Slashdot Mirror
Sober Code Cracked
An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."
Feel a bit embarrased, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?
Because even though they might be doing something they deem to be nice, running code on someone elses computer without permission is still illegal.
Can we use this discovery to distribute a cure?
I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.
Problem solved.
I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.
Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."
I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.
It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.
So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.
The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, Virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want but at some point it still has to executed. Most of the techniques are well known and I doubt this idiot invented any new ones.
...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)
1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.
2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?
3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...
4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...
5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.
Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...
Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks