/v3-uk/news/1974677/experts-crack-sober-worm-code
09 Dec 2005, Iain Thomson , V3
A careful examination of the Sober worm code has revealed that its authors are planning to launch a major attack on 5 January.
The worm will contact a URL hosted in Germany or Austria and begin downloading material onto infected PCs.
Experts believe that the material could be from a neo-Nazi organisation. The activation date is the 87th anniversary of the founding of the Nazi Party, and the Sober worm has been used by right-wing hate groups in the past.
"This discovery emphasises the ever present and often underestimated threat of 'hacktivism' which combines malicious code with political causes," said Joe Payne, vice president at VeriSign iDefense Security Intelligence Services.
"Exposing this latest variant required technical and geopolitical analysis that connected the dots to give enterprises and home users plenty of time to shore up their defences."
Payne added that infected systems may start spamming the material out to email contacts once the attack begins, which could cause serious clogging problems with some email systems.
This latest Sober variant has had several troubling aspects for security vendors, suggesting that it is not an ordinary piece of code.
Police in Bavaria were able to give an advance warning of an attack recently. "The Bavarian police have not explained how they knew it was coming," said Graham Cluley, senior technology consultant at Sophos.
"It is possible that they are monitoring the communications of the authors. It is possible we'll see an arrest soon."
Cluley explained that one of the reasons for the worm's success is its social engineering techniques.
The email containing the worm purported to come from the FBI and accused the recipient of visiting illegal websites. "They must want to be caught if they're baiting the FBI," said Cluley.
Antivirus firm F-Secure said that the methods the worm uses are very sophisticated. The worm will seek the material from a website with a semi-randomly generated URL, none of which is registered as yet.
This will allow the writer to just register one or two URLs at the last minute and use those to distribute the material. The actual URL will depend on the date used to register.
"The Sober virus author can pre-calculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm," said Mikko Hyppönen, chief research officer at F-Secure.
"This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs."
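To illustrate why a date-driven URL scheme can be turned against its author in the way F-Secure describes, here is an added example (not from the article, and not the worm's real algorithm, which the article does not disclose): a stand-in generator that derives hostnames purely from the calendar date, plus the defender's step of enumerating those hostnames for a whole date window so they can be passed to ISPs and registrars in advance. The hashing construction, the `.de`/`.at` split and the three-hosts-per-day count are all assumptions chosen for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for the worm's URL algorithm. The real Sober generator
# is not public on this page; this date-seeded construction only reproduces the
# property the article describes: the hostnames depend solely on the calendar
# date, so anyone holding the algorithm can compute them ahead of time.
TLDS = ("de", "at")   # the article says the sites were to be hosted in Germany or Austria
HOSTS_PER_DAY = 3     # assumed count of candidate hosts per activation date
LABEL_LEN = 8         # assumed length of the generated host label


def candidate_hosts(day: date, count: int = HOSTS_PER_DAY) -> list[str]:
    """Return the candidate download hostnames for one activation date."""
    hosts = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        # Map digest bytes onto lowercase letters for a plausible-looking label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[-1] % len(TLDS)]
        hosts.append(f"{label}.{tld}")
    return hosts


def precompute_blocklist(start: date, end: date) -> dict[str, list[str]]:
    """Enumerate every candidate hostname from start to end inclusive.

    This is the defender's move described in the article: once the algorithm
    is known, the URLs for any future date can be handed to ISPs and
    registrars before the worm ever tries to contact them.
    """
    out = {}
    day = start
    while day <= end:
        out[day.isoformat()] = candidate_hosts(day)
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    # Cover the week around the 5 January activation date named in the article.
    for day, hosts in precompute_blocklist(date(2006, 1, 1), date(2006, 1, 7)).items():
        print(day, ", ".join(hosts))
```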
Computer users are being warned to patch their systems and download the latest virus updates before 5 January.
Donal Casey, security consultant at technology integrators Morse, said: "It's not often that you'll ever get this much advance warning of a virus attack, so there is little excuse for people and businesses not to be prepared.
"The key is making sure that people at home and employees at work, especially those using mobile devices like laptops, are regularly updating their antivirus software so that they are protected.
"With the Christmas break coming up, organisations need to ensure that they have the processes in place so that updates are not neglected."
excellent job
Posted by particlereddy, 09 Dec 2005