourself wrote a virus because you only wrote it as part of a college experiment. Now you say you wrote a malicious program as a "proof-of-concept" and were banned by your friend?

      Why would your friend ban you if it was just a proof-of-concept? That means it was never deployed. Also, why would your friend ban you?

      When push comes to shove, Sober is indeed a clever program. Deal with it. Is it a good program to write? No.

      Your lies and bullshittery are blatant my friend.

      Does your mom know you say stuff like this on the interwebs? She might ground you!

      --
      Hmmm witty sig or funny sig? Maybe elitest techy sig!
    25. Re:Hard to admit, but that is quite clever by justinchudgar · · Score: 1

      I question that. After years of classroom instruction in programming and working in the IT industry, though not as a developer, I haven't the faintest idea how to write "quality malware". I am consistently impressed by the quality of the programming that goes into trojans, spyware, etc. And I often wish that the "real software", MAS90, Medial Manager, would put the same effort into their products. Malware will run stably and reliably despite all efforts to kill it. Those gazillion dollar products that people really want to run and depend on will only be stable if installed whilst standing on one's head at 1:13PM February 29.

      --
      WARNING: Smoking this sig may cause lowered IQ, insanity or short term memory loss. It is also really bad for your monit
    26. Re:Hard to admit, but that is quite clever by sydb · · Score: 1, Troll

      Quit whining and use the <b> Preview button </> you damned newbie.

      --
      Yours Sincerely, Michael.
    27. Re:Hard to admit, but that is quite clever by ronanbear · · Score: 3, Insightful

      Their organised crime bosses pay better and give better conditions than so called legitimate software companies. You may as well be writing worms as some of the stuff that big corporations like Sony are sending out.

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    28. Re:Hard to admit, but that is quite clever by ZiakII · · Score: 1

      why do talented people waste their abilities on viruses?

      They get paid by anti-virus companies too! (It's a joke, laugh.)

    29. Re:Hard to admit, but that is quite clever by Slick_Snake · · Score: 1, Flamebait

      I'd like to start by saying grow up. Your rant sounded like a school kid that was mad that the other kids were getting the attention. As for your "virus", we have no proof that you even made such a thing and I personally doubt it because of how much you overplayed the cloak and dagger theme. Locked up in a safe, yeah right. While I agree that the script kiddies don't know squat, the "crackers" that made new worms and virii can be quite clever. There is a difference between people who just use someone else's exploit and those who find their own exploits, and lumping them all together just shows how little you know.

    30. Re:Hard to admit, but that is quite clever by DaEMoN128 · · Score: 1

      "And if any of those newbie junk programmers out there that have nothing better to do than to destroy the medium they live in really become smart, then the internet will stop in its actual existence,"

      I am rather surprised that you believe that the virus writers would even want to destroy their own environment. A clever virus would not destroy its own method of survival; that would be stupid. Instead, a clever virus will use as few resources as it can so it isn't caught because of a performance hit.

      Secondly, the internet uses redundant systems. For the internet to come to a grinding halt, you would either have to attack ports, hardware, or bandwidth. You can stop a computer from accessing the net by attacking port 80 and shutting down the redirector service. That wouldn't work for all because of the many different OS's and levels of security on them. The net exists still. Hardware: the easiest way would be to infect the core level routers... you would have to overwrite the OS to do that. Too bad they don't use a single brand, which again means you would have to write many different versions. The virus would also have to shut down the router after, and only after, it had replicated itself to all redundant systems, including the ones that don't come online till the active ones drop. Net would still stand, but be crippled like before. You could write a virus for the surfers' computers, but you can't flash the BIOS from the OS on many motherboards. You could try to just flood the net... you would need a huge zombie network. The traffic would be analyzed. A definition would be put out in reaction. To stop that, you would have to block all virus scanners from being able to update. Net still stands.

      To drop the net is an almost impossible feat. Besides, why would you bulldoze your playground?

      Thirdly, virus writers can have the exact same education as you. They could have even taken the same classes as you at the same time. Don't assume they are only capable of writing idiotic code and you are the only one capable of writing clever code.

      Fourthly, you are correct in saying that security is reactionary. It will most likely be nothing more than that. Virus writers already have the upper hand; they always have, and they always will.

      --
      Stop signs are only Suggestions
    31. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 1, Informative

      Look, it's not that difficult. You can't just press enter in the text field. You have to use the HTML tags. I mean at least put in a <br> twice and that will break it up. Unfortunately, that won't solve all of your problems. Your post was poorly spelled, and worse, poorly written. An attempt at writing a word isn't good enough. At least make it readable. This is for intelligent communication. Take a second to paste it into a word processing program and for all that is holy CLICK PREVIEW!

    32. Re:Hard to admit, but that is quite clever by Hal_Porter · · Score: 3, Funny

      Hmm, remember teh Lordz Prayer. I've marked the relevant line.

      Our Father, who Pwnz heaven 0f da 1337z , j00 r0ck!
      May all 0ur base someday be belong to you!
      May j00 0wn earth just like j00 0wn heaven.
      Give us this day our warez, mp3z, and pr0n through a phat pipe.
      And cut us some slack when we act like n00b lamerz, just as we teach n00bz when they act lame on us.
      Please don't give us root access on some poor d00d'z box when we're too pissed off to think about what's right and wrong, and if you could keep the fbi off our backs, we'd appreciate it.
      For j00 0wn r00t on all our b0x3s 4ever and ever,

      3N74H .

      Eloquent words, eh?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    33. Re:Hard to admit, but that is quite clever by muffen · · Score: 4, Interesting

      How many people have been mentioned in almost every newspaper in the entire world on the same day? I doubt the president reached the levels that de Guzman did after writing the loveletter worm, and this is a guy in the Philippines who will probably not be able to afford a trip outside his country ever.

      The feeling of power for this individual must be enormous... not saying it's right, but you were asking why people write these things, and the feeling of power is something I believe is a big reason.

      Then of course we have the fact that a lot of these threats steal information etc., so as you say, money would be another reason...

    34. Re:Hard to admit, but that is quite clever by Guppy06 · · Score: 3, Funny

      "why do talented people waste their abilities on viruses?"

      Sex. It's all about the groupies, man!

    35. Re:Hard to admit, but that is quite clever by daniel_mcl · · Score: 3, Insightful

      First, I have a hard time believing that a professor took students from being "computer newbies" to being able to print out "hello world" ten times in thirty days, much less write some sort of working virus; trying to teach students anything outside of their major is roughly equivalent to pushing dead whales uphill in terms of efficiency. I've been in a lot of classes and taught a few, and I know that the average student will not do any work if it's at all plausible that a significant number of other students won't do it either -- school these days has become a generalized prisoner's dilemma situation, in which the teacher can only fail so many students before being reassigned.

      In the larger scope, I'll just say that it's very tempting to think that one's computer programs just scale automatically, but this is simply not the case. Chances are that you were working on a very homogeneous network at that point, with most machines running rollout-synchronized versions of the same software. I've written "worms" that work under such an environment myself -- unlocking the parental protection on the middle-school computers made lunch-time in the library a lot more interesting. In such a situation, a worm either doesn't spread at all or immediately takes over the entire network, so any success is an impressive one.

      On the real internet, on the other hand, we have a very complicated mesh of various systems with different sorts of protections, some explicitly designed as such but most just due to random variations that prevent a given buffer overflow from working on more than one system. Even if someone is running a vulnerable system somewhere out there, there's a good chance that getting at it may involve going past some other system that is simply going to eat it alive. We're not talking just about computers, but also about routers, switches, and all that Cisco equipment that's silently running a good deal of the net without anyone ever thinking about it.

      That's why there hasn't been a real worm on the internet in quite a while; essentially every major virus in recent memory has relied on social-engineering to trick the user into manually installing the virus onto his own computer. In fact, I'd seriously doubt that it's even feasible to create a self-distributing worm on the internet at this point, unless Microsoft is dumb enough to build remote-execution capability into their application software again.

      Of course, if you were actually working on a diverse, real-world type network, and you managed to devise cross-platform vectors, that's quite different and it'd be interesting to hear about. But if you're like the majority of people who make claims like these, I'm gonna have to say that your eyes are probably a little bigger than your mouth on this one.

      --
      I used to read Caltizzle. I was a lot cooler than you.
    36. Re:Hard to admit, but that is quite clever by jpostel · · Score: 1

      I think you are comparing malware to the wrong "real software". I think a more appropriate comparison might be shareware/freeware apps. There are some very well written apps and some really crappy crash-your-box apps.

      As far as writing malware goes, I've got a book (with a 5.25 disk of code samples) of MS-DOS viruses. It was written for educational purposes I'm sure, but when I looked at it for the first time, my reaction was pretty much, "Is that it?" You might want to take a look at the proof of concept code that gets sent out on the bugtraq mailing lists. Some of them are not at all complex, rather they simply pull on doorknobs until they find one open.

      --
      Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
    37. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 1, Funny

      "Feel a bit embarrased, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?"

      Maybe they couldn't find a boyfriend on their own, and were hoping to get caught.

    38. Re:Hard to admit, but that is quite clever by Provocateur · · Score: 1

      DAMN, and here I am, struggling to fit my comments in that small box Slashdot gives me...

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    39. Re:Hard to admit, but that is quite clever by Dare+nMc · · Score: 0, Offtopic

      > "why do talented people waste their abilities on viruses?"

        "why do talented people waste their abilities on posting to slashdot?"

      Money?
      Acclaim (within a small community)?
      Politics?

      I would guess money. Spam pays very well, and a lot of companies have had monetary ulterior motives, as always, follow the money.

    40. Re:Hard to admit, but that is quite clever by TheLink · · Score: 1

      While it's cleverer than the normal stuff, I'm not really that impressed.

      I guess the next step would be a trojan/worm that used search engines to search for instructions.

      There are a fair number of search engines it can use ;).

      It could even use google groups ;). Then some "random spam" in a mailing list could tell it what to do.

      Do it in perl and/or some other scripting language and it'll be interesting to see how AV engines can keep up with the many possible versions (perl, python, ruby, lisp etc do run on windows). It could be fairly innocuous code, that just did: eval "downloaded stuff here" in some situations;

      And that could remove the old version (that would be vulnerable to AV stuff).

      I figure that one can rapidly create very many different versions in perl that do different things (spread via newly discovered security problems). Or even do the same thing. After all perl = "There's more than one way to do it".

      While the AV software has significant performance considerations for real time detection: it has to detect the many different perl, python, ruby etc. versions that could automatically spring into existence, without too many false positives.

      In contrast each individual malware copy doesn't have as difficult limitations.

      In fact, one could create an experiment in "genetic algorithms". Parasites that burden the host too much would not survive.

      The only issue is how do you infect a user. But there appears to be tons of ways to do that, including stupid people ;).

      Also Microsoft and Sony have already "helped a lot". I believe Microsoft has in fact signed at least one insecure activex control, so all you need to do is get targets to download that _signed_ control and exploit it. Sony? Need I say more?

      If that happens, you might really need multicore CPUs to get stuff done.

      --
    41. Re:Hard to admit, but that is quite clever by miller701 · · Score: 1

      Well, Germans have that funny way of compounding words. Apparently they're compounding sentences together now.

    42. Re:Hard to admit, but that is quite clever by sglane81 · · Score: 1

      They get paid by anti-virus companies too! (It's a joke, laugh.)

      This happens more frequently than you think. Consider this: without a constant threat, these companies would have no business.

      --
      This is the Internet. You can say "fuck" here. - AC
    43. Re:Hard to admit, but that is quite clever by Silizium · · Score: 3, Insightful

      Dude. There are other languages than english and other coutrys than the u.s.a. around the world. So sorry that I do talk native german. Maybe you have a better grammar and spelling if we talk in german?

      So if not, please stop that. I do my best to be understandable, if you dont like to read my commentary then skip it. Gna. That shit makes me angry. I never ever criticised anyone who talks german with a foreign accent. I never tried to bawl somebody out because he was not a native speaker. This is really bullshit, lets stop it before it begins. I try my best, is that okay for you? Skip it please. Its loss of bandwidth.

      To your questions.

      I did a lot of research for computer security issues. Including worms, virus and trojan horses, but Im no specialist that has completely focused on that thing. I never stopped to be interested, I specialised on university for a while on that theme and I grew up in the 80s where there was no "cybercrime" at all. Not here. Not in germany. We had no laws. So we did what was possible. But in that time nobody was destructive. Everyone was just damn curious. When the damn NASA hack was hitting the news at '86 (I think) I was damn near that. From the scene just an inch away.

      In that time nobody thought a computer system was really vulnerable - but us - the hackers. So I grew up not in the mind of destruction but in a mind of conciousness that security is only in the hand of those who care for it. And who test it. And who spend time and energy in it.

      Yes, I was a hacker and Im proud to say I am today. I dont hack into systems. Im not destructive. I write code, I test security, I play with system. Playing, yes that would be the right word for ist. Just for fun. And I did it in the 80s and I still do it. And, yes, I think its a good way to live with computers. I have fun at work.

      In the early 90s I first and last put a thing you'll call a trojan horse into the "wild". There was no "internet" in that time. It was no big deal, but that progamm managed to trick a database and send me usernames and passwords. (Certainly never used the data, I have no interest in that sort of thing.) I just wanted to show my friend a big security hole in his system, but he instead of fixing it ran almost amok.

      Stupid.

      After a month he spoke to me again and with my help we fixed that thing. A whole month his system was unfixed and vunerable. "But it was only such a harmless feature", he declared. It was not. There is no such thing like a harmless new feature.

      Please search google for "pilot script language" for more info about how harmless the feature really was and that even such a dumb little scripting language can be used to trick systems or users. It was a cool hack. No big one, shure. I have done better things after that but that one is a good lesson. New features mean new security holes. Thats it.

      At that time I reverse engeneered viruscode and the first wormcodes on the new rising internet. Most of the code is really poor, poor, poor. Its bad tested, poorly written and only one of 20, 30 or even 100 virus/worms are what I call "interesting". Yes, I really was not keen on sacrificing my whole life in reverse engeneering shitty code. That is very, very boresome to reverse engeneer the tenth shitty little script-kiddie worm that was only altered enough that the antivirus software does not recognize it. Even the bugs are in it.

      In the mid 90s I quit that after years of studying. So, no, I have not reverse engineered bloody Sober. It's really not worth it. It should just be destroyed. It has no really new features in it, it is not even on the same level as those worms of the mid 90s. It's just current and uses some nice features that are not new, are not well programmed, are not innovative and, in short, are boring.

      It's not easy to write a worm like that. Really. That is not what I say. But it's no big deal. There are tools out there, there are people with code who invented ways for intrusion, this thing is just a roughly hammered toget

    44. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      You really are full of yourself aren't you?

    45. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Exactly. I hated the guy's/gal's original post and I hated that one too. From what I gather from his/her posts:

      * Likes to brag. Big headed. Egotistical. However you want to say it. Probably one of those bloggers who tells everyone about their "amazing" stories, like when they went to buy a loaf of bread and saw a stray dog that had FUR on it!!!!!1!!!1one!! Nobody actually ever reads their blog except themselves, who constantly hit F5 to see if anyone has left them a comment telling them they are 1 awesum d00d!
      * Likes to bullshit. Oh boy does he like to bullshit. Unfortunately his lies are as transparent as a window.
      * Has the grammar and spelling of a six year old. But according to him he has been around posting in BBS from the 80s. That means he has such a high IQ that for almost 30 years he hasn't learned how to spell or type coherent sentences. Oh.. but that doesn't affect his ability to write top-of-the-range viruses, clearly much better than Sober, despite not even knowing what a proof-of-concept is.

      Ah I can't be bothered wasting more time on him, just mod all his posts funny or troll and be done with it.

    46. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Gegen Dummheit kämpfen Götter selbst vergebens

      Schiller's line is also well known in English. It's usually translated as:

      Against stupidity the gods themselves contend in vain

    47. Re:Hard to admit, but that is quite clever by databyss · · Score: 1

      Wow dude. That was a whole lot of not much. I apologize for criticizing your language. You do a pretty good job in English as a second language. Apparently German people speak in contradictions. Some other facts: there was indeed an "internet" in the early 90's. Aside from the AOL/CompuServe crap and aside from BBS's, although they were still chillin in those days some places. By saying that there was no "cybercrime" in the 80's I assume you mean that people weren't getting arrested for computer related activities. The activities that today are considered cybercrime were most definitely taking place back then. It just wasn't understood by the media and most people so it wasn't reported on very often. Let me express my disbelief that a computer system was disabled for a month by a trojan that tricked a server into sending you information. There, it's been expressed. I've done a bit of reverse engineering (RevEnging?) in my day and I agree that many malicious programs are not very unique, but they do sometimes have neat little tricks in them. I also agree that writing malicious programs is lame and ethically reprehensible when their outcome is to be released into the wild. Well that was fun. Guten Tag.

      --
      Hmmm witty sig or funny sig? Maybe elitist techy sig!
    48. Re:Hard to admit, but that is quite clever by vettemph · · Score: 1

      >>>why do talented people waste their abilities on viruses?

        Your government has teamed up with Microsoft to create the world's largest botnet. Microsoft supplies the vulnerable OS that seems accidentally insecure. Your government allows MS to block all competition and maintain a monopoly in order to host this botnet on "free"* hardware.

      *free to the government because You paid for the hardware and bandwidth.

      Of course there is another article here on slashdot noting that the airforce will become the chairforce in order to address cyberwar and shit. Our government will find a way to spend a billion dollars to do what a few hackers do in their spare time.

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
    49. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Dear user 937457, welcome to Slashdot! Here we are quite full of ourselves, and only rarely have even the faintest idea of what we're talking about, so you'll fit right in. It's customary for noobs to be the most arrogant and clueless of all, so it makes perfect sense that you should go ahead and post something like that.

      But never *never* tell me again that a virus programmer is "quite smart". He's not. Not in any sense.

      I don't know what your idea of a virus is, but several viruses employ techniques beyond the reach of many competent programmers. Cryptographically signed updates, hand-optimized assembly, kernel function hooking, polymorphic and metamorphic stealth routines, etc. If you think any of this is anything like the little toy contest you had in school, that only demonstrates your complete lack of knowledge about the subject. Some of the most competent programmers in the world (Peter Szor, for example) routinely marvel at the ingenuity of malware authors, while for that reason not in any way condoning their actions. Somehow I have my doubts that you know more about this subject than he does.

      Now go away, troll. There are too many of your kind here already.

    50. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      I did it at university in a special laboratory under supervision by our prof for computer security. And every line from that code lies since that time cool and quiet locked up deep in a safe.
      I call bullshit. Seriously, WTF?

      we nihilated them
      You made them doubt their existences?

      Fuckwad.

    51. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      It's amazing that the cognitive dissonance you're likely to experience for first rambling about no virus authors being any clever and then bragging about your own pathetic accomplishments within the scene doesn't make your head explode.

      As for your English, yeah, it does indeed suck. It's not my first language either, but you can't even formulate your thoughts in a semi-coherent manner. Actually, I wonder if it's really the fault of the language. I doubt you make more sense in German.

    52. Re:Hard to admit, but that is quite clever by mslinux · · Score: 0, Troll

      How do you get into it? I can hack-up code with the best of them. And, I'd like to be paid a lot too. I'm not willing to do anything illegal (hack into vulnerable Windows PCs), but I am willing to send out emails and to devise methods to get more messages into more inboxes (spam filters are so dumb)... where do I apply for a job such as this and how much does it pay?

    53. Re:Hard to admit, but that is quite clever by sconeu · · Score: 1

      Got it right on the first try. Money.

      1. Write worm that pwnz millions of machines.
      2. Sell access to the botnet.
      3. PROFIT!!!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    54. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      I believe what we have here is not a page-widening troll, but a page-thickening troll. /just sayin'

    55. Re:Hard to admit, but that is quite clever by Silizium · · Score: 1

      Thank you for your compliment for my English. But really, I know I suck. It's nice that you accept my language then.
      Tja, sorry that you are not satisfied with my little article. If it interests you, I'll tell a few lines more.

      But yes, you are right. There was an internet. But not what everyone today is calling the "internet". I know it, you know it. But most of the users of today's internet have no memory of the pre-web age. In the early time we had even no AOL or CompuServe. We -in Germany- had Datex-P. The Datex service from the former "Die Deutsche Post" (mail and telephone agency) brought our self-built 300 baud acoustic couplers into the world-wide datanet. That was another time. There was no personal internet like today and to call it one -hm- seems a bit strange if we see what we have today.

      And really nobody expected us to be there. Every system was quite open to everyone. And sure there were people doing things that were illegal - but not here in Germany. Because there were no laws against hacking into foreign computer systems or to use satellite connections to the USA forging account data. And even in foreign countries we were free to do what we liked to. No laws means no legal/illegal means no police, no judge could harm us for what we did. But I do not recall any destructive crimes that were committed in that time - by us.

      It worked. We used a New York outdial to telephone to BBS systems or corporations all over the country. T'was quite cool for a teenager to do such things.

      Up to that thing with the NASA hack. After that there were cyberlaws in Germany. It changed everything. Hacking was illegal now. But most of us of the early days knew what we wanted. The net was there - it was only waiting for us. We built our own net of linked private BBS systems - the z-netz or zerberus-system, communicated and waited for the first systems to connect really online. Internet? No man. Not in those days, not in Germany if you were not working for a big company or university. Computer science at university? Was not invented yet.

      Internet as a teenager? If you were a hacker, yes. Other ways? No. Not here. Not in that time. The "Deutsche Post" even forbade using a modem. But they couldn't control us, stop our curiosity. We really drove to telephone cells to dial in anonymously. And the computer hardware of that time was really crap. C64 and such stuff -40 columns- we had to write our own terminal programs and dial-in software and the lot. But it shows better what a computer is and can and cannot do than our much more sophisticated systems today. And the people today don't get it anymore - the cyber frontier. The point of what you can do and what you can't. Of what you should do and what not.

      And we were "legal" everywhere. Nobody could harm us. So I once stepped into a little (or big) company in New York (I think) just to find out where I was. It was a damn bank system, yes. I really don't know how I got there, that was some software failure of my own programs I guess. After a while I simply asked a system admin where I was. Silly? No. It was our right to be there. It was not easy to communicate with him because I had no 80 column "talk". But I got it. Was funny. He couldn't understand where I came from. How I got there from damn *Germany* - with a *what* computer?! But-but-but that's a multi-million-dollar computer and you have just a few hundred Deutschmark home computer! Where the fuck is Germany anyway? Oktoberfest? Autobahn? Really funny. But after a while chatting and playing games with the admin I logged off. Daring? Hm. Fun I think. Today you would land in jail if you do that trick. But we knew we wouldn't.

      That was the time. And I say there was no internet. Not what it is today, not nearly. How many were we? A hundred? Two hundred? Nah. No, we didn't know each other but we heard of each other.

      Then the NASA hack came, doors were smashed in here in Germany and every hacker was shocked. Sure. Everyone was released because there was no law against this (and there was no evidence at all, because com

    56. Re:Hard to admit, but that is quite clever by jbl26 · · Score: 1

      > In fact, I'd seriously doubt that it's even feasible to create a self-distributing worm on
      > the internet at this point, unless Microsoft is dumb enough to build remote-execution
      > capability into their application software again.

      You must be kidding. There are definitely still self-propagating worms. For instance, Zotob wreaked havoc in August of this year.

      http://www.microsoft.com/security/incident/zotob.mspx

    57. Re:Hard to admit, but that is quite clever by Silizium · · Score: 1

      Yes, interesting. In trusting networks there is no problem to propagate a worm. Like you, I built one at university that checked the load of every machine in my subnet and started the C compiler to compile my project on every lazy or very powerful and not fully used computer. I never called it a "worm" because if I had named it like it was, they would have thrown me out. But with that fine little script I compiled my project not in an hour but in a few minutes. Nobody was harmed, everything went all right and I think it was right to do it. It spared my university much time and money (that I would have earned, gash).

      Yes. But there are self propagating worms. On my homepage -a little while ago- I did some homework about security of passwords and -really good- attacks over the net. More statistical rules of thumb than real math but I think it'll work. And that says ordinary ssh ports can be penetrated quite efficiently - through the front door. The mass of systems out there and the mass of users is the problem. You can easily crash that. And even so, it's much more interesting to get control of one true router than of a thousand dumb zombie PCs. I recall now that Bruce Schneier told on his blog about the possibility of ssh worms. And I simply worked that idea out a bit.

      But interesting is it when it comes to cross-platform attacks. I think we will see the next big attacks as Java worms. Did you catch the last known bug of Java 1.4.2_08 and below? And all 5.0 versions of that date and below? First catastrophic break of the sandbox that I know of. And where there is one there is always one more.

      And Java code is damn small and damn fast (on JIT), flexible and everything a worm/virus writer wants.

      How to build multiplatform Java networks on "trusted" computers is quite easy - the code can even be downloaded ready for use from the net. But when somebody begins to combine this and some other features I know of, then -hm- you better look for a helping god, because that's everything that will help.

      And even the self-referencing capabilities of Java are perfect prey for worm writers. You can easily recompile the whole construct even through the net itself. You can import complex code and so on. But I don't like to bring people on bad ideas. I like Java. And its misuse is not often. I think this is because only very few Java programmers are schoolkids.

      Maybe there are easier ways to do this stuff. But for me it's looking dangerously easy enough.

      I ask myself, by the way, isn't it always the same old story how programs are attacked by heap overflows? What would happen if a mutating worm is not attacking only one specific port but ports at random and tries so long for working code (working length of code sequences) up to somewhere a program crashes, starts the code and propagates working children that themselves slowly mutate? Would this sort of worm ever stop?

      So much about interesting ideas...

    58. Re:Hard to admit, but that is quite clever by Silizium · · Score: 1

      Hm. Talking of destroying the own environment. Do you remember the first big worm that hit the internet? It was 1988, the Morris worm that used a sendmail bug. It was exactly the time I worked in that anti virus/worm project and we, along with other people worldwide, worked in reverse engineering that worm. More like "understanding" it because it was new - even though some of us had had theories about this sort of attack, we had never really "seen" it before.

      This worm stopped over 6000 computers (I do not recall the exact number now and had to consult Wikipedia for this) working and crashed big hunks of edu-net. Why? Just because Morris underestimated the self-propagating rate of his worm. Even without a payload it used all computing power of all infected machines. And by that killed his own host network. By reading the source code we found that the worm was obviously not intentionally released. Maybe it was just a test run that ran out of control.

      Such worms are quite common - worms that are miscalculated and consume much more resources than planned. So the shutdown of whole networks is maybe not the intentional goal of a worm but often enough it ends up like this.

      Another thing is that maybe the net is not down but your computer says goodbye the moment you connect. Last seen with the msblaster worm, that attacked every connected computer two times a minute.

      And at last the internet is not that stable and "nuclear proof" as you may think. 9.11.2001, the moment the first (or was it the second, no it was the first) twin tower collapsed - the whole nation I think saw it live on TV, in exactly that moment also the German internet was gone. For how long? Half an hour? Okay. That was just one building (okay, with DNS root servers in) but it was just one building that knocked the internet out.

      Some worms have the same effect. On such worm days the internet becomes noticeably slow. Up to date there was -between the Morris worm- no big internet crash caused by any worm. But we are much closer to that moment than we think. And that may be the day on which all Windows PCs have to shut down to restore the net. Up to date the relatively slow modem/DSL cables are not able to really shut down the net with traffic. But in the next years glass fibre will be common and that will be the day that personal computers will overload internet connections.

      To overload a transcontinental connection is even easier. The bandwidth is far smaller than the continental lines. Wasn't that the case when the first cyber-skirmishes between China and USA hackers occurred? I'm not sure with this but you know that these things happen even without worm attacks. And in the end there are simply certain messings around with low-level protocol packets that fill a line with a huge amount of cybertrash.

      I wish I had your trust in the reliability of the internet. Certainly the internet is highly adaptive, redundant and all this. But as a few examples show - not invincible. And the last big power failure of nearly the whole USA I have not mentioned yet. Read what the reason was? Ok, you know it.

      No, the internet is not nuke proof. It's not even storm proof. Or water proof. Or worm proof. It's really a very complex and very vulnerable system and I doubt that this will change in the next years - au contraire.

      And last to come to the education level of worm writers. Yes, there may be people out there at my education level that do it - but if so, then we would suffer more badly from worms I guess. You don't have to be a genius to write a thing like a worm or a virus. It's not really easy but it's no difficult task. Mostly you communicate over ports, copy data, start programs and things like that. Those are easy tasks. If you want it a bit more sophisticated you build in something like a "random" generator. Man, I write this shit with a bottle of Johnny Walker down in five minutes like any other programmer that even half understands what he's doing. It's a bit of work, yes. You'll need some days, maybe some weeks. But it's not difficult. If you can't

    59. Re:Hard to admit, but that is quite clever by daniel_mcl · · Score: 1

      Perhaps "havoc" isn't an entirely appropriate term. According to your link, Zotob only affects computers running unpatched versions of Windows 2000. According to most usage statistics, Windows 2000 only has about 10 - 15% of the operating system market, and that's patched and unpatched systems. Further, while I haven't checked this I'll bet that Microsoft uses Windows 2000 to run their spiders for MSN search, meaning that the actual number is probably even lower. Now, while having 7% of desktops infected by a worm is annoying, the only way that this would count as "havoc" is if you were managing a corporate network full of identical W2K boxes, and in any case that's nowhere near the sort of damage that is routinely unleashed by social-engineering bots.

      --
      I used to read Caltizzle. I was a lot cooler than you.
    60. Re:Hard to admit, but that is quite clever by XXIstCenturyBoy · · Score: 1

      Because the same talented people waste their time working for antivirus software maker.

      /has his tin foil hat

    61. Re:Hard to admit, but that is quite clever by Crayon+Kid · · Score: 1

      Fourthly, you are correct in saying that security is reactionary. It will most likely be nothing more than that. Virus writers already have the upper hand, they always have, and they always will.

      You know, that's one of the things that bothers me the most about security. It doesn't have to be reaction-only.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    62. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Why do some intelligent people do evil? Intelligence != Morality. Nuff said.

    63. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 0

      Yes, the internet can be "dropped", but it will also recover very quickly.
      The reason we don't see viruses that drop the net now is because they are being tested more thoroughly than before, resulting in better success rates of viruses. Your example of msblaster may have hit every connected computer every two minutes, but it did not infect every computer, why, because of the diversity that is the net. I would love to see the big ISPs start using proper intrusion detection systems with up to date definitions. That would cut down majorly on propagation.

      I agree that overloading a transcontinental line is easy, for now. Most of those use singlemode fiber (or will be going that way in the relative future)...which we are still discovering how fast it will really go. The limitation there is the equipment. The net is still up, just not fully functioning. For many home users, not being able to icmp echo any computer in England from the USA would probably not be a big deal. For corporations, that is another matter all together.

      Yes the actions and function calls of virii are very simple. That doesn't mean it isn't clever. According to urban legend, the US spent hundreds of dollars developing a pen that would write upside down in a vacuum. That is not very clever. The smart and resourceful "clever" Russians just used pencils.

      Yes, I do think able programmers are writing virii. You will always have people that would rather make money selling a program that took them a week to write that creates a spambot network than actually work for a living. Never underestimate lazy people with talent. But I also agree that most virii are written by script kiddies and no talent hacks.

      You say there is no innovation or new stunning features in viruses. Why would there need to be? I don't need a Hilte 2200 when a screwdriver will work. It's about effect/effort. You use the least amount of work (keeps it really simple because of this) to get what you want done.

      Enjoy and Loving the conversation

  3. What should happen by gbulmash · · Score: 5, Interesting
    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

    1. Re:What should happen by Rigrig · · Score: 1

      So how difficult would it be to write some code that removes Sober from any infected pc that tries to update itself? Seems like F-Secure has had the time for this since May already.

      --
      **TODO** [X] Steal someone elses sig.
    2. Re:What should happen by zopf · · Score: 1

      Interesting... in fact, prior knowledge on F-Secure's part of this algorithm implies that perhaps they could end the spread of the Sober worm. If they were to design a piece of code that would remove or incapacitate the Sober worm from infected computers and then distribute that code through the generated URL to every Sober worm that is downloading, couldn't they end the spread of this virus?

      So why didn't they do this? Oh yeah, that's right - they're in the business of selling anti-virus software. Their survival relies on the continuous existence of major computer viruses. Their incentive suggests that they should only _fight_ viruses, not eliminate them.

      --
      Did you see the pool? They flipped the bitch!
  4. Virus writer is a Free Software fanatic by ReformedExCon · · Score: 5, Funny

    Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

    http://en.wikipedia.org/wiki/January_5

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:Virus writer is a Free Software fanatic by Hinhule · · Score: 3, Funny

      I think we have stumbled over who wrote the virus.

      Richard Stallman is the only Free software fanatic.

    2. Re:Virus writer is a Free Software fanatic by Anonymous Coward · · Score: 0

      Or that could just be apophenia.

    3. Re:Virus writer is a Free Software fanatic by TapeCutter · · Score: 1

      Everyone check under the bed tonight, it's those damn commies.

      Relevant quote from above link:

      "However, the capitalists, many of whom had up to then held Hitler at arms length, took fright at the upsurge in votes for the workers' parties. Consequently, on January 5 1933, Hitler was invited to address a meeting of industrialists and bankers organised by vice-president Baron von Papen, at the home of the aforementioned Baron von Schroeder. At the meeting, Hitler promised to bring an end to democracy in Germany and to smash the labour movement so the capitalists would be free to make their profits in peace. Within ten days, the financial problems of the Nazi party had disappeared."

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    4. Re:Virus writer is a Free Software fanatic by Segway+Ninja · · Score: 2, Informative

      Or perhaps 26 years after "Hewlett-Packard announces release of its first personal computer."
      Or maybe the writer intends to make bigger news than when "Warner Brothers [showed] the first color newsreel" (1948)
      Or maybe it's the writer's birthday.
      Or maybe it's the first day they intend to be awake after the New Year celebrations
      Or maybe it's to bring down IT infrastructure just as we're getting back to work just after the Holiday Celebrations end.

      The possibilities are endless, and there are far more logical explanations than "Sober was written by a free software fanatic, it's true it's true!"

    5. Re:Virus writer is a Free Software fanatic by Folmer · · Score: 1

      Or maybe it's the writer's birthday.
      Well.. then it MUST be Marilyn Manson who wrote it...
      Anyway.. he will surely be blamed for it...

    6. Re:Virus writer is a Free Software fanatic by Anonymous Coward · · Score: 1, Funny

      It all makes sense! Marilyn Manson writes the Sober worm, gets it to download a HTTP server and a copy of his latest album, then gets the PC to phone home every time it goes online, which issues an automatic DMCA takedown order on the PC that it came from! Ohh boy, wait till the boys at the RIAA get wind of this one... They'll be screaming "Why didn't we think of that!"

    7. Re:Virus writer is a Free Software fanatic by tokul · · Score: 3, Informative

      No, Sober is a pro-Nazi virus. Jan 05 is "1919 - Free Committee for a German Workers' Peace founded." Check virus descriptions on any antivirus vendor site.

      If you think that is about free software, then you haven't got a bunch of text emails about Dresden bombings and other propaganda.

    8. Re:Virus writer is a Free Software fanatic by Anonymous Coward · · Score: 0

      No, he's an Iron Chef fan... it's Chen Kenichi's birthday!

    9. Re:Virus writer is a Free Software fanatic by tom8658 · · Score: 1

      parent is modded funny for a reason...

  5. Patent by digid · · Score: 5, Funny

    Let's award the Sober Virus writer a patent. I think he'd qualify.

    1. Re:Patent by moro_666 · · Score: 1

      actually i think that according to the united states patent system, he may in fact HAVE the patent on the algorithm that generates the URLs from where to download "updates" to his worms.

      using this algorithm without his permission is illegal and also capturing him after using this algorithm in the illegal way is not legal and he must be released from custody ... like in the movies :)

      and since you can't be charged for 1 crime twice, he will be off the hook ... ain't life just fun ?

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    2. Re:Patent by ArcticCelt · · Score: 2, Funny

      Plus those nasty "pirates" at F-Secure have violated the DMCA by circumventing the security algorithm in Sober and should be prosecuted as soon as possible!

      --

      Yahh, hiii haaaaa! -Major Kong, from Dr. Strangelove
  6. My Question... by Shihar · · Score: 0, Flamebait

    Why on earth did they release this information? I can see telling the date of the next attack, but explaining how the author communicates with the virus just seems dumb. It doesn't help anyone except for the guy who knows that his methods have been spotted. Now you know that if he decides to upload to one of his websites he is going to assume that he is going to be tracked. This just means that he is going to make sure he is covert in doing it. If they had withheld this information, they might have been able to catch him in the act without him knowing and busted the little fascist shit head.

    1. Re:My Question... by Jussi+K.+Kojootti · · Score: 1

      Sure, but this way F-Secure can put out a press release...

    2. Re:My Question... by Anonymous Coward · · Score: 0

      I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.

    3. Re:My Question... by Anonymous Coward · · Score: 0

      They probably concluded that the virus writer is smart enough to hide his tracks anyway. After all, anyone could find out where the worm is loading new code from simply by tracing the connections as they are happening, and from there it would be easy to check out who has registered the domain and where.

    4. Re:My Question... by Anonymous Coward · · Score: 0

      Umm... maybe they made this discovery a long time ago and he's already OwNEd...
      And I think that you have misused the term fascist.

    5. Re:My Question... by The+Amazing+Fish+Boy · · Score: 4, Insightful

      I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.

      Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."

    6. Re:My Question... by penguinoid · · Score: 1

      I think that would be more like taking the website, and when the Sober worm goes to check for instructions, send it a self-delete code.

      PS: When can we expect the Drunk worm?

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    7. Re:My Question... by TapeCutter · · Score: 1

      OTOH: If F-Secure have (knowingly or otherwise) sabotaged a major international criminal investigation they won't be making press releases for much longer. If (as is likely) the cops (via F-Secure) have known this information for a while then the timing of the press release is part of extracting as much as they can from a clue.

      Either way, the public is a mushroom farm until they haul the toadstool into court.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    8. Re:My Question... by m50d · · Score: 1

      And that's why you're not infected. We're targeting the people who are.

      --
      I am trolling
    9. Re:My Question... by The+Amazing+Fish+Boy · · Score: 1

      And that's why you're not infected. We're targeting the people who are.

      Clicking "Next" at a random popup is a bad habit to encourage. Not to mention they may think they are ads.

    10. Re:My Question... by m50d · · Score: 2, Insightful

      So people know things to look for when analysing other viruses?

      --
      I am trolling
    11. Re:My Question... by Anonymous Coward · · Score: 0

      Only on slashdot would sarcasm be modded +5 Insightful.

    12. Re:My Question... by ShaneThePain · · Score: 0

      This is annoying, he is a Nazi, not a fascist. Know the difference; it's very insulting to real fascists like myself.

      --
      Fascism is the greatest political ideology ever conceived. Sorry.
    13. Re:My Question... by Anonymous Coward · · Score: 0

      That line was targeted at the "this is my computer dammit!" crowd, people that would let a worm be hosted on their computer but react strongly against remote security.

    14. Re:My Question... by Hal_Porter · · Score: 1

      You should first ask Gator^WClaria for a MEEELION DOLLARS just to not write the code. And then write it anyway, and shop 'em to the German computer police.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  7. uhh... by sl8r · · Score: 1, Redundant

    why would they publicize this? Wouldn't it be prudent to wait for the 5th January, run the same algorithms and check the URLs, and nab the perpetrator?

    1. Re:uhh... by PhreakOfTime · · Score: 2, Interesting

      Close.

      The actual prudent thing to do would be to use said algorithm and see what domain is generated on the 5th of January 2006, before the date even arrives. Alert ICANN registrars of the situation. Monitor that domain name, and watch for the second it gets assigned an IP. When the particular domain begins to point to a global IP address, then you can nab the perp.

      As a bonus, in the above scenario, you don't have to wait for all the compromised machines to bog down yet another unsuspecting network on the 5th of January 2006. win-win. well, that dude that gets caught doesn't win...

    2. Re:uhh... by nihaopaul · · Score: 1

      or maybe they don't really know how it generates it and are playing the bullshit game since they are scared of what awaits on january 5th. this author must have a real large e-penis now knowing that his code is being worked on by some l337 people, or if he gets caught he's planning to sue everyone that reverse engineered his code.

      - paul

    3. Re:uhh... by Nogami_Saeko · · Score: 2, Informative

      It doesn't look like the program is generating completely random domains, it looks like it's using domains that can be created on one of the free hosting services (i.e. like the European version of geocities or whatever) that are mentioned on the page.

      So all you'd need to do is register the account name on the free hosting service that's utilized for that day and away you go. Not a problem to register an account using a hacked email account and keep it anonymous.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
  8. Disinfection by ivan+kk · · Score: 2, Interesting

    So they've figured out the algo, and while I haven't RTFA, i assume the domains don't exist yet either.

    If that's true, what's to stop say symantec predicting a domain for a particular date, taking the domain, and putting a disinfection program up.

    1. Re:Disinfection by Sinus0idal · · Score: 4, Insightful

      Because even though they might be doing something they deem to be nice, running code on someone else's computer without permission is still illegal.

    2. Re:Disinfection by HappyMeal · · Score: 2, Interesting
      Actually, TFA points out the domains (and they do exist):

      http://people.freenet.de/

      http://scifi.pages.at/

      http://home.pages.at/

      http://free.pages.at/

      http://home.arcor.de/

      I do wish they hadn't publicized it... might have scared off the guy or convinced him to really hide identity when registering.

      Also some risk that sites around the world might indiscriminately block traffic to/from these sites, rather than specific URLs there. :(

      Though, I guess, your point regarding disinfection is well taken. :)

    3. Re:Disinfection by 1u3hr · · Score: 1
      Actually, TFA points out the domains (and they do exist):

      The domains do, but not the URLs. These look like free hosts, anyone can register and put up a simple page without having to supply any ID.

    4. Re:Disinfection by Hellasboy · · Score: 1

      Not everything unlawful is unethical and in this instance, I side with the ethical thing to do.

      --

      "Tread softly because you tread on my dreams"
    5. Re:Disinfection by m50d · · Score: 1

      They didn't run anything. They served up a file in the normal way in response to a normal http request. No trickery, no buffer overflows or anything like that. If someone chooses to download and execute the file that's their business.

      --
      I am trolling
    6. Re:Disinfection by ivan+kk · · Score: 1

      Suppose someone does this in a country where it's not illegal, just taking a stab, Russia, or somewhere in South America. It's not illegal then.

    7. Re:Disinfection by TeraCo · · Score: 1
      Not everything unlawful is unethical and in this instance, I side with the ethical thing to do.

      Unless they fuck it up. Sorry no, Symantec can run code on my PC once they pry it from my warm moist hands.

      --
      Not Meta-modding due to apathy.
    8. Re:Disinfection by Anonymous Coward · · Score: 0

      Yeah, I thought that too until I contacted my State's AG about Sony installing a rootkit on my PC. They told me to sue Sony in small claims court.

    9. Re:Disinfection by Hellasboy · · Score: 1

      If a person has sober on their computer, I think they have bigger problems.

      --

      "Tread softly because you tread on my dreams"
  9. Re:Ok Great by J0nne · · Score: 1

    And after that, the feds can install their own rootkit to spy on you...

  10. Calculate the exact URLs by jannic · · Score: 5, Interesting

    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

    1. Re:Calculate the exact URLs by HeadDown · · Score: 1

      With the algorithm revealed, it'd be possible to "predict" the future domains for a year or so forward in an automated fashion. Then you monitor the registrars for registration requests for those domains, and you have a fairly decent idea when the next wave is going to hit, and it might even provide a lead to the domain owner. Or you could "just" have those domains blocked from registration, for example.

    2. Re:Calculate the exact URLs by h3rmanni · · Score: 1

      The worm uses NTP servers to check the date. Can't fool it by just resetting the clock on the computer.

    3. Re:Calculate the exact URLs by pe1chl · · Score: 5, Informative

      The URLs are not domain names registered in DNS, but page names on "free homepage" services.
      So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)
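
The precompute-and-watch workflow PhreakOfTime and HeadDown describe above, together with pe1chl's point that the targets are page names on free hosting services rather than DNS domains, as an added Python example that is not part of the original thread or of F-Secure's analysis. Sober's real algorithm is not on this page, so `toy_dga` is a made-up SHA-256-over-date stand-in with an invented seed, and the "newly registered" feed is constructed; only the five hosting prefixes are the ones quoted from TFA elsewhere in this thread.

```python
import hashlib
from datetime import date, timedelta

# Free-hosting prefixes quoted from TFA in this thread. On these services the
# "registration" is a user account at the provider, not a DNS domain, so a
# watchlist goes to arcor.de / pages.at / freenet.de, not to a registrar.
HOSTS = [
    "http://people.freenet.de/",
    "http://scifi.pages.at/",
    "http://home.pages.at/",
    "http://free.pages.at/",
    "http://home.arcor.de/",
]

SEED = b"hypothetical-seed"  # invented; a real DGA bakes its secret into the binary


def toy_dga(day, count=10, seed=SEED):
    """Return `count` URLs for `day`. Hypothetical date-seeded scheme, NOT Sober's.

    Each URL is derived from SHA-256(seed || ISO date || index): deterministic
    for a given day, unpredictable without the seed, and most names will never
    be registered (the "99% don't exist" property from the summary).
    """
    urls = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        host = HOSTS[digest[0] % len(HOSTS)]
        length = 8 + digest[1] % 5                      # 8..12 lowercase letters
        name = "".join(chr(ord("a") + b % 26) for b in digest[2:2 + length])
        urls.append(host + name + "/")
    return urls


def predict(start, days):
    """Precompute the whole URL set for a window of days, keyed by day."""
    return {start + timedelta(days=d): toy_dga(start + timedelta(days=d)) for d in range(days)}


def account_names(urls):
    """Strip the hosting prefix: the account names a provider would block or flag."""
    return sorted({u[len(h):].rstrip("/") for u in urls for h in HOSTS if u.startswith(h)})


def watchlist_hits(predicted, newly_registered):
    """Cross-check a provider's new-account feed against the predicted set.

    A hit means someone just claimed a name the worm will ask for on a known
    day: that is the moment to start tracing, before the date arrives.
    """
    wanted = {url: day for day, urls in predicted.items() for url in urls}
    return sorted((wanted[u], u) for u in newly_registered if u in wanted)


if __name__ == "__main__":
    window = predict(date(2006, 1, 5), 365)
    print(len(window), "days precomputed;", sum(len(v) for v in window.values()), "URLs")
    # Constructed feed: one benign account plus one that collides with the Jan 5 set.
    feed = ["http://home.arcor.de/someuser/", window[date(2006, 1, 5)][3]]
    for day, url in watchlist_hits(window, feed):
        print(f"{day}: {url} registered ahead of its activation date")
```

The per-day list is what you would hand to the hosting providers (as names to refuse or to log registrant details for), and the hit check is the automated "watch the moment it gets assigned" step; the same table, fed to a web proxy instead, gives the blocklist some sites would apply indiscriminately, which is the side effect HappyMeal worries about further down.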

    4. Re:Calculate the exact URLs by Anonymous Coward · · Score: 1, Insightful

      But you can set up a fake NTP source, which is (or ought to be) a piece of cake for any security company.

    5. Re:Calculate the exact URLs by mallumax · · Score: 2, Interesting

      For once RTFA:

      The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.

      If the virus writer is smart enough to generate pseudo random URLs of which 90% are false, he is smart enough not to trust the computer clock.
    6. Re:Calculate the exact URLs by Anonymous Coward · · Score: 0

      Uh, spoof the time server check too? Duh.

    7. Re:Calculate the exact URLs by corpsiclex · · Score: 1

      or you could oh shit i forgot. uhh fuck i'm so high oh yeah point those domains to local mirrors yeah.

      --

      eBayDig 1s a typo saerch engien
    8. Re:Calculate the exact URLs by prionic6 · · Score: 1

      Exactly what I was thinking. Pretty obvious. Can be automated. NTP can be spoofed. Piece of cake. The communication with the NTP cannot be encrypted; the virus author would need to have control over that NTP for this.

    9. Re:Calculate the exact URLs by TiredGamer · · Score: 1

      I'm confused as to why folks think fooling a virus with NTP is any harder than fooling it on the internal clock. It just requires a little more work, but unless the virus was going to check a private, authenticated NTP server it's trivial to rig.

      --
      No penguins were harmed in the making of this post.
    10. Re:Calculate the exact URLs by MrNougat · · Score: 1

      That makes sense, and is probably the case. For speculation's sake, what if the virus didn't use the computer time to find out what day it was, but checked a Stratum 2 Time Server instead?

      --
      Web 2.0 == Giant Blogspam Circle Jerk
    11. Re:Calculate the exact URLs by Anonymous Coward · · Score: 0

      Stoppen das Clocken!
      Was?!
      Stoppen das Clocken!
      Ah, das Clocken! Jawohl!
      Its der Wurm geb0rken?
      Nein, er hast die Atomclocken gecheckt!
      Gott in Himmel!

    12. Re:Calculate the exact URLs by LWATCDR · · Score: 1

      You just use a hosts file or your DNS server to route all requests for an NTP server to your local NTP server and spoof it there.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
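
The sandbox time-spoofing that h3rmanni, prionic6, TiredGamer and LWATCDR are arguing about, as an added Python example that is not part of the original thread or of F-Secure's work. It builds a standard SNTP client request and a server reply (RFC 4330 layout) whose transmit timestamp is whatever date the analyst chooses, then shows what a client that trusts the reply concludes. The assumption is that the worm's "atom clock" check is ordinary unauthenticated SNTP over UDP 123, which is what the hosts-file/DNS redirection above relies on; the worm's actual request is not on this page, so `serve_once` is the generic responder a sandbox would run, not Sober's code, and the 127.0.0.1 reference id and stratum 2 are arbitrary choices.

```python
import socket
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_timestamp(dt):
    """Aware datetime -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    unix = dt.timestamp()
    whole = int(unix)
    frac = int((unix - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_timestamp(ts):
    """64-bit NTP timestamp -> aware UTC datetime."""
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return datetime.fromtimestamp(secs - NTP_EPOCH_OFFSET + frac / (1 << 32), tz=timezone.utc)


def build_client_request():
    """What an SNTP client sends: LI=0, VN=3, Mode=3, everything else zero (48 bytes)."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | MODE_CLIENT
    return bytes(pkt)


def build_spoofed_reply(request, fake_now):
    """Answer a client request claiming that 'now' is fake_now.

    Layout: flags, stratum, poll, precision, root delay, root dispersion,
    reference id, then reference / originate / receive / transmit timestamps.
    Nothing is authenticated, so the client cannot tell this from a real
    stratum-2 answer; that is why a local clock and an NTP check are equally
    easy to fool once the sample's NTP hostname resolves to the sandbox.
    """
    if len(request) < 48 or (request[0] & 0x07) != MODE_CLIENT:
        raise ValueError("not an SNTP client request")
    ts = to_ntp_timestamp(fake_now)
    originate = struct.unpack("!Q", request[40:48])[0]  # echo the client's transmit ts
    header = struct.pack("!BBbb", (0 << 6) | (3 << 3) | MODE_SERVER, 2, 6, -20)
    body = struct.pack("!II4sQQQQ", 0, 0, bytes([127, 0, 0, 1]), ts, originate, ts, ts)
    return header + body


def client_time_from_reply(reply):
    """What a trusting client (or the worm's date check) takes as the current time."""
    if len(reply) < 48 or (reply[0] & 0x07) != MODE_SERVER:
        raise ValueError("not an SNTP server reply")
    return from_ntp_timestamp(struct.unpack("!Q", reply[40:48])[0])


def serve_once(fake_now, bind=("127.0.0.1", 123)):
    """One-shot responder for the sandbox: answer the first request with fake_now.

    Redirect the sample's NTP hostname to bind[0] (hosts file or local DNS)
    before running this; binding port 123 normally needs root.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        request, peer = s.recvfrom(512)
        s.sendto(build_spoofed_reply(request, fake_now), peer)
        return peer


if __name__ == "__main__":
    # Offline exchange: the sandbox pretends it is already activation day.
    activation = datetime(2006, 1, 5, 12, 0, tzinfo=timezone.utc)
    reply = build_spoofed_reply(build_client_request(), activation)
    print("client believes it is", client_time_from_reply(reply).isoformat())
```

Run the sample with its NTP hostname pinned to the sandbox, call `serve_once(activation)` before it starts, and the "atom clock" check returns the date you picked; the URLs it then requests are the ones for that day, with no need to understand the generator at all.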
    13. Re:Calculate the exact URLs by jo2y · · Score: 1

      From the F-Secure blog:

      The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.

  11. The alternative by Shihar · · Score: 3, Interesting

    My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea. Thinking on it now, this very well could be an excellent method of trapping more than one shit head at a time.

    Publicize the information so that other people can also figure out the algorithm. Don't give it away, just let out enough so that a dedicated person can reach the same conclusion. Now just wait and nab every single bastard dumb enough to try and post code for Sober to get. While you are at it, switch off every website in question when its time to upload comes up. Not only do you cripple the virus's ability to upload, but you catch everyone stupid enough to try and abuse it.

    Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

    1. Re:The alternative by Lesrahpem · · Score: 2, Interesting

      Maybe the people who released this publicly are in opposition to full-disclosure practices and are trying to prove their point?

    2. Re:The alternative by Gordonjcp · · Score: 2, Insightful

      Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

      It's unlikely that the URL would be any "easily found" string of characters. I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.

      Now what you want is for domain registration companies to watch out for said "likely looking" URL and flag it up as suspicious somehow.

    3. Re:The alternative by g-san · · Score: 1

      Domain registration? That is no good... "It" compromises your web server, then installs a listener where it wants to bloom, it goes on and on. Wait until we get multi-headed viruses (the "lame" hydra concept from swordfish or the network of 13 viruses/worms from that W. Gibson X-Files episode.) It not only infects pcs, but has them connect back to backdoored webservers or pick-a-vulnerable-service to tell the third coordinator proc/worm which PC to infect next, that looks up a list of vulnerable backdoored PCs infected by sober and virus-of-the-week. I just hope it doesn't search the web with a smart algorithm that can interpret human text and read open source software source code to search for more software flaws in networked software and the fed#^%G#%D

      Wintermute Syntax Error: What are you doing, Dave?

    4. Re:The alternative by Anonymous Coward · · Score: 0

      It could be dictionary based and still generate a lot of very normal looking urls

      My dictionary file has 96274 words. Just using 3-word combinations you have almost 90 trillion possible URLs.

    5. Re:The alternative by blazzy · · Score: 1

      Replying to myself here: If it's one url per day as the article implies, and if we know how to calculate the url for a given day, it should be trivial for law enforcement/registrars to track.

    6. Re:The alternative by Anonymous Coward · · Score: 0

      Naah - just find the first 2006 sites, register them and set them to upload Sober removal code.

    7. Re:The alternative by Kadin2048 · · Score: 1

      Yeah I thought the same thing, but apparently they did sit on it for a while.

      I'd like to know more about what's been going on since they discovered this back in May, and the present time. They knew the websites that the operator would have to register in order to send commands to the virus, although I'm sure it wouldn't have been 'simple,' it seems pretty straightforward to then monitor those websites and try to trace the IP of whoever registers it. I'm not familiar with the registration procedures of these sites, but maybe by staking one out you'd even get some more information than just an IP when a person goes to register.

      Then you'd need to keep a lid on everything while you hunted down the person at the other end of the connection, through their country's authorities / a Predator drone / "unfortunate accident" / etc.

      Unless the operator is dead or in jail, I'm not sure why this is being publicized. I mean sure, I find it interesting, but I don't really need to know this. I would have been a lot happier if they had kept it under wraps if it had made catching the person responsible any easier.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    8. Re:The alternative by jcr · · Score: 1

      I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.

      The sober algorithm is cracked. That means you can go right ahead and generate the whole set of Sober URLs if you want, for any date/time you like. Sober will *try* to talk to an NTP server, so you run it on a machine that's isolated from the internet, and feed it bogus time.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    9. Re:The alternative by Gordonjcp · · Score: 1

      Mmm yeah, I see what you mean. You could generate a batch of valid Sober URLs, and compare them against domain registrations. If you were extra extra sneaky, you'd let the culprit, who is probably reading this whole /. article avidly and thus won't be fooled by it, let them register the domain they want so it looks plausible, return the ip address it's supposed to for a few minutes, but then once more than a couple of requests come in point them in the direction of a honeypot. Or 127.0.0.1 even.

  12. What if it's not "AN" author? by core+plexus · · Score: 0, Troll
    With foil hat firmly on, I think what if it's not an author, but something more insidious?

    Call me paranoid, and this may just be a press release to drive traffic to a company, but I see the day coming when small packages pack a big punch.

    I'm actually a bit surprised it hasn't happened yet.

    Caption This

  13. Simple by Placido · · Score: 1, Redundant

    Register one of the URLs and post some code which, when executed, stops the worm executing. Rinse. Repeat.

    --

    Pinky: "What are we going to do tomorrow night Brain?"
    Brain: "I would tell you Pinky but this 120 char limi
  14. Applications? by FhnuZoag · · Score: 5, Insightful

    Can we use this discovery to distribute a cure?

    I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.

    Problem solved.

    1. Re:Applications? by Skapare · · Score: 4, Funny

      Better yet, have it install Ubuntu and solve the longer term problem, too. :-)

      --
      now we need to go OSS in diesel cars
    2. Re:Applications? by Anonymous Coward · · Score: 0

      Linux ist for girly men. Us beefcakes use Windows

    3. Re:Applications? by Anonymous Coward · · Score: 0

      sorry, I made a few typos. It should read:
      Linux isn't for girly men. Us fruitcakes use Windows

    4. Re:Applications? by Anonymous Coward · · Score: 0

      Obvious, and illegal. If even one computer is messed up by the fix, F-Secure would be liable for that.

    5. Re:Applications? by spiki · · Score: 1

      I did see a few good points against this (like, it would be illegal to do it, and stuff). What surprises me is that I HAVEN'T seen anyone mention that it's AGAINST F-Secure and other antivirus companies' interest to clean it this way. You know the drill. Step 1: Spread FxD. Step 2: Sell antivirus products. Step 3: Profit and do it again.

      --
      I sell frozen yogurt which i call frogurt
    6. Re:Applications? by lahi · · Score: 1

      And us real hard nuts use NutBSD...aeh, NetBSD...

      -Lasse

  15. He's missing some requirements... by hug_the_penguin · · Score: 2, Interesting

    ...namely that he isn't a multinational corporation and that the patent wouldn't fuck over everyone, er I mean wouldn't protect innovation...

    --
    ~HTP~ Hug that tux ;)
  16. roflcopter by Anonymous Coward · · Score: 4, Funny

    Hay guys I have a gr8 idea, why dont they just put a prog at the urls the virus checks, which an infected coputer can run and it will delete the virus!!

    +5 informative

  17. This is why worm/virus makers... by Anonymous Coward · · Score: 0

    ...should be forced to use open source.

    1. Re:This is why worm/virus makers... by CriminalNerd · · Score: 0, Redundant

      Sony did the same thing and look what good it did them!

      I don't see why they need to post their discoveries. They could have done that AFTER the writer is caught...

    2. Re:This is why worm/virus makers... by Anonymous Coward · · Score: 0

      Maybe because it's not their job to catch virus writers? Their job is to catch viruses. Shouldn't all information be available?

  18. Well known URLs by g-san · · Score: 4, Funny

    one is supposedly http://it.slashdot.org/comments.pl?sid=170643&threshold=1&mode=thread&commentsort=0&op=Reply

    It posts trollish looking messages and chats to you in IM. :)

    Personally, I usually just chill while connected with ethereal running, then connect back to the PCs backdoored by the viruses that are trying to infect my honeypot on tcp/135. Then a simple netstat will show you an established tcp connection back to the IRC server the virus is using to announce itself to the author (not to mention about 500 connections SYN-SENT or ESTABLISHED to PCs being infected/probed, also a good source for other infected, backdoored PCs. You do know what is attacking you and what tcp backdoor it runs, right?) You can usually spot that connection, it has a high TCP destination port, whereas the normal vector port is 135/137/139. It's really sad to see thousands of PCs already announcing themselves to the author on that IRC channel as, "Hey come on over, I am running W2k|2XP. I am XP200453." And there is no one there to give me +OP privs!!! Batrastards!!! I could echo 'you are hacked please visit windowsupdate.com'> the startup folder all I want for days to each one of them to no avail... or echo ''you are a moron, too stupid to own a computer, put it back in the box and yadayadayada....

    I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs. probably echo the same message in the same fashion as above, yet, alas, I am seriously lacking in motivation and spare time. (q.q.v 4. Pr0F1T!!!)

    so little time, so many IP addresses, so many ignorant users.... so many clever, clever coders...

    1. Re:Well known URLs by ScottKin · · Score: 0

      Any chance you could reveal to us what IRC Networks you are seeing when the worm/virus does its callback-notification to the user/author/abuser/scum-of-the-earth?

      Maybe some IRC admins might be lurking and by advising them that their network is being used as the communications channel could help in the further sleuthing of this activity?

      --ScottKin

      --
      I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    2. Re:Well known URLs by g-san · · Score: 3, Insightful

      Unlikely, most I have seen seem to be hacked servers. I saw a log file on an infected PC, I connected to the same server and issued the same commands, but by the time I got there the jig must have been up, not the same PCs/output in the channel. Meaning, I issued the same commands but did not see the pages and pages (and pages and pages and pages, literally thousands) of entries as in the log file of IP addresses and entries like 2K10234 and XP11442. Strange thing is the "IRC" server was still running. I say that cause the commands were IRC like but not full blown RFC 1459. I sent a note to abuse@isp.com. Maybe the author got his list and was covering his tracks, but the goods were already in a log file on the PC. Again, just noticed out of the 500-700 open connections (netstat -an |find "ESTAB") on the infected PC one was not to the virus's vector port, thought I would check it out... took several tries to even get to the same channel. I had to join one channel and then issue a command to join the second channel to even try. Can't remember which worm it was (not sober), but this was a few days after it was announced and thought I would sniff to see how prevalent it was. Odd. The virus descriptions say, "opens a backdoor on port xxx," and I would just try to connect to port xxx after I got connections, sometimes you just get a c:\windows prompt. Very scary, glad I know how to keep my win pc up to date, and run linux otherwise. And I consider that to be an invitation of sorts, as in, "I'm sorry, were you trying to tell me something? Were YOU trying to hack ME? YOU connected to ME. I am only looking out for my own security here."

      I really do the echo something > notice.txt into startup folder, hoping the person will take action and realize they are infected... who knows what good that does. I am also a staunch privacy advocate, so nothing malicious (flame-suit on) from my end. mostly dir c:\windows\system32 |find "" to look for recently installed malware. I could care less about your files. That was how I found the log file that had what looked like a complete connection log to the IRC server. Too bad there are not more good commands in windows command shells (usually a virus opens a socket to cmd.exe) or I would kill and clean up and reboot, or even ftp down the patch, not like MS supports that though. (God the good old days of pre-retirement) This happens in internet time, not human time. If someone was really malicious, there is really no way even hundreds of humans could stop it. I take that back, a good hacker (in the MIT sense...) could reconnect back to the machine and issue some commands to shutdown the proc and stop the scanning, but again you are limited to what is at the ms-dos command shell, and we all know how well the anti-blaster worm worked with its ICMP DoS. But given that a goofball scriptkiddie could connect like I did, maybe that is a good thing (good luck kiddies). Careful what you wish for and all that.

      Disclaimer: Really, if I was black hat, would I post with my own account? (laughs hysterically as g-san gets investigated by the FBI the next day). Anyways come get me, I would love to work for you FBI and you could use my help. ;) /disclaimer

      Here goes... submit...

    3. Re:Well known URLs by geschild · · Score: 1

      "I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs."

      Make all the phones in the world ring at once? ;P
      --
      Karma? What's that again?
    4. Re:Well known URLs by ScottKin · · Score: 0

      Thanks for the excellent info on what you saw. It's a real shame that ISPs can't keep on top of what's happening with their customers' systems or at least implement a process where they monitor and have the ability to identify and trap "suspicious" activity on their network. It might be an administrative headache to implement something like an inline-snort solution for their border or gateway routers for something like a single class-c (or /24 for our CIDR fans) block and then set off alarms when heavy traffic and connects are seen on known ports for customers' systems; It's given that:

      1) Most compromised boxes are end-user boxes on broadband connections

      2) Most ISPs that offer broadband have specific terms of service that virtually forbid any kind of "server" activity on the end-user's system, so they could actually enforce that if they really wanted to by just having something like an inline-snort to do the monitoring and flagging of suspicious activity.

      Another wrinkle in this whole scenario is that many of these compromised boxes are in nations where "sufficiently effective" IT Staff are in very short supply, and end-users are not provided the needed info to secure their systems from being compromised in the first place; many "developing" and quite a few Asian nations ("developing" in relation to IT and Computing Infrastructure) have a huge population of users who are absolutely clueless in regards to the possible dangers of being on such an open network as the Internet; take into account the number of reported "cyber-attacks" targeted at US Government systems emanating from obviously compromised systems in China, South Korea (and to a lesser extent, North Korea), Malaysia and Thailand. I've spoken to many Malaysian and Thai users who go to cyber-cafes to get on the Internet, and I'm astonished at the level of infection and its spread across these systems: 90% of the systems at these cyber-cafes in the aforementioned Asian countries are infected with everything from backdoor-trojans to key-loggers.

      So, where do we go from here?

      --ScottKin

      --
      I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
  19. Recognition by hug_the_penguin · · Score: 3, Informative
    They do it so they can stick a finger up to the cops and say `I'm better than you`, such is the mentality of the virus writer or cracker. They also get recognition within the blackhat community as the person who reaped havoc worldwide. Then there's that smug satisfaction that they haven't been caught. Scientifically, the risk of getting caught topped off with not actually having been caught triggers a dopamine release which makes people feel good. Such is the way virus writers get their thrills.

    The only way they can make money is from a rival company wanting the worm to take down their competition, or a rival country in some cases, wanting to take down a lot of a country's infrastructure based on the net. We're all familiar with the hackers the russian government hired to try and rip down the internet, but it is often attempted with worms too

    --
    ~HTP~ Hug that tux ;)
    1. Re:Recognition by Anonymous Coward · · Score: 0, Informative

      WROUGHT havoc. viruses don't reap havoc. they WREAK havoc.

    2. Re:Recognition by hug_the_penguin · · Score: 1

      Yeah, but it was fairly obvious what was meant. I'll go get my caffeine now

      --
      ~HTP~ Hug that tux ;)
    3. Re:Recognition by Breakfast+Pants · · Score: 0, Flamebait

      Wow, that is some interesting bad grammar; it is particularly interesting coming from someone who is so concerned with spelling.

      --

      --

      WHO ATE MY BREAKFAST PANTS?
    4. Re:Recognition by Knuckles · · Score: 1

      I take it you have never heard of spam?

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    5. Re:Recognition by Hal_Porter · · Score: 0

      The SOBER worm wreaks havok, but if you uploaded some spyware to one of the pseudorandom domains, you could profit from it, hence reaping havok.

      You mispelled ' too, it's 'I'm better than you'

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    6. Re:Recognition by John+Hurliman · · Score: 1

      All the money coming in from shady companies wanting to sell V14GR4 and C14L1S by spamming through botnets doesn't hurt their dopamine flow either. Once you have all these computers looking for software to download you can start negotiating a price, then set up the next URL with a spam bot or DDOS zombie preconfigured for your client.

    7. Re:Recognition by EternityInterface · · Score: 0

      Scientifically, the risk of getting caught topped off with not actually having been caught triggers a dopamine release which makes people feel good.

      Which almost rivals getting laid. (dun dun dun dun dun dun dun dun dun dun...)

      --
      the sun is god
  20. the easy answer is... by Anonymous Coward · · Score: 0

    to not use software that is so easy to get foreign code to execute on. I feel a warm Slackware moment coming...ahhhhhhh.

  21. What's meant by "authorities"? by raehl · · Score: 2, Interesting

    Isn't the authorities being able to block a URL a problem? If authority means "Software I've willingly installed on my computer to block malicious URLs", then good, fine and dandy. If authorities means the government, I'm not so keen about that possibility.

    1. Re:What's meant by "authorities"? by Shimbo · · Score: 1

      Isn't the authorities being able to block a URL a problem?

      I see no harm in the police going to the relevant ISP and asking them either not to register the username 'dfgdfbvbb', or to provide them information on the registrant. If the ISP wants a warrant for the latter, that's fine too.

    2. Re:What's meant by "authorities"? by Anonymous Coward · · Score: 0

      I know why you are concerned... but the government actually should do stuff like that; the entire purpose of a government is to create solutions for a society.

      The problem, where I agree with you, is that they overstep those limited bounds.

      It's a power grab. They always want more power... and want to generalize so they can step in under many conditions instead of just a limited period.

      In theory they could and should do something; in reality, it's a new "power" that can be used later for a not-so-good circumstance.

  22. Now work backwards? by BoldAndBusted · · Score: 3, Insightful

    Hmm... If they can predict forward in time what sites Sober will seek, can they not also look backward in time to see what sites the worm sought in the past? If so, could they not then check the registration records for each of those sites and... find the author?

    1. Re:Now work backwards? by LuckyStarr · · Score: 1

      Do you really believe the author used real names and real IP-Addresses to register the sites?

      --
      Meme of the day: I browse "Disable Sigs: Checked". So should you.
    2. Re:Now work backwards? by BoldAndBusted · · Score: 1

      Do you really believe the author used real names and real IP-Addresses to register the sites?

      Nope. But, it might provide a trail to try to follow, no?

    3. Re:Now work backwards? by mrogers · · Score: 3, Funny

      Police today announced that they have arrested the author of the Sober internet worm. The suspect was named as Mr. Qwert Y. Asdfasdf123 of 456 Hjklhjkl Street, Mnbvmnbv, Alabama. He was caught after using his real name and address to register a website used by the worm.

    4. Re:Now work backwards? by cpuffer_hammer · · Score: 1

      The author could also use shared-domain dynamic DNS sites that let users hang subdomains off other users' real domains. This way he would not have to register a domain, just add a subdomain to one of the shared domain sites and point the subdomain to the IP address of choice.
      A web mail service (Yahoo or Google) address could work also, as you could put the IP of the real server in an email and have each copy of the virus read but not delete the email (leaving it for other copies to read).
      Even a posting on Slashdot could work, though it would take a bit of code for the virus to search through all the Anonymous Coward posts to find the one with the hidden IP address dasjf;ladsjf;alsdjf;aldsjf to the system with the code on it.

      Charles Puffer

    5. Re:Now work backwards? by Alsee · · Score: 1

      Hey!
      I live in Mnbvmnbv, Alabama, you insensitive clod!

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  23. Sophistication by squoozer · · Score: 4, Interesting

    I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

    To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

    1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on its own. This version doesn't need to be terribly good; it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
    2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
    3. Hole exploited by the stage two virus is closed. Many are lost.
    4. Author writes new exploit module and uploads it to virus network, which then re-infects lost boxes and new boxes.
    5. Virus scanners get to understand core virus and destroy numerous infections.
    6. Author releases new version into the virus network which upgrades current installs. And so it goes on.
    7. ???
    8. Profit!

    Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

    BTW I'm not a virus writer.

    --
    I used to have a better sig but it broke.
    1. Re:Sophistication by andersa · · Score: 1

      In any case this version of Sober is truly the nastiest I have seen hitting my server as of yet. First recognized by ClamAV on the 21st of November. I haven't got a precise count but it's got to be at least 400 emails in quarantine up to now, and they just keep coming in. Excluding phishing emails that are also blocked by ClamAV, it's probably at least a 400% increase in the average amount of quarantined mails per day.

    2. Re:Sophistication by alpha713 · · Score: 1

      I'm sure plenty of people have the knowledge and ability to implement this and other sophisticated viruses. Thankfully most anyone with that kind of ability has better things to do with their time.

    3. Re:Sophistication by cspring007 · · Score: 1

      Microsoft is.
      Its called Windows.

    4. Re:Sophistication by TorKlingberg · · Score: 1

      I think this would expose the virus writer to a big risk of getting exposed. If I wrote a virus, I would write it so that I can take it with me to a public computer, infect a few other machines from there, go away and let the virus do its work without any more contact with me.

    5. Re:Sophistication by squoozer · · Score: 1

      Maybe the V2V network could use some form of anonymizing network technology then - it's slow, but what would the virus author care? Digitally sign the updates as well, so the virus only accepts updates from the real author. The technology is there and just waiting to be exploited.

      --
      I used to have a better sig but it broke.
    6. Re:Sophistication by m50d · · Score: 1

      I have the basics of such a virus stashed somewhere secure. Once you're good enough to do something like you're suggesting you've usually grown out of wanting to release it.

      --
      I am trolling
    7. Re:Sophistication by squoozer · · Score: 1

      Yeah, kind of lucky the world works that way for the most part. Trouble is it only takes one person to let the cat out of the bag. The virus design in my initial post would be easy enough to stop on individual machines but, like type 1 herpes simplex (the virus that causes cold sores in humans), there would always be an unreachable portion of machines that can't be disinfected, so the virus can re-emerge from these (the herpes virus lies dormant in the nerves where there is no immune response). It's an interesting problem to try and solve. I certainly can't think of a good solution.

      --
      I used to have a better sig but it broke.
    8. Re:Sophistication by Anonymous Coward · · Score: 0

      Part of this is the small size of the hole that the virus must fit through. Too large and instead of an infection the program will actually crash. Other times randomization requires a large NOP sled. Additionally, once a binary is infected the virus must run in a reduced environment, particularly if it already corrupted memory through an exploit.

    9. Re:Sophistication by Tom · · Score: 1

      Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations.

      Nonsense. Size is a negligible factor, unless you go into MB sizes. There's almost no difference between a 2k and a 10k worm. I already proved that more than two years ago (see my worm paper, this is on p. 15).

      Your initial stage is also covered there.

      The whole plugin stuff is something I've looked at after writing the paper, and talked about it in a speech called "The Future of Malware" at two conferences.
      There's lots of stuff possible here, but the main point is: It ain't necessary. Why spend hours upon hours on a smart worm or virus, if you can hack up a passable one in 30 minutes and it's good enough?

      --
      Assorted stuff I do sometimes: Lemuria.org
    10. Re:Sophistication by squoozer · · Score: 1

      Well you have the drop on me there. I'm not, and never claimed to be, a virus researcher, so I'm hardly likely to be up on the "latest thing" or even nearly the latest thing. Interesting looking paper though; I'll have a proper read later.

      Perhaps a hacked together virus is good enough, but why stop at good enough? These people want to own 10000 machines. That requires some management. Why not make that management simple by writing a decent worm? AFAIK there isn't a virus that forms its own (distributed) network to ward against counter attacks by, for instance, going quiet for a while.

      --
      I used to have a better sig but it broke.
    11. Re:Sophistication by m50d · · Score: 1

      Reject packets from machines which have attempted an attack known to be one used by this virus. But then you possibly knock out too many legit users. Allow them if they didn't attempt the most recent attack, I suppose.

      --
      I am trolling
    12. Re:Sophistication by marcosdumay · · Score: 1

      I can see where you are going with this. A virus swarm, capable of communicating within itself and evolving. For that to become the nightmare of any security person we need the virus to not be a monoculture and be capable of recombination.

      Add some random mutations (without excluding the non-random upgrades) and we have a swarm of evolved creatures that want just to infect computers. The virus writer will need a way to force them to actually attack anything; I guess it could be a social way.

      There is nothing preventing a population of small viruses from developing a very complex social behaviour. If they are not equal, we can see several complex social behaviours. That would be unstoppable.

      "BTW I'm not a virus writer."

      If you were, you wouldn't be writing about it on ./ :)

    13. Re:Sophistication by Tom · · Score: 1

      why stop at good enough. These people want to own 10000 machines.

      And 10k machines doesn't even require a "good enough" virus/worm. A crappy one will do.

      Well-managed botnets by large players are on the 200k size. I think the largest I've ever heard of being for sale was 400k.

      And yes, there have been worms that formed distributed networks, but for other purposes. A network defending itself has been in research for a couple of years, and many ideas have been created. However, it probably isn't cost-effective. Which means that it's cheaper to lose 10k machines and root another 10k than add protection code.

      --
      Assorted stuff I do sometimes: Lemuria.org
    14. Re:Sophistication by AnotherBlackHat · · Score: 1

      I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication

      Maybe when it's sophisticated enough, you don't see it. I.e. they're out there, they just haven't been detected.

    15. Re:Sophistication by glesga_kiss · · Score: 1

      I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication.

      If a worm is truly sophisticated, no one will have seen it! In theory, you could write one so well hidden that the only way to detect it would be the chance discovery via a packet scanner. Also, remember the adage: the tall weeds get chopped first. A sophisticated worm might even take steps to restrict its numbers to attempt to avoid detection due to obscurity.

      Anti-virus writers will have their work cut out over the next 10 years and beyond. The problem may even require some (user controlled!) trusted-computing techniques, although the simple idea of putting the OS on read-only media might go a long way, given an OS designed/tweaked to operate that way.

    16. Re:Sophistication by Anonymous Coward · · Score: 0

      I see what you're saying. Any sufficiently advanced virus is indistinguishable from Windows.

    17. Re:Sophistication by beholder · · Score: 1

      Boring,

      I am not a virus writer, but some 5 years ago there were ideas much more advanced than this (except for P2P bit). If in doubt, search for polymorphic multi-partite self-encrypting virus engines.

      What really happened to all that was Outlook email and Visual Basic. It suddenly became so easy to write a basic virus that the next stage of the evolution got lost in all the noise.

      Think the September that never ended for the advanced virus writers.

      Of course now with the lure of money from phishing and like, this may all be coming back. That would suck.

  24. This is a new one... by Slashcrap · · Score: 4, Insightful

    I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.

    It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.

    So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.

    The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want, but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.

    1. Re:This is a new one... by Alex+Zepeda · · Score: 4, Informative

      I'm curious if you bothered to read F-Secure's blog:

      So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.

      Something to think about.

      --
      The revolution will be mocked
    2. Re:This is a new one... by Anonymous Coward · · Score: 0

      It makes no difference, the evidence is out there on millions of infected computers. Other virus writers have been caught and prosecuted long after the virus died out.

    3. Re:This is a new one... by Tom · · Score: 2, Insightful

      AV is more about marketing than technology anyway.

      No, it isn't. Not about either of those. It's about hard work. AV means having honeynets to catch the malware, then take it apart, create a signature, plug that into your file and send out an update. All as quickly as possible, pretty much around the clock.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:This is a new one... by Havokmon · · Score: 1

      The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial.

      Or maybe they just watched the DNS lookups from an infected machine for a week and just figured out what the next day would be....

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    5. Re:This is a new one... by Anonymous Coward · · Score: 0

      debuggery (if that isn't a word it should be)
      Well, you know what buggery is... right?

    6. Re:This is a new one... by Slashcrap · · Score: 1

      No, it isn't. Not about either of those. It's about hard work. AV means having honeynets to catch the malware, then take it apart, create a signature, plug that into your file and send out an update.

      There may be tens of thousands of viruses, but there aren't that many different types or new techniques. The fact that they are making such a song and dance about this particular novelty is proof of that. This isn't the work of some genius hacker. It's the work of somebody who thought, "Hmm. I need my virus to download updates but I don't want to put the list of URLs in the code because then I'll get busted easily" and then took the most logical and obvious step - using an algorithm to generate them.

      If you think that people in the security industry, especially the AV industry slave around the clock over a hot keyboard with only your happiness and security in mind, you need your head examined. Especially if you actually work in the industry.

      All as quickly as possible, pretty much around the clock.

      And usually far, far too late. But never mind, it's another one to add to the list of 90,000 viruses that your product detects. Buy our product and feel secure! Your PC hasn't slowed down - you are imagining things! Don't hit that uninstall button or we'll rape your PC so hard it won't be able to sit down for a week. And don't you dare ignore any of the popup messages our product shits out of your system tray even if they interrupt your work and drive you insane. How else will you know how fucking great our product is?

  25. uh.. by nexcomlink · · Score: 2, Insightful

    How do they or anyone of us know it's going to be expected on that date? Nobody can predict an outbreak because there is never a set time for one. If the virus author can change the date he would. Like they say always expect the unexpected and what was expected is deemed to be better or worse than it was intended to be.

  26. Next headline - F-Secure in violation of DRM by Knightlymuse · · Score: 5, Funny

    Gets sued by virus writer. :)

    1. Re:Next headline - F-Secure in violation of DRM by emptycorp · · Score: 1, Insightful

      Did you mean DMCA?

    2. Re:Next headline - F-Secure in violation of DRM by Anonymous Coward · · Score: 1, Interesting

      that's an interesting problem actually

      Say this algorithm was copyrighted, and used in a legitimate product.

      The virus was written by someone else, who licensed this code legitimately.

      Can the non-virus-writing owner now sue the antivirus companies for DMCA violations?

    3. Re:Next headline - F-Secure in violation of DRM by plj · · Score: 1

      Did you mean DMCA?

      F-Secure is a Finnish company; it does not apply (unless they were sued in the United States). The Finnish implementation of the European Copyright Directive would, but it is not effective until 1.1.2006.

      --
      “Wait for Hurd if you want something real” –Linus
    4. Re:Next headline - F-Secure in violation of DRM by Ryosen · · Score: 1

      That "whooshing" sound you hear is the joke flying right over your head.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    5. Re:Next headline - F-Secure in violation of DRM by plj · · Score: 1

      I do realise that grandparent was a joke – after all, it currently scores at "+5, Funny". My parent that currently scores at 0, however, was not, but rather had the attitude that DMCA applies worldwide. So I decided to write a correction.

      --
      “Wait for Hurd if you want something real” –Linus
    6. Re:Next headline - F-Secure in violation of DRM by Anonymous Coward · · Score: 1, Insightful

      As unlikely as that may be, it's exactly what we need to rid the world of DMCA like bullshit.

    7. Re:Next headline - F-Secure in violation of DRM by Anonymous Coward · · Score: 0

      Wait, let me guess. You were the 2005 poster child for Asperger's?

  27. Many viruses come from very talented people... by blorg · · Score: 4, Insightful

    ...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)

    1. Re:Many viruses come from very talented people... by AkaXakA · · Score: 1

      Thing is, the guy (original one anyway) lives in Germany.

    2. Re:Many viruses come from very talented people... by arose · · Score: 2, Informative

      Believe it or not, but part of Germany is also part of the former Soviet Bloc...

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    3. Re:Many viruses come from very talented people... by Anonymous Coward · · Score: 0

      WeST or EaST?

    4. Re:Many viruses come from very talented people... by Anonymous Coward · · Score: 0

      Yeah, when I get unemployed I always launch some ICBMs to vent off stress. :)

  28. At least Viruses dont spontaneously mutate by voss · · Score: 1

    If you think upgradeable viruses are bad...wait until you see computer viruses self-mutate and evolve. Laugh if you want...it will come one of these days.

    1. Re:At least Viruses dont spontaneously mutate by Anonymous Coward · · Score: 0

      Polymorphism, metamorphism and entry point obscuring which could be considered "mutation" on a par with biological viruses have been around for ages, the problem is that even very good ones can always be detected via heuristics or static bytes in the decryptor. A virus can't just start rewriting itself with whacky random code because programs have to conform to very strict rules to still work, whereas biological mutations have more leeway as a result of extremely large populations and significant amounts of 'junk' RNA that doesn't do anything.

      It's reasonable to expect that we will see weak AI viruses eventually, but it's not happening anytime soon.

    2. Re:At least Viruses dont spontaneously mutate by marcosdumay · · Score: 3, Insightful

      "A virus can't just start rewriting itself with whacky random code because programs have to conform to very strict rules to still work, whereas biological mutations..."

      That statement is naive. Biological organisms also have very strict rules that they need to conform to, even stricter than computer programs. That is why most mutations are lethal.

      Biological viruses don't have anything like junk DNA to mutate into something useful. This happens because biological viruses are also constrained to a small size, just like the computer ones.

      The biological virus can spread while mutating because each virus creates millions of descendants with hundreds of different mutations. Just out of luck, some can spread well. We can do this with computer viruses too.

    3. Re:At least Viruses dont spontaneously mutate by Ch*mp · · Score: 1

      "Biological viruses don't have anything like junk DNA to mutate into something useful. This happens because biological viruses are also constrained to a small size, just like the computer ones."

      Not true. Get yourself a degree in genetics and come back later.

    4. Re:At least Viruses dont spontaneously mutate by CCFreak2K · · Score: 1

      That would make for an unusual a-life experiment: Design a program with some function, put in self-replicating capabilities, then give it some time in a sandbox to replicate and mutate. Depending on how fast it could replicate, it wouldn't have to mutate very fast; just change bits and pieces of code. On a long enough time scale, you could engineer and grow a perfect program.

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  29. New life form by La+Gris · · Score: 1

    As they get 'smarter', someday, computer viruses and worms may become life forms. It's no magic that these have been called life forms already.

    This is an unreported, unknown new life form, Sir. We should not destroy or interfere with its existence due to The Prime Directive.

    --
    Léa Gris
    1. Re:New life form by Anonymous Coward · · Score: 0

      Viruses lifeforms? Who says the viruses weren't written by internet connected artificial lifeforms? Every virus that doesn't have a named author could be this. There is no way to prove a human wrote a virus.

  30. Next weeks article: by Kuvter · · Score: 0

    "Drunk's code cracked."

    --
    "To be is to do." --Socrates
    "To do is to be." -- Aristotle
    "Do-Be-Do-Be-Do..." --Sinatra
  31. unless they don't actually know by FlippyTheSkillsaw · · Score: 1

    nothing to see

  32. Hopefully by beast6228 · · Score: 0

    Hopefully Sober gets drunk on New Year's Eve and doesn't become sober until after the 5th. Even better yet, maybe Sober will get alcohol poisoning and die.

    --
    ~Later~
  33. RTFA by igb · · Score: 4, Informative

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.

    1. Re:RTFA by taursir · · Score: 2, Interesting

      But he must know this by now. He probably reads Slashdot.

    2. Re:RTFA by Anonymous Coward · · Score: 0

      He probably reads Slashdot.

      I do not. I do all of my reading and posting at http://home.pages.at/erj4uso3lnmj2isodp82j/

  34. Mod the parent down by Alex+Zepeda · · Score: 4, Informative

    Read the F-Secure blog.

    Or read my previous comment.

    F-Secure didn't simply crack the algorithm yesterday.

    --
    The revolution will be mocked
    1. Re:Mod the parent down by stixman · · Score: 1

      Since when do you mod people down for NOT RTFM?

      --
      -
  35. RTFA by Anonymous Coward · · Score: 0

    Seriously, the article's not that long. And if you read it, you'd know why the worm won't reveal future dates. Hint: it has to do with atomic clocks, and time synchronization.

    (Yes, yes, it could still, technically, be sandboxed. But doing it this way makes determining URLs that much easier.)

  36. To expand... by interactive_civilian · · Score: 4, Insightful

    They know the activation date (January 5, 2006), and they know the URLs that Sober will try to connect to on that date, right? From this, I see a few things:

    1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.

    2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?

    3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...

    4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...

    5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.

    Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...

    Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
    1. Re:To expand... by Anonymous Coward · · Score: 0

      Instead of trying to block the URLs at many ISPs, just have the ISP of the worm payload site do it.

  37. I want to make a difference .... because I can by Gopal.V · · Score: 1

    Hackers and virus writers - They both do things which will let them sit back and be proud of what they've done.

    Some people do constructive things for that, others do very destructive things.

    It's the rush of having made a difference in this world that drives both categories of people. Some sadly seem to like hiding and laughing, some others prefer to do creative things.

    Once you're into adulthood, being a puppet master online starts to lose its charm and you want more bragging rights - which is one of the things that drives some h4x0rs back onto the straight and narrow path of goodness.

    1. Re:I want to make a difference .... because I can by baadger · · Score: 1

      Once you're into adulthood, being a puppet master online starts to lose its charm and you want more bragging rights - which is one of the things that drives some h4x0rs back onto the straight and narrow path of goodness.

      So the Sober worm author's destiny is to become a mild mannered hard working citizen in the IT work place. Who'd have thunk it.

  38. BZZZZT!!! Talking out of you a** ... by hummassa · · Score: 3, Informative

    Ok, so, it's /., we don't usually RTFA, but those are the domains:
    http://people.freenet.de/
    http://scifi.pages.at/
    http://home.pages.at/
    http://free.pages.at/
    http://home.arcor.de/
    not really "alphabet soup with a TLD suffix", uh?

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:BZZZZT!!! Talking out of you a** ... by mrogers · · Score: 1

      Those are all domains that host websites for their users, so the complete domain name will be something like username.people.freenet.de (or 20a39387c9b9d97693827e98bf17190123.people.freenet.de).
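
Comment 36's idea of having ISPs monitor requests to the predicted URLs, combined with the hostname shape described above (a hex-looking account name under one of the five listed hosting domains), as an added example that is not from the original thread or from F-Secure: a small Python detector that scans proxy-log lines for requests to such hostnames and groups them by client address so the account holders could be notified. The log format, the "at least 16 hex characters" rule and the sample lines are assumptions of this example; it does not implement Sober's own URL algorithm, which this page does not give.

```python
import re
from collections import defaultdict

# Hosting services quoted in comment 38 (from F-Secure's list).
SOBER_HOST_DOMAINS = (
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
)

# The generated account name is expected to look like a long hex string,
# e.g. "20a39387c9b9d97693827e98bf17190123.people.freenet.de" as quoted
# above. The minimum of 16 hex characters is an assumption of this example.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")

# Assumed (constructed) log format: "<timestamp> <client_ip> <host> <path>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S*)$")

# Constructed sample log; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2005-12-06T09:00:01 192.0.2.10 www.example.com /index.html
2005-12-06T09:00:02 192.0.2.10 20a39387c9b9d97693827e98bf17190123.people.freenet.de /
2005-12-06T09:00:02 192.0.2.10 20a39387c9b9d97693827e98bf17190123.home.arcor.de /
2005-12-06T09:00:05 192.0.2.11 alice.free.pages.at /photos/
2005-12-06T09:00:06 192.0.2.12 9f8e7d6c5b4a39281706f5e4d3c2b1a0.scifi.pages.at /
2005-12-06T09:00:07 198.51.100.7 people.freenet.de /
garbage line that does not parse
"""


def is_sober_style_host(host: str) -> bool:
    """True if host is <hex-account>.<one of the listed hosting domains>.

    Ordinary user pages (alice.free.pages.at) and the bare service domain
    itself are not flagged, which keeps false positives down.
    """
    host = host.lower().rstrip(".")
    for base in SOBER_HOST_DOMAINS:
        suffix = "." + base
        if host.endswith(suffix):
            account = host[: -len(suffix)]
            # exactly one label, and that label must look like a hex string
            return "." not in account and bool(HEX_LABEL.match(account))
    return False


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that don't fit."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, ip, host, path = m.groups()
    return {"ts": ts, "ip": ip, "host": host, "path": path}


def find_suspect_clients(lines):
    """Return {client_ip: sorted list of suspect hosts} for matching requests."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_sober_style_host(rec["host"]):
            hits[rec["ip"]].add(rec["host"].lower().rstrip("."))
    return {ip: sorted(hosts) for ip, hosts in hits.items()}


def notification_lines(hits):
    """One human-readable line per client, suitable for an abuse-desk ticket."""
    return [
        f"{ip}: {len(hosts)} request(s) to generated Sober-style hosts: "
        + ", ".join(hosts)
        for ip, hosts in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in notification_lines(find_suspect_clients(SAMPLE_LOG.splitlines())):
        print(line)
```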

    2. Re:BZZZZT!!! Talking out of you a** ... by Gordonjcp · · Score: 1

      TFA was hosed by the time I posted. Thanks for the heads-up. As another poster has said, these require a user registration. Should be fairly easy to detect, particularly if you notice hundreds of hits to a "funny" username.

    3. Re:BZZZZT!!! Talking out of you a** ... by Phisbut · · Score: 1
      not really "alphabet soup with a TLD suffix", uh?

      My alphabet soup just showed me "home.arcor"... add .de at the end and you get alphabet soup with a TLD suffix

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
  39. Will the author use the DMCA to sue F-Secure? by lightweave · · Score: 1

    Apparently F-Secure reverse engineered this virus. So now the author can sue them, based on the DMCA, and MAKE MONEY FAST. :)
    What a wonderful new "Get Rich" scheme this provides.

  40. They cracked it in May! by kyz · · Score: 5, Informative
    My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

    As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.
    --
    Does my bum look big in this?
    1. Re:They cracked it in May! by Anonymous Coward · · Score: 0

      Thank you very much, F-secure. If they DID crack it in May then a lot of good they did by letting it spawn all of that crap in November. Sounds like Britain and Enigma during World War II.

    2. Re:They cracked it in May! by griffjon · · Score: 1

      Hold on, if they cracked this in May and disclosed to the relevant authorities, WTF happened in NOVEMBER when its hundreds of bounces slowed the mail server at my webhost to a grind?

      Are they going public now because the authorities haven't done anything?

      --
      Returned Peace Corps IT Volunteer
    3. Re:They cracked it in May! by kyz · · Score: 1

      They can't stop the virus spreading. That's the fault of the poor saps who get fooled into starting it up.

      They can, however, stop the virus calling home and downloading the secret payload that the virus author intended to launch on 5th January 2006.

      --
      Does my bum look big in this?
    4. Re:They cracked it in May! by keith.gillum · · Score: 0

      What about a less obvious scenario. The author put the algorithm in, knowing it would eventually be cracked. Once it's cracked, everyone is misdirected to setting up elaborate traps to snare said author. But! The laugh is on them, because buried deeper is the real URL that will be used. I doubt anyone, F-Secure included, can rule out what the methodology for the author's madness is...

      --
      Linux is user friendly, it's just picky about to whom it's friendly...
  41. isn't that illegal by god64 · · Score: 0

    Under what license was the virus published? As a company they have to respect copyright. What would F-Secure say if someone had done this to the viruses they have developed... er, sorry, I meant anti-virus software... of course...

  42. conspiracy theory by Anonymous Coward · · Score: 0

    Well... in my paranoid conspiracy theory, I think it may be one of these:

    - The worm author is hired by the AV company (as I think a big part of virus coders are...)
    So, the AV company announced it publicly and then he knows "he should stop registering urls..."

    or ...

    - The AV company didn't break the algorithm, but lied. Then they make the virus inefficient...

    well I dunno, just paranoid stupid thoughts after a non-slept night.

  43. Strange scoring system on /. by Anonymous Coward · · Score: 0
    Why are these two postings - which are even located *together* - so differently scored?

    #1
    Simple(Score:2) by Placido (209939) on Friday December 09, @04:04AM (#14217614) Register one of the URLs and post some code which, when executed, stops the worm executing. Rinse. Repeat.


    #2
    Applications?(Score:5, Insightful) by FhnuZoag (875558) on Friday December 09, @04:05AM (#14217617) Can we use this discovery to distribute a cure? I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction. Problem solved.
    Please explain why the second posting, stating the obvious content of the previous posting, seems to get the credit for the idea?

    --Anon--
    1. Re:Strange scoring system on /. by Anonymous Coward · · Score: 0

      Who do you want to explain, Placido? The moderators who read the comments newest to oldest at -1?

  44. Why did they have to crypto'ally crack the code? by ArsenneLupin · · Score: 2, Interesting
    Why did F-Secure (and other AV researchers) have to cryptographically crack the code? Couldn't they simply have advanced the clock on their PC, and empirically snoop which URLs the virus would check?

  45. Dead drops by mrogers · · Score: 1
    I just hope it doesn't search the web with a smart algorithm that can interpret human text and read open source software source code to search for more software flaws in networked software

    Or the worm carries a public key and monitors Usenet for new exploits signed with the corresponding private key, then distributes them to any other copies of the worm it knows about using a gossip algorithm - only a few copies need Usenet access and the attacker can post updates from anywhere.

    Or each copy of the worm scans the local browser history for domain names, concatenates each domain with the date and its own IP address, hashes it, and requests the root web page from the domain if the first byte of the hash is zero. This means each copy scans a different part of the namespace, the area scanned changes each day, and the area scanned matches local usage (less suspicious and harder to block). If one of the copies finds a signed update, it propagates it to the other copies using a gossip algorithm. The attacker doesn't need to choose a domain in advance - when he wants to distribute an update he just cracks a random website, inserts an HTML comment containing the update into the root page, and waits for the worm to pick it up.

  46. The URL by Anonymous Coward · · Score: 0

    The Jan 5 URL is said to be www.windowsupdate.com

  47. New Open Source Project Idea by Fazed · · Score: 1
    A service that precalculates/derives these URLs from a sandbox and then optionally:

    • Updates the access lists on my cisco router preventing connections to all affected domains
    • Updates the rules on my linux firewall to prevent connection to these domains
    • Updates a central hosts file that is compatible with win32/linux and osx which maps all affected domains to some safe value, to be used during logon scripting
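
The pipeline comment 47 asks for, as an added example that is not code from the thread, from F-Secure or from any project named here: precalculate the candidate URLs for a window of dates, turn them into a URL-level blocklist, and match constructed proxy-log lines against it to find infected clients. The real Sober algorithm is not given on this page, so candidate_label is a hypothetical stand-in (a keyed SHA-256 of the date and base domain); STAND_IN_KEY, the 12-letter label length, the log line format and the 10.0.0.x client addresses are all assumptions. The list is keyed by full URL rather than by host because blocking a whole free-hosting domain would also cut off every legitimate user of it, the concern raised in the reply to comment 64.

```python
"""Precalculate date-dependent candidate URLs, emit a blocklist, match logs.

The real Sober algorithm is not on this page. `candidate_label` is a
HYPOTHETICAL stand-in (keyed hash of date + base domain) so the surrounding
blocklist/detection pipeline can be exercised; substitute the real routine.
"""
import hashlib
from datetime import date, timedelta

# Free-hosting base domains named in the thread (comment 38).
BASE_DOMAINS = (
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
)

# Activation date reported in the thread.
TRIGGER_DATE = date(2006, 1, 5)

# ASSUMED: a fixed key stands in for whatever constants the real code uses.
STAND_IN_KEY = b"hypothetical-stand-in-key"


def candidate_label(day: date, base: str) -> str:
    """HYPOTHETICAL: derive a 12-letter user-path label from the date and domain."""
    material = STAND_IN_KEY + day.isoformat().encode() + base.encode()
    digest = hashlib.sha256(material).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:12])


def candidate_urls(day: date) -> list[str]:
    """URLs of the shape quoted in comment 64: http://<base>/<label>/"""
    return [f"http://{base}/{candidate_label(day, base)}/" for base in BASE_DOMAINS]


def blocklist(start: date, days: int) -> dict[str, date]:
    """Map every candidate URL in [start, start + days) to the day it goes live.

    Keyed by full URL (proxy/ACL level) rather than by base domain, so the
    legitimate users of the shared hosts are not blocked along with it.
    """
    out: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for url in candidate_urls(day):
            out[url] = day
    return out


def find_hits(log_lines, blocked) -> dict[str, list[str]]:
    """Return {client_ip: [matched urls]} for proxy-log lines.

    ASSUMED log format (constructed for this example):
        <timestamp> <client_ip> <method> <url>
    """
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than crash the scan
        client, url = parts[1], parts[3]
        if url in blocked:
            hits.setdefault(client, []).append(url)
    return hits


def sample_log(day: date) -> list[str]:
    """Constructed proxy log: two clients, one of which fetches a candidate URL."""
    live = candidate_urls(day)[0]
    stamp = day.isoformat()
    return [
        f"{stamp}T08:00:01 10.0.0.7 GET {live}",
        f"{stamp}T08:00:02 10.0.0.8 GET http://www.example.org/",
        f"{stamp}T08:00:03 10.0.0.7 GET http://www.example.org/",
    ]


def demo(start: date = TRIGGER_DATE, days: int = 7) -> dict[str, list[str]]:
    """Build a one-week blocklist and scan the constructed log against it."""
    return find_hits(sample_log(start), blocklist(start, days))


if __name__ == "__main__":
    for url, day in sorted(blocklist(TRIGGER_DATE, 2).items(), key=lambda kv: kv[1]):
        print(day, url)
    print(demo())
```

The same blocklist dict can be written out as a proxy ACL or as firewall rules once the recovered algorithm replaces the stand-in; the detection half is the part worth keeping either way, since it identifies which internal clients are infected rather than just denying the fetch.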
  48. Viruses are bad, but... by homofaber · · Score: 1

    Viruses are bad. Nobody can argue that. And I'm against writing them. But viruses have done something good: people started to think about security of their systems and their data. What would happen if there were not so many viruses? Most people wouldn't even know that their computers are vulnerable, and that would mean a lot of secret data goes to black hats. This way even my father knows that he must be protected. http://www.aids.org/

  49. Nice but... by Viper+Daimao · · Score: 0, Redundant

    I'm still going to stick to my old protection

    --
    "In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
  50. MOD PARENT DOWN SHAMELESS MARKETING by Anonymous Coward · · Score: 0

    see topic

  51. Re:Why did they have to crypto'ally crack the code by Anonymous Coward · · Score: 0

    "Why did F-Secure (and other AV researchers) have to cryptographically crack the code? Couldn't they simply have advanced the clock on their PC, and empirically snoop which URLs the virus would check?"

    Well, if the guy used a good pseudo-random hash (i.e., based on the timestamp), we don't know (yet) how to predict what a random day will create. If this weren't the case then you could easily predict what a password was based on the hash value. What the researchers are doing is the other way around -- knowing an input value (i.e., the date), they can now know what the output value (the URL) is going to be.

  52. Reminds me of a song..... by Theovon · · Score: 2, Funny

    Sober cracked code, and I don't care. Sober cracked code, and I don't care. Sober cracked code, and I don't caaaaaaaaare. And the hacker's gone away.

    (Note: I apologize to anyone who is aware of the origins of the song I'm parodying.)

    1. Re:Reminds me of a song..... by Anonymous Coward · · Score: 0

      Jimmy cracked corn?

  53. Re:Ok Great by Anonymous Coward · · Score: 0

    The problem is an inability to block all potential URL registrations a worm might generate. By utilizing the system clock as a seed, there could be google-zillions of URLs. http://www.67539474c54ff91620.com/ anyone?

  54. Clean and Sober by Ritz_Just_Ritz · · Score: 2, Interesting

    Why not use this information to post disinfection code on the next Sober trigger date? That seems like the best use of this information since the author has probably already been tipped that he/she can't post their own code anymore. I wonder how many Sober-infected PCs are still in the wild? Cheers,

  55. Re:Why did they have to crypto'ally crack the code by sholden · · Score: 1

    And the point is that they could already do that, with this simple algorithm:

    get url (date):
            set computer date (date)
            run Sober worm
            see what URL it uses
            return that URL

    Of course you could probably extract the portion of the code that does the generation and just jump to it.

  56. Re:Why did they have to crypto'ally crack the code by Butterspoon · · Score: 3, Informative
    This wouldn't work because the worm syncs with a timeserver, so you get the activation on the target date even if your system clock's wrong.

    Yeah, you could spoof the response from the timeserver, but simply cracking the code is far more elegant.

    --
    pi = 2*|arg(God)|
  57. DMCA by watermark · · Score: 2, Funny

    The Sober author should have included a EULA. "By using your computer, you accept the terms and conditions located at C:\eula.txt"

  58. Re:Hard to admit, but North Korea... by BoRegardless · · Score: 2, Insightful

    & China & India groups might be using surreptitious quiet entries to gather up all sorts of intellectual property secrets so they don't have to invent them "in-house".

  59. sober worm = good idea by digitallysick · · Score: 0

    I think it's great. If you're smart enough to create something like that, it's not worth jail, but it would look good on your resume.

  60. Re:Why did they have to crypto'ally crack the code by Shimbo · · Score: 1

    Why did F-Secure (and other AV researchers) have to cryptographically crack the code?

    I didn't see any mention of cryptography in the article: it just sounded like plain old reverse engineering.

  61. Snigger by ncurtain · · Score: 0

    program

    Stupid colonists! (Give it back and apologise, I say.)

  62. Viruses are bad, mkay? by Anonymous Coward · · Score: 0

    Kids viruses are bad. So are jewish people. Heil Sober!

  63. Hmmm by TheSpoom · · Score: 1

    Now that they've revealed how to do this... Could someone now register said URLs before the virus author does and thus wrest control of this massive botnet? Or, on the other hand, could a company like F-Secure register one of the URLs to point to an autocleaning Sober scan program?

    I guess it's a race!

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  64. About the hosting companies... by JTorres176 · · Score: 1
    Reading this article, I see that sober will update itself from the following sites,
    • http://people.freenet.de/gixcihnm/
    • http://scifi.pages.at/agzytvfbybn/
    • http://home.pages.at/bdalczxpctcb/
    • http://free.pages.at/ftvuefbumebug/
    • http://home.arcor.de/ijdsqkkxuwp/
    Can these companies be held to any type of punishment for allowing this to happen over their domain? Is there some type of regulation that applies for allowing your site/service to be used to replicate and/or update malware and viruses?
    --
    Evil Walrus >83=
    1. Re:About the hosting companies... by Sancho · · Score: 1

      Why would they? They aren't working with the author, they just happen to be (presumably free) webpage hosting sites.

      Now that the algorithm is known, they could block registration for those names, but that's getting into some potential DoS problems.

  65. Took You Long Enough by Nom+du+Keyboard · · Score: 1

    Took you long enough. I'll bet DVD-Jon could have done it over the weekend.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  66. Why crack?Just set your clock to any date you need by Anonymous Coward · · Score: 0

    ...and see what URLs the thing will try to communicate to "on the particular date in the future"...

  67. Headlines: Sober worm writer discover by Anonymous Coward · · Score: 0

    The unique method of using a random URL was too tempting for the author of the Sober worm. An international patent search reveals the method is patented by a Mr. ....

  68. Malware Monitoring by cyberscan · · Score: 1

    I use a Linux machine for a firewall. It monitors and filters all incoming and outgoing IP packets. If I deliberately infect a Windows machine, I can tell what packets are going to where. I can even redirect some of these packets to a computer I control. That way, I can control malware and what actions it takes.

    Once this is done, I can block, unblock, or redirect IP packets as I see fit. I run a network which has about 20 Windows based computers, and only one computer on the network has antivirus protection, yet there have been no malware infections. The reasons for this are simple.

    1. I set firewall policies that block idiot users from all outside sites and unblock only specifically requested sites (if appropriate).

    2. My email filter defangs all attachments unless the file extension is specifically exempted from the policy.

    3. I also have disabled the Windows Autorun feature, and I have also restricted privileges on Win XP and 2k computers so that people on my network also do not have admin access to their computers by default.

    4. I give each user an instruction manual on computer security and why they should follow certain security practices. I assume that people will read this manual and follow absolutely none of the instructions. In other words, I assume that every user is a clueby until proven otherwise. I have been known to send people fake mail in order to get them to attempt to do things that go against the instructions in the manual. If users fall for the s.e. and do these things, they remain in the idiots category until I have the inclination to test them again.

    5. Software applications that are not specifically needed on each computer are removed.

    6. Firefox is used as the default browser and Thunderbird is used as the default email client. The Outlook Express email client is removed from any computer that contains it.

    7. The Internet zone setting in Internet Explorer is set to the highest level with just about everything forbidden.

    8. Internet Explorer may only be used to display essential work related websites that will not run under any other browser.

    These rules keep my network at work secure.

    1. Re:Malware Monitoring by Anonymous Coward · · Score: 0

      okay so you go to lunch while user's son plugs in an operating system on usb stick, browses to his own nasty server and downloads all the free porn, viruses and exploits available and infects your clean little network.... Taking away admin rights is not an issue if you have physical contact with the machine.... I guess you could hotglue ports, cut cables, and remove cd drives at that point....

      I have way too many programs where the users have to have admin rights to use such a heavy handed approach. I can image a machine back to new in 10 minutes, I use password locked antispyware and virus protection, hardware firewalls, automatic updates and patches, and for my problem children that consistently browse to bad sites I block the sites... I too have no problems, but my users don't feel like they are in kindergarten again.

    2. Re:Malware Monitoring by Anonymous Coward · · Score: 0

      "If I deliberately infect a windows machine..." Don't you mean infect a machine with Windows? =)

    3. Re:Malware Monitoring by knghtrider · · Score: 1

      Locking down machines as you have done is all well and good; and it is something I would *love* to be able to do at the list of clients I support. Sadly, too many programs require Administrator access to the desktop.

      We have been fighting the ever-increasing amount of malware for most of the past decade. In that length of time one would think that software developers would long ago have abandoned the concept of writing software that needed root access by the end user, but noooooooooooooooo. I really wish this would stop.

      Working for a support company that handles networks for numerous and varied small businesses, I still find bad behavior commonplace; no matter how often we warn them about their bad habits. Not only that, but try to get some of them to buy the software/hardware needed for protection. I once spent four hours trying to convince a client to buy a $300 firewall. They just wanted to hook all of the computers into the DSL line and browse away!

      Ah...what a great life this would be without the USERS...

      --
      In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  69. A horse is a horse, of course, of course by jimcooncat · · Score: 1

    January 5, 1961: Mr. Ed debuts
        -- source: Wikipedia

    Also on January 5th:
    1781 - American Revolutionary War: Richmond, Virginia is burned by British naval forces led by Benedict Arnold.

    1900 - Irish leader John Edward Redmond calls for a revolt against British rule.

    1914 - Ford Motor Company announces an eight-hour workday and a minimum wage of $5 for a day's labor.

    See more:
    http://en.wikipedia.org/wiki/January_5

  70. Fit the Crime to the Punishment by LeeMeador · · Score: 1

    Perhaps they should just figure out who the author is and then let the virus upload code to all those computers to spam him (or her) with an assortment of valuable offers.

  71. Won't get caught by Bahwoot · · Score: 1

    He could route the upload packets around the globe a dozen times before the last system finally uploads it to the web site.

  72. Why? by Anonymous Coward · · Score: 0

    I'd rather all Windows computers in the world stopped working. Wipe the harddisk of those imbeciles and take over the net. It was built by geeks, it belongs to geeks. Windows shitheads? Who cares about them?

  73. Is that legal? by Anonymous Coward · · Score: 0

    I doubt that this code was cracked for 'interoperability'. So, is this legal under the DMCA?

  74. Patching/removing the virus by gknoy · · Score: 1

    why don't they just put a prog at the urls the virus checks, which an infected computer can run and it will delete the virus!!

    Why not, indeed? Disregarding the possible ethical issues of whether it's OK to run code on someone else's computer, *many* people did exactly this when the Code Red worm was making its rounds. I remember seeing code that would let Apache "strike back" at the attacker, remove the worm, and patch the vulnerability.

    I'm not sure why the parent was modded funny; I almost modded it insightful, but then decided I'd rather remind people of relatively recent history.

  75. MOD PARENT FUNNY by Anonymous Coward · · Score: 0

    Snicker....

  76. Good Intelligence Data by Anonymous Coward · · Score: 0

    This seems like just the kind of intelligence information the authorities could have used to find this twerp. Now that the cat's out of the bag (I'm sure he reads /.), it's kind of useless.

  77. Re:Why did they have to crypto'ally crack the code by Alsee · · Score: 1

    you could spoof the response from the timeserver, but simply cracking the code is far more elegant.

    I guess it depends how you define elegant. I'd say elegant means a small simple solution, an economy of effort. A small graceful judo move that turns the enemy against itself and brushes away the most elaborate defenses.

    A few deft strokes of the keyboard to feed fake date packets to the virus and it doesn't matter what defenses are in place, it doesn't matter how complex or powerful those defenses are. You turn the virus against itself and let it do the grunt work for you.

    On the other hand elegant solutions tend to be very specific and focused. If you want to understand the virus completely then you need to do the grunt work of dissecting the whole thing, and you must fight to defeat each obstacle placed in your way. Brute force overpowering of the enemy. Not elegant at all if it's evil code.


    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  78. Backtracking by Lord+Jester · · Score: 1

    I would, if I had the algorithm, generate past URLs and check into the registrations from those. At some level there is a trail as these domains were paid for.

    Even if it is a ddns registration, it points to a computer that may be able to be tracked down.

  79. Previous headline: by jim_v2000 · · Score: 1

    Sober author hired by F-Secure.

    --
    Don't take life so seriously. No one makes it out alive.
  80. Obvious Solution? by lordsid · · Score: 0

    Register these precalculated urls and upload a program that tells the zombie computer to firewall off every connection to the internet. Hell notify the user with a nice pop up while you are at it. Then the user will wonder what's wrong and attempt to fix it hopefully.

    And in all honesty they really shouldn't have disclosed this information.

    --
    IMAGE VERIFICATION IS EVIL!
  81. too easy by PermanentMarker · · Score: 1

    Sounds too easy, so now highly talented people just put their infected computer a day forward in time and can predict the next attack?

    --
    I know you're out there. I can feel you now. I know that you're afraid. You're afraid of us. You're afraid of change.
  82. You lose three times by p3d0 · · Score: 1

    Once because you would mod such an obvious idea as "insightful"; once because you didn't get the joke that the GP is making fun of the Slashdot moderators; and once because you didn't use Preview.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  83. Why did you have to ask your question on Slashdot? by p3d0 · · Score: 1
    Couldn't you simply have read the article?
    The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.
    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  84. Antivirus virus by gcostanzo · · Score: 1

    If we know what URLs the virus is going to try to connect to, we should encourage administrators NOT to block these URLs, register them ourselves and place our own code on them which will cause the virus to self-destruct.

    The idea of an antivirus-virus is much debated. In the past some have tried to make a virus which goes around patching the exploit on which it came in. Oversights in the development of this antivirus-virus have caused problems in other places (namely on the network infrastructure side). The difference here is this: we are not USING the exploit, we are merely directing code that uses the exploit to no longer use it (and to perhaps create a popup message warning the user that they are infected with something). This will create no additional network traffic.

    This is of course in the hopes that the virus author did not anticipate this sort of action and make the virus expect some sort of encrypted certificate in the "virus update"

    - Greg Costanzo