More details on Sober worm



There’s a bit more detail in this betanews article on the sober worm. They basically say that the next expected “release” is January 8th, that f-secure has cracked the “code” of the worm. You see it appears that the URL’s that new versions of the worm are downloaded from are not hardcoded, but “psuedorandom” and they’ve cracked the algorithm the worm uses.


They say they’ve had it cracked since about May of this year, but had kept things close to the vest, only notifying German authorites located where the url’s were to be hosted. They say 99% of the url’s are currently non-existent, but all the virus writer must do is activate one and then all the currently infected sober systems start updating. After the January 5/6 check, the virus will check every two weeks for updates.

It is a quite clever “distributed” model that they seem to have employed to evade getting it snuffed out up until now. Most of the url’s seem to be pointing to accounts that would be hosted at free sites.

It sounds as though this will require continued monitoring and attention until the machines infected by sober are eliminated.

Related Posts

Blog Traffic Exchange Related Posts
  • Zotob.b may be affecting some XP SP2/2003 installs As I noted yesterday, virii typically get updated and improved. Yesterdays reports about the zotob virus noted that Windows Xp service pack 2 and Windows 2003 were not affected by the new worm. Today however, the sans institute is reporting that zotob may be affecting some XP sp2 and 2003......
  • HP virus throttler available for Linux HP will be making their virus throttler software avialable for Linux. Their virus throttler software detects compromised machines on a network, mails the administrator and throttles network connections to the machine, attempting to minimize the impact of the viral outbreak. (It seems as though it would be especially useful against......
  • Sending Virus or Spam Abuse reports It occured to me that I may not have brought things to a neat conclusion on the post earlier about tracking email header data. I did make reference to sending an abuse report. Here's an attempt to clear up a few things that might still be fuzzy. 1) usually the......
Blog Traffic Exchange Related Websites
  • Real-estate Hosting - Don't Overpay! Recently, I d been using WordTracker.com to see which "real estate property website" phrases get searched quite often through Google, Yahoo and similar major search engines. It surprised me that the phrase "property web hosting" and also the longer "real-estate internet page hosting" were two of the most commonly searched......
  • Weekly Mashup, Apple Pie Edition This week you can find me in 3 different carnivals: Savings Not Shoes hosted the Festival of Frugality and included my article Can I Get a Job with a Misdemeanor? I  hosted the Money Hacks Carnival and went with an apple pie theme for National Apple Pie day. Financial Highway hosted the Carnival of Debt......
  • Movin' on Up! Why I Finally Made the Switch to a Self-Hosted Wordpress Blog The Conservative Journal began nearly 3 years ago as a purely political Wordpress-hosted blog.  Throughout the nearly 3 year journey, a lot of contributors have come and gone, some for more nefarious reasons than others (I'm looking at you, short-term writer who stole an iPad!).  One thing that has been......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site