
May 20, 2005

Aggressive Sober.p Worm To Strike Monday

Courtesy of TechWeb News

Monday may be a very bad day, a security researcher said Friday as he warned that the aggressive Sober worm of early May is timed to download new code the first day of next workweek.

Sober.p, the mass-mailed worm that spread voraciously by virtue of its offer of free World Cup tickets, is poised to launch another attack Monday, said Dmitri Alperovitch, a research engineer with Alpharetta, Ga.-based security firm CipherTrust.

"At the moment, the payload is unknown, but it may be another form of spam, like Sober.q; more malicious code, like another virus; or a denial-of-service attack."

Starting last weekend, Sober.p-infected machines were sent a Trojan horse, dubbed Sober.q by anti-virus vendors, that spewed out large amounts of right-wing German hate mail.

According to Alperovitch, Sober.p has code indicating that it will "reactivate" on May 23, just as it did earlier when it began listening for instructions from its creator; that first activation resulted in the spam of this week.

"He's accumulated a number of machines," said Alperovitch, but he wouldn't hazard even an estimate as to the size of the network of infected machines, also called a "botnet."

The interesting thing about Sober.p, and its follow-on attacks, said Alperovitch, is the way the hacker has hidden the source of the code that is downloaded to previously compromised PCs. Typically, worms embed the URLs or IP addresses of the servers used in later attacks directly in their code. Although it may take time for researchers to dig through the worm before finding those addresses, they can usually root them out in time to stymie the attack by having the servers taken offline by ISPs or hosting services.

Sober.p, however, uses a more ingenious method that essentially "randomizes" the URLs of the servers from which code, like the Sober.q Trojan and whatever is downloaded by infected PCs on Monday, is drawn. Every hour an algorithm in Sober.p creates a time-stamp-like key, then uses that key to generate a URL to a server on one of five different hosting services operating in Germany and Austria.

"Sober.p's maker knows the algorithm, so he can generate the URL long before a specific hour," said Alperovitch. "He can register the URL with a hosting company days in advance, and plant the code to be downloaded by Sober.p-infected machines days in advance, too. It may already be on servers."

The hour-by-hour change of servers and the randomly created URLs mean that the hacker can launch his attacks Monday with impunity: there is no fixed address for defenders to take down ahead of time.
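To make the mechanism concrete, here is an added illustration that is not code from the article or from Sober.p itself: a hypothetical time-stamp-keyed URL generator of the kind described, used the way a defender who has recovered the algorithm from the worm would use it, to pre-compute the 24 hourly candidate URLs for May 23 so they can be blocked or sinkholed before the download hour arrives. The hosting-service names, the hashing scheme and the seed are constructed placeholders, not Sober.p's real values.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed stand-ins for the five hosting services named in the article.
HOSTING_SERVICES = [
    "hoster-a.example", "hoster-b.example", "hoster-c.example",
    "hoster-d.example", "hoster-e.example",
]

# Constructed seed; a real sample would carry its own constant inside the binary.
SEED = b"constructed-seed"


def hourly_key(ts: datetime) -> str:
    """Time-stamp-like key: every minute within the same UTC hour maps to one key."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H")


def url_for(year: int, month: int, day: int, hour: int, minute: int = 0) -> str:
    """Hypothetical generator: hash the hour key into a host choice and a random-looking label."""
    ts = datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
    digest = hashlib.sha256(SEED + hourly_key(ts).encode()).digest()
    host = HOSTING_SERVICES[digest[0] % len(HOSTING_SERVICES)]
    label = digest[1:9].hex()  # 16 hex chars, looks random but is fully determined by the hour
    return f"http://{label}.{host}/"


def urls_for_day(year: int, month: int, day: int) -> List[str]:
    """Defender view: enumerate all 24 hourly URLs for a date so they can be blocklisted."""
    start = datetime(year, month, day, tzinfo=timezone.utc)
    return [url_for(year, month, day, (start + timedelta(hours=h)).hour) for h in range(24)]


def blocklist_for_day(year: int, month: int, day: int) -> List[str]:
    """Distinct hostnames to hand to resolvers or the hosting services for the day."""
    hosts = {u.split("/")[2] for u in urls_for_day(year, month, day)}
    return sorted(hosts)


if __name__ == "__main__":
    for u in urls_for_day(2005, 5, 23):
        print(u)
```

The same determinism that lets the worm's author register a hostname days ahead lets a defender who knows the algorithm produce the identical list and block it in advance.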

"The only way to stop this would be to convince all five hosting services to stop taking registrations," said Alperovitch. And that's not likely something any of them would agree to.

"He has a large community of infected machines already," said Alperovitch. "He may want to enlarge that community, or replace the worm [Sober.p] on the machines. We just don't know." "What we do know is that he'll likely be successful," Alperovitch went on. "He used the same algorithm to distribute the Sober.q Trojan, and look what that did."

Users who suspect that their machines may be infected by the Sober.p worm can turn to several free detect-and-destroy tools, including ones provided by Symantec and McAfee.
