Slashdot Mirror


Sober Code Cracked

An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

12 of 303 comments

  1. code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

    It said "lol no it's not a worm"

    1. Re:code cracked, communication revealed by Anonymous Coward · · Score: 5, Funny

      Anyone can crack sober code. The challenge is to crack code written when drunk.

  2. Hard to admit, but that is quite clever by Anonymous Coward · · Score: 5, Insightful

    Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?

    1. Re:Hard to admit, but that is quite clever by Xarius · · Score: 5, Funny

      I bet he's smart enough to know what a god damned paragraph is though...

      --
      C17H21NO4

  3. What should happen by gbulmash · · Score: 5, Interesting

    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

  4. Virus writer is a Free Software fanatic by ReformedExCon · · Score: 5, Funny

    Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

    http://en.wikipedia.org/wiki/January_5

    --
    Jesus saved me from my past. He can save you as well.

  5. Patent by digid · · Score: 5, Funny

    Let's award the Sober Virus writer a patent. I think he'd qualify.

  6. Calculate the exact URLs by jannic · · Score: 5, Interesting

    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

    1. Re:Calculate the exact URLs by pe1chl · · Score: 5, Informative

      The URLs are not domain names registered in DNS, but page names on "free homepage" services.
      So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)

  7. Applications? by FhnuZoag · · Score: 5, Insightful

    Can we use this discovery to distribute a cure?

    I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.

    Problem solved.

  8. Next headline - F-Secure in violation of DRM by Knightlymuse · · Score: 5, Funny

    Gets sued by virus writer. :)

  9. They cracked it in May! by kyz · · Score: 5, Informative

    My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

    As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

    The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

    --
    Does my bum look big in this?
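
The defensive use described in the summary and in the last comment, precomputing the date-based URLs so they can be watched for or blocked ahead of time, sketched here as an added example that is not from the thread or from F-Secure. The page does not give Sober's algorithm, so `candidate_urls` is a labelled stand-in; the host names, the log format and all function names are assumptions.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import urlsplit

# Placeholder free-homepage hosts (constructed; not the services Sober used).
HOSTS = ("homepages.isp-a.example", "members.isp-b.example")

def candidate_urls(day):
    """Stand-in generator: any deterministic function of the date, NOT Sober's."""
    urls = []
    for i, host in enumerate(HOSTS):
        name = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()[:10]
        urls.append(f"http://{host}/{name}/")
    return urls

def url_key(url):
    """Normalise a URL to (lowercased host, first path segment)."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    return (parts.hostname or "", segments[1] if len(segments) > 1 else "")

def watchlist(start, days):
    """Precompute the keys for every date in the window, remembering the date."""
    return {url_key(u): start + timedelta(days=d)
            for d in range(days)
            for u in candidate_urls(start + timedelta(days=d))}

def flag_hits(log_lines, table):
    """Return (client, url, generated_for) for each request to a watched page."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:          # skip malformed lines
            continue
        _, client, url = fields
        day = table.get(url_key(url))
        if day is not None:
            hits.append((client, url, day))
    return hits

# Constructed proxy log lines: "<timestamp> <client> <url>".
TABLE = watchlist(date(2006, 1, 5), 14)
JAN6 = candidate_urls(date(2006, 1, 6))[0]
SAMPLE_LOG = [
    "2006-01-06T09:14:02 10.0.0.23 " + JAN6.replace("homepages", "HOMEPAGES") + "update.bin",
    "2006-01-06T09:14:07 10.0.0.41 http://homepages.isp-a.example/family-photos/",
    "2006-01-06T09:15:00 truncated-line",
]

if __name__ == "__main__":
    for hit in flag_hits(SAMPLE_LOG, TABLE):
        print(hit)
```

Matching on host plus first path segment reflects the point made in comment 6.1: the generated names are pages on shared hosting services, so blocking the whole host would also block every unrelated page on it.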