The algorithm of 'killer' Sober has been broken
Security firm F-Secure Corp has announced that it has successfully broken the algorithm used in the Sober worm. This success promises to help anti-virus programs completely block variants of the Sober worm.

Sober has been "rampaging" around the Internet since October 2003, with about 20 different variants. The latest variant, according to F-Secure, is Sober.Y (designated CME-681 by US-CERT), which accounts for more than 40% of the machines infected by worms and viruses that F-Secure has detected.
One of Sober's most dangerous features is its ability to automatically download new variants and infect other computer systems very quickly. According to security firm iDefense, the new Sober.Y variant will update itself to the new variant from the Web page named: Jan.5 and will spread on January 5, 2006.
For a long time, anti-virus researchers have had trouble analyzing the virus samples to find out the location of the worm's spread, because the URLs used in Sober variants are generated by a secret algorithm. Sober uses this algorithm to generate random-looking URLs based on dates.
These URLs usually point to Web sites in Germany and Australia, because servers there allow Web sites to be hosted for free. The author of the worm only needs to calculate the URL for any given day beforehand. When he wants to run a program on infected computers, he only needs to register a legitimate URL and upload his program, and very quickly hundreds of thousands of computers worldwide will be infected.
Sober uses a list of 15 Web sites whose names contain different characters based on dates, registered with free Web site providers, such as a Web site with a bizarre name like: Jan.5 . Every 14 days, this list changes to another 15 Web sites, and the name will now be Jan.6 .
F-Secure claims it has broken the algorithm used by Sober. That makes it easy to determine the actual URLs from which new variants of the worm will be downloaded. Once the URLs used for distribution have been identified, Web server managers can immediately block these Web sites, and companies can add them to the list of prohibited sites in their firewalls.
F-Secure also added that it had actually cracked Sober's algorithm in May 2005. However, the company did not publish this at the time, but waited until now in order to monitor Sober's actions.
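An added example (not F-Secure's code, and not Sober's real algorithm, which the article does not give): once a date-based generator has been recovered, a defender can precompute the host names for upcoming 14-day windows and match proxy logs against them. The SHA-256 stand-in generator, the epoch, the .example host names and the log line format are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Assumed values; only the 14-day rotation and 15 names per list come from the article.
EPOCH = date(2005, 1, 1)
PERIOD_DAYS = 14
NAMES_PER_PERIOD = 15
FREE_HOSTS = ["freehost-de.example", "freehost-au.example"]  # placeholders

def period_index(day):
    """Number of the 14-day rotation window that contains `day`."""
    return (day - EPOCH).days // PERIOD_DAYS

def candidates(day):
    """The 15 host names valid in the window containing `day` (SHA-256 is a stand-in)."""
    idx = period_index(day)
    names = []
    for i in range(NAMES_PER_PERIOD):
        digest = hashlib.sha256(f"{idx}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])
        names.append(f"{label}.{FREE_HOSTS[i % len(FREE_HOSTS)]}")
    return names

def blocklist(start, periods):
    """Host names for `periods` consecutive windows beginning at `start`."""
    hosts = set()
    for p in range(periods):
        hosts.update(candidates(start + timedelta(days=p * PERIOD_DAYS)))
    return hosts

def flag_hits(log_lines, blocked):
    """(client, host) per log line '<time> <client> <method> <url>' hitting a blocked host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of failing
        host = fields[3].split("//", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        if host in blocked:
            hits.append((fields[1], host))
    return hits

if __name__ == "__main__":
    blocked = blocklist(date(2006, 1, 5), periods=2)
    sample = [  # constructed log lines
        "2006-01-06T09:14:02 10.0.0.23 GET http://www.example.org/index.html",
        f"2006-01-06T09:14:07 10.0.0.41 GET http://{candidates(date(2006, 1, 6))[3]}/file",
    ]
    print(flag_hits(sample, blocked))
```

The same precomputed set can be loaded into a firewall or proxy deny list before each window begins.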
Minh Phuc