Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sober Code Cracked

Posted by CowboyNeal on from the guts-spilled dept.

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

14 of 303 comments (clear)

  1. Recognition by hug_the_penguin · · Score: 3, Informative
    They do it so they can stick a finger up to the cops and say `I'm better than you`, such is the mentality of the virus writer or cracker. They also get recognition within the blackhat community as the person who reaped havoc worldwide. Then there's that smug satisfaction that they haven't been caught. Scientifically, the risk of getting caught topped off with not actually having been caught triggers a dopamine release which makes people feel good. Such is the way virus writers get their thrills.

    The only way they can make money is from a rival company wanting the worm to take down their competition, or a rival country in some cases, wanting to take down a lot of a country's infrastructure based on the net. We're all familiar with the hackers the russian government hired to try and rip down the internet, but it is often attempted with worms too

    --
    ~HTP~ Hug that tux ;)
    1. Re:Recognition by Anonymous Coward · · Score: 0, Informative

      WROUGHT havoc. viruses don't reap havoc. they WREAK havoc.

  2. Re:Virus writer is a Free Software fanatic by Segway+Ninja · · Score: 2, Informative

    Or prehaps 26 years after "Hewlett-Packard announces release of its first personal computer."
    Or maybe the writer intends to make bigger news than when "Warner Brothers [showed] the first color newsreel" (1948)
    Or maybe it's the writers birthday.
    Or maybe it's the first day they intend to be awake after the New Year celebrations
    Or maybe it's to bring down IT infastructure just as we're getting back to work just after the Holiday Celebrations end.

    The possibilites are endless, and there are far more logical explanations than "Sober was written by a free software fanatic, it's true it's true!"

  3. Re:Calculate the exact URLs by pe1chl · · Score: 5, Informative

    The URLs are not domain names registered in DNS, but page names on "free homepage" services.
    So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)

  4. Re:Virus writer is a Free Software fanatic by tokul · · Score: 3, Informative

    No, Sober is pro Nazi virus. Jan 05 is "1919 - Free Committee for a German Workers' Peace founded." Check virus descriptions on any antivirus vendor site.

    If you think, that is about free software, then you haven't got bunch of text emails about dresden bombings and other propaganda.

  5. RTFA by igb · · Score: 4, Informative

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

  6. Re:This is a new one... by Alex+Zepeda · · Score: 4, Informative

    I'm curious if you bothered to read F-Secure's blog:

    So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

    Something to think about.

    --
    The revolution will be mocked
  7. Mod the parent down by Alex+Zepeda · · Score: 4, Informative

    Read the F-Secure blog.

    Or read my previous comment.

    F-Secure didn't simply crack the algorithm yesterday.

    --
    The revolution will be mocked
  8. Re:uhh... by Nogami_Saeko · · Score: 2, Informative

    It doesn't look like the program is generating completely random domains, it looks like it's using domains that can be created on one of the free hosting services (ie: like the european version of geocities or whatever) that are mentioned on the page.

    So all you'd need to do is register the account name on the free hosting service that's utilized for that day and away you go. Not a problem to register an account using a hacked email account and keep it anonymous.

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  9. BZZZZT!!! Talking out of you a** ... by hummassa · · Score: 3, Informative

    Ok, so, it's /., we don't usually RTFA, but those are the domains:
    http://people.freenet.de/
    http://scifi.pages.at/
    http://home.pages.at/
    http://free.pages.at/
    http://home.arcor.de/
    not really "alphabet soup with a TLD suffix", uh?

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  10. They cracked it in May! by kyz · · Score: 5, Informative
    My first impression was that not only did they tip thier hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

    As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.
    --
    Does my bum look big in this?
  11. Re:Many viruses come from very talented people... by arose · · Score: 2, Informative

    Believe it or not but part of Germany is also part of the former Soviet Block...

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
  12. Re:Hard to admit, but that is quite clever by Anonymous Coward · · Score: 1, Informative

    Look, it's not that difficult. You can't just press enter in the text field. You have to use the html tags. I mean at least put in a $lt br &gt twice and that will break it up. Unfortunately, that won't solve all of your problems. Your post was poorly spelled, and worse, poorly written. An attempt at writing a word isn't good enough. At least make it readable. This is for intelligent communication. Take a second to paste it into a word processing program and for all that is holy CLICK PREVIEW!

  13. Re:Why did they have to crypto'ally crack the code by Butterspoon · · Score: 3, Informative
    This wouldn't work because the worm syncs with an a timeserver, so you get the activation on the target date even if your system clock's wrong.

    Yeah you could spoof the response from the timesever, but simply cracking the code is far more elegant.

    --
    pi = 2*|arg(God)|