Sober Worm Has Nazi Connection

The worm's campaign is expected to resume Jan. 5, 2006, the anniversary of the Nazi party.

By Jim Wagner | Posted Dec 8, 2005
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

The infamous Sober worm is set to rear its ugly head again in a New Year's activity that has security officials expecting the worst.

Security experts at iDefense reverse-engineered the latest Sober variant and discovered the code will automatically download some unknown code on Jan. 5, 2006, the anniversary of the founding of the Nazi party and the eve of a major German political convention.

"This discovery emphasizes the ever-present and often underestimated threat of 'hacktivism' -- combining malicious code with political causes," Joe Payne, iDefense vice president of security intelligence services, said in a statement.

The latest Sober variant has already made its mark in the security world and with the millions of e-mail users who've received the damaging e-mails.

Last month the Federal Bureau of Investigation (FBI) warned users not to open an attachment in e-mails purportedly coming from the agency. The attachment in question was, in fact, the Sober.z worm ready to infect computers and deliver its payload.

This isn't the first time the FBI has been the target of a Sober attack. In February the Sober.k worm used the same methods found in last month's messages, a warning the FBI had tracked user visits to illegal Web sites and requested they open the attached file.

Like other worms, Sober.z disables the security software that could prevent its spread, scans the user's PC for e-mail addresses, delivers a copy of itself to that address and hides code within the user's PC. U.K.-based security vendor Sophos lists it the top virus of November, with nearly 43 percent of virus reports received by the company attributed to Sober.z.

In essence, the Sober e-mail attacks last month are merely a prelude to the true attack, which is to download the file. iDefense officials predict the next wave could have a "significantly detrimental" effect on Internet traffic as e-mail servers attempt to keep up with the expected messages.

Allysa Myers, virus research manager at McAfee's Anti Virus Emergency Response Team, said the download component is pretty common in Sober variants and its likely the Jan. 5, 2006, date will be a relative non-event. Researchers have had enough time, she said, to contact the ISPs hosting the Web sites the code is supposed to download from, negating the upcoming attack. It will all depend on what sites haven't been shut down by that date, Myers said.

"This sort of thing we run into an awful lot, there's a lot of viruses that have tried this technique," she said. "There's a lot of communication between the security industry and ISPs; there's protocols in place to take care of this sort of thing.

Preventing the expected January attack requires end users to take precautions, whether through buying a commercial anti-virus product or thinking twice before opening an attachment.

"The Sober family may seem as hard to exterminate as a colony of cockroaches, but they can be stopped from infesting a network if users remain vigilant when facing unsolicited emails," Carole Theriault, Sophos senior security consultant, said in a statement.

Anti-virus vendors have come out with updates to the latest Sober variants and recommend users update their software's service to remove the threat. Symantec (W32.Sober.X@mm) and McAfee (W32/Sober@MM!M681) have more information on the Sober variant and how to look for it on user computers.

Article courtesy of internetnews.com

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter