Sober Worm Code Algorithm Cracked
Anti-virus researchers crack the algorithm used in the nonstop Sober worm attacks to accurately predict the dates and URLs that will be used in future variants.
The algorithm used in one of the most debilitating e-mail worm attacks in history has been cracked, allowing virus researchers to accurately predict the dates and URLs that will be used in future mutants. Researchers at Finnish anti-virus vendor F-Secure Corp. first cracked the code used in the Win32.Sober worm family in May this year but withheld details until this week to avoid tipping off the attacker.
Mikko Hypponen, chief incident officer of F-Secure, said the Sober worm uses an algorithm to create "pseudorandom URLs" that change based on the date. "These URLs point to free hosting servers typically operating in Germany or in Austria," Hypponen explained in a blog entry.
http://people.freenet.de/gixcihnm/
Hypponen said the list will change every 14 days, beginning Jan. 6, 2005. After that date the list becomes:
http://people.freenet.de/mookflolfctm/
The LURHQ Threat Intelligence Group has also published an analysis of the Sober worm code that shows how the virus writer decides on the time of new attacks.