December 9, 2005 9:48 AM PST

Sober code cracked

Antivirus companies say they have cracked an algorithm that was being used by the Sober worm to "communicate" with its author.

The latest variant of the Sober worm caused havoc in November by posing as e-mail from the FBI and CIA to dupe users into executing it. Antivirus companies were aware that the worm somehow knew how to update itself via the Web. The worm's author programmed this functionality to control infected machines and, if required, change their behavior.

On Thursday, Finnish antivirus firm F-Secure revealed that it had cracked the algorithm used by the worm and could now calculate the exact URLs the worm would check on a particular day.

Mikko Hypponen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it.

"Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist...However, the virus author can pre-calculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hypponen wrote in his blog.

According to F-Secure's calculations, on Jan. 5, 2006, all computers infected with the latest variant of Sober will look for an updated file located in a list of domains, including:

http://people.freenet.de/gixcihnm/
http://scifi.pages.at/agzytvfbybn/
http://home.pages.at/bdalczxpctcb/
http://free.pages.at/ftvuefbumebug/
http://home.arcor.de/ijdsqkkxuwp/

Hypponen advised administrators to ensure any infected PCs can't upgrade automatically by blocking access to the domains.

Adam Biviano, premium services manager at Trend Micro, said that blocking the URLs could be beneficial, but the safest bet would be to ensure that PCs are safe.

"Blocking those URLs is not a bad idea but administrators need to make sure their machines are not infected in the first place," Biviano said.
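The workflow the article describes from the defender's side, as an added example that is not code from the article, from F-Secure or from Trend Micro: a date-seeded URL generator is expanded over a window of dates to produce a pre-computed block list, and proxy log lines are then checked for clients that requested one of the generated URLs. The generator below is a hypothetical stand-in built on SHA-256 with a made-up seed; it models the behaviour Hypponen describes (same date, same URL list; different date, different list) but is not Sober's actual algorithm. The host names are the five from the article; the path labels, the seed, the log format and the sample log lines are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Free web-hosting providers named in the article as hosts of the Jan. 5, 2006 URLs.
HOSTS = [
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
]

# Stand-in seed for the model generator (assumption; Sober's real constants are not on the page).
MODEL_SEED = b"hypothetical-sober-model"


def daily_urls(day: date, seed: bytes = MODEL_SEED) -> list[str]:
    """Date-seeded URL generator modelling the behaviour the article describes.

    Hypothetical stand-in, not Sober's actual algorithm: for each host it derives
    one pseudorandom lowercase path label from the calendar date, so the same
    date always yields the same URL list and a different date yields another.
    """
    urls = []
    for index, host in enumerate(HOSTS):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([index])).digest()
        length = 8 + digest[0] % 6            # labels of 8..13 letters, like the article's
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        urls.append(f"http://{host}/{label}/")
    return urls


def blocklist(start: date, days: int, seed: bytes = MODEL_SEED) -> set[str]:
    """Pre-compute every URL the generator will produce over a window of days.

    Once the generator is recovered, a defender can expand it over the coming
    dates and push the result to the proxy or DNS block policy ahead of time.
    """
    return {
        url
        for offset in range(days)
        for url in daily_urls(start + timedelta(days=offset), seed)
    }


def flag_requests(log_lines, blocked: set[str]) -> list[tuple[int, str, str]]:
    """Scan proxy log lines of the constructed form '<timestamp> <client-ip> <method> <url>'
    and return (line_number, client_ip, url) for each request to a blocked URL.

    A hit identifies a client that tried to fetch the day's update location,
    i.e. a machine that still needs cleaning, not merely a URL to block.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue                           # skip blank or malformed lines
        client_ip, url = parts[1], parts[3]
        if url in blocked:
            hits.append((number, client_ip, url))
    return hits


# Constructed proxy log: ordinary requests plus one fetch of a generated URL.
SAMPLE_LOG = [
    "2006-01-05T09:58:02 10.0.0.7 GET http://www.example.com/",
    "2006-01-05T10:02:11 10.0.0.5 GET " + daily_urls(date(2006, 1, 5))[4],
    "2006-01-05T10:03:40 10.0.0.9 GET http://home.arcor.de/somebody/page.html",
    "",
]

if __name__ == "__main__":
    window = blocklist(date(2006, 1, 1), 31)
    print(f"{len(window)} URLs pre-computed for January 2006")
    for number, client_ip, url in flag_requests(SAMPLE_LOG, window):
        print(f"line {number}: client {client_ip} requested generated URL {url}")
```

Blocking the pre-computed set covers the update channel, but a request that matches is evidence of an infected host, which is why the log check reports the client address rather than only the URL.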

Munir Kotadia of ZDNet Australia reported from Sydney.

12 comments

So can they catch the guy who did it?
That would be nice. I had my inboxes flooded with the crap from the idiot, so please go catch him.
Posted by R. U. Sirius (745 comments )
the real root
One of the main problems is that people are not well enough trained to know not to open such e-mail attachments. :)
Posted by ndrtek_rob (5 comments )
Yea, the idiot . . .
who did this to you is called Microsoft, and you're a fool for using their products.
Posted by rbannon (96 comments )
Isn't that a violation of the DMCA?
I mean, they decoded a program without permission.

Didn't they break the law?

Oh wait... it was a Finnish company... I guess Finland doesn't have stupid laws like the DMCA (Digital Millennium Copyright Act).
Posted by Leppard (41 comments )
oh yes
Oh yes. Brilliant comment right there. Let's go ahead and ignore the Finnish thing and all. Imagine the company is American. An anti-virus team is going to be prosecuted for cracking a code (durrrrrrrr, yeah it is clearly copyrighted by its owner) on an illegal program. Yeah, that makes sense. You are incredible. Go play in traffic.
Posted by fbuckleb (1 comment )
update the infected machines with disabled virus code
If the virus code has been cracked, why not update the infected machines with disabled virus code?
Posted by dfc5000 (2 comments )