Finnish security firm F-Secure has cracked a code used by the Sober worm, potentially allowing the company to block the worm from receiving updates.
Sober has mutated constantly since October 2003, when the first variant was picked up, with more than 20 other variants making the rounds. Last month the latest version, called Sober.Y by F-Secure (or CME-681 under US-CERT's CME naming system), was responsible for the biggest outbreak of the year, and still accounts for about 40 percent of all infections detected by F-Secure.
One of the features that has made Sober so dangerous is its ability to download new variants, instantly infecting large numbers of machines, say security experts. The current variant is expected to re-activate itself on 5 January, according to iDefense.
The downloading pattern stumped anti-virus researchers for a time because the URL used was created by a secret algorithm. "Sober has been using an algorithm to create pseudorandom URLs which change based on the date. These URLs point to free hosting servers typically operating in Germany or in Austria," said Mikko Hypponen, F-Secure's manager of anti-virus research.
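The defensive value of recovering such a generator is that, once the date-seeded algorithm is known, every URL the worm will try over a coming window can be enumerated ahead of time and blocked, sinkholed, or matched against proxy logs. The example below is an added illustration of that idea and is not Sober's real algorithm, nor code from F-Secure: the generator (`toy_dga`), the hostnames, the log format, and the sample log lines are all constructed here for demonstration.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Hypothetical free-hosting domains, constructed for this example only.
# They are placeholders, not the servers the worm actually used.
HOSTS = ["example-host-a.test", "example-host-b.test", "example-host-c.test"]


def toy_dga(day: date, n: int = 3) -> list[str]:
    """Derive n pseudorandom URLs from the calendar date.

    Constructed stand-in for a date-seeded URL generator: the only input is the
    date, so anyone who knows the function can reproduce the same URLs.
    """
    urls = []
    for i in range(n):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).digest()
        # Eight lowercase letters derived from the hash form the path component.
        name = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        host = HOSTS[digest[8] % len(HOSTS)]
        urls.append(f"http://{host}/{name}/")
    return urls


def precompute_blocklist(start: date, days: int, n: int = 3) -> set[str]:
    """Enumerate every URL the generator yields over a window of days.

    A defender who has reversed the generator can feed this set to a proxy
    blocklist or DNS sinkhole before the worm's next activation date.
    """
    out: set[str] = set()
    for offset in range(days):
        out.update(toy_dga(start + timedelta(days=offset), n))
    return out


def flag_dga_hits(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, url) pairs for log lines that hit a generated URL.

    Constructed log format assumed here: "<timestamp> <client_ip> <url>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2] in blocklist:
            hits.append((parts[1], parts[2]))
    return hits


def demo() -> list[tuple[str, str]]:
    """Precompute a week of URLs around the reported 5 January date and scan
    two constructed proxy log lines against them."""
    start = date(2006, 1, 5)
    block = precompute_blocklist(start, 7)
    generated = toy_dga(start)[0]
    sample_log = [  # constructed sample lines
        "2006-01-05T00:02:11 10.0.0.7 http://www.example.org/index.html",
        f"2006-01-05T00:02:12 10.0.0.9 {generated}",
    ]
    return flag_dga_hits(sample_log, block)


if __name__ == "__main__":
    for ip, url in demo():
        print(f"infected host {ip} contacted generated URL {url}")
```

In practice the window should be generated a few days either side of the expected date, since an infected machine derives the URL from its own clock and a skewed clock will produce a neighbouring day's URLs; the set also has to be regenerated if the generator takes any input other than the date.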