Sober Code Cracked

Posted by CowboyNeal
from the guts-spilled dept.
An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."

  • by Anonymous Coward on Friday December 09, 2005 @04:46AM (#14217548)
    It said "lol no it's not a worm"
  • by Anonymous Coward on Friday December 09, 2005 @04:47AM (#14217551)
    Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?
    • by buro9 (633210) on Friday December 09, 2005 @04:49AM (#14217558) Homepage
      "why do talented people waste their abilities on viruses?"

      Money?
      Acclaim (within a small community)?
      Politics?

      I would guess money. Spam pays very well, and a lot of viruses and worms have had monetary ulterior motives, as always, follow the money.
      • Recognition (Score:3, Informative)

        They do it so they can stick a finger up to the cops and say `I'm better than you`, such is the mentality of the virus writer or cracker. They also get recognition within the blackhat community as the person who reaped havoc worldwide. Then there's that smug satisfaction that they haven't been caught. Scientifically, the risk of getting caught topped off with not actually having been caught triggers a dopamine release which makes people feel good. Such is the way virus writers get their thrills.

        The only w

      • Their organised crime bosses pay better and give better conditions than so called legitimate software companies. You may as well be writing worms as some of the stuff that big corporations like Sony are sending out.
      • by muffen (321442) on Friday December 09, 2005 @09:53AM (#14218729)
        How many people have been mentioned in almost every newspaper in the entire world on the same day? I doubt the president reached the levels that de Guzman did after writing the loveletter worm, and this is a guy in the Philippines who will probably not be able to afford a trip outside his country ever.

        The feeling of power for this individual must be enormous... not saying it's right, but you were asking why people write these things, and the feeling of power is something I believe is a big reason.

        Then of course we have the fact that a lot of these threats steal information etc., so as you say, money would be another reason...
    • I was actually thinking the same as I read the article, but I was thinking more along the lines of, "Wow, that is quite clever. Innovative, too. Wonder why I couldn't think of something like that."

      It is quite true though that the talent these days seems to be going to those who like to do something malicious with their talent. It saddens me to no end, but I do believe this is a common road that those with actual talent and insight seem to be wanting to follow these days; it's a trend.

      But, alas, I digress. M
    • by killjoe (766577) on Friday December 09, 2005 @05:18AM (#14217655)
      As people at Slashdot are fond of pointing out, businesses are not moral; they are not supposed to be moral. This guy is doing his best to increase shareholder value. Presumably he is the majority shareholder, but really that's not so relevant, is it?
    • why do talented people waste their abilities on viruses?

      Because it's perceived as more profitable than dealing with a manager?
    • My guess it's boredom. Some talented people do stupid stuff because they have nothing better to do.
    • by blorg (726186) on Friday December 09, 2005 @05:50AM (#14217755)
      ...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)
    • I disagree that writing worms and viruses is clever. Not only from a moral point of view; even from a technical point of view it's not that hard. It's really for kids, "my first program", something like that before they learn real programming. There was a teacher (I do not recall the link now) that proved with his computer science class that writing an exploit/worm needs less than 30 days for computer newbies. Fact. In the early 90's I did some virus programming, too. And I should therefore know what I say. Be
      • by Xarius (691264) on Friday December 09, 2005 @07:16AM (#14218017) Homepage
        I bet he's smart enough to know what a god damned paragraph is though...
      • I'd like to start by saying grow up. Your rant sounded like a school kid that was mad that the other kids were getting the attention. As for your "virus", we have no proof that you even made such a thing and I personally doubt it because of how much you overplayed the cloak and dagger theme. Locked up in a safe, yeah right. While I agree that the script kiddies don't know squat, the "crackers" that made new worms and virii can be quite clever. There is a difference between people who just use someone els
      • " And if any of those newbie junkprogrammers out there that has no better to do than to destroy the medium they live in really become smart, than the internet will stop in its actual existance,"

        I am rather surprised that you believe that the virus writers would even want to destroy their own environment. A clever virus would not destroy its own method of survival; that would be stupid. Instead, a clever virus will use as few resources as it can so it isn't caught because of a performance hit.

        Secondly, the
      • by daniel_mcl (77919) on Friday December 09, 2005 @09:58AM (#14218771) Homepage
        First, I have a hard time believing that a professor took students from being "computer newbies" to being able to print out "hello world" ten times in thirty days, much less write some sort of working virus; trying to teach students anything outside of their major is roughly equivalent to pushing dead whales uphill in terms of efficiency. I've been in a lot of classes and taught a few, and I know that the average student will not do any work if it's at all plausible that a significant number of other students won't do it either -- school these days has become a generalized prisoner's dilemma situation, in which the teacher can only fail so many students before being reassigned.

        In the larger scope, I'll just say that it's very tempting to think that one's computer programs just scale automatically, but this is simply not the case. Chances are that you were working on a very homogeneous network at that point, with most machines running rollout-synchronized versions of the same software. I've written "worms" that work under such an environment myself -- unlocking the parental protection on the middle-school computers made lunch-time in the library a lot more interesting. In such a situation, a worm either doesn't spread at all or immediately takes over the entire network, so any success is an impressive one.

        On the real internet, on the other hand, we have a very complicated mesh of various systems with different sorts of protections, some explicitly designed as such but most just due to random variations that prevent a given buffer overflow from working on more than one system. Even if someone is running a vulnerable system somewhere out there, there's a good chance that getting at it may involve going past some other system that is simply going to eat it alive. We're not talking just about computers, but also about routers, switches, and all that Cisco equipment that's silently running a good deal of the net without anyone ever thinking about it.

        That's why there hasn't been a real worm on the internet in quite a while; essentially every major virus in recent memory has relied on social-engineering to trick the user into manually installing the virus onto his own computer. In fact, I'd seriously doubt that it's even feasible to create a self-distributing worm on the internet at this point, unless Microsoft is dumb enough to build remote-execution capability into their application software again.

        Of course, if you were actually working on a diverse, real-world type network, and you managed to devise cross-platform vectors, that's quite different and it'd be interesting to hear about. But if you're like the majority of people who make claims like these, I'm gonna have to say that your eyes are probably a little bigger than your mouth on this one.
    • Hackers and virus writers - They both do things which will let them sit back and be proud of what they've done.

      Some people do constructive things for that, others do very destructive things.

      It's the rush of having made a difference [dotgnu.info] in this world that drives both categories of people. Some sadly seem to like hiding and laughing, some others prefer to do creative things.

      Once you're into adulthood, being a puppet master online starts to lose its charm and you want more bragging rights - which is one

      • Once you're into adulthood, being a puppet master online starts to lose its charm and you want more bragging rights - which is one of the things that drives some h4x0rs back into the straight and narrow path of goodness.

        So the Sober worm author's destiny is to become a mild mannered hard working citizen in the IT work place. Who'd have thunk it.
    • by golgotha007 (62687) on Friday December 09, 2005 @07:55AM (#14218122)
      why do talented people waste their abilities on viruses?

      The ability to control several hundred thousand zombie computers.. are you kidding?

      money, man, money.

      You can do lots of things with that, but the most lucrative might be to blackmail gambling sites. If they don't pay, you DOS their IP block.

    • by Guppy06 (410832) on Friday December 09, 2005 @09:54AM (#14218739)
      "why do talented people waste their abilities on viruses?"

      Sex. It's all about the groupies, man!
  • What should happen (Score:5, Interesting)

    by gbulmash (688770) * <semi_famous&yahoo,com> on Friday December 09, 2005 @04:47AM (#14217553) Homepage Journal
    Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

    - Greg

    • The alternative (Score:3, Interesting)

      by Shihar (153932)
      My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea. Thinking on it now, this very well could be an excellent method of trapping more than one shit head at a time.

      Publicize the information so that other people can also figure out the algorithm. Don't give it away, just let out enough so that a dedicated person can reach the same conclusion. Now just wait and nab every single bastard dumb enough to try
      • Re:The alternative (Score:2, Interesting)

        by Lesrahpem (687242)
        Maybe the people who released this publicly are in opposition to full-disclosure practices and are trying to prove their point?
      • Re:The alternative (Score:3, Insightful)

        by Gordonjcp (186804)
        Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

        It's unlikely that the URL would be any "easily found" string of characters. I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.

        Now what you want is for domain registration companies to watch out for said "likely looking" URL and flag it up as suspicious somehow.
      • Domain registration? That is no good... "It" compromises your web server, then installs a listener where it wants to bloom, it goes on and on. Wait until we get multi-headed viruses (the "lame" hydra concept from swordfish or the network of 13 viruses/worms from that W. Gibson X-Files episode.) It not only infects pcs, but has them connect back to backdoored webservers or pick-a-vulnerable-service to tell the third coordinator proc/worm which PC to infect next, that looks up a list of vulnerable backdoored
      • by kyz (225372) on Friday December 09, 2005 @06:49AM (#14217922) Homepage
        My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea.

        As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.

        The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.
  • by ReformedExCon (897248) <reformed.excon@gmail.com> on Friday December 09, 2005 @04:48AM (#14217554)
    Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

    http://en.wikipedia.org/wiki/January_5 [wikipedia.org]
    • I think we have stumbled over who wrote the virus.

      Richard Stallman is the only Free software fanatic.
    • Everyone check under the bed tonight, it's those damn commies [socialistparty.org.uk].

      Relevant quote from above link:

      "However, the capitalists, many of whom had up to then held Hitler at arms length, took fright at the upsurge in votes for the workers' parties. Consequently, on January 5 1933, Hitler was invited to address a meeting of industrialists and bankers organised by vice-president Baron von Papen, at the home of the aforementioned Baron von Schroeder. At the meeting, Hitler promised to bring an end to democracy in G
    • Or perhaps 26 years after "Hewlett-Packard announces release of its first personal computer."
      Or maybe the writer intends to make bigger news than when "Warner Brothers [showed] the first color newsreel" (1948)
      Or maybe it's the writer's birthday.
      Or maybe it's the first day they intend to be awake after the New Year celebrations
      Or maybe it's to bring down IT infrastructure just as we're getting back to work just after the Holiday Celebrations end.

      The possibilities are endless, and there are far more logical expl
    • No, Sober is a pro-Nazi virus. Jan 05 is "1919 - Free Committee for a German Workers' Peace founded." Check virus descriptions on any antivirus vendor site.

      If you think that is about free software, then you haven't got the bunch of text emails about Dresden bombings and other propaganda.
  • Patent (Score:5, Funny)

    by digid (259751) * on Friday December 09, 2005 @04:48AM (#14217555)
    Let's award the Sober Virus writer a patent. I think he'd qualify.
    • ...namely that he isn't a multinational corporation and that the patent wouldn't fuck over everyone, er I mean wouldn't protect innovation...
    • actually i think that according to the united states patent system, he may in fact HAVE the patent on the algorithm that generates the URLs from where to download "updates" to his worms.

      using this algorithm without his permission is illegal and also capturing him after using this algorithm in the illegal way is not legal and he must be released from custody ... like in the movies :)

      and since you can't be charged for 1 crime twice, he will be off the hook ... aint life just fun ?
      • Re:Patent (Score:3, Funny)

        by ArcticCelt (660351)
        Plus those nasty "pirates" at F-Secure have violated the DMCA by circumventing the security algorithm in Sober and should be prosecuted as soon as possible!
  • Disinfection (Score:2, Interesting)

    by ivan kk (917820)
    So they've figured out the algo, and while I haven't RTFA, i assume the domains don't exist yet either.

    If that's true, what's to stop say symantec predicting a domain for a particular date, taking the domain, and putting a disinfection program up.
    • Re:Disinfection (Score:5, Insightful)

      by Sinus0idal (546109) on Friday December 09, 2005 @04:57AM (#14217590)
      Because even though they might be doing something they deem to be nice, running code on someone else's computer without permission is still illegal.
      • Not everything unlawful is unethical and in this instance, I side with the ethical thing to do.
        • Not everything unlawful is unethical and in this instance, I side with the ethical thing to do.

          Unless they fuck it up. Sorry no, Symantec can run code on my PC once they pry it from my warm moist hands.

      • They didn't run anything. They served up a file in the normal way in response to a normal http request. No trickery, no buffer overflows or anything like that. If someone chooses to download and execute the file that's their business.
    • Re:Disinfection (Score:2, Interesting)

      by HappyMeal (867072) *
      Actually, TFA points out the domains (and they do exist):

      http://people.freenet.de/

      http://scifi.pages.at/

      http://home.pages.at/

      http://free.pages.at/

      http://home.arcor.de/

      I do wish they hadn't publicized it... might have scared off the guy or convinced him to really hide identity when registering.

      Also some risk that sites around the world might indiscriminately block traffic to/from these sites, rather than specific URLs there. :(

      Though, I guess, your point regarding disinfectio

      • Actually, TFA points out the domains (and they do exist):

        The domains do, but not the URLs. These look like free hosts, anyone can register and put up a simple page without having to supply any ID.

      • RTFA (Score:5, Informative)

        by igb (28052) on Friday December 09, 2005 @06:08AM (#14217809)
        The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.
  • by jannic (152373) * on Friday December 09, 2005 @04:55AM (#14217581)
    "According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.
    • For once RTFA
      The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.
      If the virus writer is smart enough to generate pseudo random URLs of which 90% are false, he is smart enough not to trust the computer clock.
  • Simple (Score:2, Redundant)

    by Placido (209939)
    Register one of the URLs and post some code which, when executed, stops the worm executing. Rinse. Repeat.
  • Applications? (Score:5, Insightful)

    by FhnuZoag (875558) on Friday December 09, 2005 @05:05AM (#14217617)
    Can we use this discovery to distribute a cure?

    I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.

    Problem solved.
    • by Skapare (16644) on Friday December 09, 2005 @05:45AM (#14217739) Homepage

      Better yet, have it install Ubuntu and solve the longer term problem, too. :-)

    • To expand... (Score:5, Insightful)

      by interactive_civilian (205158) <mamoru&gmail,com> on Friday December 09, 2005 @06:22AM (#14217850) Homepage Journal
      They know the activation date (January 5, 2006), and they know the URLs that Sober will try to connect to on that date, right? From this, I see a few things:

      1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.

      2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?

      3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...

      4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...

      5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.

      Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...

      Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...
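The story summary describes a worm that derives the URLs it polls from the date, so that whoever knows the algorithm can precompute them, and point 4 of the post above suggests that ISPs watch for requests to those URLs and notify the account holders. The Python below is an added example covering both ideas from the defender's side; it is not code from the Slashdot story, from F-Secure, or from the worm. The name generator is a hypothetical stand-in for Sober's undisclosed algorithm; only the hosting domains and the January 5, 2006 date come from the page. The seed constant, the five-URLs-per-day count, the nine-letter account names, the `http://<host>/<name>/` path form and the proxy log line format are all assumptions.

```python
# Added example, not code from the Slashdot story, F-Secure, or the worm.
# Defender-side model of a date-seeded rendezvous URL scheme: precompute the
# day's URLs (blocklist material) and flag clients that request them in
# proxy logs. The generator is a HYPOTHETICAL stand-in for Sober's undisclosed
# algorithm; only the hosting domains are taken from the discussion.
import hashlib
from datetime import date, timedelta

# Free-hosting domains named in the thread as the worm's URL prefixes.
HOSTS = [
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
]

TRIGGER_DATE = date(2006, 1, 5)        # activation date given in the story
SEED_CONSTANT = b"hypothetical-seed"   # constructed; stands in for the worm's secret
URLS_PER_DAY = 5                       # assumption
NAME_LENGTH = 9                        # assumption; cf. "dfgdfbvbb" in the thread


def _account_name(day, index):
    """Derive a pseudorandom lowercase account name for (day, index).
    Deterministic: anyone holding SEED_CONSTANT gets the same name."""
    material = SEED_CONSTANT + day.isoformat().encode() + bytes([index])
    digest = hashlib.sha256(material).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:NAME_LENGTH])


def expected_urls(day, count=URLS_PER_DAY):
    """URLs an infected machine would try on `day`, in order.
    The path form 'http://<host>/<name>/' is an assumption."""
    return [
        "http://%s/%s/" % (HOSTS[i % len(HOSTS)], _account_name(day, i))
        for i in range(count)
    ]


def precompute(start, days):
    """Blocklist material: {date: [urls]} for `days` consecutive dates."""
    return {
        start + timedelta(n): expected_urls(start + timedelta(n))
        for n in range(days)
    }


def flag_requests(log_lines, day):
    """Match proxy log lines of the constructed form
    '<timestamp> <client_ip> <method> <url>' against that day's URLs.
    Returns {client_ip: matched_url} for clients that look infected."""
    watch = set(expected_urls(day))
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                     # skip malformed lines
        _ts, client, _method, url = parts[:4]
        if url in watch:
            hits[client] = url
    return hits


if __name__ == "__main__":
    for url in expected_urls(TRIGGER_DATE):
        print(url)
    # Constructed log lines: one client fetches a generated URL, one does not.
    sample = [
        "1136448000.123 10.0.0.7 GET " + expected_urls(TRIGGER_DATE)[2],
        "1136448001.456 10.0.0.8 GET http://www.example.com/index.html",
    ]
    print(flag_requests(sample, TRIGGER_DATE))
```

Two points from the thread shape the design. Since the summary says almost all of the generated URLs never exist, the signal an ISP would act on is the request itself, not a successful download, so `flag_requests` matches on the requested URL regardless of response. And because a later comment notes the worm takes its time from the network rather than the local clock, the day is passed in explicitly from the defender's calendar; `precompute` then yields a blocklist for as many days ahead as the algorithm is trusted to hold.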

  • roflcopter (Score:4, Funny)

    by Anonymous Coward on Friday December 09, 2005 @05:10AM (#14217634)
    Hay guys I have a gr8 idea, why dont they just put a prog at the urls the virus checks, which an infected coputer can run and it will delete the virus!!

    +5 informative
  • by g-san (93038) on Friday December 09, 2005 @05:15AM (#14217646)
    one is supposedly http://it.slashdot.org/comments.pl?sid=170643&threshold=1&mode=thread&commentsort=0&op=Reply [slashdot.org]

    It posts trollish looking messages and chats to you in IM. :)

    Personally, I usually just chill while connected with ethereal running, then connect back to the PCs backdoored by the viruses that are trying to infect my honeypot on tcp/135. Then a simple netstat will show you an established tcp connection back to the IRC server the virus is using to announce itself to the author (not to mention about 500 connections SYN-SENT or ESTABLISHED to PCs being infected/probed, also a good source for other infected, backdoored PCs. You do know what is attacking you and what tcp backdoor it runs, right?) You can usually spot that connection, it has a high TCP destination port, whereas the normal vector port is 135/137/139. It's really sad to see thousands of PCs already announcing themselves to the author on that IRC channel as, "Hey come on over, I am running W2k|2XP. I am XP200453." And there is no one there to give me +OP privs!!! Batrastards!!! I could echo 'you are hacked please visit windowsupdate.com'> the startup folder all I want for days to each one of them to no avail... or echo ''you are a moron, too stupid to own a computer, put it back in the box and yadayadayada....

    I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs. probably echo the same message in the same fashion as above, yet, alas, I am seriously lacking in motivation and spare time. (q.q.v 4. Pr0F1T!!!)

    so little time, so many IP addresses, so many ignorant users.... so many clever, clever coders...
    • "I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs."

      Make all the phones in the world ring at once? ;P
  • by raehl (609729) <(raehl311) (at) (yahoo.com)> on Friday December 09, 2005 @05:25AM (#14217680) Homepage
    Isn't the authorities being able to block a URL a problem? If authority means "Software I've willingly installed on my computer to block malicious URLs", then good, fine and dandy. If authorities means the government, I'm not so keen about that possibility.
    • Isn't the authorities being able to block a URL a problem?

      I see no harm in the police going to the relevant ISP and asking them either not to register the username 'dfgdfbvbb', or to provide them information on the registrant. If the ISP wants a warrant for the latter, that's fine too.
  • by BoldAndBusted (679561) on Friday December 09, 2005 @05:29AM (#14217688) Homepage

    Hmm... If they can predict forward in time what sites Sober will seek, can not they also look backward in time to see what sites the worm sought in the past? If so, could they not then check the registration records for each of those sites and... find the author?

  • Sophistication (Score:5, Interesting)

    by squoozer (730327) on Friday December 09, 2005 @05:31AM (#14217694)

    I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

    To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

    1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on its own. This version doesn't need to be terribly good, it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
    2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
    3. Hole exploited by the stage two virus is closed. Many are lost.
    4. Author writes new exploit module and uploads it to virus network which then re-infects lost boxes and new boxes.
    5. Virus scanners get to understand core virus and destroy numerous infections.
    6. Author releases new version into the virus network which upgrades current installs. And so it goes on.
    7. ???
    8. Profit!

    Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

    BTW I'm not a virus writer.

    • If you think upgradeable viruses are bad...wait until you see computer viruses self-mutate and evolve. Laugh if you want...it will come one of these days.
    • I think this would expose the virus writer to a big risk of getting exposed. If I wrote a virus, I would write it so that I can take it with me to a public computer, infect a few other machines from there, go away and let the virus do its work without any more contact with me.
      • May the V2V network use some form of anonymizing network technology then - it's slow but what would the virus author care. Digitally sign the updates, as well, so the virus only accepts updates from the real author. The technology is there and just waiting to be exploited.

    • I have the basics of such a virus stashed somewhere secure. Once you're good enough to do something like you're suggesting you've usually grown out of wanting to release it.
      • Yeah, kind of lucky the world works that way for the most part. Trouble is it only takes one person to let the cat out of the bag. The virus design in my initial post would be easy enough to stop on individual machines but, like type 1 herpes simplex (the virus that causes cold sores in humans), there would always be an unreachable portion of machines that can't be disinfected so the virus can re-emerge from these (the herpes virus lies dormant in the nerves where there is no immune response). It's an intere

  • by Slashcrap (869349) on Friday December 09, 2005 @05:33AM (#14217704)
    I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.

    It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.

    So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.

    The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.
    • by Alex Zepeda (10955) on Friday December 09, 2005 @06:09AM (#14217812)
      I'm curious if you bothered to read F-Secure's blog:

      So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.

      Something to think about.
    • by Tom (822)
      AV is more about marketing than technology anyway.

      No, it isn't. Not about either of those. It's about hard work. AV means having honeynets to catch the malware, then take it apart, create a signature, plug that into your file and send out an update. All as quickly as possible, pretty much around the clock.
  • uh.. (Score:2, Insightful)

    by nexcomlink (930801)
    How do they or anyone of us know it's going to be expected on that date? Nobody can predict an outbreak because there is never a set time for one. If the virus author can change the date he would. Like they say always expect the unexpected and what was expected is deemed to be better or worse than it was intended to be.
  • by ArsenneLupin (766289) on Friday December 09, 2005 @07:35AM (#14218075)
    Why did F-Secure (and other AV researchers) have to cryptographically crack the code? Couldn't they simply have advanced the clock on their PC, and empirically snoop which URLs the virus would check?

  • by Theovon (109752) on Friday December 09, 2005 @09:22AM (#14218480)
    Sober cracked code, and I don't care. Sober cracked code, and I don't care. Sober cracked code, and I don't caaaaaaaaare. And the hacker's gone away.

    (Note: I apologize to anyone who is aware of the origins of the song I'm parodying.)
  • Clean and Sober (Score:3, Interesting)

    by Ritz_Just_Ritz (883997) on Friday December 09, 2005 @09:48AM (#14218684)
    Why not use this information to post disinfection code on the next Sober trigger date? That seems like the best use of this information since the author has probably already been tipped that he/she can't post their own code anymore. I wonder how many Sober infected PCs are still in the wild? Cheers,
