The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

F-Secure : News from the Lab – How Sober activates

More info on the Sober variant to activate next year.

How Sober activates – Posted by Mikko @ 16:02 GMT

First Sober variant was found in October 2003. Since then, we’ve found over 20 different variants.

Most of these variants contain a routine that activates the virus at later date. After this the virus will try to periodically download and run a file from several websites. This is the way most new Sober variants are distributed: the author uploads a new version and all the infected machines will suddenly get infected with the new variant.

Virus statistics

Sober.Y was the biggest email outbreak of the year. It still is responsbile for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularily try to download and run a file from a website, forever. The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.

So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don’t exist.

However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally in hundreds of thousands of machines.

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn’t want to talk about it publically then – we didn’t want to fill in the virus writer on this. But he must know this by now.

So what do these pseudorandom URLs look like?

Sober.Y listThey look like this. These are the download sites Sober.Y will start using on 5th of January. We’re leaving out the filename of the actual executable, but this should be good enough list of addresses you might want to block at your corporate firewall, if you’re a system administrator:

Right now, none of these URLs exist. If they are to be used, the virus writer will register them just before the activation.

However, the list will change every 14 days, and the first change will happen already on 6th of January. Then the list becomes:

Last thing: Several earlier Sober variants (most notably Sober.Q) have been sending out neonazi propaganda messages. According to iDefense, the activation date of January 5th is an anniversary date for the nazi party.


December 8, 2005 - Posted by | Antivirus News

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: