Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

What should happen

[gbulmash]

Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

- Greg

Calculate the exact URLs

[jannic]

"According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.