The "mutation" algo has been cracked

Dec 12, 2005 09:56 GMT

For over two years, the Sober worm has been a near-constant threat to computer owners, network administrators and security companies. The worst thing about this worm was the avalanche of variants that surfaced very quickly and from different random locations, which left experts helpless until it was too late for many of the less fortunate computer networks hit by Sober. Security companies have been struggling ever since to figure out what made the worm so unpredictable, so fast in its ways around the internet, and so flexible and "fresh" all the time. Unfortunately, so far the experts have been defeated by Sober's author, and that was all because of the originality of the code, but users also made a huge contribution to this "success story". Given the recently announced high rates of computer ignorance in matters of security, it's not hard to understand why worms far less complex than Sober manage to spread so fast. It's no wonder it happens when people don't take proper security measures, or open every incoming attachment like some kind of Pandora's box.

But news from last Thursday offers a ray of hope on the Sober front, as F-Secure, the Finnish security company, announced that it has managed to break a code used by the most "successful" family of worms currently swarming the Internet, and is now able to block it from being updated. This is great news, and it comes at an especially important moment, when the latest version, called Sober.Y by F-Secure, hit the web at full speed and claimed the title of the most dangerous worm and the biggest outbreak of the year, accounting for about 40 percent of all infections. And to make the full potential of this worm even clearer, we must remind you that this outbreak was announced before it actually happened, and specialists had plenty of time to warn users to take all proper measures to avoid being infected.

Sober's secret weapon is its updating system, which dispatches an entire army of very precise soldiers on the cybernetic front, for which there is no cure before they can actually harm the computer. This particular system was the main interest of security companies, but in the end all the experts shrugged without coming up with a real solution to an increasingly dangerous problem. The system relied on a secret algorithm to create pseudorandom URLs that change with the date.

The Finns at F-Secure announced that they have cracked this secret algorithm, which is a real breakthrough for a quieter online environment. It means Sober will no longer have the capacity to spread that it once had, and that all the virtual addresses the virus relied on can now be blocked, preventing Sober from copying itself onto other systems.

According to Mikko Hypponen, F-Secure's manager of anti-virus research: "The virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and bang! It's run globally in hundreds of thousands of machines."

Should F-Secure's promise prove true, taking this key element of Sober out of the game would leave the virus feared no longer as a cybernetic pandemic but as a simple, common mass-mailer, for which security companies have plenty of blocking solutions. Network administrators will have a much easier time keeping the Sober worm out of their systems by simply adding those addresses to the network's firewall settings.

F-Secure's first chance to prove it is right will come on January 5th, 2006, when all computers infected with the latest variant of Sober will try to connect to a series of websites in order to update. The list includes sites such as:

* http://people.freenet.de/gixcihnm/
* http://scifi.pages.at/agzytvfbybn/
* http://home.pages.at/bdalczxpctcb/
* http://free.pages.at/ftvuefbumebug/
* http://home.arcor.de/ijdsqkkxuwp/

F-Secure advises network administrators to make sure infected PCs can't upgrade automatically by blocking access to those domains. This is a huge step forward, but the ultimate goal is still to prevent the initial infection of the computers.
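To show what F-Secure's advice looks like in practice, here is an added example (not part of the original article and not F-Secure's code) that turns the update URLs listed above into block entries, renders them as URL-filtering proxy rules, and scans proxy log lines for clients that have already tried to fetch an update. The log format, the client addresses and the `update.exe` filename are constructed for the example; only the five URLs come from the article.

```python
import re
from urllib.parse import urlparse

# Update URLs the article lists for the January 5th, 2006 check-in.
SOBER_UPDATE_URLS = [
    "http://people.freenet.de/gixcihnm/",
    "http://scifi.pages.at/agzytvfbybn/",
    "http://home.pages.at/bdalczxpctcb/",
    "http://free.pages.at/ftvuefbumebug/",
    "http://home.arcor.de/ijdsqkkxuwp/",
]


def blocklist_entries(urls):
    """Turn each URL into a (host, path_prefix) pair.

    Matching on host plus path, rather than host alone, matters here: every
    host in the list looks like a shared web-hosting domain, so blocking the
    whole host would also cut off unrelated, legitimate pages on it.
    """
    entries = []
    for url in urls:
        parsed = urlparse(url)
        entries.append((parsed.hostname.lower(), parsed.path))
    return entries


def is_sober_update_request(host, path, entries):
    """True if host/path falls under one of the published update locations."""
    host = host.lower()
    return any(host == h and path.startswith(prefix) for h, prefix in entries)


def squid_acl_lines(entries, acl_name="sober_update"):
    """Render the entries as Squid url_regex ACL lines plus a deny rule.

    Example output for one common URL-filtering proxy; adapt the syntax to
    whatever proxy or firewall is actually in use.
    """
    lines = []
    for host, prefix in entries:
        pattern = "^http://" + re.escape(host) + re.escape(prefix)
        lines.append(f"acl {acl_name} url_regex -i {pattern}")
    lines.append(f"http_access deny {acl_name}")
    return lines


# Constructed proxy access-log lines (assumed format: epoch time, client IP,
# method, URL). The client addresses and "update.exe" are made up; the
# timestamps fall on January 5th, 2006.
SAMPLE_PROXY_LOG = """\
1136454001.123 10.0.0.14 GET http://people.freenet.de/gixcihnm/
1136454002.456 10.0.0.22 GET http://home.pages.at/index.html
1136454003.789 10.0.0.14 GET http://home.arcor.de/ijdsqkkxuwp/update.exe
1136454004.012 10.0.0.31 GET http://www.example.com/
"""


def find_infected_clients(log_text, entries):
    """Return the sorted client IPs that requested a Sober update URL.

    A client that reaches for an update location is already infected, so
    the list is a quarantine list, not just a block list.
    """
    infected = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        parsed = urlparse(url)
        if parsed.hostname and is_sober_update_request(
            parsed.hostname, parsed.path, entries
        ):
            infected.add(client)
    return sorted(infected)


if __name__ == "__main__":
    entries = blocklist_entries(SOBER_UPDATE_URLS)
    print("\n".join(squid_acl_lines(entries)))
    print("clients to quarantine:", find_infected_clients(SAMPLE_PROXY_LOG, entries))
```

Note that the second log line, a request to `home.pages.at/index.html`, is not flagged even though the host appears in the list: the update path is what identifies the worm, and blocking at the path level keeps the rest of a shared hosting domain reachable. A plain firewall that only understands IP addresses cannot make that distinction, which is why a URL-aware proxy is the better place for these rules.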