Will the Sober Worm Spawn?

At exactly 00:00 hours GMT, the Sober worm is programmed to launch a new wave of attacks. Whether or not it happens, anti-virus researches are preaching the 'be prepared' gospel.

At exactly 00:00 hours GMT on Thursday (7 p.m. in New York, 4 p.m. in California), computers already infected with the Sober worm will start connecting to a known list of URLs to download a new mutant. Because this is known, the pre-programmed attack may not happen at all.

However, anti-virus experts have issued a call-to-arms, urging businesses and consumers to prepare for the worst.

"Sober is a very aggressive virus and although we know what it will do next, we have to take all the necessary precautions," said Mikko Hypponen, chief incident officer of F-Secure Corp., the Finnish anti-virus specialist credited with cracking the worm code algorithm.

In an interview with eWEEK, Hypponen said the Sober.Y variant accounts for more than half of all virus infections worldwide. "This particular variant was launched on November 22 last year and its already at the top of every chart. And this is the variant set to activate today," he added.

Hypponen has published a list of 45 URLs that will be used to reinfect computers already controlled by the Sober attacker and the immediate recommendation is for IT administrators to block the addresses at the firewall level.

/zimages/6/28571.gifSober worm code algorithm cracked. Click here to read more.

The URLs all point to free hosting servers operating out of Germany and Austria and, although the sites remain offline, it is likely the attacker has not even registered the domains yet.

The worm code uses an algorithm to create "pseudorandom URLs" that change based on the date. This allows the virus writer to pre-calculate the URL for any date and simply register the domain to upload a malicious program and unleash another round of attacks.

"He knows that we have cracked the code so he may not go ahead at all. Its very likely that he wont even try to register those names," Hypponen said, noting that law enforcement authorities in Europe have been notified and are likely monitoring activity around those domains.

Because there has never been a financial motive associated with the Sober attacks, Hypponen believes it is the work of a single attacker or a very small group.

In the past, the worm has used the lure of free tickets for next years World Cup soccer tournament in Germany and has regularly spammed out messages with German nationalistic propaganda.

Microsoft Corp. also flagged the planned attack as a legitimate threat with the release of a special security advisory to warn that the worm will try to use social engineering tricks to tempt e-mail users into clicking on executable attachments.

Microsoft added detection for the latest Sober variants in its December 2005 update to the Malicious Software Removal Tool and in the Windows Live Safety Center.

An updated version of the malware removal tool will also ship on January 10 with new detections if another variant emerges.

Stefana Ribaudo-Muller, director of Computer Associates International Inc.s eTrust unit, urged enterprise IT administrators to perform system scans ahead of the attack to ensure systems are not already infected by Sober.

"If theres a Sober infection, that machine will try to connect to download new code," Ribaudo-Muller said in an interview.

/zimages/6/28571.gifZombies boost new Sober variant. Click here to read more.

"Theres a likelihood that nothing at all will happen, but we are recommending that computer users be vigilant. Scan your systems and remove any malware from networks prior to [this new attack]," Ribaudo-Muller added.

Shane Coursen, senior technical consultant at Kaspersky Lab, recommends that administrators set up filters to strip all attachments at the gateway as part of preparations for an attack. "Since we already know the list of domains this attack will use, the best thing to do is block that list of URLs immediately."

Costin Raiu, head of research & development at Kaspersky Lab in Romania, believes the anticipated epidemic "may not hit for a while."

"Some of the sites which could host the malicious binary files may be shut down successfully before the trigger time. Additionally, its up to the bad guys to choose the real activation date by placing [or not] the update on the net. In short, no-one can tell exactly what the impact of 6th January on virus history will be," Raiu said in a Viruslist.com blog entry.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.