Slashdot Mirror


Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

26 of 303 comments

  1. code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

    It said "lol no it's not a worm"

    1. Re:code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

      Anyone can crack sober code. The challenge is to crack code written when drunk.

  2. Hard to admit, but that is quite clever by Anonymous Coward · · Score: 5, Insightful

    Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?

    1. Re:Hard to admit, but that is quite clever by buro9 · · Score: 4, Insightful

      "why do talented people waste their abilities on viruses?"

      Money?
      Acclaim (within a small community)?
      Politics?

      I would guess money. Spam pays very well, and a lot of viruses and worms have had monetary ulterior motives; as always, follow the money.

    2. Re:Hard to admit, but that is quite clever by Xarius · · Score: 5, Funny

      I bet he's smart enough to know what a god damned paragraph is though...

      --
      C17H21NO4

    3. Re:Hard to admit, but that is quite clever by muffen · · Score: 4, Interesting

      How many people have been mentioned in almost every newspaper in the entire world on the same day? I doubt the president reached the levels that de Guzman did after writing the LoveLetter worm, and this is a guy in the Philippines who will probably not be able to afford a trip outside his country ever.

      The feeling of power for this individual must be enormous... not saying it's right, but you were asking why people write these things, and the feeling of power is something I believe is a big reason.

      Then of course we have the fact that a lot of these threats steal information etc., so as you say, money would be another reason...

  3. What should happen by gbulmash · · Score: 5, Interesting

    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

  4. Virus writer is a Free Software fanatic by ReformedExCon · · Score: 5, Funny

    Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

    http://en.wikipedia.org/wiki/January_5

    --
    Jesus saved me from my past. He can save you as well.

  5. Patent by digid · · Score: 5, Funny

    Let's award the Sober Virus writer a patent. I think he'd qualify.

  6. Calculate the exact URLs by jannic · · Score: 5, Interesting

    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

    1. Re:Calculate the exact URLs by pe1chl · · Score: 5, Informative

      The URLs are not domain names registered in DNS, but page names on "free homepage" services.
      So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)

  7. Re:Disinfection by Sinus0idal · · Score: 4, Insightful

    Because even though they might be doing something they deem to be nice, running code on someone else's computer without permission is still illegal.

  8. Applications? by FhnuZoag · · Score: 5, Insightful

    Can we use this discovery to distribute a cure?

    I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.

    Problem solved.

    1. Re:Applications? by Skapare · · Score: 4, Funny

      Better yet, have it install Ubuntu and solve the longer term problem, too. :-)

      --
      now we need to go OSS in diesel cars

  9. roflcopter by Anonymous Coward · · Score: 4, Funny

    Hay guys I have a gr8 idea, why dont they just put a prog at the urls the virus checks, which an infected coputer can run and it will delete the virus!!

    +5 informative

  10. Re:My Question... by The+Amazing+Fish+Boy · · Score: 4, Insightful

    I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.

    Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."

  11. Well known URLs by g-san · · Score: 4, Funny

    one is supposedly http://it.slashdot.org/comments.pl?sid=170643&threshold=1&mode=thread&commentsort=0&op=Reply

    It posts trollish looking messages and chats to you in IM. :)

    Personally, I usually just chill while connected with ethereal running, then connect back to the PCs backdoored by the viruses that are trying to infect my honeypot on tcp/135. Then a simple netstat will show you an established tcp connection back to the IRC server the virus is using to announce itself to the author (not to mention about 500 connections SYN-SENT or ESTABLISHED to PCs being infected/probed, also a good source for other infected, backdoored PCs. You do know what is attacking you and what tcp backdoor it runs, right?) You can usually spot that connection, it has a high TCP destination port, whereas the normal vector port is 135/137/139. It's really sad to see thousands of PCs already announcing themselves to the author on that IRC channel as, "Hey come on over, I am running W2k|2XP. I am XP200453." And there is no one there to give me +OP privs!!! Batrastards!!! I could echo 'you are hacked please visit windowsupdate.com'> the startup folder all I want for days to each one of them to no avail... or echo ''you are a moron, too stupid to own a computer, put it back in the box and yadayadayada....

    I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs. probably echo the same message in the same fashion as above, yet, alas, I am seriously lacking in motivation and spare time. (q.q.v 4. Pr0F1T!!!)

    so little time, so many IP addresses, so many ignorant users.... so many clever, clever coders...

  12. Sophistication by squoozer · · Score: 4, Interesting

    I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

    To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

    1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on its own. This version doesn't need to be terribly good; it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
    2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
    3. Hole exploited by the stage two virus is closed. Many are lost.
    4. Author writes new exploit module and uploads it to virus network which then re-infects lost boxes and new boxes.
    5. Virus scanners get to understand core virus and destroy numerous infections.
    6. Author releases new version into the virus network which upgrades current installs. And so it goes on.
    7. ???
    8. Profit!

    Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

    BTW I'm not a virus writer.

    --
    I used to have a better sig but it broke.

  13. This is a new one... by Slashcrap · · Score: 4, Insightful

    I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.

    It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.

    So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.

    The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.

    1. Re:This is a new one... by Alex+Zepeda · · Score: 4, Informative

      I'm curious if you bothered to read F-Secure's blog:

      So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

      Something to think about.

      --
      The revolution will be mocked

  14. Next headline - F-Secure in violation of DRM by Knightlymuse · · Score: 5, Funny

    Gets sued by virus writer. :)

  15. Many viruses come from very talented people... by blorg · · Score: 4, Insightful

    ...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)

  16. RTFA by igb · · Score: 4, Informative

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

  17. Mod the parent down by Alex+Zepeda · · Score: 4, Informative

    Read the F-Secure blog.

    Or read my previous comment.

    F-Secure didn't simply crack the algorithm yesterday.

    --
    The revolution will be mocked

  18. To expand... by interactive_civilian · · Score: 4, Insightful

    They know the activation date (January 5, 2006), and they know the URLs that Sober will try to connect to on that date, right? From this, I see a few things:

    1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.

    2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?

    3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...

    4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...

    5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.

    Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...

    Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
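    An added example, not from this thread, from F-Secure, or from Sober itself, tying together the date-seeded URL scheme described in the story summary and the ISP-side monitoring proposed in point 4 of the comment above. The generator is a constructed stand-in (SHA-256 of the date plus a counter, truncated), the host names are placeholders under the reserved .invalid TLD, and the proxy-log line format is an assumption. What it shows is the defender's side of the property Hyppönen describes: because the same date always yields the same URLs, the per-day list can be computed ahead of time, turned into a blocklist, and matched against proxy logs to find the clients that asked for one of those URLs on the day it was live.

```python
from __future__ import annotations

import datetime
import hashlib
import re

# Hypothetical free-homepage hosts standing in for the services named in the
# thread. ".invalid" is reserved by RFC 2606, so these names never resolve.
HOSTS = ("pages.example-host-a.invalid", "home.example-host-b.invalid")


def candidate_urls(day: datetime.date, count: int = 4) -> list[str]:
    """Return the URLs a date-seeded generator would try on `day`.

    Constructed stand-in, not Sober's algorithm: SHA-256 over the ISO date and
    a counter, keeping eight hex characters as the page name. Same date in,
    same URLs out, which is exactly what lets a defender precompute the list.
    """
    urls = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}#{i}".encode()).hexdigest()
        host = HOSTS[i % len(HOSTS)]
        urls.append(f"http://{host}/{digest[:8]}/")
    return urls


def blocklist(start: datetime.date, end: datetime.date) -> dict[str, list[str]]:
    """Precompute every candidate URL from start to end (inclusive), keyed by ISO date."""
    out: dict[str, list[str]] = {}
    day = start
    while day <= end:
        out[day.isoformat()] = candidate_urls(day)
        day += datetime.timedelta(days=1)
    return out


# Assumed proxy-log line layout: "<ISO timestamp> <client IP> <method> <URL>".
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) (\w+) (\S+)$")


def infected_clients(log_lines, start: datetime.date, end: datetime.date) -> dict[str, set[str]]:
    """Map each client IP to the generated URLs it requested on the matching date.

    A request is only counted if the URL belongs to the list for the day the
    request was made; yesterday's or tomorrow's URL is not a hit.
    """
    wanted = blocklist(start, end)
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        date_part, client, _method, url = m.groups()
        if url in wanted.get(date_part, ()):
            hits.setdefault(client, set()).add(url)
    return hits


ACTIVATION = datetime.date(2006, 1, 5)          # date given in the story
WINDOW_END = ACTIVATION + datetime.timedelta(days=2)

# Constructed sample log. Line 2 requests one of the activation day's URLs;
# line 4 requests an activation-day URL but on the day before, so it is not a hit.
SAMPLE_LOG = [
    "2006-01-05T08:01:12 10.0.0.7 GET http://www.example.com/index.html",
    f"2006-01-05T08:01:40 10.0.0.12 GET {candidate_urls(ACTIVATION)[1]}",
    "2006-01-05T08:02:03 10.0.0.12 GET http://www.example.com/news/",
    f"2006-01-04T23:59:59 10.0.0.20 GET {candidate_urls(ACTIVATION)[0]}",
]

if __name__ == "__main__":
    for date_key, urls in blocklist(ACTIVATION, WINDOW_END).items():
        print(date_key, *urls)
    print(infected_clients(SAMPLE_LOG, ACTIVATION, ACTIVATION))
```

    The blocklist is what the articles ask sysadmins to apply; the `infected_clients` pass is the ISP-side step, producing the list of accounts to notify without anyone having to register the URLs or serve anything from them.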
  19. They cracked it in May! by kyz · · Score: 5, Informative

    My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

    As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

    --
    Does my bum look big in this?