Sober Code Cracked
An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."
Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?
Because even though they might be doing something they deem to be nice, running code on someone else's computer without permission is still illegal.
Can we use this discovery to distribute a cure?
I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.
Problem solved.
I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.
Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."
Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.
It's unlikely that the URL would be any "easily found" string of characters. I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.
Now what you want is for domain registration companies to watch out for said "likely looking" URL and flag it up as suspicious somehow.
Hmm... If they can predict forward in time what sites Sober will seek, can they not also look backward in time to see what sites the worm sought in the past? If so, could they not then check the registration records for each of those sites and... find the author?
But you can set up a fake NTP source, which is (or ought to be) a piece of cake for any security company.
I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.
It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.
So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.
The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.
How do they or any of us know it's going to be expected on that date? Nobody can predict an outbreak because there is never a set time for one. If the virus author can change the date he would. Like they say, always expect the unexpected, and what was expected is deemed to be better or worse than it was intended to be.
...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)
So people know things to look for when analysing other viruses?
I am trolling
1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.
2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?
3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...
4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...
5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.
Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...
Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
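A defender-side sketch of the workflow the summary describes (precompute the day's URLs, then block or watch for them, as in points 2 and 4 above), added here and not taken from the article or from F-Secure. The generator is a constructed stand-in (SHA-256 over the date and a made-up seed, reserved TLDs), not Sober's real algorithm, which the page does not give; the log line format is constructed as well.

```python
"""Precompute a date-seeded worm's daily hostnames and flag log entries requesting them.

The generator below is a STAND-IN, not the real Sober algorithm: it only shows the
defender's workflow once a generator has been reverse engineered.
"""
import datetime as dt
import hashlib

# Constructed parameters (hypothetical): reserved TLDs so nothing here can resolve.
TLDS = ("example", "invalid")
SEED = b"stand-in-seed"   # hypothetical; a real worm's constant would come from analysis
PER_DAY = 4               # hypothetical number of candidate hostnames per day


def hostnames_for_day(day: str) -> list[str]:
    """Candidate hostnames for an ISO date ('YYYY-MM-DD').

    Deterministic in the date only, so anyone with the generator can compute the
    list in advance, exactly the property F-Secure exploited."""
    date = dt.date.fromisoformat(day)
    names = []
    for i in range(PER_DAY):
        digest = hashlib.sha256(SEED + date.isoformat().encode() + bytes([i])).hexdigest()
        # 12 hex characters gives the 'alphabet soup' labels commenters expect
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def blocklist(start: str, days: int) -> set[str]:
    """Every hostname for a window of days: the list an admin or ISP would block or sinkhole."""
    first = dt.date.fromisoformat(start)
    return {
        name
        for offset in range(days)
        for name in hostnames_for_day((first + dt.timedelta(days=offset)).isoformat())
    }


def flag_requests(log_lines: list[str], block: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, hostname) for each constructed '<ip> <hostname>' log line
    (e.g. from a DNS or proxy log) that asks for a precomputed hostname.
    These are the clients the ISP-notification idea in point 4 would contact."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        host = parts[1].lower().rstrip(".")   # normalise trailing dot from DNS logs
        if host in block:
            hits.append((parts[0], host))
    return hits
```

Calling `blocklist("2006-01-05", 30)` yields a month of hostnames to publish ahead of the expected activation date, and `flag_requests` run over a day's logs gives the infected-client list.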
Unlikely, most I have seen seem to be hacked servers. I saw a log file on an infected PC, I connected to the same server and issued the same commands, but by the time I got there the jig must have been up, not the same PCs/output in the channel. Meaning, I issued the same commands but did not see the pages and pages (and pages and pages and pages, literally thousands) of entries as in the log file of IP addresses and entries like 2K10234 and XP11442. Strange thing is the "IRC" server was still running. I say that cause the commands were IRC like but not full blown RFC 1459. I sent a note to abuse@isp.com. Maybe the author got his list and was covering his tracks, but the goods were already in a log file on the PC. Again, just noticed out of the 500-700 open connections (netstat -an |find "ESTAB") on the infected PC one was not to the virus's vector port, thought I would check it out... took several tries to even get to the same channel. I had to join one channel and then issue a command to join the second channel to even try. Can't remember which worm it was (not sober), but this was a few days after it was announced and thought I would sniff to see how prevalent it was. Odd. The virus descriptions say, "opens a backdoor on port xxx," and I would just try to connect to port xxx after I got connections, sometimes you just get a c:\windows prompt. Very scary, glad I know how to keep my win pc up to date, and run linux otherwise. And I consider that to be an invitation of sorts, as in, "I'm sorry, were you trying to tell me something? Were YOU trying to hack ME? YOU connected to ME. I am only looking out for my own security here."
;) /disclaimer
I really do the echo something > notice.txt into startup folder, hoping the person will take action and realize they are infected... who knows what good that does. I am also a staunch privacy advocate, so nothing malicious (flame-suit on) from my end. mostly dir c:\windows\system32 |find "" to look for recently installed malware. I could care less about your files. That was how I found the log file that had what looked like a complete connection log to the IRC server. Too bad there are not more good commands in windows command shells (usually a virus opens a socket to cmd.exe) or I would kill and clean up and reboot, or even ftp down the patch, not like MS supports that though. (God the good old days of pre-retirement) This happens in internet time, not human time. If someone was really malicious, there is really no way even hundreds of humans could stop it. I take that back, a good hacker (in the MIT sense...) could reconnect back to the machine and issue some commands to shutdown the proc and stop the scanning, but again you are limited to what is at the ms-dos command shell, and we all know how well the anti-blaster worm worked with its ICMP DoS. But given that a goofball scriptkiddie could connect like I did, maybe that is a good thing (good luck kiddies). Careful what you wish for and all that.
Disclaimer: Really, if I was black hat, would I post with my own account? (laughs hysterically as g-san gets investigated by the FBI the next day). Anyways come get me, I would love to work for you FBI and you could use my help.
Here goes... submit...
Did you mean DMCA?
& China & India groups might be using surreptitious quiet entries to gather up all sorts of intellectual property secrets so they don't have to invent them "in-house".
That statement is naive. Biological organisms also have very strict rules that they need to conform to, even stricter than computer programs. That is why most mutations are lethal.
Biological viruses don't have anything like junk DNA to mutate into something useful. This happens because biological viruses are also constrained to a small size, just like the computer ones.
The biological virus can spread while mutating because each virus creates millions of descendants with hundreds of different mutations. Just out of luck, some can spread well. We can do this with computer viruses too.
Rethinking email
Actually, that's easier. Drunk people always tell you what they're going to do just before they do it. Therefore they'd actually document something for once.
As unlikely as that may be, it's exactly what we need to rid the world of DMCA like bullshit.