
Sober Code Cracked

CowboyNeal posted more than 8 years ago | from the guts-spilled dept.


An anonymous reader writes "The algorithm used by the Sober worm to 'communicate' with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: "Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety nine percent of the URLs simply don't exist...however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally on hundreds of thousands of machines," Hyppönen said. Sober is expected to launch itself again on January 5, 2006."


303 comments


code cracked, communication revealed (5, Funny)

Anonymous Coward | more than 8 years ago | (#14217548)

It said "lol no it's not a worm"

Re:code cracked, communication revealed (-1)

Anonymous Coward | more than 8 years ago | (#14217678)

My worm is hard for her! [dailycampus.com] I just love crazy women who also look great.

Re:code cracked, communication revealed (5, Funny)

Anonymous Coward | more than 8 years ago | (#14217741)

Anyone can crack sober code. The challenge is to crack code written when drunk.

Next headline - F-Secure in violation of DRM (5, Funny)

Knightlymuse (626563) | more than 8 years ago | (#14217751)

Gets sued by virus writer. :)

Hard to admit, but that is quite clever (5, Insightful)

Anonymous Coward | more than 8 years ago | (#14217551)

Feel a bit embarrassed, but I am impressed. I think that's fairly clever programming - why do talented people waste their abilities on viruses?

Re:Hard to admit, but that is quite clever (4, Insightful)

buro9 (633210) | more than 8 years ago | (#14217558)

"why do talented people waste their abilities on viruses?"

Money?
Acclaim (within a small community)?
Politics?

I would guess money. Spam pays very well, and a lot of viruses and worms have had monetary ulterior motives; as always, follow the money.

Re:Hard to admit, but that is quite clever (0)

Anonymous Coward | more than 8 years ago | (#14217608)

uh- it's fun too?

Recognition (3, Informative)

hug_the_penguin (933796) | more than 8 years ago | (#14217648)

They do it so they can stick a finger up to the cops and say `I'm better than you`, such is the mentality of the virus writer or cracker. They also get recognition within the blackhat community as the person who reaped havoc worldwide. Then there's that smug satisfaction that they haven't been caught. Scientifically, the risk of getting caught topped off with not actually having been caught triggers a dopamine release which makes people feel good. Such is the way virus writers get their thrills.

The only way they can make money is from a rival company wanting the worm to take down their competition, or a rival country in some cases, wanting to take down a lot of a country's infrastructure based on the net. We're all familiar with the hackers the russian government hired to try and rip down the internet, but it is often attempted with worms too

Re:Recognition (0, Informative)

Anonymous Coward | more than 8 years ago | (#14217674)

WROUGHT havoc. viruses don't reap havoc. they WREAK havoc.

Re:Recognition (1)

hug_the_penguin (933796) | more than 8 years ago | (#14217685)

Yeah, but it was fairly obvious what was meant. I'll go get my caffeine now

Re:Hard to admit, but that is quite clever (2)

bioteq (809524) | more than 8 years ago | (#14217629)

I was actually thinking the same as I read the article, but I was thinking more along the lines of, "Wow, that is quite clever. Innovative, too. Wonder why I couldn't think of something like that."

It is quite true though that the talent these days seems to be going to those who like to do something malicious with their talent. It saddens me to no end, but I do believe this is a common road that those with actual talent and insight seem to be wanting to follow these days; it's a trend.

But, alas, I digress. Maybe this guy (or kid) will see the grey or perhaps even the white in his days and come on over and give us a hand.

Re:Hard to admit, but that is quite clever (1)

koi88 (640490) | more than 8 years ago | (#14217698)

It is quite true though that the talent these days seems to be going to those who like to do something malicious with their talent.

We all remember the good old days when talent was only used for the benefit of mankind...

Re:Hard to admit, but that is quite clever (1)

bioteq (809524) | more than 8 years ago | (#14217718)

Shhh!

No one is supposed to know that it has been this way forever! It is part of the Super Secret(tm) that us Cool Club Kids (tm) have had for ages.

Don't let it out.

Re:Hard to admit, but that is quite clever (0, Insightful)

Anonymous Coward | more than 8 years ago | (#14217652)

How else would you do this? It sounds like the algorithm is nothing more than a one-time pad codebook. The author has a compromised one-time pad and will now generate a new one. The fact that the code was broken merely means that the time-frame between agent distribution and activation will become shorter.

Re:Hard to admit, but that is quite clever (3, Interesting)

killjoe (766577) | more than 8 years ago | (#14217655)

As people at slashdot are fond of pointing out. Businesses are not moral, they are not supposed to be moral. This guy is doing his best to increase shareholder value. Presumably he is majority shareholder but really that's not so relevant is it?

Re:Hard to admit, but that is quite clever (2, Insightful)

raehl (609729) | more than 8 years ago | (#14217657)

why do talented people waste their abilities on viruses?

Because it's perceived as more profitable than dealing with a manager?

Re:Hard to admit, but that is quite clever (0)

Anonymous Coward | more than 8 years ago | (#14217673)

why do talented people waste their abilities on viruses?

"Bob" [subgenius.com] made them do it.

Re:Hard to admit, but that is quite clever (2, Insightful)

Antony-Kyre (807195) | more than 8 years ago | (#14217721)

My guess it's boredom. Some talented people do stupid stuff because they have nothing better to do.

Many viruses come from very talented people... (4, Insightful)

blorg (726186) | more than 8 years ago | (#14217755)

...living in countries where employment opportunities may be limited (I'm thinking former Soviet Bloc, Pakistan, India - countries with strong traditions in mathematics/sciences.) There is also potential for a similar thing to happen with nuclear weapons in some of these countries, which is a good bit scarier (as indeed did happen with Pakistan, although not in that case due to a lack of employment.)

What should happen (5, Interesting)

gbulmash (688770) | more than 8 years ago | (#14217553)

Now does this mean a race for everyone to try to grab the URL and place their favorite code there? I think rather than random zombie crap, someone should put up code that makes infected systems flash a simulated Blue Screen of Death telling users their PCs won't ever work again until they wipe Windows and install BeOS or Plan9 (I'd say Linux, but that's such a /. cliche now).

- Greg

The alternative (3, Interesting)

Shihar (153932) | more than 8 years ago | (#14217585)

My first impression was that not only did they tip their hand, but now everyone and their dog will attempt to post code, and that this was a stupid idea. Thinking on it now, this very well could be an excellent method of trapping more than one shit head at a time.

Publicize the information so that other people can also figure out the algorithm. Don't give it away, just let out enough so that a dedicated person can reach the same conclusion. Now just wait and nab every single bastard dumb enough to try and post code for Sober to get. While you are at it, switch off every website in question when its time to upload comes up. Not only do you cripple the virus's ability to upload, but you catch everyone stupid enough to try and abuse it.

Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

Re:The alternative (2, Interesting)

Lesrahpem (687242) | more than 8 years ago | (#14217656)

Maybe the people who released this publicly are in opposition to full-disclosure practices and are trying to prove their point?

Re:The alternative (2, Insightful)

Gordonjcp (186804) | more than 8 years ago | (#14217661)

Granted, catching someone based off domain registration probably is not trivial, but I wouldn't be surprised if the feds have something up their sleeve.

It's unlikely that the URL would be any "easily found" string of characters. I would suspect it's probably alphabet soup with a TLD suffix, but you would be able to catch "likely looking" Sober URLs.

Now what you want is for domain registration companies to watch out for said "likely looking" URL and flag it up as suspicious somehow.

Re:The alternative (0)

Anonymous Coward | more than 8 years ago | (#14217729)

It could be dictionary based and still generate a lot of very normal looking urls

My dictionary file has 96274 words. Just using 3 word combinations, you have almost 90 trillion possible urls.

Re:The alternative (1)

blazzy (923401) | more than 8 years ago | (#14217750)

Replying to myself here: If it's one url per day as the article implies, and if we know how to calculate the url for a given day, it should be trivial for law enforcement/registrars to track.

Re:The alternative (1)

g-san (93038) | more than 8 years ago | (#14217706)

Domain registration? That is no good... "It" compromises your web server, then installs a listener where it wants to bloom, it goes on and on. Wait until we get multi-headed viruses (the "lame" hydra concept from swordfish or the network of 13 viruses/worms from that W. Gibson X-Files episode.) It not only infects pcs, but has them connect back to backdoored webservers or pick-a-vulnerable-service to tell the third coordinator proc/worm which PC to infect next, that looks up a list of vulnerable backdoored PCs infected by sober and virus-of-the-week. I just hope it doesn't search the web with a smart algorithm that can interpret human text and read open source software source code to search for more software flaws in networked software and the fed#^%G#%D

Wintermute Syntax Error: What are you doing, Dave?

Virus writer is a Free Software fanatic (5, Funny)

ReformedExCon (897248) | more than 8 years ago | (#14217554)

Why else would he choose a date that coincides with the 21st anniversary of Richard Stallman's starting the GNU project?

http://en.wikipedia.org/wiki/January_5 [wikipedia.org]

Re:Virus writer is a Free Software fanatic (3, Funny)

Hinhule (811436) | more than 8 years ago | (#14217594)

I think we have stumbled over who wrote the virus.

Richard Stallman is the only Free software fanatic.

Re:Virus writer is a Free Software fanatic (0)

Anonymous Coward | more than 8 years ago | (#14217596)

Or that could just be apophenia [skepdic.com].

Re:Virus writer is a Free Software fanatic (1)

TapeCutter (624760) | more than 8 years ago | (#14217637)

Everyone check under the bed tonight, it's those damn commies [socialistparty.org.uk].

Relevant quote from above link:

"However, the capitalists, many of whom had up to then held Hitler at arms length, took fright at the upsurge in votes for the workers' parties. Consequently, on January 5 1933, Hitler was invited to address a meeting of industrialists and bankers organised by vice-president Baron von Papen, at the home of the aforementioned Baron von Schroeder. At the meeting, Hitler promised to bring an end to democracy in Germany and to smash the labour movement so the capitalists would be free to make their profits in peace. Within ten days, the financial problems of the Nazi party had disappeared."

Re:Virus writer is a Free Software fanatic (2, Informative)

Segway Ninja (777415) | more than 8 years ago | (#14217651)

Or perhaps 26 years after "Hewlett-Packard announces release of its first personal computer."
Or maybe the writer intends to make bigger news than when "Warner Brothers [showed] the first color newsreel" (1948)
Or maybe it's the writer's birthday.
Or maybe it's the first day they intend to be awake after the New Year celebrations
Or maybe it's to bring down IT infrastructure just as we're getting back to work just after the Holiday Celebrations end.

The possibilities are endless, and there are far more logical explanations than "Sober was written by a free software fanatic, it's true it's true!"

Re:Virus writer is a Free Software fanatic (1)

Folmer (827037) | more than 8 years ago | (#14217662)

Or maybe it's the writer's birthday.

Well.. then it MUST be Marilyn Manson who wrote it...
Anyway.. he will surely be blamed for it...

Re:Virus writer is a Free Software fanatic (1, Funny)

Anonymous Coward | more than 8 years ago | (#14217681)

It all makes sense! Marilyn Manson writes the Sober worm, gets it to download a HTTP server and a copy of his latest album, then gets the PC to phone home every time it goes online, which issues an automatic DMCA takedown order on the PC that it came from! Ohh boy, wait till the boys at the RIAA get wind of this one... They'll be screaming "Why didn't we think of that!"

Re:Virus writer is a Free Software fanatic (3, Informative)

tokul (682258) | more than 8 years ago | (#14217709)

No, Sober is a pro-Nazi virus. Jan 05 is "1919 - Free Committee for a German Workers' Peace founded." Check virus descriptions on any antivirus vendor site.

If you think that is about free software, then you haven't got a bunch of text emails about Dresden bombings and other propaganda.

Re:Virus writer is a Free Software fanatic (0)

Anonymous Coward | more than 8 years ago | (#14217789)

No, he's an Iron Chef fan... it's Chen Kenichi's birthday!

Patent (5, Funny)

digid (259751) | more than 8 years ago | (#14217555)

Let's award the Sober Virus writer a patent. I think he'd qualify.

He's missing some requirements... (2, Interesting)

hug_the_penguin (933796) | more than 8 years ago | (#14217625)

...namely that he isn't a multinational corporation and that the patent wouldn't fuck over everyone, er I mean wouldn't protect innovation...

Re:Patent (1)

moro_666 (414422) | more than 8 years ago | (#14217683)

actually i think that according to the united states patent system, he may in fact HAVE the patent on the algorithm that generates the URLs from where to download "updates" to his worms.

using this algorithm without his permission is illegal and also capturing him after using this algorithm in the illegal way is not legal and he must be released from custody ... like in the movies :)

and since you can't be charged for 1 crime twice, he will be off the hook ... ain't life just fun?

Re:Patent (2, Funny)

ArcticCelt (660351) | more than 8 years ago | (#14217797)

Plus those nasty "pirates" at F-Secure have violated the DMCA by circumventing the security algorithm in Sober and should be prosecuted as soon as possible!

Ok Great (-1, Redundant)

ZachPruckowski (918562) | more than 8 years ago | (#14217562)

Now let's get the feds to register every domain that the worm will check, and register it until it isn't used again. Game over for sober. If the domain for a day already exists, it gets investigated.

This is truly good news.

Re:Ok Great (1)

J0nne (924579) | more than 8 years ago | (#14217574)

And after that, the feds can install their own rootkit to spy on you...

My Question... (0, Flamebait)

Shihar (153932) | more than 8 years ago | (#14217563)

Why on earth did they release this information? I can see telling the date of the next attack, but explaining how the author communicates with the virus just seems dumb. It doesn't help anyone except for the guy who knows that his methods have been spotted. Now you know that if he decides to upload to one of his websites he is going to assume that he is going to be tracked. This just means that he is going to make sure he is covert in doing it. If they had withheld this information, they might have been able to catch him in the act without him knowing and busted the little fascist shit head.

Re:My Question... (1)

Jussi K. Kojootti (646145) | more than 8 years ago | (#14217578)

Sure, but this way F-Secure can put out a press release...

Re:My Question... (1)

TapeCutter (624760) | more than 8 years ago | (#14217742)

OTOH: If F-Secure have (knowingly or otherwise) sabotaged a major international criminal investigation they won't be making press releases for much longer. If (as is likely) the cops (via F-Secure) have known this information for a while then the timing of the press release is part of extracting as much as they can from a clue.

Either way, the public is a mushroom farm until they haul the toadstool into court.

Re:My Question... (0)

Anonymous Coward | more than 8 years ago | (#14217587)

I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.

Re:My Question... (4, Insightful)

The Amazing Fish Boy (863897) | more than 8 years ago | (#14217643)

I think the best use of this information is uploading a disabling and/or revealing program ("your computer is infected with sober, click next to reactivate it") via one of the sites.

Yeah, because when I get a mysterious popup telling me my computer may be infected I always click "Next."

Re:My Question... (1)

penguinoid (724646) | more than 8 years ago | (#14217710)

I think that would be more like taking the website, and when the Sober worm goes to check for instructions, send it a self-delete code.

PS: When can we expect the Drunk worm?

Re:My Question... (1)

m50d (797211) | more than 8 years ago | (#14217762)

And that's why you're not infected. We're targeting the people who are.

Re:My Question... (1)

The Amazing Fish Boy (863897) | more than 8 years ago | (#14217782)

And that's why you're not infected. We're targeting the people who are.

Clicking "Next" at a random popup is a bad habit to encourage. Not to mention they may think they are ads.

Re:My Question... (0)

Anonymous Coward | more than 8 years ago | (#14217593)

They probably concluded that the virus writer is smart enough to hide his tracks anyway. After all, anyone could find out where the worm is loading new code from simply by tracing the connections as they are happening, and from there it would be easy to check out who has registered the domain and where.

Re:My Question... (0)

Anonymous Coward | more than 8 years ago | (#14217635)

Umm... maybe they made this discovery a long time ago and he's already OwNEd...
And I think that you have misused the term fascist.

Re:My Question... (2, Insightful)

m50d (797211) | more than 8 years ago | (#14217785)

So people know things to look for when analysing other viruses?

unless they don't actually know (1)

FlippyTheSkillsaw (533983) | more than 8 years ago | (#14217799)

nothing to see

Mod the parent down (4, Informative)

Alex Zepeda (10955) | more than 8 years ago | (#14217825)

Read the F-Secure blog [f-secure.com].

Or read my previous comment [slashdot.org].

F-Secure didn't simply crack the algorithm yesterday.

uhh... (1, Redundant)

sl8r (104278) | more than 8 years ago | (#14217564)

why would they publicize this? Wouldn't it be prudent to wait for the 5th January, run the same algorithms and check the URLs, and nab the perpetrator?

Re:uhh... (2, Interesting)

PhreakOfTime (588141) | more than 8 years ago | (#14217693)

Close.

The actual prudent thing to do would be to use said algorithm and see what domain is generated on the 5th of January 2006, before the date even arrives. Alert ICANN registrars of the situation. Monitor that domain name, and watch for the second it gets assigned an IP. When the particular domain begins to point to a global IP address, then you can nab the perp.

As a bonus, in the above scenario, you don't have to wait for all the compromised machines to bog down yet another unsuspecting network on the 5th of January 2006. win-win. well, that dude that gets caught doesn't win...

Disinfection (2, Interesting)

ivan kk (917820) | more than 8 years ago | (#14217566)

So they've figured out the algo, and while I haven't RTFA, i assume the domains don't exist yet either.

If that's true, what's to stop say symantec predicting a domain for a particular date, taking the domain, and putting a disinfection program up.

Re:Disinfection (4, Insightful)

Sinus0idal (546109) | more than 8 years ago | (#14217590)

Because even though they might be doing something they deem to be nice, running code on someone else's computer without permission is still illegal.

Re:Disinfection (1)

Hellasboy (120979) | more than 8 years ago | (#14217769)

Not everything unlawful is unethical and in this instance, I side with the ethical thing to do.

Re:Disinfection (1)

m50d (797211) | more than 8 years ago | (#14217771)

They didn't run anything. They served up a file in the normal way in response to a normal http request. No trickery, no buffer overflows or anything like that. If someone chooses to download and execute the file that's their business.

Re:Disinfection (2, Interesting)

HappyMeal (867072) | more than 8 years ago | (#14217640)

Actually, TFA points out the domains (and they do exist):

http://people.freenet.de/

http://scifi.pages.at/

http://home.pages.at/

http://free.pages.at/

http://home.arcor.de/

I do wish they hadn't publicized it... might have scared off the guy or convinced him to really hide his identity when registering.

Also some risk that sites around the world might indiscriminately block traffic to/from these sites, rather than specific URLs there. :(

Though, I guess, your point regarding disinfection is well taken. :)

Re:Disinfection (1)

1u3hr (530656) | more than 8 years ago | (#14217665)

Actually, TFA points out the domains (and they do exist):

The domains do, but not the URLs. These look like free hosts, anyone can register and put up a simple page without having to supply any ID.

RTFA (4, Informative)

igb (28052) | more than 8 years ago | (#14217809)

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.

Calculate the exact URLs (5, Interesting)

jannic (152373) | more than 8 years ago | (#14217581)

"According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day." - wouldn't that be possible by just running the worm in a sandboxed computer, with the computer's clock set to some future date? Of course, understanding the code may reveal other hidden features, but if you only want to know what the worm will do tomorrow, you can just try it out.

Re:Calculate the exact URLs (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14217623)

It is illegal to purposely set a computer clock to a false date, whatever the reason.

Re:Calculate the exact URLs (1)

HeadDown (639182) | more than 8 years ago | (#14217669)

With the algorithm revealed, it'd be possible to "predict" the future domains for a year or so forward in an automated fashion. Then you monitor the registrars for registration requests for those domains, and you have a fairly decent idea when the next wave is going to hit, and it might even provide a lead to the domain owner. Or you could "just" have those domains blocked from registration, for example.

Re:Calculate the exact URLs (5, Informative)

pe1chl (90186) | more than 8 years ago | (#14217687)

The URLs are not domain names registered in DNS, but page names on "free homepage" services.
So they would have to get in contact with the providers of those services instead (arcor.de, pages.at)
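The date-driven URL scheme in the story summary, and the defender's side of it that the comments above suggest (compute the URLs ahead of time, warn the free-hosting providers, and match outbound requests against the list), as an added example. This is not Sober's generator, which F-Secure did not publish here: the path generation is a hypothetical stand-in with the same shape, and the seed, user names and proxy-log lines are constructed; only the hosting bases are the ones listed in the thread.

```python
"""Date-seeded URL generation and the defender's precomputation table.

HYPOTHETICAL stand-in for the worm's generator (F-Secure did not publish
Sober's algorithm in the story); the seed, path names and log lines are
constructed for this example.
"""
import hashlib
import re
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

# Free-hosting bases named in the thread; the paths below are made up.
HOSTS = ["http://home.pages.at/", "http://home.arcor.de/", "http://people.freenet.de/"]
SEED = b"constructed-seed-not-sober"  # a real generator hard-codes its own secret
URLS_PER_DAY = 4


def candidate_urls(day: date, seed: bytes = SEED) -> List[str]:
    """The URLs an infected host would poll on `day`.

    Everything derives from a digest of (seed, date, index), so every copy of
    the worm, and any analyst who has recovered seed and method, computes the
    same list for the same day. Most of these will never be registered; the
    author only has to create the one he wants to use.
    """
    urls = []
    for i in range(URLS_PER_DAY):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        host = HOSTS[digest[0] % len(HOSTS)]
        # eight lowercase letters: the 'alphabet soup' user name from the thread
        name = "".join(chr(ord("a") + b % 26) for b in digest[1:9])
        urls.append(host + name + "/")
    return urls


def precompute(start: date, days: int, seed: bytes = SEED) -> Dict[str, date]:
    """Enumerate every URL the worm will poll in a window, keyed by its day.

    This is the table a defender hands to the hosting providers (reserve or
    watch these names) and loads into proxy/IDS matching before the date.
    """
    table: Dict[str, date] = {}
    for n in range(days):
        d = start + timedelta(days=n)
        for u in candidate_urls(d, seed):
            table[u] = d
    return table


# Constructed proxy-log format: "<timestamp> <client-ip> GET <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\d{3})$")


def scan_proxy_log(lines: Iterable[str], table: Dict[str, date],
                   today: date) -> List[Tuple[str, str, date, str]]:
    """Return (client, url, scheduled_day, note) for each request in the table.

    The request itself is the indicator: since most generated URLs don't
    exist, a 404 is as much a hit as a 200. A request whose URL is scheduled
    for a later day than `today` is noted as 'early'; the worm checks the
    date over NTP, so it should not be running ahead of the real date.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, url, _status = m.groups()
        if not url.endswith("/"):
            url += "/"
        day = table.get(url)
        if day is None:
            continue
        note = "early" if day > today else "on-schedule"
        hits.append((client, url, day, note))
    return hits


def demo() -> List[Tuple[str, str, date, str]]:
    """Constructed scenario: a 30-day table from the announced activation date
    and a few proxy lines, two of which poll generated URLs."""
    activation = date(2006, 1, 5)
    table = precompute(activation, 30)
    today_url = candidate_urls(activation)[0]
    later_url = candidate_urls(activation + timedelta(days=3))[1]
    lines = [
        "2006-01-05T09:00:01 10.0.0.7 GET " + today_url + " 404",
        "2006-01-05T09:00:02 10.0.0.8 GET http://example.com/index.html 200",
        "2006-01-05T09:00:03 10.0.0.9 GET " + later_url + " 404",
        "garbage line the parser must skip",
    ]
    return scan_proxy_log(lines, table, activation)


if __name__ == "__main__":
    for client, url, day, note in demo():
        print(client, url, day.isoformat(), note)
```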

Re:Calculate the exact URLs (1)

h3rmanni (797836) | more than 8 years ago | (#14217675)

The worm uses NTP servers to check the date. Can't fool it by just resetting the clock on the computer.

Re:Calculate the exact URLs (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14217695)

But you can set up a fake NTP source, which is (or ought to be) a piece of cake for any security company.

Re:Calculate the exact URLs (2, Interesting)

mallumax (712655) | more than 8 years ago | (#14217700)

For once RTFA
The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.
If the virus writer is smart enough to generate pseudo random urls of which 90% are false, he is smart enough not to trust the computer clock.

Re:Calculate the exact URLs (0)

Anonymous Coward | more than 8 years ago | (#14217717)

Uh, spoof the time server check too? Duh.

RTFA (0)

Anonymous Coward | more than 8 years ago | (#14217830)

Seriously, the article's not that long. And if you read it, you'd know why the worm won't reveal future dates. Hint: it has to do with atomic clocks, and time synchronization.

(Yes, yes, it could still, technically, be sandboxed. But doing it this way makes determining URLs that much easier.)

What if it's not "AN" author? (0, Troll)

core plexus (599119) | more than 8 years ago | (#14217611)

With foil hat firmly on, I think what if it's not an author, but something more insidious?

Call me paranoid, and this may just be a press release to drive traffic to a company, but I see the day coming when small packages pack a big punch.

I'm actually a bit surprised it hasn't happened yet.

Caption This [suvalleynews.com]

Simple (1, Redundant)

Placido (209939) | more than 8 years ago | (#14217614)

Register one of the URLs and post some code which, when executed, stops the worm executing. Rinse. Repeat.

Applications? (5, Insightful)

FhnuZoag (875558) | more than 8 years ago | (#14217617)

Can we use this discovery to distribute a cure?

I.e. we register one of the websites that Sober checks, and put a Sober removal tool on it. Come that day, Sober would download the file and delete itself without any user interaction.

Problem solved.

Re:Applications? (0, Offtopic)

grungefade (748722) | more than 8 years ago | (#14217705)

I just don't get the slashdot rating system. This idea has been posted many times before this one, and this one gets a better rating "5 Interesting". Now I don't feel so bad for having bad karma for so long.

Re:Applications? (4, Funny)

Skapare (16644) | more than 8 years ago | (#14217739)

Better yet, have it install Ubuntu and solve the longer term problem, too. :-)

Re:Applications? (0)

Anonymous Coward | more than 8 years ago | (#14217806)

Linux ist for girly men. Us beefcakes use Windows

roflcopter (4, Funny)

Anonymous Coward | more than 8 years ago | (#14217634)

Hay guys I have a gr8 idea, why dont they just put a prog at the urls the virus checks, which an infected coputer can run and it will delete the virus!!

+5 informative

This is why worm/virus makers... (0)

Anonymous Coward | more than 8 years ago | (#14217639)

...should be forced to use open source.

Re:This is why worm/virus makers... (0, Redundant)

CriminalNerd (882826) | more than 8 years ago | (#14217696)

Sony did the same thing and look what good it did them!

I don't see why they need to post their discoveries. They could have done that AFTER the writer is caught...

Re:This is why worm/virus makers... (0)

Anonymous Coward | more than 8 years ago | (#14217810)

Maybe because it's not their job to catch virus writers? their job is to catch viruses. Shouldn't all information be available.

Well known URLs (4, Funny)

g-san (93038) | more than 8 years ago | (#14217646)

one is supposedly http://it.slashdot.org/comments.pl?sid=170643&threshold=1&mode=thread&commentsort=0&op=Reply [slashdot.org]

It posts trollish looking messages and chats to you in IM. :)

Personally, I usually just chill while connected with ethereal running, then connect back to the PCs backdoored by the viruses that are trying to infect my honeypot on tcp/135. Then a simple netstat will show you an established tcp connection back to the IRC server the virus is using to announce itself to the author (not to mention about 500 connections SYN-SENT or ESTABLISHED to PCs being infected/probed, also a good source for other infected, backdoored PCs. You do know what is attacking you and what tcp backdoor it runs, right?) You can usually spot that connection, it has a high TCP destination port, whereas the normal vector port is 135/137/139. It's really sad to see thousands of PCs already announcing themselves to the author on that IRC channel as, "Hey come on over, I am running W2k|2XP. I am XP200453." And there is no one there to give me +OP privs!!! Batrastards!!! I could echo 'you are hacked please visit windowsupdate.com'> the startup folder all I want for days to each one of them to no avail... or echo ''you are a moron, too stupid to own a computer, put it back in the box and yadayadayada....

I wonder what I would do with a beowulf cluster of networks of hacked (i.e. unpatched windows) PCs. probably echo the same message in the same fashion as above, yet, alas, I am seriously lacking in motivation and spare time. (q.q.v 4. Pr0F1T!!!)

so little time, so many IP addresses, so many ignorant users.... so many clever, clever coders...

Re:Well known URLs (1)

ScottKin (34718) | more than 8 years ago | (#14217777)

Any chance you could reveal to us what IRC Networks you are seeing when the worm/virus does its callback-notification to the user/author/abuser/scum-of-the-earth?

Maybe some IRC admins might be lurking and by advising them that their network is being used as the communications channel could help in the further sleuthing of this activity?

--ScottKin

the easy answer is... (0)

Anonymous Coward | more than 8 years ago | (#14217671)

to not use software that is so easy to get foreign code to execute on. I feel a warm Slackware moment coming...ahhhhhhh.

What's meant by "authorities"? (2, Interesting)

raehl (609729) | more than 8 years ago | (#14217680)

Isn't the authorities being able to block a URL a problem? If authority means "Software I've willingly installed on my computer to block malicious URLs", then good, fine and dandy. If authorities means the government, I'm not so keen about that possibility.

Re:What's meant by "authorities"? (1)

Shimbo (100005) | more than 8 years ago | (#14217796)

Isn't the authorities being able to block a URL a problem?

I see no harm in the police going to the relevant ISP and asking them either not to register the username 'dfgdfbvbb', or to provide them information on the registrant. If the ISP wants a warrant for the latter, that's fine too.

Now work backwards? (3, Insightful)

BoldAndBusted (679561) | more than 8 years ago | (#14217688)

Hmm... If they can predict forward in time what sites Sober will seek, can they not also look backward in time to see what sites the worm sought in the past? If so, could they not then check the registration records for each of those sites and... find the author?

Re:Now work backwards? (1)

LuckyStarr (12445) | more than 8 years ago | (#14217743)

Do you really believe the author used real names and real IP-Addresses to register the sites?

Re:Now work backwards? (1)

BoldAndBusted (679561) | more than 8 years ago | (#14217761)

Do you really believe the author used real names and real IP-Addresses to register the sites?

Nope. But, it might provide a trail to try to follow, no?

Sophistication (4, Interesting)

squoozer (730327) | more than 8 years ago | (#14217694)

I have often wondered why we haven't seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm / virus is small presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

  1. Author writes the first version of the virus and deliberately infects machines. This version doesn't spread on its own. This version doesn't need to be terribly good; it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).
  2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.
  3. Hole exploited by the stage two virus is closed. Many are lost.
  4. Author writes new exploit module and uploads it to virus network which then re-infects lost boxes and new boxes.
  5. Virus scanners get to understand core virus and destroy numerous infections.
  6. Author releases new version into the virus network which upgrades current installs. And so it goes on.
  7. ???
  8. Profit!

Perhaps someone is already doing this, I don't know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

BTW I'm not a virus writer.

At least Viruses dont spontaneously mutate (1)

voss (52565) | more than 8 years ago | (#14217764)

If you think upgradeable viruses are bad...wait until you see computer viruses self-mutate and evolve. Laugh if you want...it will come one of these days.

Re:Sophistication (1)

andersa (687550) | more than 8 years ago | (#14217786)

In any case this version of Sober is truly the nastiest I have seen hitting my server as of yet. First recognized by ClamAV on the 21st of November. I haven't got a precise count but it's got to be at least 400 emails in quarantine up to now, and they just keep coming in. Excluding phishing emails that are also blocked by ClamAV, it's probably at least a 400% increase in the average number of quarantined mails per day.

This is a new one... (4, Insightful)

Slashcrap (869349) | more than 8 years ago | (#14217704)

I find myself in the unusual and possibly unique situation of agreeing with other people on Slashdot.

It would have been better not to release this information. Now the author knows the game is up. Unless they have already traced him from some of the previous URLs, which I doubt.

So why release it then? The AV company just couldn't resist jumping up and down and showing everybody how clever they are. AV is more about marketing than technology anyway.

The thing is, I bet this algorithm wasn't even that hard to reverse engineer. I mean, I'm not saying that I could have done it and I'm sure most of you couldn't either. But to someone skilled in the black arts of disassembly and debuggery (if that isn't a word it should be), it would probably have been fairly trivial. At the end of the day, virus authors usually aren't that bright. You can obfuscate and encrypt your code as much as you want but at some point it still has to be executed. Most of the techniques are well known and I doubt this idiot invented any new ones.

Re:This is a new one... (4, Informative)

Alex Zepeda (10955) | more than 8 years ago | (#14217812)

I'm curious if you bothered to read F-Secure's blog:

So we cracked the algorithm. This enabled us to calculate the download URLs for any future date. In fact, we did this already in May 2005, and we informed the local police in Germany as well as the affected ISPs. But we didn't want to talk about it publicly then - we didn't want to fill in the virus writer on this. But he must know this by now.

Something to think about.

uh.. (2, Insightful)

nexcomlink (930801) | more than 8 years ago | (#14217746)

How do they or any one of us know it's going to be expected on that date? Nobody can predict an outbreak because there is never a set time for one. If the virus author can change the date he would. Like they say, always expect the unexpected, and what was expected is deemed to be better or worse than it was intended to be.

New life form (1)

La Gris (531858) | more than 8 years ago | (#14217778)

As they get 'smarter', someday, computer viruses and worms may become life forms. It's no magic these have been called life forms already.

This is an unreported, unknown new life form, Sir. We should not destroy or interfere with its existence due to The Prime Directive.

Next weeks article: (1)

Kuvter (882697) | more than 8 years ago | (#14217781)

"Drunk's code cracked."

Why not... (-1, Redundant)

Sarastrobert (800232) | more than 8 years ago | (#14217784)

...just make a Sober removal program and upload it onto one of the URLs on the right day? I am sure authorities should have no problems getting help from the responsible ISP in doing that.

Hopefully (1)

beast6228 (472737) | more than 8 years ago | (#14217807)

Hopefully Sober gets drunk on New Year's Eve and doesn't become Sober until after the 5th. Even better yet, maybe Sober will get alcohol poisoning and die.