Slashdot Mirror


Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

70 of 303 comments

  1. code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

    It said "lol no it's not a worm"

    1. Re:code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

      Anyone can crack sober code. The challenge is to crack code written when drunk.

  2. Hard to admit, but that is quite clever by Anonymous Coward · · Score: 5, Insightful

    Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?

    1. Re:Hard to admit, but that is quite clever by buro9 · · Score: 4, Insightful

      "why do talented people waste their abilities on viruses?"

      Money?
      Acclaim (within a small community)?
      Politics?

      I would guess money. Spam pays very well, and a lot of viruses and worms have had monetary ulterior motives; as always, follow the money.

    2. Re:Hard to admit, but that is quite clever by bioteq · · Score: 2

      I was actually thinking the same as I read the article, but I was thinking more along the lines of, "Wow, that is quite clever. Innovative, too. Wonder why I couldn't think of something like that."

      It is quite true though that the talent these days seems to be going to those who like to do something malicious with their talent. It saddens me to no end, but I do believe this is a common road that those with actual talent and insight seem to be wanting to follow these days; it's a trend.

      But, alas, I digress. Maybe this guy (or kid) will see the grey or perhaps even the white in his days and come on over and give us a hand.

    3. Re:Hard to admit, but that is quite clever by killjoe · · Score: 3, Interesting

      As people at slashdot are fond of pointing out, businesses are not moral; they are not supposed to be moral. This guy is doing his best to increase shareholder value. Presumably he is the majority shareholder, but really that's not so relevant, is it?

      --
      evil is as evil does
    4. Re:Hard to admit, but that is quite clever by raehl · · Score: 2, Insightful

      why do talented people waste their abilities on viruses?

      Because it's perceived as more profitable than dealing with a manager?

    5. Re:Hard to admit, but that is quite clever by Antony-Kyre · · Score: 2, Insightful

      My guess is it's boredom. Some talented people do stupid stuff because they have nothing better to do.

    6. Re:Hard to admit, but that is quite clever by Silizium · · Score: 3, Interesting

      I disagree that writing worms and viruses is clever. Not only from a moral point of view; even from a technical point of view it's not that hard. It's really for kids, "my first program", something like that before they learn real programming. There was a teacher (I do not recall the link now) who proved with his computer science class that writing an exploit/worm takes less than 30 days for computer newbies. Fact. In the early 90's I did some virus programming, too. And I should therefore know what I say. Before anyone stands up now to get the morality firehose, I did it at university in a special laboratory under supervision by our prof for computer security. And every line of that code has lain since that time cool and quiet, locked up deep in a safe. It was the result of a roleplay "virus/worm attacker vs defending programs". I was in the attacker party and we did not only win that battle, we smashed them, we annihilated them. Why? It's sooo easy to write this sort of code and defending is practically impossible. Today antivirus software is really crap, even if they have no chance when it comes to high noon between good and evil. And I think not one of the actual worms or viruses is nearly as sophisticated as our "gaming" ones were at that time. There are certain very dangerous vectors of attack that actual antivirus software has never had to deal with, I promise. And every one of those yet unused vectors is still deadly. And if any of those newbie junk programmers out there who have nothing better to do than to destroy the medium they live in really become smart, then the internet will stop in its actual existence. That's fact as I see it. So I hope the smart programmers will do real software and security and the kids and unscrupulous criminals will play with something different in future. It's really enough that people are so dumb as to answer letters from Nigeria. I think we can't hope that we can finally fight that state of mind. 
(In German words: "Gegen Dummheit kämpfen Götter selbst vergebens", which means that even gods can't fight foolery.) But in the war of machines there is only one hope for us: that the bad guys stay as dumb and bone-lazy as they are and that they keep playing games or taking drugs in their spare time instead of doing their homework. Or else we would all be doomed. The fight is not to win against a serious attacker. Not with our current computer architecture, not with programs that are thrown on the market the first second it's possible, because a competitor might be faster or because it maximizes the corp profit to shorten the developers' time of work for security. And the real dangers are yet undiscovered, or I should better say "too heavy for kids". Good luck everyone. But never *never* tell me again that a virus programmer is "quite smart". He's not. Not in any sense. I have seen smart virus code. And I'm glad it's locked up. Still...

    7. Re:Hard to admit, but that is quite clever by Xarius · · Score: 5, Funny

      I bet he's smart enough to know what a god damned paragraph is though...

      --
      C17H21NO4
    8. Re:Hard to admit, but that is quite clever by golgotha007 · · Score: 3, Insightful

      why do talented people waste their abilities on viruses?

      The ability to control several hundred thousand zombie computers.. are you kidding?

      money, man, money.

      You can do lots of things with that, but the most lucrative might be to blackmail gambling sites. If they don't pay, you DoS their IP block.

    9. Re:Hard to admit, but that is quite clever by Baddas · · Score: 2, Funny

      Even though their skills are well up to snuff

      Not that I'm bitter or anything.

    10. Re:Hard to admit, but that is quite clever by databyss · · Score: 3, Interesting

      Dude, grammar, spelling and just about anything that involves text communication evades you.

      WTF?!?: "Complexability, I sniff the smell of it when my face is pushed in that kind."

      WTF?!?: "I just wrote a trojan horse back in the mid-90s in a very simple script-language called pilot."

      So you just wrote it? Or you wrote it in the mid-90's.

      WTF?!?: "And that one worked so good as a proof-of-concept, that the sysadmin (a friend of mine) banned me for a month."

      Earlier you said that people can't attack you for berating virus writers when you yourself wrote a virus because you only wrote it as part of a college experiment. Now you say you wrote a malicious program as a "proof-of-concept" and were banned by your friend?

      Why would your friend ban you if it was just a proof-of-concept? That means it was never deployed. Also, why would your friend ban you?

      When push comes to shove, Sober is indeed a clever program. Deal with it. Is it a good program to write? No.

      Your lies and bullshittery are blatant my friend.

      Does your mom know you say stuff like this on the interwebs? She might ground you!

      --
      Hmmm witty sig or funny sig? Maybe elitist techy sig!
    11. Re:Hard to admit, but that is quite clever by ronanbear · · Score: 3, Insightful

      Their organised crime bosses pay better and give better conditions than so called legitimate software companies. You may as well be writing worms as some of the stuff that big corporations like Sony are sending out.

      --
      the more they over-think the plumbing the easier it is to stop up the pipe
    12. Re:Hard to admit, but that is quite clever by Hal_Porter · · Score: 3, Funny

      Hmm, remember teh Lordz Prayer. I've marked the relevant line.

      Our Father, who Pwnz heaven 0f da 1337z , j00 r0ck!
      May all 0ur base someday be belong to you!
      May j00 0wn earth just like j00 0wn heaven.
      Give us this day our warez, mp3z, and pr0n through a phat pipe.
      And cut us some slack when we act like n00b lamerz, just as we teach n00bz when they act lame on us.
      Please don't give us root access on some poor d00d'z box when we're too pissed off to think about what's right and wrong, and if you could keep the fbi off our backs, we'd appreciate it.
      For j00 0wn r00t on all our b0x3s 4ever and ever,

      3N74H .

      Eloquent words, eh?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    13. Re:Hard to admit, but that is quite clever by muffen · · Score: 4, Interesting

      How many people have been mentioned in almost every newspaper in the entire world on the same day? I doubt the president reached the levels that de Guzman did after writing the loveletter worm, and this is a guy in the Philippines who will probably not be able to afford a trip outside his country ever.

      The feeling of power for this individual must be enormous... not saying it's right, but you were asking why people write these things, and the feeling of power is something I believe is a big reason.

      Then of course we have the fact that a lot of these threats steal information etc, so as you say, money would be another reason...

    14. Re:Hard to admit, but that is quite clever by Guppy06 · · Score: 3, Funny

      "why do talented people waste their abilities on viruses?"

      Sex. It's all about the groupies, man!

    15. Re:Hard to admit, but that is quite clever by daniel_mcl · · Score: 3, Insightful

      First, I have a hard time believing that a professor took students from being "computer newbies" to being able to print out "hello world" ten times in thirty days, much less write some sort of working virus; trying to teach students anything outside of their major is roughly equivalent to pushing dead whales uphill in terms of efficiency. I've been in a lot of classes and taught a few, and I know that the average student will not do any work if it's at all plausible that a significant number of other students won't do it either -- school these days has become a generalized prisoner's dilemma situation, in which the teacher can only fail so many students before being reassigned.

      In the larger scope, I'll just say that it's very tempting to think that one's computer programs just scale automatically, but this is simply not the case. Chances are that you were working on a very homogeneous network at that point, with most machines running rollout-synchronized versions of the same software. I've written "worms" that work under such an environment myself -- unlocking the parental protection on the middle-school computers made lunch-time in the library a lot more interesting. In such a situation, a worm either doesn't spread at all or immediately takes over the entire network, so any success is an impressive one.

      On the real internet, on the other hand, we have a very complicated mesh of various systems with different sorts of protections, some explicitly designed as such but most just due to random variations that prevent a given buffer overflow from working on more than one system. Even if someone is running a vulnerable system somewhere out there, there's a good chance that getting at it may involve going past some other system that is simply going to eat it alive. We're not talking just about computers, but also about routers, switches, and all that Cisco equipment that's silently running a good deal of the net without anyone ever thinking about it.

      That's why there hasn't been a real worm on the internet in quite a while; essentially every major virus in recent memory has relied on social-engineering to trick the user into manually installing the virus onto his own computer. In fact, I'd seriously doubt that it's even feasible to create a self-distributing worm on the internet at this point, unless Microsoft is dumb enough to build remote-execution capability into their application software again.

      Of course, if you were actually working on a diverse, real-world type network, and you managed to devise cross-platform vectors, that's quite different and it'd be interesting to hear about. But if you're like the majority of people who make claims like these, I'm gonna have to say that your eyes are probably a little bigger than your mouth on this one.

      --
      I used to read Caltizzle. I was a lot cooler than you.
    16. Re:Hard to admit, but that is quite clever by Silizium · · Score: 3, Insightful

      Dude. There are other languages than English and other countries than the U.S.A. around the world. So sorry that I speak native German. Maybe you would have better grammar and spelling if we talked in German?

      So if not, please stop that. I do my best to be understandable; if you don't like to read my commentary then skip it. Gna. That shit makes me angry. I never ever criticised anyone who speaks German with a foreign accent. I never tried to bawl somebody out because he was not a native speaker. This is really bullshit, let's stop it before it begins. I try my best, is that okay for you? Skip it please. It's a waste of bandwidth.

      To your questions.

      I did a lot of research on computer security issues, including worms, viruses and trojan horses, but I'm no specialist who has completely focused on that thing. I never stopped being interested; I specialised at university for a while on that theme, and I grew up in the 80s when there was no "cybercrime" at all. Not here. Not in Germany. We had no laws. So we did what was possible. But at that time nobody was destructive. Everyone was just damn curious. When the damn NASA hack was hitting the news in '86 (I think) I was damn near that. From the scene just an inch away.

      At that time nobody thought a computer system was really vulnerable - but us - the hackers. So I grew up not in a mind of destruction but in a mind of consciousness that security is only in the hands of those who care for it. And who test it. And who spend time and energy on it.

      Yes, I was a hacker and I'm proud to say I am today. I don't hack into systems. I'm not destructive. I write code, I test security, I play with systems. Playing, yes, that would be the right word for it. Just for fun. And I did it in the 80s and I still do it. And, yes, I think it's a good way to live with computers. I have fun at work.

      In the early 90s I first and last put a thing you'd call a trojan horse into the "wild". There was no "internet" at that time. It was no big deal, but that program managed to trick a database and send me usernames and passwords. (Certainly never used the data, I have no interest in that sort of thing.) I just wanted to show my friend a big security hole in his system, but instead of fixing it he almost ran amok.

      Stupid.

      After a month he spoke to me again and with my help we fixed that thing. For a whole month his system was unfixed and vulnerable. "But it was only such a harmless feature", he declared. It was not. There is no such thing as a harmless new feature.

      Please search Google for "pilot script language" for more info about how harmless the feature really was and that even such a dumb little scripting language can be used to trick systems or users. It was a cool hack. No big one, sure. I have done better things after that, but that one is a good lesson. New features mean new security holes. That's it.

      At that time I reverse engineered virus code and the first worm code on the newly rising internet. Most of the code is really poor, poor, poor. It's badly tested, poorly written, and only one of 20, 30 or even 100 viruses/worms is what I call "interesting". Yes, I really was not keen on sacrificing my whole life to reverse engineering shitty code. It is very, very boresome to reverse engineer the tenth shitty little script-kiddie worm that was only altered enough that the antivirus software does not recognize it. Even the bugs are in it.

      In the mid 90s I quit that after years of studying. So, no, I have not reverse engineered bloody Sober. It's really not worth it. It should just be destroyed. It has no really new features in it; it is not even on the same level as the worms of the mid 90s. It's just current and uses some nice features that are not new, are not well programmed, are not innovative and are, in short, boring.

      It's not easy to write a worm like that. Really. This is not what I say. But it's no big deal. There are tools out there, there are people with code who invented ways for intrusion; this thing is just a roughly hammered toget

  3. What should happen by gbulmash · · Score: 5, Interesting
    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

  4. Virus writer is a Free Software fanatic by ReformedExCon · · Score: 5, Funny

    Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

    http://en.wikipedia.org/wiki/January_5

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:Virus writer is a Free Software fanatic by Hinhule · · Score: 3, Funny

      I think we have stumbled over who wrote the virus.

      Richard Stallman is the only Free software fanatic.

    2. Re:Virus writer is a Free Software fanatic by Segway+Ninja · · Score: 2, Informative

      Or perhaps 26 years after "Hewlett-Packard announces release of its first personal computer."
      Or maybe the writer intends to make bigger news than when "Warner Brothers [showed] the first color newsreel" (1948).
      Or maybe it's the writer's birthday.
      Or maybe it's the first day they intend to be awake after the New Year celebrations.
      Or maybe it's to bring down IT infrastructure just as we're getting back to work after the Holiday Celebrations end.

      The possibilities are endless, and there are far more logical explanations than "Sober was written by a free software fanatic, it's true it's true!"

    3. Re:Virus writer is a Free Software fanatic by tokul · · Score: 3, Informative

      No, Sober is a pro-Nazi virus. Jan 05 is "1919 - Free Committee for a German Workers' Peace founded." Check the virus descriptions on any antivirus vendor site.

      If you think that it is about free software, then you haven't got the bunch of text emails about the Dresden bombings and other propaganda.

  5. Patent by digid · · Score: 5, Funny

    Let's award the Sober Virus writer a patent. I think he'd qualify.

    1. Re:Patent by ArcticCelt · · Score: 2, Funny

      Plus those nasty "pirates" at F-Secure have violated the DMCA by circumventing the security algorithm in Sober and should be prosecuted as soon as possible!

      --
      Yahh, hiii haaaaa! -Major Kong, from Dr. Strangelove
  6. Disinfection by ivan+kk · · Score: 2, Interesting

    So they've figured out the algo, and while I haven't RTFA, I assume the domains don't exist yet either.

    If that's true, what's to stop, say, Symantec predicting a domain for a particular date, taking the domain, and putting a disinfection program up?

    1. Re:Disinfection by Sinus0idal · · Score: 4, Insightful

      Because even though they might be doing something they deem to be nice, running code on someone else's computer without permission is still illegal.

    2. Re:Disinfection by HappyMeal · · Score: 2, Interesting
      Actually, TFA points out the domains (and they do exist):

      http://people.freenet.de/
      http://scifi.pages.at/
      http://home.pages.at/
      http://free.pages.at/
      http://home.arcor.de/

      I do wish they hadn't publicized it... might have scared off the guy or convinced him to really hide identity when registering.

      Also some risk that sites around the world might indiscriminately block traffic to/from these sites, rather than specific URLs there. :(

      Though, I guess, your point regarding disinfection is well taken. :)

  7. Calculate the exact URLs by jannic · · Score: 5, Interesting

    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

    1. Re:Calculate the exact URLs by pe1chl · · Score: 5, Informative

      The URLs are not domain names registered in DNS, but page names on "free homepage" services.
      So they would have to get in contact with the providers of those services instead (arcor.de, pages.at).

    2. Re:Calculate the exact URLs by mallumax · · Score: 2, Interesting
      For once, RTFA.
      The virus even synchronizes the machines via atomic clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.
      If the virus writer is smart enough to generate pseudorandom URLs of which 90% are false, he is smart enough not to trust the computer clock.
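Added example, not code from the article, F-Secure, or any commenter: a defender-side model of the date-driven URL scheme the summary describes, using the five hosting services HappyMeal lists and allowing for the clock-sync point mallumax raises. The generator (`candidate_paths`, `DEMO_SEED`, four names per host) is a constructed stand-in for the worm's real algorithm, which the page does not give, and the proxy log lines are constructed; the point is that whoever can reproduce the generator can turn a date into a watchlist and match it against outbound requests.

```python
import hashlib
import re
from datetime import date, timedelta

# Hosting services the thread names as the worm's check-in locations.
CHECKIN_HOSTS = [
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
]

# Constructed stand-in secret; Sober's real constants are not on the page.
DEMO_SEED = b"demo-seed-not-sober"
PATHS_PER_HOST = 4


def candidate_paths(day, host, count=PATHS_PER_HOST):
    """Derive `count` pseudorandom page names for `host` on `day`.

    Hypothetical stand-in for the worm's generator: the names depend only on
    the date, the host and a fixed secret, so anyone holding the secret (the
    author, or an analyst who recovered it) can precompute them for any date.
    """
    names = []
    for i in range(count):
        material = DEMO_SEED + day.isoformat().encode() + host.encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        # Map bytes to lowercase letters so the result looks like a user page name.
        name = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append("/" + name + "/")
    return names


def urls_for_day(day):
    """Full set of URLs the modelled worm would poll on a given date."""
    return {
        "http://" + host + path
        for host in CHECKIN_HOSTS
        for path in candidate_paths(day, host)
    }


def watchlist(center, skew_days=1):
    """URLs for `center` plus/minus `skew_days`.

    The worm syncs its clock over the network, so the date boundary falls at
    different local times; a small window avoids missing early or late polls.
    """
    urls = set()
    for delta in range(-skew_days, skew_days + 1):
        urls |= urls_for_day(center + timedelta(days=delta))
    return urls


# Forward-proxy access log: client, ident, request line, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ "GET (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3})')


def flag_checkins(log_lines, center, skew_days=1):
    """Return (client, url) pairs whose request matches the precomputed set.

    A 404 still counts: the summary says most generated URLs never exist, so
    an internal host polling a predicted URL is a signal regardless of status.
    """
    watched = watchlist(center, skew_days)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("url") in watched:
            hits.append((m.group("src"), m.group("url")))
    return hits


ACTIVATION = date(2006, 1, 5)  # activation date stated in the summary

# Constructed sample log: one client polling a predicted URL (and getting a
# 404), one client fetching an unrelated page on the same hosting service.
PREDICTED = sorted(urls_for_day(ACTIVATION))[0]
SAMPLE_LOG = [
    '10.0.0.7 - "GET ' + PREDICTED + ' HTTP/1.1" 404',
    '10.0.0.9 - "GET http://home.arcor.de/someuser/index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for src, url in flag_checkins(SAMPLE_LOG, ACTIVATION):
        print("possible Sober check-in from", src, "to", url)
```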
  8. The alternative by Shihar · · Score: 3, Interesting

    My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea. Thinking on it now, this very well could be an excellent method of trapping more than one shit head at a time.

    Publicize the information so that other people can also figure out the algorithm. Don't give it away, just let out enough so that a dedicated person can reach the same conclusion. Now just wait and nab every single bastard dumb enough to try and post code for Sober to get. While you are at it, switch off every website in question when its time to upload comes up. Not only do you cripple the virus's ability to upload, but you catch everyone stupid enough to try and abuse it.

    Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

    1. Re:The alternative by Lesrahpem · · Score: 2, Interesting

      Maybe the people who released this publicly are in opposition to full-disclosure practices and are trying to prove their point?

    2. Re:The alternative by Gordonjcp · · Score: 2, Insightful

      Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

      It's unlikely that the URL would be any "easily found" string of characters. I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.

      Now what you want is for domain registration companies to watch out for said "likely looking" URL and flag it up as suspicious somehow.

  9. Applications? by FhnuZoag · · Score: 5, Insightful

    Can we use this discovery to distribute a cure?

    I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.

    Problem solved.

    1. Re:Applications? by Skapare · · Score: 4, Funny

      Better yet, have it install Ubuntu and solve the longer term problem, too. :-)

      --
      now we need to go OSS in diesel cars
  10. He's missing some requirements... by hug_the_penguin · · Score: 2, Interesting

    ...namely that he isn't a multinational corporation and that the patent wouldn't fuck over everyone, er I mean wouldn't protect innovation...

    --
    ~HTP~ Hug that tux ;)
  11. roflcopter by Anonymous Coward · · Score: 4, Funny

    Hay guys I have a gr8 idea, why dont they just put a prog at the urls the virus checks, which an infected coputer can run and it will delete the virus!!

    +5 informative

  12. Re:My Question... by The+Amazing+Fish+Boy · · Score: 4, Insightful

    I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.

    Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."

  13. Well known URLs by g-san · · Score: 4, Funny

    one is supposedly http://it.slashdot.org/comments.pl?sid=170643&threshold=1&mode=thread&commentsort=0&op=Reply

    It posts trollish looking messages and chats to you in IM. :)

    Personally, I usually just chill while connected with ethereal running, then connect back to the PCs backdoored by the viruses that are trying to infect my honeypot on tcp/135. Then a simple netstat will show you an established tcp connection back to the IRC server the virus is using to announce itself to the author (not to mention about 500 connections SYN-SENT or ESTABLISHED to PCs being infected/probed, also a good source for other infected, backdoored PCs. You do know what is attacking you and what tcp backdoor it runs, right?) You can usually spot that connection, it has a high TCP destination port, whereas the normal vector port is 135/137/139. It's really sad to see thousands of PCs already announcing themselves to the author on that IRC channel as, "Hey come on over, I am running W2k|2XP. I am XP200453." And there is no one there to give me +OP privs!!! Batrastards!!! I could echo 'you are hacked please visit windowsupdate.com'> the startup folder all I want for days to each one of them to no avail... or echo ''you are a moron, too stupid to own a computer, put it back in the box and yadayadayada....

    I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs. probably echo the same message in the same fashion as above, yet, alas, I am seriously lacking in motivation and spare time. (q.q.v 4. Pr0F1T!!!)

    so little time, so many IP addresses, so many ignorant users.... so many clever, clever coders...

    1. Re:Well known URLs by g-san · · Score: 3, Insightful

      Unlikely, most I have seen seem to be hacked servers. I saw a log file on an infected PC, I connected to the same server and issued the same commands, but by the time I got there the jig must have been up, not the same PCs/output in the channel. Meaning, I issued the same commands but did not see the pages and pages (and pages and pages and pages, literally thousands) of entries as in the log file of IP addresses and entries like 2K10234 and XP11442. Strange thing is the "IRC" server was still running. I say that cause the commands were IRC like but not full blown RFC 1459. I sent a note to abuse@isp.com. Maybe the author got his list and was covering his tracks, but the goods were already in a log file on the PC. Again, just noticed out of the 500-700 open connections (netstat -an |find "ESTAB") on the infected PC one was not to the virus's vector port, thought I would check it out... took several tries to even get to the same channel. I had to join one channel and then issue a command to join the second channel to even try. Can't remember which worm it was (not sober), but this was a few days after it was announced and thought I would sniff to see how prevalent it was. Odd. The virus descriptions say, "opens a backdoor on port xxx," and I would just try to connect to port xxx after I got connections, sometimes you just get a c:\windows prompt. Very scary, glad I know how to keep my win pc up to date, and run linux otherwise. And I consider that to be an invitation of sorts, as in, "I'm sorry, were you trying to tell me something? Were YOU trying to hack ME? YOU connected to ME. I am only looking out for my own security here."

      I really do the echo something > notice.txt into startup folder, hoping the person will take action and realize they are infected... who knows what good that does. I am also a staunch privacy advocate, so nothing malicious (flame-suit on) from my end. mostly dir c:\windows\system32 |find "" to look for recently installed malware. I could care less about your files. That was how I found the log file that had what looked like a complete connection log to the IRC server. Too bad there are not more good commands in windows command shells (usually a virus opens a socket to cmd.exe) or I would kill and clean up and reboot, or even ftp down the patch, not like MS supports that though. (God the good old days of pre-retirement) This happens in internet time, not human time. If someone was really malicious, there is really no way even hundreds of humans could stop it. I take that back, a good hacker (in the MIT sense...) could reconnect back to the machine and issue some commands to shutdown the proc and stop the scanning, but again you are limited to what is at the ms-dos command shell, and we all know how well the anti-blaster worm worked with its ICMP DoS. But given that a goofball scriptkiddie could connect like I did, maybe that is a good thing (good luck kiddies). Careful what you wish for and all that.

      Disclaimer: Really, if I was black hat, would I post with my own account? (laughs hysterically as g-san gets investigated by the FBI the next day). Anyways come get me, I would love to work for you FBI and you could use my help. ;) /disclaimer

      Here goes... submit...

  14. Recognition by hug_the_penguin · · Score: 3, Informative
    They do it so they can stick a finger up to the cops and say `I'm better than you`, such is the mentality of the virus writer or cracker. They also get recognition within the blackhat community as the person who wreaked havoc worldwide. Then there's that smug satisfaction that they haven't been caught. Scientifically, the risk of getting caught topped off with not actually having been caught triggers a dopamine release which makes people feel good. Such is the way virus writers get their thrills.

    The only way they can make money is from a rival company wanting the worm to take down their competition, or a rival country in some cases, wanting to take down a lot of a country's infrastructure based on the net. We're all familiar with the hackers the Russian government hired to try and rip down the internet, but it is often attempted with worms too.

    --
    ~HTP~ Hug that tux ;)
  15. What's meant by "authorities"? by raehl · · Score: 2, Interesting

    Isn't the authorities being able to block a URL a problem? If authority means "Software I've willingly installed on my computer to block malicious URLs", then good, fine and dandy. If authorities means the government, I'm not so keen about that possibility.

  16. Now work backwards? by BoldAndBusted · · Score: 3, Insightful

Hmm... If they can predict forward in time what sites Sober will seek, can they not also look backward in time to see what sites the worm sought in the past? If so, could they not then check the registration records for each of those sites and... find the author?

    1. Re:Now work backwards? by mrogers · · Score: 3, Funny

      Police today announced that they have arrested the author of the Sober internet worm. The suspect was named as Mr. Qwert Y. Asdfasdf123 of 456 Hjklhjkl Street, Mnbvmnbv, Alabama. He was caught after using his real name and address to register a website used by the worm.

  17. Re:uhh... by PhreakOfTime · · Score: 2, Interesting

    Close.

    The actual prudent thing to do would be to use said algorithm and see what domain is generated on the 5th of January 2006, before the date even arrives. Alert ICANN registrars of the situation. Monitor that domain name, and watch for the second it gets assigned an IP. When the particular domain begins to point to a global IP address, then you can nab the perp.

As a bonus, in the above scenario, you don't have to wait for all the compromised machines to bog down yet another unsuspecting network on the 5th of January 2006. win-win. well, that dude that gets caught doesn't win...

  18. Sophistication by squoozer · · Score: 4, Interesting

    I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on its own. This version doesn't need to be terribly good it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
    2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
    3. Hole exploited by the stage two virus is closed. Many are lost.
    4. Author writes new exploit module and uploads it to virus network which then re-infects lost boxes and new boxes.
    5. Virus scanners get to understand core virus and destroy numerous infections.
    6. Author releases new version into the virus network which upgrades current installs. And so it goes on.
    7. ???
    8. Profit!

    Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

BTW I'm not a virus writer.

    --
    I used to have a better sig but it broke.
  19. This is a new one... by Slashcrap · · Score: 4, Insightful

    I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.

    It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.

    So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.

The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.

    1. Re:This is a new one... by Alex+Zepeda · · Score: 4, Informative

      I'm curious if you bothered to read F-Secure's blog:

      So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

      Something to think about.

      --
      The revolution will be mocked
    2. Re:This is a new one... by Tom · · Score: 2, Insightful

      AV is more about marketing than technology anyway.

      No, it isn't. Not about either of those. It's about hard work. AV means having honeynets to catch the malware, then take it apart, create a signature, plug that into your file and send out an update. All as quickly as possible, pretty much around the clock.

      --
      Assorted stuff I do sometimes: Lemuria.org
  20. uh.. by nexcomlink · · Score: 2, Insightful

    How do they or anyone of us know it's going to be expected on that date? Nobody can predict an outbreak because there is never a set time for one. If the virus author can change the date he would. Like they say always expect the unexpected and what was expected is deemed to be better or worse than it was intended to be.

  21. Next headline - F-Secure in violation of DRM by Knightlymuse · · Score: 5, Funny

    Gets sued by virus writer. :)

  22. Many viruses come from very talented people... by blorg · · Score: 4, Insightful

    ...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)

    1. Re:Many viruses come from very talented people... by arose · · Score: 2, Informative

Believe it or not but part of Germany is also part of the former Soviet Bloc...

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  23. Re:My Question... by m50d · · Score: 2, Insightful

    So people know things to look for when analysing other viruses?

    --
    I am trolling
  24. RTFA by igb · · Score: 4, Informative

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

    1. Re:RTFA by taursir · · Score: 2, Interesting

      But he must know this by now. He probably reads Slashdot.

  25. Mod the parent down by Alex+Zepeda · · Score: 4, Informative

    Read the F-Secure blog.

    Or read my previous comment.

    F-Secure didn't simply crack the algorithm yesterday.

    --
    The revolution will be mocked
  26. Re:uhh... by Nogami_Saeko · · Score: 2, Informative

It doesn't look like the program is generating completely random domains, it looks like it's using domains that can be created on one of the free hosting services (i.e. like the European version of geocities or whatever) that are mentioned on the page.

    So all you'd need to do is register the account name on the free hosting service that's utilized for that day and away you go. Not a problem to register an account using a hacked email account and keep it anonymous.

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
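The watching approach that PhreakOfTime (comment 17) describes, adjusted for what Nogami_Saeko points out above (the targets are account pages on free hosting services, so the thing to watch is when the URL starts serving content, not when a domain resolves), written out as an added example. This is not F-Secure's code and contains nothing of Sober's actual URL generator: the per-date URL list, the account names and the probe responses are all constructed placeholders, and in a real deployment the probe would be an HTTP HEAD request run on a schedule.

```python
"""Watch the URLs precomputed for an activation date and record the moment one
of them starts serving content. A URL that comes alive *before* the activation
date is the event a defender wants to be paged about.

Added example (not F-Secure's or Sober's code). URL list, account names and
probe behaviour are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the per-date URL list an analyst would get from the
# cracked algorithm. The host prefixes are the free-hosting services quoted in
# the thread; the account names are placeholders, not real Sober output.
WATCHLIST: Dict[date, List[str]] = {
    date(2006, 1, 5): [
        "http://people.freenet.de/EXAMPLE-ACCOUNT-A/",
        "http://home.arcor.de/EXAMPLE-ACCOUNT-B/",
    ],
}

# A probe answers with the HTTP status a URL returns, or None if unreachable.
Probe = Callable[[str], Optional[int]]


@dataclass
class Sighting:
    url: str
    first_live: datetime
    before_activation: bool  # True if content appeared ahead of the trigger date


@dataclass
class Watcher:
    probe: Probe
    watchlist: Dict[date, List[str]]
    live: Dict[str, Sighting] = field(default_factory=dict)

    def poll(self, now: datetime) -> List[Sighting]:
        """Probe every watched URL once; return the URLs that went live on this poll."""
        new: List[Sighting] = []
        for activation, urls in self.watchlist.items():
            for url in urls:
                if url in self.live:
                    continue  # already reported once; do not page again
                status = self.probe(url)
                if status is not None and 200 <= status < 300:
                    sighting = Sighting(url, now, now.date() < activation)
                    self.live[url] = sighting
                    new.append(sighting)
        return new


class ScriptedProbe:
    """Constructed stand-in for a real HTTP probe: answers 404 until the poll
    number at which a URL is scripted to come alive, then 200."""

    def __init__(self, go_live_at: Dict[str, int]):
        self.go_live_at = go_live_at
        self.calls: Dict[str, int] = {}

    def __call__(self, url: str) -> Optional[int]:
        n = self.calls.get(url, 0) + 1
        self.calls[url] = n
        live_at = self.go_live_at.get(url)
        return 200 if live_at is not None and n >= live_at else 404


def run_demo() -> List[Sighting]:
    """Three daily polls in December 2005: ACCOUNT-A is scripted to come alive
    on the second poll, ACCOUNT-B never does."""
    probe = ScriptedProbe({"http://people.freenet.de/EXAMPLE-ACCOUNT-A/": 2})
    watcher = Watcher(probe, WATCHLIST)
    found: List[Sighting] = []
    for day in (20, 21, 22):
        found.extend(watcher.poll(datetime(2005, 12, day, 6, 0)))
    return found


if __name__ == "__main__":
    for s in run_demo():
        flag = " (before activation date!)" if s.before_activation else ""
        print(f"{s.url} went live at {s.first_live.isoformat()}{flag}")
```

The watcher reports each URL once and records whether it came alive ahead of the date the worm will contact it; that timestamp, not the eventual download, is what the registrar or hosting provider would be asked to correlate with their account records.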
  27. To expand... by interactive_civilian · · Score: 4, Insightful
    They know the activation date (January 5, 2006), and they know the URLs that Sober will try to connect to on that date, right? From this, I see a few things:

    1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.

    2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?

    3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...

    4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...

    5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.

    Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...

    Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
  28. BZZZZT!!! Talking out of you a** ... by hummassa · · Score: 3, Informative

    Ok, so, it's /., we don't usually RTFA, but those are the domains:
    http://people.freenet.de/
    http://scifi.pages.at/
    http://home.pages.at/
    http://free.pages.at/
    http://home.arcor.de/
    not really "alphabet soup with a TLD suffix", uh?

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
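The ISP-side detection that interactive_civilian suggests in points 4 and 5 of comment 27, using the hosting prefixes hummassa lists above, as an added example (not code from the page, F-Secure or any ISP). The proxy log format, client addresses and account names are constructed; the per-day URL set stands in for what the cracked generator would produce and is not Sober's real output. The point worth noticing is that the HTTP status is ignored on purpose: the article says almost none of the URLs exist, so the infected machines are identified by the request itself, which normally comes back 404.

```python
"""Find clients that request the day's Sober URLs in a proxy log and bucket
them by network for ISP notification.

Added example (not the page's code). Log lines, addresses and account names
are constructed; the URL set is a placeholder for the cracked generator's
output for that day."""
import ipaddress
import re
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, Set

# Per-day URL sets as an analyst would obtain them from the cracked algorithm.
# Hosts are the free-hosting prefixes quoted in the thread; account names are
# constructed placeholders.
EXPECTED_URLS: Dict[date, Set[str]] = {
    date(2006, 1, 5): {
        "http://people.freenet.de/EXAMPLE-ACCT-A/",
        "http://free.pages.at/EXAMPLE-ACCT-B/",
    },
}

# Constructed proxy log: "<iso timestamp> <client> <method> <url> <status>".
# Note the last line: same URL, but dated the day before, so it does not match.
SAMPLE_LOG = """\
2006-01-05T00:02:11 192.0.2.10 GET http://people.freenet.de/EXAMPLE-ACCT-A/ 404
2006-01-05T00:02:12 192.0.2.10 GET http://free.pages.at/EXAMPLE-ACCT-B/ 404
2006-01-05T00:03:40 192.0.2.55 GET http://www.example.com/index.html 200
2006-01-05T00:04:01 198.51.100.7 GET http://free.pages.at/EXAMPLE-ACCT-B/ 404
2006-01-05T00:04:09 192.0.2.10 GET http://people.freenet.de/EXAMPLE-ACCT-A/ 404
2006-01-04T23:59:59 203.0.113.9 GET http://people.freenet.de/EXAMPLE-ACCT-A/ 404
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) \S+ (\S+) (\d{3})$")


def find_infected(lines: Iterable[str], day: date) -> Dict[str, int]:
    """Count, per client address, requests made on `day` for that day's URLs.
    The status code is deliberately not filtered: the URL usually does not
    exist, so a 404 is the expected answer and still marks an infected host."""
    expected = EXPECTED_URLS.get(day, set())
    hits: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        when, client, url, _status = m.groups()
        if date.fromisoformat(when) != day:
            continue  # the URL set is date-specific; other days use other URLs
        if url in expected:
            hits[client] += 1
    return dict(hits)


def group_by_network(hits: Dict[str, int], prefix: int = 24) -> Dict[str, List[str]]:
    """Bucket flagged clients by netblock so each ISP or block owner receives
    one notification list instead of one mail per request."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for client in sorted(hits, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
        groups[str(net)].append(client)
    return dict(groups)


def scan_sample() -> Dict[str, int]:
    """Run the scanner over the constructed log for the activation date."""
    return find_infected(SAMPLE_LOG.splitlines(), date(2006, 1, 5))


if __name__ == "__main__":
    hits = scan_sample()
    for net, clients in group_by_network(hits).items():
        print(net, "->", ", ".join(f"{c} ({hits[c]} requests)" for c in clients))
```

On the constructed log this flags 192.0.2.10 (three requests) and 198.51.100.7 (one), ignores the unrelated request from 192.0.2.55, and drops the 203.0.113.9 line because it falls on the wrong day; whether one request is enough to warn an account holder, and how many warnings precede a disconnection, is the policy question the comment leaves open.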
  29. They cracked it in May! by kyz · · Score: 5, Informative
My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

    As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.
    --
    Does my bum look big in this?
  30. Why did they have to crypto'ally crack the code? by ArsenneLupin · · Score: 2, Interesting
    Why did F-Secure (and other AV researchers) have to cryptographically crack the code? Couldn't they simply have advanced the clock on their PC, and empirically snoop which URLs the virus would check?

  31. Reminds me of a song..... by Theovon · · Score: 2, Funny

    Sober cracked code, and I don't care. Sober cracked code, and I don't care. Sober cracked code, and I don't caaaaaaaaare. And the hacker's gone away.

    (Note: I apologize to anyone who is aware of the origins of the song I'm parodying.)

  32. Clean and Sober by Ritz_Just_Ritz · · Score: 2, Interesting

Why not use this information to post disinfection code on the next Sober trigger date? That seems like the best use of this information since the author has probably already been tipped that he/she can't post their own code anymore. I wonder how many Sober infected PCs are still in the wild? Cheers,

  33. Re:Why did they have to crypto'ally crack the code by Butterspoon · · Score: 3, Informative
This wouldn't work because the worm syncs with a timeserver, so you get the activation on the target date even if your system clock's wrong.

    Yeah you could spoof the response from the timeserver, but simply cracking the code is far more elegant.

    --
    pi = 2*|arg(God)|
  34. DMCA by watermark · · Score: 2, Funny

The Sober author should have included a EULA. "By using your computer, you accept the terms and conditions located at C:\eula.txt"

  35. Re:Hard to admit, but North Korea... by BoRegardless · · Score: 2, Insightful

& China & India groups might be using surreptitious quiet entries to gather up all sorts of intellectual property secrets so they don't have to invent them "in-house".

  36. Re:At least Viruses dont spontaneously mutate by marcosdumay · · Score: 3, Insightful

    "A virus can't just start rewriting itself with whacky random code because programs have to conform to very strict rules to still work, whereas biological mutations..."

That statement is naive. Biological organisms also have very strict rules that they need to conform to, even stricter than computer programs. That is why most mutations are lethal.

    Biological viruses don't have anything like junk-DNA to mutate into something useful. This happens because biological viruses are also constrained into a small size, just like the computer ones.

    The biological virus can spread while mutating because each virus creates millions of descendants with hundreds of different mutations. Just out of luck, some can spread well. We can do this with computer viruses too.