Sober worm cracked
Finnish security firm F-Secure has cracked a code used by the Sober worm, potentially allowing the company to block the worm from receiving updates.
Sober has mutated constantly since October 2003, when the first variant was picked up, with more than 20 other variants making the rounds. Last month the latest version, called Sober.Y by F-Secure (or CME-681 using US-CERT's CME naming system), was responsible for the biggest outbreak of the year, and still accounts for about 40 percent of all infections detected by F-Secure.
One of the features that has made Sober so dangerous is its ability to download new variants, instantly infecting large numbers of machines, say security experts. The current variant is expected to re-activate itself on 5 January, according to iDefense.
The downloading pattern stumped anti-virus researchers for a time because the URL used was created by a secret algorithm. "Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria," said Mikko Hypponen, F-Secure's manager of anti-virus research.
Posted by - GoogleFreak
December 13, 2005, 3:37 pm
News Source - Tech World