Occasionally, I run across a computer virus or a worm that manages to constantly top itself with new variants. After nearly 20 variations, the Sober virus still amazes me. Beginning January 6, 2006, the Sober virus will launch another wave of e-mail attacks on the Internet. How do we know this? Thanks to the diligence of Mikko Hypponen and his antivirus research staff at F-Secure, we know that within an encrypted part of the latest Sober worm is a complex set of instructions detailing several dates on which Sober is likely to make another attack; and thanks to another set of researchers at iDefense, we think January 5 or 6, 2006, either a Thursday or a Friday--just in time to fill everyone's e-mailbox with junk over the weekend--is the most likely of those dates for that attack to occur.
The "bootstrap" effect
Imagine sending a very large and sophisticated virus over e-mail--your ISP or company would certainly stop it dead at the gateway. So, virus writers have started sending out smaller versions that merely infect. Once installed, the small virus opens a backdoor and calls out to a predetermined Web server IP address, from which it then loads a more sophisticated version of itself (or it transforms the infected PC into a conduit for spam, pornography, or a host of other malicious uses). If the small virus downloaded the larger code immediately upon infection, the second-wave downloads would collide with the still-spreading first wave, so virus writers have started delaying the second wave by several days or even several weeks.
Early examples of bootstrapping viruses simply put the Web server addresses in the virus code in plain text. Not bright. Antivirus researchers were able to read the Web server addresses and shut them down before a major attack could occur. So the virus writers started encrypting them. Again, antivirus researchers were able to crack the encryption and notify authorities. Perhaps the best-known example of this was Sobig.f, where up to 20 servers were primed to download new code on a preset date. With only hours to go, antivirus researchers were able to crack the encryption, alert the authorities, and shut down at least 18 of the Web servers.
Why Sober is special
Most of the Sober variants use a trigger delay; they install quickly but then sleep for a preset period of time before reaching out and contacting the Internet for a new download. The latest Sober variants, released November 15, 2005, added a new wrinkle: encryption and a random number generator. Using a complex algorithm, Sober produces a series of different dates, each with its own set of Web server addresses. In other words, every so many days, Sober changes the addresses it contacts (using mostly free Web hosts in Germany and Austria). According to F-Secure, the antivirus vendor that first broke the algorithm, these addresses have been mostly bogus; at least the addresses produced do not correspond to live Web servers. The list of probable Web servers changes every 14 days. In looking at the possible combinations of dates and Web servers, security company iDefense thinks that the addresses set to activate January 5, 2006, are particularly significant.
Why January 5?
iDefense relied upon a little social-engineering logic to figure this one out. Previous versions of Sober have struck on dates significant to the National Socialist (Nazi) Party in Germany. For example, Sober.n coincided with April 19, Hitler's birthday. Other variants spread long tracts of neo-Nazi propaganda. On January 5, 1919, the National Socialist (Nazi) Party in Germany was founded. Of the possible dates for the next Sober virus attack, iDefense thinks this is the most likely date (although F-Secure now says the date is after January 5, 2006, so it could be January 6, 2006, when the actual attack occurs).
It is believed that the authors of the Sober virus live or work in the Bavarian district of Germany, although whether they believe the vitriol they spam is another matter. The spread of Nazi propaganda could be no more than a cruel Internet joke. For example, Netsky author Sven Jaschan (also from Germany) buried snippets of Russian within his code to fool researchers into thinking the Netsky code originated in Russia. Then again, the level of sophistication in each variant suggests professionals, not amateurs, might be behind Sober.
It's important to note that your PC must already be infected with Sober before it becomes a foot soldier in this expected January 5 assault. No infection, no participation. So clean your desktop computer now. For corporate systems, it's also important to create firewall rules that block outbound requests to the January 5 addresses. According to F-Secure, the addresses to be contacted on January 5, 2006, include:
At present, these addresses have not been registered. All correspond to free Web host sites in Germany and Austria. Assuming they are real, someone will have to register these addresses before January 5, 2006. Perhaps the individuals responsible will be dumb enough to give away enough personal information to lead to their arrest.
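The bootstrap pattern described above (a small infector that later calls out to a preset list of Web servers) and the firewall advice for corporate systems both come down to the same defensive task: know the predicted contact addresses, block them at the egress point, and watch for machines that try to reach them anyway. The following is an added example, not code from the column, from F-Secure, or from iDefense. It assumes a plain proxy log format (timestamp, client, method, URL, HTTP status) and uses constructed placeholder hostnames under the reserved `.invalid` domain in place of the real F-Secure list, which is not reproduced here. Because the predicted addresses are unregistered, a request to one of them fails; the attempt itself, not its success, is the signal that a client is infected.

```python
"""Added example: match proxy log lines against a blocklist of predicted
Sober contact hosts and emit egress deny rules. Hostnames, log lines and
the rule syntax are all constructed for illustration."""
import datetime as dt
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed placeholder blocklist: hostname -> date the host activates.
# The real addresses come from the antivirus vendors, not from here.
BLOCKLIST = {
    "example-host-1.invalid": dt.date(2006, 1, 5),
    "example-host-2.invalid": dt.date(2006, 1, 5),
    "example-host-3.invalid": dt.date(2006, 1, 19),
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2006-01-05T03:12:44Z 10.0.4.17 GET http://example-host-1.invalid/up.txt 404
2006-01-05T03:12:45Z 10.0.4.17 GET http://example-host-2.invalid/up.txt 404
2006-01-05T09:01:02Z 10.0.7.3 GET http://www.example.com/news 200
2006-01-05T11:40:19Z 10.0.9.22 GET http://example-host-1.invalid/up.txt 404
2006-01-05T12:02:57Z 10.0.2.8 GET http://example-host-3.invalid/up.txt 404
2006-01-20T08:00:00Z 10.0.9.22 GET http://example-host-3.invalid/up.txt 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, client, host, status), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    when = dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    host = (urlsplit(url).hostname or "").lower()
    return when, client, host, int(status)


def find_hits(log_text, blocklist=BLOCKLIST):
    """Every request to a blocklisted host, regardless of HTTP status.
    The hosts are unregistered, so a 404 or a DNS failure is expected;
    the attempt is what matters."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in blocklist:
            hits.append(parsed)
    return hits


def infected_clients(log_text, blocklist=BLOCKLIST):
    """Map each client that contacted a blocklisted host to the sorted
    list of hosts it tried. These are the machines to clean first."""
    out = defaultdict(set)
    for _when, client, host, _status in find_hits(log_text, blocklist):
        out[client].add(host)
    return {client: sorted(hosts) for client, hosts in out.items()}


def early_contacts(log_text, blocklist=BLOCKLIST):
    """Contacts made before a host's predicted activation date. The column
    says the list rotates every 14 days, so a premature hit suggests either
    a different variant or a mismatch in the predicted schedule."""
    return [(client, host)
            for when, client, host, _status in find_hits(log_text, blocklist)
            if when.date() < blocklist[host]]


def deny_rules(blocklist=BLOCKLIST):
    """One egress deny line per host, in a constructed generic ACL syntax;
    adapt it to the firewall or proxy actually in use."""
    return [f"deny host {host}  # Sober contact address, active {date.isoformat()}"
            for host, date in sorted(blocklist.items())]


if __name__ == "__main__":
    for client, hosts in sorted(infected_clients(SAMPLE_LOG).items()):
        print(f"{client}: contacted {', '.join(hosts)}")
    for client, host in early_contacts(SAMPLE_LOG):
        print(f"early contact: {client} -> {host}")
    print("\n".join(deny_rules()))
```

Run against a real proxy or resolver export, the same matching works on DNS query logs, since an infected machine has to resolve the name before it can fail to connect; a burst of lookups for names that do not exist, clustered on a predicted date, is the cheapest indicator available to a corporate network that has not yet blocked the addresses.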
The end of Sober?
So, in theory, a full-scale Sober attack should be a bust on January 6, 2006. Unfortunately, many PCs worldwide are connected to the Internet without antivirus protection. I expect to see some activity but not a full-out assault. Either way, keep your antivirus protection primed over the holidays and install a firewall if you haven't already. And don't be too surprised if you find a ton of junk e-mail in your inbox starting January 6, 2006, or you find your e-mail traffic is a little slower. It's Sober.
Who do you think is responsible for the Sober virus? Kids? Neo-Nazi loyalists? Organized crime? Talk back to me.