Slashdot Mirror


Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."
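What precomputing date-based URLs buys a defender, as an added example that is not part of the original post: the generator below is a hypothetical stand-in, not Sober's algorithm (the page does not give it), and the hosts, URL shape and log format are constructed. Once the function of the date is known, every URL for a window of days can be listed in advance and matched against proxy logs.

```python
import hashlib
from datetime import date, timedelta

HOSTS = ("example.net", "example.org")  # constructed placeholder hosts

def candidate_urls(day, per_day=3):
    """Stand-in date-seeded generator (assumption, not Sober's real one)."""
    urls = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map the first 10 hex digits to the letters a..p for a path name.
        name = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])
        urls.append(f"http://{HOSTS[i % len(HOSTS)]}/{name}/")
    return urls

def build_blocklist(center, skew_days=2):
    """Map each URL in [center - skew, center + skew] to its generating date.
    The window covers infected hosts whose system clocks are wrong."""
    table = {}
    for off in range(-skew_days, skew_days + 1):
        day = center + timedelta(days=off)
        for url in candidate_urls(day):
            table[url] = day
    return table

def flag_requests(log_lines, blocklist):
    """Return (client_ip, url, generating_date) for each matching log line."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:  # skip lines that are not "ts client method url"
            continue
        _ts, client, _method, url = parts
        if url in blocklist:
            hits.append((client, url, blocklist[url]))
    return hits

def sample_log(day):
    """Constructed proxy log: benign, on-date hit, skewed-clock hit, junk."""
    return [
        f"{day}T09:14:02 10.0.0.23 GET http://example.com/index.html",
        f"{day}T09:14:07 10.0.0.41 GET {candidate_urls(day)[0]}",
        f"{day}T09:15:30 10.0.0.57 GET {candidate_urls(day - timedelta(days=1))[2]}",
        "malformed line",
    ]

if __name__ == "__main__":
    d = date(2006, 1, 5)  # the date named in the summary
    for hit in flag_requests(sample_log(d), build_blocklist(d)):
        print(hit)
```

A hit whose generating date differs from the log date points at a client with a skewed clock, which is why the blocklist spans several days rather than only today.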

19 of 303 comments

  1. code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

    It said "lol no it's not a worm"

    1. Re:code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

      Anyone can crack sober code. The challenge is to crack code written when drunk.

  2. Virus writer is a Free Software fanatic by ReformedExCon · · Score: 5, Funny

    Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

    http://en.wikipedia.org/wiki/January_5

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:Virus writer is a Free Software fanatic by Hinhule · · Score: 3, Funny

      I think we have stumbled over who wrote the virus.

      Richard Stallman is the only Free software fanatic.

    2. Re:Virus writer is a Free Software fanatic by Anonymous Coward · · Score: 1, Funny

      It all makes sense! Marilyn Manson writes the Sober worm, gets it to download an HTTP server and a copy of his latest album, then gets the PC to phone home every time it goes online, which issues an automatic DMCA takedown order on the PC that it came from! Ohh boy, wait till the boys at the RIAA get wind of this one... They'll be screaming "Why didn't we think of that!"

  3. Patent by digid · · Score: 5, Funny

    Let's award the Sober Virus writer a patent. I think he'd qualify.

    1. Re:Patent by ArcticCelt · · Score: 2, Funny

      Plus those nasty "pirates" at F-Secure have violated the DMCA by circumventing the security algorithm in Sober and should be prosecuted as soon as possible!

      --

      Yahh, hiii haaaaa! -Major Kong, from Dr. Strangelove
  4. roflcopter by Anonymous Coward · · Score: 4, Funny

    Hay guys I have a gr8 idea, why dont they just put a prog at the urls the virus checks, which an infected coputer can run and it will delete the virus!!

    +5 informative

  5. Well known URLs by g-san · · Score: 4, Funny

    one is supposedly http://it.slashdot.org/comments.pl?sid=170643&threshold=1&mode=thread&commentsort=0&op=Reply

    It posts trollish looking messages and chats to you in IM. :)

    Personally, I usually just chill while connected with ethereal running, then connect back to the PCs backdoored by the viruses that are trying to infect my honeypot on tcp/135. Then a simple netstat will show you an established tcp connection back to the IRC server the virus is using to announce itself to the author (not to mention about 500 connections SYN-SENT or ESTABLISHED to PCs being infected/probed, also a good source for other infected, backdoored PCs. You do know what is attacking you and what tcp backdoor it runs, right?) You can usually spot that connection, it has a high TCP destination port, whereas the normal vector port is 135/137/139. It's really sad to see thousands of PCs already announcing themselves to the author on that IRC channel as, "Hey come on over, I am running W2k|2XP. I am XP200453." And there is no one there to give me +OP privs!!! Batrastards!!! I could echo 'you are hacked please visit windowsupdate.com'> the startup folder all I want for days to each one of them to no avail... or echo ''you are a moron, too stupid to own a computer, put it back in the box and yadayadayada....

    I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs. probably echo the same message in the same fashion as above, yet, alas, I am seriously lacking in motivation and spare time. (q.q.v 4. Pr0F1T!!!)

    so little time, so many IP addresses, so many ignorant users.... so many clever, clever coders...

  6. Re:Applications? by Skapare · · Score: 4, Funny

    Better yet, have it install Ubuntu and solve the longer term problem, too. :-)

    --
    now we need to go OSS in diesel cars
  7. Next headline - F-Secure in violation of DRM by Knightlymuse · · Score: 5, Funny

    Gets sued by virus writer. :)

  8. Re:Hard to admit, but that is quite clever by Xarius · · Score: 5, Funny

    I bet he's smart enough to know what a god damned paragraph is though...

    --
    C17H21NO4
  9. Re:Now work backwards? by mrogers · · Score: 3, Funny

    Police today announced that they have arrested the author of the Sober internet worm. The suspect was named as Mr. Qwert Y. Asdfasdf123 of 456 Hjklhjkl Street, Mnbvmnbv, Alabama. He was caught after using his real name and address to register a website used by the worm.

  10. Re:Hard to admit, but that is quite clever by Baddas · · Score: 2, Funny

    Even though their skills are well up to snuff

    Not that I'm bitter or anything.

  11. Reminds me of a song..... by Theovon · · Score: 2, Funny

    Sober cracked code, and I don't care. Sober cracked code, and I don't care. Sober cracked code, and I don't caaaaaaaaare. And the hacker's gone away.

    (Note: I apologize to anyone who is aware of the origins of the song I'm parodying.)

  12. Re:Hard to admit, but that is quite clever by Hal_Porter · · Score: 3, Funny

    Hmm, remember teh Lordz Prayer. I've marked the relevant line.

    Our Father, who Pwnz heaven 0f da 1337z , j00 r0ck!
    May all 0ur base someday be belong to you!
    May j00 0wn earth just like j00 0wn heaven.
    Give us this day our warez, mp3z, and pr0n through a phat pipe.
    And cut us some slack when we act like n00b lamerz, just as we teach n00bz when they act lame on us.
    Please don't give us root access on some poor d00d'z box when we're too pissed off to think about what's right and wrong, and if you could keep the fbi off our backs, we'd appreciate it.
    For j00 0wn r00t on all our b0x3s 4ever and ever,

    3N74H .

    Eloquent words, eh?

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  13. Re:Hard to admit, but that is quite clever by Guppy06 · · Score: 3, Funny

    "why do talented people waste their abilities on viruses?"

    Sex. It's all about the groupies, man!

  14. DMCA by watermark · · Score: 2, Funny

    The sober author should have included a Eula. "By using your computer, you accept the terms and conditions located at C:\eula.txt"

  15. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 1, Funny

    "Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?"

    Maybe they couldn't find a boyfriend on their own, and were hoping to get caught.