Sober Worm Algorithms Finnished

    December 9, 2005
    WebProNews Staff

The scheme used by the virus writer behind the Sober worms to determine where it will connect on the Internet has been cracked by the Finnish security firm.

Another huge outbreak of the Sober worm has been scheduled to happen on January 6th, 2006. However, thanks to Mikko Hyppnen and Finnish security firm F-Secure, admins everywhere now have the information to take steps and block infected machines from hitting a URL where a new version of Sober can be obtained and installed.

F-Secure has had the information since May 2005. “(W)e informed the local police in Germany as well as the affected ISPs (in May). But we didn’t want to talk about it publicly then – we didn’t want to fill in the virus writer on this. But he must know this by now,” Hyppnen wrote.

An algorithm in Sober generates pseudorandom URLs based on the date. 99 percent of the URLs created don’t exist. The URLs, which point to free hosting servers in Germany and Austria, can be determined by Sober’s creator ahead of time.

Then he can create the URL at the free hosting site at the right date to get the latest version of the worm onto any infected machine that can connect to the URL.

That list changes every 14 days, and a change has already been scheduled in existing versions of Sober on January 6th. Admins who block connections at the firewall to,, and should thwart any undetected Sober-infected machines on their networks, according to the report.

Previous outbreaks of Sober have delivered millions of Nazi propaganda messages to inboxes worldwide. Putting that to an end would be a tremendous benefit to users everywhere.

David Utter is a staff writer for WebProNews covering technology and business.