Sober Code Cracked 303
An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."
Recognition (Score:3, Informative)
The only way they can make money is from a rival company wanting the worm to take down their competition, or a rival country in some cases, wanting to take down a lot of a country's infrastructure based on the net. We're all familiar with the hackers the russian government hired to try and rip down the internet, but it is often attempted with worms too
Re:Virus writer is a Free Software fanatic (Score:2, Informative)
Or maybe the writer intends to make bigger news than when "Warner Brothers [showed] the first color newsreel" (1948)
Or maybe it's the writers birthday.
Or maybe it's the first day they intend to be awake after the New Year celebrations
Or maybe it's to bring down IT infastructure just as we're getting back to work just after the Holiday Celebrations end.
The possibilites are endless, and there are far more logical explanations than "Sober was written by a free software fanatic, it's true it's true!"
Re:Recognition (Score:0, Informative)
Re:Calculate the exact URLs (Score:5, Informative)
So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)
Re:Virus writer is a Free Software fanatic (Score:3, Informative)
If you think, that is about free software, then you haven't got bunch of text emails about dresden bombings and other propaganda.
RTFA (Score:5, Informative)
Re:This is a new one... (Score:4, Informative)
So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publically then - we didn't want to fill in the virus writer on this. But he must know this by now.
Something to think about.
Mod the parent down (Score:4, Informative)
Or read my previous comment [slashdot.org].
F-Secure didn't simply crack the algorithm yesterday.
Re:uhh... (Score:3, Informative)
So all you'd need to do is register the account name on the free hosting service that's utilized for that day and away you go. Not a problem to register an account using a hacked email account and keep it anonymous.
N.
BZZZZT!!! Talking out of you a** ... (Score:4, Informative)
http://people.freenet.de/ [freenet.de]
http://scifi.pages.at/ [pages.at]
http://home.pages.at/ [pages.at]
http://free.pages.at/ [pages.at]
http://home.arcor.de/ [arcor.de]
not really "alphabet soup with a TLD suffix", uh?
They cracked it in May! (Score:5, Informative)
As it clearly says in F-Secure's blog, they cracked this in May. They're only going public now. They've informed both the ISPs affected and the police. It is very unlikely that anyone will be able to register those accounts - if they do, they'll probably be talking to the police.
Re:Many viruses come from very talented people... (Score:3, Informative)
Re:Hard to admit, but that is quite clever (Score:1, Informative)
Re:Why did they have to crypto'ally crack the code (Score:3, Informative)
Yeah you could spoof the response from the timesever, but simply cracking the code is far more elegant.