When the latest variant of the Sober worm appeared online, anti-virus vendors were aware that the worm communicates with its author, but they did not know exactly how. On Thursday, anti-virus firm F-Secure said it had cracked the algorithm the worm uses to download its payloads.
According to F-Secure, the author did not use constant URL addresses inside the virus body because authorities would easily be able to block it. Instead, the worm is programmed to use a pseudo-URL generator that will change based on the date.
Mikko Hypponen, chief research officer at F-Secure, wrote on the company’s Blog: “…Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don’t exist.”
“However, the virus author can pre-calculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally in hundreds of thousands of machines.”
The latest variant of the worm is coded to activate on January 5, 2006. F-Secure suggests that companies block the list of addresses at the corporate firewall. The list of URL addresses is available at F-Secure’s Blog.
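To illustrate why a date-driven URL generator can be turned against its author once the algorithm is known, here is an added example (not F-Secure's reconstruction and not Sober's real algorithm) of a hypothetical date-seeded hostname generator, together with the defender's side: pre-computing the blocklist for a date window and matching it against constructed proxy-log lines. The SHA-256 construction, the seed constant, the parent domains and the log lines are all invented for this example.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-ins for the free-hosting parent domains the worm used;
# these are NOT the real hosts from F-Secure's published list.
PARENT_DOMAINS = ("freehost-example.de", "webspace-example.at")
CHARSET = "abcdefghijklmnopqrstuvwxyz"
HOSTS_PER_DOMAIN = 4            # labels the toy generator emits per parent domain
SEED_CONSTANT = b"toy-dga-v1"   # hypothetical constant baked into the "binary"
ACTIVATION = date(2006, 1, 5)   # activation date named in the article


def hosts_for_date(day: date) -> list[str]:
    """Derive the day's pseudorandom hostnames as a pure function of the date.

    Hypothetical algorithm: SHA-256 over a fixed constant plus the ISO date,
    sliced into 6-letter lowercase labels. The real Sober generator differs;
    the point is that knowing the function lets anyone compute the output
    for any date in advance, exactly as the author does.
    """
    digest = hashlib.sha256(SEED_CONSTANT + day.isoformat().encode()).digest()
    hosts = []
    for i in range(HOSTS_PER_DOMAIN):
        chunk = digest[i * 6:(i + 1) * 6]
        label = "".join(CHARSET[b % len(CHARSET)] for b in chunk)
        for parent in PARENT_DOMAINS:
            hosts.append(f"{label}.{parent}")
    return hosts


def blocklist(start: date, days: int) -> set[str]:
    """Defender view: pre-compute every hostname for a window of dates."""
    return {h for d in range(days) for h in hosts_for_date(start + timedelta(days=d))}


def flag_log_lines(lines: list[str], start: date, days: int) -> list[str]:
    """Return proxy-log lines (timestamp client host request) whose host is blocked."""
    blocked = blocklist(start, days)
    return [ln for ln in lines if ln.split()[2] in blocked]


# Constructed proxy log: one hit on a generated host, one benign request.
SAMPLE_LOGS = [
    f"2006-01-05T09:12:01 10.0.0.7 {hosts_for_date(ACTIVATION)[0]} GET /update.exe",
    "2006-01-05T09:12:05 10.0.0.9 www.example.com GET /index.html",
]

if __name__ == "__main__":
    for host in sorted(blocklist(ACTIVATION, 3)):
        print(host)                     # the firewall blocklist for three days
    print(flag_log_lines(SAMPLE_LOGS, ACTIVATION, 1))
```

Because every output depends only on the date and a constant carried in the binary, the same code that serves the author as a rendezvous mechanism serves the defender as a blocklist generator.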