
F-Secure claims to have cracked Sober Worm

Sober has been one of the most widespread worms hitting the web for quite some time. The latest news is somewhat consoling, however: the security firm F-Secure claims to have finally cracked the Sober worm and found a list of URLs that infected machines would access to download a fresher copy.

Earlier this week another security firm, iDefense, drew other leads from the worm’s code when it confirmed that the next release date of Sober would be Jan. 5, 2006. F-Secure, for its part, has identified the Web sites that Sober will use to pull updates to already-compromised PCs. This update would bring new code and a list of new sites to access during the next attack stage.

Mikko Hyppönen, F-Secure’s chief research officer, wrote in a post on the company’s research blog: “Most of [the Sober] variants contain a routine that activates the virus at a later date. After this, [Sober] will try to periodically download and run a file from several sites. This is the way most new Sober variants are distributed: the author uploads a new version and all the infected machines will suddenly get infected with the new variant.”

However, the worm has been very smartly designed: if the original list of websites is not accessible, it uses an algorithm built into its code to generate a number of pseudo-random URLs from the current date and tries those to access the new code.




One Comment to “F-Secure claims to have cracked Sober Worm”

  1. G Keeves | December 12th, 2005 at 9:42 pm

    Why is it not possible to use the update mechanism for the virus to install a program to clean the computer of the virus?!?!
    For instance it may be possible to include a program on all of the web addresses that the virus uses to update itself which would download something automatically on the 5th of January to uninstall the virus.
    Surely this would not be impossible?
