Sober Code Cracked
An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."
Hard to admit, but that is quite clever (Score:5, Insightful)
Re:Hard to admit, but that is quite clever (Score:5, Insightful)
Money?
Acclaim (within a small community)?
Politics?
I would guess money. Spam pays very well, and a lot of viruses and worms have had monetary ulterior motives; as always, follow the money.
Re:Disinfection (Score:5, Insightful)
Applications? (Score:5, Insightful)
I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.
Problem solved.
Re:My Question... (Score:5, Insightful)
Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."
Re:Hard to admit, but that is quite clever (Score:0, Insightful)
Re:Hard to admit, but that is quite clever (Score:3, Insightful)
Because it's perceived as more profitable than dealing with a manager?
Re:The alternative (Score:3, Insightful)
It's unlikely that the URL would be any "easily found" string of characters. I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.
Now what you want is for domain registration companies to watch out for said "likely looking" URL and flag it up as suspicious somehow.
Now work backwards? (Score:4, Insightful)
Hmm... If they can predict forward in time what sites Sober will seek, can they not also look backward in time to see what sites the worm sought in the past? If so, could they not then check the registration records for each of those sites and... find the author?
Re:Calculate the exact URLs (Score:1, Insightful)
This is a new one... (Score:4, Insightful)
It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.
So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.
The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want, but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.
Re:Hard to admit, but that is quite clever (Score:3, Insightful)
uh.. (Score:2, Insightful)
Many viruses come from very talented people... (Score:5, Insightful)
Re:My Question... (Score:3, Insightful)
To expand... (Score:5, Insightful)
1.) Assuming the author(s) is(are) paying attention to happenings on the internet, he would be an idiot to actually try to put anything on those domains for that date (assuming there isn't anything there yet). If he does, I would guess that he would be as good as caught...well...maybe...I guess it depends on how well he covers his tracks when uploading his intended payload.
2.) Both of the linked articles urge SysAdmins to block the URLs they have listed, but I HIGHLY doubt that most of the infected home users will do so, or even know how to, so that will leave a lot of machines trying to connect. Can the URLs be blocked at the ISP level?
3.) Going with the parent post's idea, might it not be a good idea for the authorities to set up those URLs now, and put removal tools on them (assuming they can be automated and it can happen in the background)? It seems to me that any machines still infected when that date hits would be automatically cleaned and the problem would be solved on the first day...
4.) Or, if it is even possible, have the ISPs monitor for requests to those URLs (while blocking them), and if they receive requests for those URLs on that date, automatically send an email to the account holders of the IPs that are trying to access the URLs informing them that their machines are infected with Sober and provide instructions (and software) on how to remove it? Of course, this requires cooperation from a LOT of ISPs, but it doesn't seem completely impossible. Of course, this idea also depends on the users to take action to clean their systems and we all know how well personal responsibility is doing these days...
5.) However, perhaps the ISPs can monitor requests for the URLs that Sober will request, and then perhaps start disconnecting users who don't clean their systems after being warned.
Anyway, just some thoughts...but I see no reason for the net to be rid of Sober after the first day (or first month going by 4 and 5 above) of activation...
Of course, I don't know a lot of details about how these things could be implemented, so take it with a grain of salt...
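The procedure sketched in the summary and in points 2 through 5 above (precompute the dated URLs, block or sinkhole them, watch resolver logs for hosts that still request them) as an added Python example. This is not code from the article, from F-Secure, or from the worm. The generator is a constructed stand-in for "a pseudorandom URL that changes with the date", not Sober's real algorithm, which the page does not reproduce; the TLD set, the number of names per day, the BIND-style log format and the client IPs are all assumptions.

```python
"""Defender-side use of a date-seeded domain generator.

Constructed example. The generator is a stand-in, NOT Sober's algorithm.
Once the algorithm is known, every domain for a window of dates can be
precomputed, pushed to a blocklist (or registered ahead of time as a
sinkhole), and matched against DNS query logs to find the hosts that are
still infected and need to be notified.
"""
import hashlib
import re
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")   # assumption: toy TLD set for the stand-in
DOMAINS_PER_DAY = 4                    # assumption: candidates generated per day


def generate_domains(day: date, per_day: int = DOMAINS_PER_DAY) -> list[str]:
    """Stand-in generator: derive per_day 'alphabet soup' domains from a date.
    It is deterministic, which is the whole point: whoever knows the algorithm,
    author or defender, computes the same list for the same day."""
    domains = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def build_blocklist(start: date, days: int) -> dict[str, date]:
    """Precompute domain -> first date it is live, for a window of days.
    This table feeds resolver/firewall blocklists, or tells a responder
    which names to register in advance as a sinkhole."""
    table: dict[str, date] = {}
    for n in range(days):
        day = start + timedelta(days=n)
        for dom in generate_domains(day):
            table.setdefault(dom, day)
    return table


# BIND-style query log: "... client 192.0.2.10#5123: query: host.example IN A ..."
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN A\b"
)


def find_infected(log_lines, table: dict[str, date]) -> dict[str, list[str]]:
    """Scan resolver log lines; return {client_ip: [matched domains]}.
    Every hit is a host that should be notified and cleaned (the ISP-side idea)."""
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                              # not a query line; ignore
        qname = m.group("qname").rstrip(".").lower()  # strip trailing dot, normalise case
        if qname in table:
            hits.setdefault(m.group("ip"), set()).add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed scenario: a one-week window starting on the activation date.
WINDOW_START = date(2006, 1, 5)
WINDOW_NEXT = WINDOW_START + timedelta(days=1)
TABLE = build_blocklist(WINDOW_START, 7)

# Constructed resolver log lines (not real traffic): two hosts query generated
# names, one queries a legitimate site, and one line is not a query at all.
SAMPLE_LOG = [
    f"05-Jan-2006 10:00:01.123 client 192.0.2.10#5123: query: {generate_domains(WINDOW_START)[0]} IN A + (192.0.2.1)",
    "05-Jan-2006 10:00:02.456 client 192.0.2.20#4411: query: www.example.com IN A + (192.0.2.1)",
    f"06-Jan-2006 00:00:09.001 client 192.0.2.77#6000: query: {generate_domains(WINDOW_NEXT)[2]}. IN A + (192.0.2.1)",
    "06-Jan-2006 00:00:10.000 zone example.com/IN: loaded serial 2006010601",
]

if __name__ == "__main__":
    for dom, day in sorted(TABLE.items(), key=lambda kv: kv[1])[:DOMAINS_PER_DAY]:
        print(f"{day} {dom}")                     # first day's blocklist entries
    for ip, names in find_infected(SAMPLE_LOG, TABLE).items():
        print(f"notify {ip}: queried {', '.join(names)}")
```

The matching is done on the exact precomputed names rather than on "likely looking" patterns, so a legitimate query to a random-looking domain never trips it; the price is that the table must be regenerated for each new window, which is cheap once the algorithm is known.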
Re:Well known URLs (Score:4, Insightful)
I really do the echo something > notice.txt into startup folder, hoping the person will take action and realize they are infected... who knows what good that does. I am also a staunch privacy advocate, so nothing malicious (flame-suit on) from my end. mostly dir c:\windows\system32 |find "" to look for recently installed malware. I could care less about your files. That was how I found the log file that had what looked like a complete connection log to the IRC server. Too bad there are not more good commands in windows command shells (usually a virus opens a socket to cmd.exe) or I would kill and clean up and reboot, or even ftp down the patch, not like MS supports that though. (God the good old days of pre-retirement) This happens in internet time, not human time. If someone was really malicious, there is really no way even hundreds of humans could stop it. I take that back, a good hacker (in the MIT sense...) could reconnect back to the machine and issue some commands to shutdown the proc and stop the scanning, but again you are limited to what is at the ms-dos command shell, and we all know how well the anti-blaster worm worked with its ICMP DOS. But given that a goofball scriptkiddie could connect like I did, maybe that is a good thing (good luck kiddies). Careful what you wish for and all that.
Disclaimer: Really, if I was black hat, would I post with my own account? (laughs hysterically as g-san gets investigated by the FBI the next day). Anyways come get me, I would love to work for you FBI and you could use my help.
Here goes... submit...
Re:Hard to admit, but that is quite clever (Score:4, Insightful)
The ability to control several hundred thousand zombie computers.. are you kidding?
money, man, money.
You can do lots of things with that, but the most lucrative might be to blackmail gambling sites. If they don't pay, you DOS their IP block.
Re:Hard to admit, but that is quite clever (Score:3, Insightful)
Re:Hard to admit, but that is quite clever (Score:4, Insightful)
In the larger scope, I'll just say that it's very tempting to think that one's computer programs just scale automatically, but this is simply not the case. Chances are that you were working on a very homogeneous network at that point, with most machines running rollout-synchronized versions of the same software. I've written "worms" that work under such an environment myself -- unlocking the parental protection on the middle-school computers made lunch-time in the library a lot more interesting. In such a situation, a worm either doesn't spread at all or immediately takes over the entire network, so any success is an impressive one.
On the real internet, on the other hand, we have a very complicated mesh of various systems with different sorts of protections, some explicitly designed as such but most just due to random variations that prevent a given buffer overflow from working on more than one system. Even if someone is running a vulnerable system somewhere out there, there's a good chance that getting at it may involve going past some other system that is simply going to eat it alive. We're not talking just about computers, but also about routers, switches, and all that Cisco equipment that's silently running a good deal of the net without anyone ever thinking about it.
That's why there hasn't been a real worm on the internet in quite a while; essentially every major virus in recent memory has relied on social engineering to trick the user into manually installing the virus onto his own computer. In fact, I'd seriously doubt that it's even feasible to create a self-distributing worm on the internet at this point, unless Microsoft is dumb enough to build remote-execution capability into their application software again.
Of course, if you were actually working on a diverse, real-world type network, and you managed to devise cross-platform vectors, that's quite different and it'd be interesting to hear about. But if you're like the majority of people who make claims like these, I'm gonna have to say that your eyes are probably a little bigger than your mouth on this one.
Re:This is a new one... (Score:3, Insightful)
No, it isn't. Not about either of those. It's about hard work. AV means having honeynets to catch the malware, then take it apart, create a signature, plug that into your file and send out an update. All as quickly as possible, pretty much around the clock.
Re:Next headline - F-Secure in violation of DRM (Score:1, Insightful)
Re:Hard to admit, but North Korea... (Score:2, Insightful)
Re:At least Viruses dont spontaneously mutate (Score:4, Insightful)
That statement is naive. Biological organisms also have very strict rules that they need to conform to, even stricter than computer programs. That is why most mutations are lethal.
Biological viruses don't have anything like junk DNA to mutate into something useful. This happens because biological viruses are also constrained to a small size, just like the computer ones.
Biological viruses can spread while mutating because each virus creates millions of descendants with hundreds of different mutations. Just out of luck, some can spread well. We can do this with computer viruses too.
Re:Hard to admit, but that is quite clever (Score:3, Insightful)
So if not, please stop that. I do my best to be understandable; if you don't like to read my commentary then skip it. Gna. That shit makes me angry. I never ever criticised anyone who talks German with a foreign accent. I never tried to bawl somebody out because he was not a native speaker. This is really bullshit, let's stop it before it begins. I try my best, is that okay for you? Skip it please. It's a loss of bandwidth.
To your questions.
I did a lot of research on computer security issues, including worms, viruses and trojan horses, but I'm no specialist who has completely focused on that thing. I never stopped being interested; I specialised at university for a while on that theme, and I grew up in the 80s when there was no "cybercrime" at all. Not here. Not in Germany. We had no laws. So we did what was possible. But in that time nobody was destructive. Everyone was just damn curious. When the damn NASA hack was hitting the news in '86 (I think) I was damn near that. From the scene just an inch away.
In that time nobody thought a computer system was really vulnerable - but us - the hackers. So I grew up not in a mindset of destruction but in a consciousness that security is only in the hands of those who care for it. And who test it. And who spend time and energy on it.
Yes, I was a hacker and I'm proud to say I am today. I don't hack into systems. I'm not destructive. I write code, I test security, I play with systems. Playing, yes, that would be the right word for it. Just for fun. And I did it in the 80s and I still do it. And, yes, I think it's a good way to live with computers. I have fun at work.
In the early 90s I first and last put a thing you'd call a trojan horse into the "wild". There was no "internet" at that time. It was no big deal, but that program managed to trick a database and send me usernames and passwords. (Certainly never used the data, I have no interest in that sort of thing.) I just wanted to show my friend a big security hole in his system, but instead of fixing it he ran almost amok.
Stupid.
After a month he spoke to me again and with my help we fixed that thing. A whole month his system was unfixed and vulnerable. "But it was only such a harmless feature", he declared. It was not. There is no such thing as a harmless new feature.
Please search Google for "pilot script language" for more info about how harmless the feature really was, and that even such a dumb little scripting language can be used to trick systems or users. It was a cool hack. No big one, sure. I have done better things after that, but that one is a good lesson. New features mean new security holes. That's it.
At that time I reverse engineered virus code and the first worm code on the newly rising internet. Most of the code is really poor, poor, poor. It's badly tested, poorly written, and only one of 20, 30 or even 100 viruses/worms is what I call "interesting". Yes, I really was not keen on sacrificing my whole life to reverse engineering shitty code. It is very, very boresome to reverse engineer the tenth shitty little script-kiddie worm that was only altered enough that the antivirus software does not recognize it. Even the bugs are in it.
In the mid 90s I quit that after years of studying. So, no, I have not reverse engineered bloody Sober. It's really not worth it. It should just be destroyed. It has no really new features in it; it is not even on the same level as the worms of the mid 90s. It's just actual and uses some nice features that are not new, are not well programmed, are not innovative and, in short, is boring.
It's not easy to write a worm like that. Really. That is not what I say. But it's no big deal. There are tools out there, there are people with code who invented ways for intrusion; this thing is just a roughly hammered toget
Re:code cracked, communication revealed (Score:1, Insightful)
Re:Next headline - F-Secure in violation of DRM (Score:1, Insightful)