Sober virus code cracked by security firms

Administrators warned to make PCs safe by 5 January 2006...

By Munir Kotadia

Published: 12 December 2005 09:55 GMT

Antivirus companies say they have cracked an algorithm that was being used by the Sober worm to "communicate" with its author.

The latest variant of the Sober worm caused havoc in November by duping users into executing it by masking itself as emails from the FBI and CIA. Antivirus companies were aware that the worm somehow knew how to update itself via the web. The worm's author programmed this functionality to control infected machines and, if required, change their behaviour.

Finnish antivirus firm F-Secure revealed last week that it had cracked the algorithm used by the worm and could now calculate the exact URLs the worm would check on a particular day.

Mikko Hypponen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it.

He said in his blog: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine per cent of the URLs simply don't exist... However, the virus author can pre-calculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and 'bang', it's run globally on hundreds of thousands of machines."

According to F-Secure's calculations, on 5 January 2006, all computers infected with the latest variant of Sober will look for an updated file located in a list of domains.

Hypponen advised administrators to ensure any infected PCs can't upgrade automatically by blocking access to the domains.

Adam Biviano, premium services manager at Trend Micro, said that blocking the URLs could be beneficial, but the safest bet would be to ensure that PCs are safe.

He said: "Blocking those URLs is not a bad idea but administrators need to make sure their machines are not infected in the first place."

Munir Kotadia writes for ZDNet Australia
