More details on Sober worm



There’s a bit more detail in this betanews article on the sober worm. They basically say that the next expected “release” is January 8th, that f-secure has cracked the “code” of the worm. You see it appears that the URL’s that new versions of the worm are downloaded from are not hardcoded, but “psuedorandom” and they’ve cracked the algorithm the worm uses.


They say they’ve had it cracked since about May of this year, but had kept things close to the vest, only notifying German authorites located where the url’s were to be hosted. They say 99% of the url’s are currently non-existent, but all the virus writer must do is activate one and then all the currently infected sober systems start updating. After the January 5/6 check, the virus will check every two weeks for updates.

It is a quite clever “distributed” model that they seem to have employed to evade getting it snuffed out up until now. Most of the url’s seem to be pointing to accounts that would be hosted at free sites.

It sounds as though this will require continued monitoring and attention until the machines infected by sober are eliminated.

Related Posts

Blog Traffic Exchange Related Posts
  • Zotob.b may be affecting some XP SP2/2003 installs As I noted yesterday, virii typically get updated and improved. Yesterdays reports about the zotob virus noted that Windows Xp service pack 2 and Windows 2003 were not affected by the new worm. Today however, the sans institute is reporting that zotob may be affecting some XP sp2 and 2003......
  • The Blackworm, Nyxem, KamaSutra Worm... Lot's of news following up on the Nyxem worm in the last few days. It's currently going under a number of names, the Kama Sutra Worm, Blackworm are some of the more common names. Sans has a page for information on the worm here. Microsoft has detailed manual removal instructions.......
  • Sending Virus or Spam Abuse reports It occured to me that I may not have brought things to a neat conclusion on the post earlier about tracking email header data. I did make reference to sending an abuse report. Here's an attempt to clear up a few things that might still be fuzzy. 1) usually the......
Blog Traffic Exchange Related Websites
  • Real-estate Hosting - Don't Overpay! Recently, I d been using WordTracker.com to see which "real estate property website" phrases get searched quite often through Google, Yahoo and similar major search engines. It surprised me that the phrase "property web hosting" and also the longer "real-estate internet page hosting" were two of the most commonly searched......
  • Small Business Financing: Taking Advantage Of Credit Cards And Knowing When To Avoid Them If you’re looking at starting a small business, you may be overwhelmed by the prospect of finding a way to fund your new venture. While there are a variety of options out there, one size does not fit all, and you’ll want to take a careful look at your own......
  • Wickedly Spooky Halloween Roundup Happy Sunday to all my readers! Today's all about the roundup. As usual we have the Fitness Health Network of which I am a part of so go ahead and browse through the posts. You'll find they have a lot of great things to say. A little further down are......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site