Slashdot Mirror


Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: 'Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist... however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines,' Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

19 of 303 comments

  1. What should happen by gbulmash · · Score: 5, Interesting
    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

  2. Disinfection by ivan+kk · · Score: 2, Interesting

    So they've figured out the algo, and while I haven't RTFA, I assume the domains don't exist yet either.

    If that's true, what's to stop, say, Symantec predicting a domain for a particular date, taking the domain, and putting up a disinfection program?

    1. Re:Disinfection by HappyMeal · · Score: 2, Interesting
      Actually, TFA points out the domains (and they do exist):

      http://people.freenet.de/

      http://scifi.pages.at/

      http://home.pages.at/

      http://free.pages.at/

      http://home.arcor.de/

      I do wish they hadn't publicized it... might have scared off the guy or convinced him to really hide identity when registering.

      Also some risk that sites around the world might indiscriminately block traffic to/from these sites, rather than specific URLs there. :(

      Though, I guess, your point regarding disinfection is well taken. :)

  3. Calculate the exact URLs by jannic · · Score: 5, Interesting

    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

    1. Re:Calculate the exact URLs by mallumax · · Score: 2, Interesting
      For once, RTFA.
      The virus even synchronizes the machines via atomic clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.
      If the virus writer is smart enough to generate pseudorandom URLs of which 90% are false, he is smart enough not to trust the computer clock.
  4. The alternative by Shihar · · Score: 3, Interesting

    My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea. Thinking on it now, this very well could be an excellent method of trapping more than one shithead at a time.

    Publicize the information so that other people can also figure out the algorithm. Don't give it away, just let out enough that a dedicated person can reach the same conclusion. Now just wait and nab every single bastard dumb enough to try and post code for Sober to get. While you are at it, switch off every website in question when its upload time comes up. Not only do you cripple the virus's ability to upload, but you catch everyone stupid enough to try and abuse it.

    Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

    1. Re:The alternative by Lesrahpem · · Score: 2, Interesting

      Maybe the people who released this publicly are in opposition to full-disclosure practices and are trying to prove their point?

  5. He's missing some requirements... by hug_the_penguin · · Score: 2, Interesting

    ...namely that he isn't a multinational corporation and that the patent wouldn't fuck over everyone, er I mean wouldn't protect innovation...

    --
    ~HTP~ Hug that tux ;)
  6. Re:Hard to admit, but that is quite clever by killjoe · · Score: 3, Interesting

    As people at Slashdot are fond of pointing out, businesses are not moral; they are not supposed to be moral. This guy is doing his best to increase shareholder value. Presumably he is the majority shareholder, but really that's not so relevant, is it?

    --
    evil is as evil does
  7. What's meant by "authorities"? by raehl · · Score: 2, Interesting

    Isn't the authorities being able to block a URL a problem? If authority means "Software I've willingly installed on my computer to block malicious URLs", then good, fine and dandy. If authorities means the government, I'm not so keen about that possibility.

  8. Re:uhh... by PhreakOfTime · · Score: 2, Interesting

    Close.

    The actual prudent thing to do would be to use said algorithm and see what domain is generated on the 5th of January 2006, before the date even arrives. Alert ICANN registrars of the situation. Monitor that domain name, and watch for the second it gets assigned an IP. When the particular domain begins to point to a global IP address, then you can nab the perp.

    As a bonus, in the above scenario, you don't have to wait for all the compromised machines to bog down yet another unsuspecting network on the 5th of January 2006. Win-win. Well, that dude that gets caught doesn't win...

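A defender-side monitor for the predicted URLs, as an added example that is not part of this comment or of F-Secure's work. Because the hosts in this thread are shared free-hosting sites that already resolve, watching DNS alone would never fire; the check has to be at the URL level, and it should also fire when an already-live URL's content changes, since the author can register a placeholder first and upload the real program later. The predicted URL list and the successive "web" snapshots are constructed stand-ins; a real monitor would plug an HTTP client in as `fetch`.

```python
import hashlib

# Constructed input: the predicted URLs for one trigger day, as a defender would
# hold them after precomputing the generator. Hosts are the free-hosting sites
# named in the thread; the paths are invented for this example.
PREDICTED = [
    "http://home.arcor.de/3f9a1c0b7d2e/",
    "http://scifi.pages.at/b41e77a0c9d3/",
    "http://free.pages.at/0d2c5e9ab713/",
    "http://people.freenet.de/9e8f17c4ab02/",
]

# Constructed stand-in for the web on three successive polls: url -> body,
# with a URL absent when the server answers 404. Poll 2 sees a placeholder
# page appear; poll 3 sees its content replaced.
POLL_1: dict[str, bytes] = {}
POLL_2 = {"http://free.pages.at/0d2c5e9ab713/": b"<html>placeholder</html>"}
POLL_3 = {"http://free.pages.at/0d2c5e9ab713/": b"MZ\x90\x00 (simulated new upload)"}


def snapshot(predicted: list[str], fetch) -> dict[str, str]:
    """Poll every predicted URL via fetch(url) -> bytes | None and return
    {url: sha256(body)} for the ones that currently serve content."""
    found = {}
    for url in predicted:
        body = fetch(url)
        if body is not None:
            found[url] = hashlib.sha256(body).hexdigest()
    return found


def diff(previous: dict[str, str], current: dict[str, str]) -> list[tuple[str, str, str]]:
    """Alerts since the last poll as (url, event, digest): 'new' when a URL has
    just started serving content, 'changed' when its content hash differs."""
    alerts = []
    for url, digest in current.items():
        if url not in previous:
            alerts.append((url, "new", digest))
        elif previous[url] != digest:
            alerts.append((url, "changed", digest))
    return alerts


def monitor(predicted: list[str], polls: list[dict[str, bytes]]) -> list[tuple[int, str, str, str]]:
    """Run the polls in order, keeping only the last snapshot as state, and
    collect every alert as (poll_number, url, event, digest)."""
    previous: dict[str, str] = {}
    out = []
    for n, web in enumerate(polls, 1):
        current = snapshot(predicted, web.get)   # dict.get stands in for an HTTP GET
        for url, event, digest in diff(previous, current):
            out.append((n, url, event, digest))
        previous = current
    return out


if __name__ == "__main__":
    for poll_no, url, event, digest in monitor(PREDICTED, [POLL_1, POLL_2, POLL_3]):
        print(f"poll {poll_no}: {event:7} {url} sha256={digest[:16]}...")
```

Only the URL that the author actually populates ever alerts; the other predicted URLs stay silent across all polls, which is the expected state for the overwhelming majority of candidates.
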
  9. Sophistication by squoozer · · Score: 4, Interesting

    I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

    To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

    1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on its own. This version doesn't need to be terribly good; it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
    2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
    3. Hole exploited by the stage two virus is closed. Many are lost.
    4. Author writes new exploit module and uploads it to virus network which then re-infects lost boxes and new boxes.
    5. Virus scanners get to understand core virus and destroy numerous infections.
    6. Author releases new version into the virus network which upgrades current installs. And so it goes on.
    7. ???
    8. Profit!

    Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

    BTW I'm not a virus writer.

    --
    I used to have a better sig but it broke.
  10. Re:Hard to admit, but that is quite clever by Silizium · · Score: 3, Interesting

    I disagree that writing worms and viruses is clever. Not only from a moral point of view; even from a technical point of view it's not that hard. It's really for kids, "my first program", something like that before they learn real programming. There was a teacher (I do not recall the link now) who proved with his computer science class that writing an exploit/worm takes less than 30 days for computer newbies. Fact. In the early '90s I did some virus programming, too. And I should therefore know what I'm saying. Before anyone stands up now to get the morality firehose, I did it at university in a special laboratory under supervision by our professor for computer security. And every line of that code has since then lain cool and quiet, locked up deep in a safe. It was the result of a roleplay "virus/worm attacker vs. defending programs". I was in the attacker party and we did not only win that battle, we smashed them, we annihilated them. Why? It's sooo easy to write this sort of code and defending is practically impossible. Today's antivirus software is really crap, even if it has no chance when it comes to high noon between good and evil. And I think not one of the actual worms or viruses is nearly as sophisticated as our "gaming" ones were at that time. There are certain very dangerous vectors of attack that actual antivirus software has never had to deal with, I promise. And every one of those yet unused vectors is still deadly. And if any of those newbie junk programmers out there who have nothing better to do than destroy the medium they live in really become smart, then the internet will cease its actual existence. That's fact as I see it. So I hope the smart programmers will work on real software and on security, and the kids and unscrupulous criminals will play with something different in the future. It's really enough that people are so dumb as to answer letters from Nigeria. I think we can't hope that we can finally fight that state of mind. (In German: "Gegen Dummheit kämpfen Götter selbst vergebens", which means that even gods can't fight foolery.) But in the war of machines there is only one hope for us: that the bad guys stay as dumb and bone-lazy as they are and that they keep playing games or taking drugs in their spare time instead of doing their homework. Or else we would all be doomed. The fight is not to be won against a serious attacker. Not with our current computer architecture, not with programs that are thrown on the market the first second it's possible, because a competitor might be faster or because it maximizes the corporate profit to shorten the developers' time of work for security. And the real dangers are yet undiscovered, or I should better say "too heavy for kids". Good luck everyone. But never *never* tell me again that a virus programmer is "quite smart". He's not. Not in any sense. I have seen smart virus code. And I'm glad it's locked up. Still...

  11. Re:RTFA by taursir · · Score: 2, Interesting

    But he must know this by now. He probably reads Slashdot.

  12. Why did they have to crypto'ally crack the code? by ArsenneLupin · · Score: 2, Interesting
    Why did F-Secure (and other AV researchers) have to cryptographically crack the code? Couldn't they simply have advanced the clock on their PC, and empirically snoop which URLs the virus would check?

  13. Re:Hard to admit, but that is quite clever by databyss · · Score: 3, Interesting

    Dude, grammar, spelling and just about anything that involves text communication evades you.

    WTF?!?: "Complexability, I sniff the smell of it when my face is pushed in that kind."

    WTF?!?: "I just wrote a trojan horse back in the mid-90s in a very simple script-language called pilot."

    So you just wrote it? Or you wrote it in the mid-'90s?

    WTF?!?: "And that one worked so good as a proof-of-concept, that the sysadmin (a friend of mine) banned me for a month."

    Earlier you said that people can't attack you for berating virus writers when you yourself wrote a virus, because you only wrote it as part of a college experiment. Now you say you wrote a malicious program as a "proof-of-concept" and were banned by your friend?

    Why would your friend ban you if it was just a proof-of-concept. That means it was never deployed. Also, why would your friend ban you?

    When push comes to shove, Sober is indeed a clever program. Deal with it. Is it a good program to write? No.

    Your lies and bullshittery are blatant my friend.

    Does your mom know you say stuff like this on the interwebs? She might ground you!

    --
    Hmmm, witty sig or funny sig? Maybe elitist techy sig!
  14. Clean and Sober by Ritz_Just_Ritz · · Score: 2, Interesting

    Why not use this information to post disinfection code on the next Sober trigger date? That seems like the best use of this information, since the author has probably already been tipped that he/she can't post their own code anymore. I wonder how many Sober-infected PCs are still in the wild? Cheers,

  15. Re:Hard to admit, but that is quite clever by muffen · · Score: 4, Interesting

    How many people have been mentioned in almost every newspaper in the entire world on the same day? I doubt the president reached the levels that de Guzman did after writing the Love Letter worm, and this is a guy in the Philippines who will probably never be able to afford a trip outside his country.

    The feeling of power for this individual must be enormous... not saying it's right, but you were asking why people write these things, and the feeling of power is something I believe is a big reason.

    Then of course we have the fact that a lot of these threats steal information etc., so as you say, money would be another reason...

  16. Re:Next headline - F-Secure in violation of DRM by Anonymous Coward · · Score: 1, Interesting

    That's an interesting problem, actually.

    Say this algorithm was copyrighted, and used in a legitimate product.

    The virus was written by someone else, who licensed this code legitimately.

    Can the non-virus-writing owner now sue the antivirus companies for DMCA violations?