Sober Code Cracked
An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."
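The summary describes a date-driven generator: the same algorithm, run on the same date, yields the same list of URLs, so whoever holds the algorithm can precompute them. The sketch below is an added example, not Sober's actual algorithm and not F-Secure's code; it uses a hypothetical SHA-256-based generator and the free-homepage hosts listed later in the thread, and shows the defender's side of the trick: precomputing the per-day URL list that would be handed to the hosting providers for blocking or monitoring.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Set

# Free-homepage hosts named in the thread. The generator itself is hypothetical
# and stands in for whatever date-seeded scheme the worm actually used.
HOSTS = [
    "http://people.freenet.de/",
    "http://scifi.pages.at/",
    "http://home.pages.at/",
    "http://free.pages.at/",
    "http://home.arcor.de/",
]


def generate_urls(day: date, count: int = 5) -> List[str]:
    """Hypothetical generator: derive `count` page URLs from the calendar date.

    Everything is a pure function of (day, index), so the worm, its author
    and a defender who has reversed the routine all compute the same list.
    """
    urls = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        host = HOSTS[int(digest[:2], 16) % len(HOSTS)]   # pick a host
        page = digest[2:12]                               # pseudo-random page name
        urls.append(f"{host}{page}/")
    return urls


def precompute_blocklist(start: date, days: int, count: int = 5) -> Dict[str, List[str]]:
    """Defender view: the URL set for every day in a window, e.g. to send to the ISPs."""
    return {
        (start + timedelta(d)).isoformat(): generate_urls(start + timedelta(d), count)
        for d in range(days)
    }


def live_candidates(day: date, registered: Set[str], count: int = 5) -> List[str]:
    """Of the day's URLs, return only those that actually exist.

    `registered` is a constructed stand-in for "which page names exist on the
    host today"; in practice most generated names resolve to nothing, which is
    why the author only needs to register one of them when he wants to act.
    """
    return [u for u in generate_urls(day, count) if u in registered]


if __name__ == "__main__":
    target = date(2006, 1, 5)   # activation date quoted in the summary
    for d, urls in precompute_blocklist(target, 3).items():
        print(d)
        for u in urls:
            print("   ", u)
```

Running the script prints the precomputed URL list for 5, 6 and 7 January 2006 under the hypothetical scheme; with the real algorithm in hand, the same loop is what lets a responder register, block or watch the pages before the activation date arrives.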
The only way they can make money is from a rival company wanting the worm to take down their competition, or a rival country in some cases, wanting to take down a lot of a country's infrastructure based on the net. We're all familiar with the hackers the Russian government hired to try and rip down the internet, but it is often attempted with worms too.
~HTP~ Hug that tux
The URLs are not domain names registered in DNS, but page names on "free homepage" services.
So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)
No, Sober is a pro-Nazi virus. Jan 05 is "1919 - Free Committee for a German Workers' Peace founded." Check virus descriptions on any antivirus vendor site.
If you think that is about free software, then you haven't got the bunch of text emails about the Dresden bombings and other propaganda.
The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.
I'm curious if you bothered to read F-Secure's blog:
So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.
Something to think about.
The revolution will be mocked
Read the F-Secure blog.
Or read my previous comment.
F-Secure didn't simply crack the algorithm yesterday.
The revolution will be mocked
Ok, so, it's /., we don't usually RTFA, but those are the domains:
http://people.freenet.de/
http://scifi.pages.at/
http://home.pages.at/
http://free.pages.at/
http://home.arcor.de/
not really "alphabet soup with a TLD suffix", uh?
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.
Does my bum look big in this?
Yeah, you could spoof the response from the timeserver, but simply cracking the code is far more elegant.
pi = 2*|arg(God)|