Wednesday, January 4, 2006

Upcoming Sober Threat - Friday, Jan 6th

It is quite likely that we will see a new Sober variant this Friday.

The first Sober worm appeared in October 2003, but the name "Sober" now covers a huge series of variants.

AV vendors don't share a common naming scheme, so it is hard for most people to cross-reference Sober variants. Are we at Sober.Y, or is it Sober.AH? Who knows; just know that they are dangerous. =)

Algorithm-Based URL

Many of the Sober variants contain a fairly complex algorithm that uses the current date to compute the next series of download (update) URLs.

LURHQ has a great write-up on the date algorithm.

You heard Jan 5th, right? So did I. But LURHQ reports that the branch logic actually points to Jan 6th.

"Note that the "begin update" logic in the current variant is actually "current date > Jan 5", not "current date == Jan 5", so the update other sources are saying will occur on Jan 5, 2006 won't actually happen until Jan 6, 2006. "

Keep your eyes open this Friday for strange e-mails and keep your ears on the AV news.
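To make the two points above concrete (a URL list that is a pure function of the date, and the difference between a "date > Jan 5" and a "date == Jan 5" gate), here is a small added example. It is not Sober's algorithm and not code from LURHQ's write-up: the SHA-256-based URL derivation, the hosting providers and the five-hosts-per-day count are all constructed for illustration. What it does show is why a defender can pre-compute the URLs for the days after activation and load them into a proxy or DNS blocklist before the gate opens.

```python
import datetime
import hashlib

# Constructed for this example (assumptions, not Sober's real values):
# free-hosting providers a worm might abuse and the number of candidate
# hosts generated per day.
PROVIDERS = ("people.freenet.de", "home.pages.at", "home.arcor.de")
HOSTS_PER_DAY = 5
TRIGGER = datetime.date(2006, 1, 5)  # the "Jan 5" date from the LURHQ quote


def update_enabled(today, trigger=TRIGGER, strict_greater=True):
    """The gate an update routine checks on each run.

    strict_greater=True models 'current date > trigger' (LURHQ's reading);
    False models the 'current date == trigger' reading other sources assumed.
    """
    return today > trigger if strict_greater else today == trigger


def activation_date(trigger=TRIGGER, strict_greater=True):
    """First calendar day on which update_enabled() returns True."""
    day = trigger
    while not update_enabled(day, trigger, strict_greater):
        day += datetime.timedelta(days=1)
    return day


def daily_urls(day, count=HOSTS_PER_DAY):
    """Derive `count` download URLs from a calendar date.

    Toy derivation (SHA-256 over the date and an index) standing in for a
    worm's own pseudo-random generator. The property that matters is that
    the output depends only on the date, so it can be run ahead of time.
    """
    urls = []
    for index in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{index}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        provider = PROVIDERS[digest[8] % len(PROVIDERS)]
        urls.append(f"http://{provider}/{label}/")
    return urls


def precompute_blocklist(days_ahead, trigger=TRIGGER, strict_greater=True):
    """URLs the generator would use from activation for `days_ahead` days.

    Returns {date: [url, ...]} so a proxy or DNS blocklist can be populated
    before the first day the gate opens.
    """
    start = activation_date(trigger, strict_greater)
    blocklist = {}
    for offset in range(days_ahead):
        day = start + datetime.timedelta(days=offset)
        blocklist[day] = daily_urls(day)
    return blocklist


if __name__ == "__main__":
    # With the '>' gate the first active day is Jan 6, not Jan 5.
    for day, urls in precompute_blocklist(2).items():
        for url in urls:
            print(day, url)
```

The off-by-one is the practical lesson: if your blocklist or monitoring window is keyed to the date quoted in the news rather than the date the branch actually fires, you are a day early and may relax a day too soon.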

Advanced "Keep-alive" Tricks

Most Sober variants have been shown to disable popular antivirus and anti-malware tools, including Microsoft AntiSpyware and HijackThis.

Once it is in, it is hard to remove from within the running system. Booting from a Linux live disc and cleaning the infected disk offline, where the worm is not running, is a sound approach.

Mass-Mailing MO

Most Sober variants carry their own SMTP engine and generate large amounts of e-mail traffic. Mass mailing is how Sober spreads.

But how can e-mail spreading still be effective? People have been told not to click unknown links and not to open e-mail from strangers: delete, delete.

Sober, however, is the king of social engineering (SE) in mass e-mails. Sober.X included realistic-looking messages purporting to come from the CIA, the FBI and the German Bundeskriminalamt (BKA).

An alleged child porn offender even turned himself in to the police after receiving one of these Sober e-mails.

History / Political Motivations

One Sober variant sent messages of support for far-right groups in Germany ahead of the state elections in North Rhine-Westphalia. Some observers see connections between Sober's key dates and significant dates in history: World War II, battles in Germany, the Nazi party, and so on.

Are these motivations real or just a smart SE attack? Who knows... and from a security standpoint, I don’t care.

Summary

1) Watch your e-mail servers on Friday. We may well see a huge surge of e-mails generated by this “Sober update code”.

2) Block the known update sites listed in this F-Secure blog entry.

3) Make sure your e-mail gateway AV is up-to-date and stays that way. Double-check AV on your endpoints and make sure it is updating as well.

4) Remember that the Sober creator (or group) isn’t stupid and most likely isn’t poor either.

As that old NSA saying goes: “Attacks always get better, they never get worse.”
