The 'killer' Sober worm's algorithm has been broken

Security firm F-Secure Corp has announced that it has successfully dismantled the algorithm used by the Sober worm. This success promises to help anti-virus programs completely block the variants of the Sober worm.

Sober has been "rampaging" around the Internet since October 2003, with about 20 different variants. The latest variant, according to F-Secure, is Sober.Y (which US-CERT calls CME-681); this variant accounts for more than 40% of the worm- and virus-infected machines that F-Secure has discovered.

One of Sober's most dangerous features is its ability to automatically download new variants and then infect other computer systems very quickly. According to security firm iDefense, the current Sober.Y variant will update itself to a new variant from the Web page named Jan.5 and will start spreading on January 5, 2006.

For a long time, anti-virus researchers had trouble analyzing virus samples to find out where the worm's updates were distributed from, because the URLs used by Sober variants are generated by a secret algorithm. Sober uses this algorithm to generate pseudo-random URLs based on the date.

These URLs usually point to Web sites in Germany and Austria, because servers there allow Web sites to be hosted for free. The author of the worm only needs to calculate the URL for any given day in advance. When he wants to run a program on the infected computers, he only needs to register that URL legitimately and upload his program; very quickly, hundreds of thousands of computers worldwide will be infected.

Sober uses a list of 15 Web sites whose names are built from different characters derived from the date, registered with free Web site providers, such as a Web site with a bizarre name like Jan.5. Every 14 days, this list changes to 15 other Web sites; the name will then be Jan.6.
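To make the date-based scheme described above concrete, the following is an added Python example; it is not F-Secure's reconstruction of Sober, and the real constants (the cycle start date, the seed derivation, the exact host and path format) are not on the page, so the generator below is a hypothetical stand-in that only keeps the two parameters the article gives: 15 sites per list and a new list every 14 days. What it shows is the defender's use of a recovered generator: once the algorithm is known, the URLs for any future window can be precomputed and turned into a blocklist before the worm ever tries to fetch its update.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical parameters (assumed, not Sober's real values).
EPOCH_START = date(2005, 1, 1)     # assumed first day of the 14-day cycle
CYCLE_DAYS = 14                    # from the article: list changes every 14 days
URLS_PER_CYCLE = 15                # from the article: 15 sites per list
# Placeholder free-hosting domains (constructed, not real Sober hosts).
FREE_HOSTS = ["free-host-example.de", "free-host-example.at"]


def cycle_index(day: date) -> int:
    """Number of complete 14-day cycles elapsed since EPOCH_START."""
    return (day - EPOCH_START).days // CYCLE_DAYS


def generate_urls(day: date) -> list[str]:
    """Return the 15 URLs valid on `day`.

    Every day in the same 14-day cycle yields the same list, which is the
    property the article describes: the worm author can compute the list
    ahead of time, and so can a defender who knows the generator.
    """
    idx = cycle_index(day)
    urls = []
    for n in range(URLS_PER_CYCLE):
        # Hypothetical seed: cycle number plus slot number, hashed.
        digest = hashlib.sha256(f"hypothetical-seed:{idx}:{n}".encode()).digest()
        # Map the first 8 digest bytes to lowercase letters for a host-safe label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        host = FREE_HOSTS[n % len(FREE_HOSTS)]
        urls.append(f"http://{host}/{label}/")
    return urls


def blocklist(start: date, end: date) -> list[str]:
    """Precompute every URL the generator can produce between start and end
    inclusive, deduplicated and sorted, ready to load into a proxy or firewall."""
    seen = set()
    day = start
    while day <= end:
        seen.update(generate_urls(day))
        day += timedelta(days=1)
    return sorted(seen)


def is_blocked(url: str, start: date, end: date) -> bool:
    """Check a URL seen in proxy logs against the precomputed window."""
    return url in set(blocklist(start, end))


if __name__ == "__main__":
    window = (date(2006, 1, 5), date(2006, 1, 31))
    for u in blocklist(*window):
        print(u)
```

The precomputed list is only as good as the recovered generator: if the worm author changes a constant in the next variant, the list silently stops matching, so a defender would pair the blocklist with an alert on any infected host that fetches an unlisted URL from the same free-hosting providers.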

F-Secure claims it has broken the algorithm used by Sober. That makes it easy and simple to determine the actual URLs from which new variants of the worm will be downloaded. Once the URLs used for distribution have been identified, Web server administrators can immediately block these Web sites, and companies can add them to the list of prohibited addresses in their firewalls.

F-Secure also added that it had actually cracked Sober's algorithm in May 2005, but the company did not publish this and instead waited until now in order to monitor Sober's actions.

Minh Phuc