F-Secure cracks Sober's URL-generating algorithm

By Justin Mann on December 9, 2005, 1:45 PM
The persistently troublesome Sober worm, of which many variants have been found, has recently had its hood peeked under by F-Secure, the same company that contacted Sony concerning the flaw in their DRM technology we've all heard so much about. F-Secure has revealed that they were able to reverse engineer the method the worm uses to self-update, enabling them to predict exactly what URLs the worm will check on particular days. The worm uses a random URL based on this algorithm to check for “updates” to its code, the majority of which do not exist. The author, however, can simply calculate a URL for a particular day and make sure that domain exists.

They gave various example URLs, in particular the URLs it will check on January 5th, and this sort of information will allow companies and users to prevent the worm from being able to update itself from their particular computers or networks. That's more of a band-aid than a fix, which would be removing the actual infection, but for administrators on company or other large networks where direct machine control isn't possible (such as at a university or ISP), this is a way to help reduce further infections.
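As an added illustration (not code from F-Secure or from the original article), here is how an administrator might use a date-keyed list of predicted update hosts: build the day's blocklist and scan proxy logs for internal clients that requested a predicted host, which points to machines that still need cleaning. The hostnames, dates, log format and function names are all constructed assumptions; real predictions would come from the vendor's published list.

```python
from collections import defaultdict
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed placeholders: date -> hostnames predicted for that day.
# A real deployment would load a vendor's published predictions instead.
PREDICTED = {
    date(2006, 1, 5): {"update-a.example", "update-b.example"},
    date(2006, 1, 6): {"update-c.example"},
}

# Constructed proxy log (assumed format): ISO timestamp, client IP, URL.
SAMPLE_LOG = """\
2006-01-05T08:14:02 10.0.4.17 http://update-a.example/
2006-01-05T08:14:09 10.0.4.17 http://UPDATE-B.example:80/x
2006-01-05T09:30:41 10.0.7.52 http://www.example.org/index.html
2006-01-06T11:02:10 10.0.9.3 http://update-a.example/
2006-01-06T11:05:55 10.0.9.8 http://update-c.example/
malformed line
"""

def blocklist_for(day):
    """Hosts to deny at the proxy or DNS resolver on the given day."""
    return sorted(PREDICTED.get(day, set()))

def find_suspect_clients(log_text, slack_days=0):
    """Map client IP -> {(predicted_day, host)} for requests that hit a
    predicted host within slack_days of the day it was predicted for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        try:
            when = datetime.fromisoformat(parts[0]).date()
        except ValueError:
            continue
        host = (urlsplit(parts[2]).hostname or "").lower()
        for day, hosts in PREDICTED.items():
            if host in hosts and abs((day - when).days) <= slack_days:
                hits[parts[1]].add((day, host))
    return dict(hits)

if __name__ == "__main__":
    print("block on 2006-01-05:", blocklist_for(date(2006, 1, 5)))
    print("suspect clients:", find_suspect_clients(SAMPLE_LOG))
```

Matching only on the predicted day keeps false positives low; `slack_days` widens the window when the log's timezone and the client's date may differ.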
