Sober worm infections cue up January attack
By Matt Whipp
Posted on 8 Dec 2005 at 16:36
Security company iDefense claims a further attack triggered by Sober worm infections will occur on 6 January 2006, based on code within the last variant unleashed at the end of last month.
The US company says that it reverse-engineered and decrypted elements of the worm's code and discovered that it is scheduled to download further code from the Internet on that date - a date which coincides with the 87th anniversary of the founding of the Nazi party. Past variants of the Sober worm have also included Nazi messages.
'This discovery emphasizes the ever-present and often underestimated threat of "hacktivism" - combining malicious code with political causes,' said Joe Payne, Vice President, VeriSign iDefense Security Intelligence Services. 'Exposing this latest variant required technical and geopolitical analysis that connected the dots to give enterprises and home users plenty of time to shore up their defenses.'
The slew of variants sent out last month triggered the epidemic of the year for virus infections, causing most antivirus vendors to issue their top-level risk alerts.
The timing of these versions was also significant, as it coincided with the inauguration of Germany's first female chancellor. Again, the attack scheduled for next year comes a day before a major German political convention meeting.
The author, or authors, are thought to be German: the Sober worm uses text in both English and German, depending on the domain of the email address to which it is being sent.
And German authorities have been tracking down those responsible for some time now.
The Bavarian police accurately predicted at least one variant of November's Sober outbreak, both in terms of timing and content, based on evidence gathered from their investigation.
Yet the Sober authors seem to have little concern for those closing the net on them. Recent versions of the virus have claimed to come from the German Bundeskriminalamt police, as well as the FBI, the CIA and the UK's National High-Tech Crime Unit (NHTCU). So if Sober wasn't on their radar before, it is now.
Given that it is now known from which servers Sober will download new code for the programmed attack in January, it is highly likely that these will quickly be shut down.
This will of course mean that another outbreak of Sober will be needed in order to seed enough infections for future attacks.
