Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sober Code Cracked

Posted by CowboyNeal on from the guts-spilled dept.

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

4 of 303 comments (clear)

  1. What should happen by gbulmash · · Score: 5, Interesting
    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

    --
    Start a happiness pandemic
  2. Calculate the exact URLs by jannic · · Score: 5, Interesting

    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

  3. Sophistication by squoozer · · Score: 4, Interesting

    I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

    To the best of my knowledge no one has developed a worm with fully pluggable attack verctors and pay loads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

    1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on it's own. This version doesn't need to be terribly good it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
    2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
    3. Hole exploited by the stage two virus is closed. Many are lost.
    4. Author writes new exploit module and uploads it to virus network which them re-infects lost boxes and new boxes.
    5. Virus scanners get to understand core virus and destroy numerous infections.
    6. Author releases new version into the virus network which upgrades currect installs. And so it goes on.
    7. ???
    8. Profit!

    Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

    BTW I'm not a virus writter.

    --
    I used to have a better sig but it broke.
  4. Re:Hard to admit, but that is quite clever by muffen · · Score: 4, Interesting

    How many people have been mentioned in almost every newspapaper in the entire world on the same day, I doubt the president reached the levels that de Gusman did after writing the loveletter worm, and this is a guy in the phillpines who will probably not be able to afford a trip outside his country ever.

    The feeling of power for this individual must be enormous... not saying its right, but you were asking why people write these things, and the feeling of power is something I believe is a big reason.

    Then ofcourse we have the fact that a lot of these threats steal information etc, so as you say, money would be another reason...