Security firm F-Secure says it has cracked the code used by the Sober worm, potentially blocking the worm from receiving updates.
Sober has mutated constantly since October 2003, when the first variant was picked up, and now there are more than 20 other types. The latest version, Sober.Y, was responsible last month for the biggest outbreak of the year and still accounts for about 40% of all infections detected by F-Secure.
One of the critical features that has made Sober dangerous is its ability to download new variants, instantly infecting large numbers of machines. Another new variant is expected to reactivate itself on 5 January.
According to F-Secure, the download pattern had puzzled security experts because the URLs used were produced by a secret algorithm. Sober generates apparently random URLs that change with the date; the virus author precalculates the URL for a given date, registers it, and then uploads the program there.
F-Secure believes its cracking of the algorithm will allow it to figure out which URLs the worm variants will attempt to download from, allowing the hosting providers to block the sites, and give system administrators a list of sites they should block at the corporate firewall.
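The defensive workflow the article describes, as an added example that is not F-Secure's tooling or Sober's code: once a date-seeded generator has been recovered, the hostnames for the coming days can be precomputed into a firewall blocklist and matched against proxy logs. The generator, hosting domains and log lines below are constructed stand-ins, not the worm's real algorithm.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a recovered date-seeded generator; NOT Sober's real algorithm.
HOSTING_DOMAINS = ["example.net", "example.org"]  # placeholder hosting providers
URLS_PER_DAY = 3


def host_of(url: str) -> str:
    """Hostname portion of a URL of the form scheme://host/path."""
    return url.split("://", 1)[1].split("/", 1)[0].lower()


def generate_urls(day: date) -> list[str]:
    """URLs the stand-in generator yields for one calendar day (deterministic per date)."""
    urls = []
    for i in range(URLS_PER_DAY):
        digest = hashlib.sha256(f"{day.isoformat()}#{i}".encode()).hexdigest()
        label = digest[:10]  # looks random, but anyone with the algorithm can reproduce it
        urls.append(f"http://{label}.{HOSTING_DOMAINS[i % len(HOSTING_DOMAINS)]}/update.bin")
    return urls


def blocklist(start: date, days: int) -> set[str]:
    """Precompute every hostname for [start, start + days); this is what goes to the firewall."""
    hosts = set()
    for offset in range(days):
        for url in generate_urls(start + timedelta(days=offset)):
            hosts.add(host_of(url))
    return hosts


# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url>"; one hits a generated host.
KNOWN_BAD = host_of(generate_urls(date(2006, 1, 5))[0])
SAMPLE_LOG = [
    "2006-01-05T08:00:01 10.0.0.12 GET http://www.example.com/index.html",
    f"2006-01-05T08:00:02 10.0.0.12 GET http://{KNOWN_BAD}/update.bin",
    "2006-01-05T08:00:03 10.0.0.17 GET http://mail.example.org/inbox",
]


def flag_requests(log_lines: list[str], blocked_hosts: set[str]) -> list[str]:
    """Return the log lines whose requested host appears in the precomputed blocklist."""
    return [line for line in log_lines if host_of(line.split()[-1]) in blocked_hosts]


if __name__ == "__main__":
    hosts = blocklist(date(2006, 1, 1), 14)  # two weeks covering the expected 5 January activation
    for line in flag_requests(SAMPLE_LOG, hosts):
        print("ALERT (infected client fetching update):", line)
```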
At least someone seems to be making progress in getting on top of this worm, which intermittently creates havoc. It’ll be intriguing to see what happens when the latest incarnation of Sober arrives in January.