Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sober Code Cracked

Posted by CowboyNeal on from the guts-spilled dept.

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

5 of 303 comments (clear)

  1. Re:Calculate the exact URLs by pe1chl · · Score: 5, Informative

    The URLs are not domain names registered in DNS, but page names on "free homepage" services.
    So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)

  2. RTFA by igb · · Score: 4, Informative

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

  3. Re:This is a new one... by Alex+Zepeda · · Score: 4, Informative

    I'm curious if you bothered to read F-Secure's blog:

    So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

    Something to think about.

    --
    The revolution will be mocked
  4. Mod the parent down by Alex+Zepeda · · Score: 4, Informative

    Read the F-Secure blog.

    Or read my previous comment.

    F-Secure didn't simply crack the algorithm yesterday.

    --
    The revolution will be mocked
  5. They cracked it in May! by kyz · · Score: 5, Informative
    My first impression was that not only did they tip thier hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

    As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.
    --
    Does my bum look big in this?