After springing back to life in recent weeks, the prolific Sober worm appears set to strike yet again in the first hours of 2006. Fortunately, an early warning may save security pros a lot of time and trouble.
VeriSign Inc. subsidiary and security intelligence specialist iDefense reported this week that it has discovered hard-coded commands within the recent Sober-X variant intended to launch the next wave of Sober assaults on Jan. 5, 2006.
According to iDefense, the planned attack was discovered by reverse-engineering the Sober-X variant discovered in mid-November.
Ramses Martinez, director of malicious code operations with iDefense, said that starting on Jan. 5, the worm would begin generating a series of dynamic URLs specific to domains in Germany and Austria. From those domains it would attempt to download the next portion of code to carry out the attack.
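To show why recovering a hard-coded, date-driven URL routine gives defenders this kind of lead time, here is an added example that is not Sober's code (the article does not reproduce the worm's routine): a constructed stand-in generator whose output depends only on a seed and the calendar date, the defender-side precomputation of the hostnames for the days around the trigger, and a check of constructed proxy log lines against that list. The seed value, the number of URLs per day, the hashing scheme and the log format are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in generator. This is NOT Sober's routine (the article does
# not reproduce it); it models only the property that matters here: the output
# depends solely on a hard-coded seed plus the calendar date, so anyone who has
# recovered the routine can enumerate every URL before the trigger date arrives.
SEED = b"placeholder-seed"      # assumption: a real sample's constant comes from reversing
TLDS = ("de", "at")             # the article says the domains are German and Austrian

def candidate_urls(day: date, count: int = 6) -> list[str]:
    """Return the download URLs the stand-in would try on `day`."""
    urls = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        host = f"{digest[:10]}.{TLDS[i % len(TLDS)]}"
        urls.append(f"http://{host}/{digest[10:16]}")
    return urls

def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender side: hostnames for a window of dates starting at the trigger."""
    hosts = set()
    for offset in range(days):
        for url in candidate_urls(start + timedelta(days=offset)):
            hosts.add(url.split("/")[2])
    return hosts

def flag_proxy_lines(lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Match proxy log lines ('timestamp client host status') against the list.
    A 404 still counts: a client contacting a generated host before any payload
    is staged there is exactly the early sign worth investigating."""
    hits = []
    for line in lines:
        _ts, client, host, _status = line.split()
        if host in blocklist:
            hits.append((client, host))
    return hits

TRIGGER = date(2006, 1, 5)
BLOCKLIST = precompute_blocklist(TRIGGER, 3)

# Constructed proxy log lines; the second one contacts a generated host.
_generated_host = candidate_urls(TRIGGER)[0].split("/")[2]
SAMPLE_LOG = [
    "2006-01-05T00:01:02 10.0.0.7 www.example.org 200",
    f"2006-01-05T00:03:15 10.0.0.9 {_generated_host} 404",
]

if __name__ == "__main__":
    print(flag_proxy_lines(SAMPLE_LOG, BLOCKLIST))
```

Because the list is deterministic, the same precomputed hostnames can be handed to ISPs or registrars for takedown or sinkholing ahead of the trigger date, which is the mitigation the article describes.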
"We don't know what the code is going to do, so it may be anything," Martinez said. "Based on the functionality and experiences we've had with Sober, we assume that it will be used for sending spam, but it's really impossible to know for sure."
Sober has unquestionably been the most publicized worm of 2005. Dozens of variants, many of which have been mass-mailers, have been on the loose at various points throughout the year.
One such outbreak happened in May, when the Sober-N worm dropped the Sober-Q Trojan on compromised machines and began spewing messages touting German nationalism. Interestingly, the Sober strike slated for Jan. 5 would be the 87th anniversary of the founding of Germany's Nazi party.
More recently, in addition to the mid-November variants, antivirus firms discovered just after Thanksgiving that the latest iteration, Sober-Z, was spreading spam so quickly that it accounted for a staggering one in 14 e-mails traveling across the Internet.
The early warning, though, may have largely mitigated any potential damage. Allysa Myers, virus research manager with Santa Clara, Calif.-based McAfee Inc.'s AVERT Research Center, said that it remains to be seen whether the upcoming Sober variant will still be able to download itself on Jan. 5.
"Any number of things could be put into that file location between now and then," Myers said. "It's likely that between now and the fifth, the site where it's trying to get downloads from will be taken down."
Martinez agreed, saying that several antivirus firms along with German authorities and ISPs are working diligently to track down the source of this and past Sober variants.
Though Sober has received copious media attention due to its many iterations, Myers said it shouldn't be considered as great a threat as some other worms, most notably the IRCbot.
"IRCbot has been spreading much of the spam this year and has been used for all sorts of criminal purposes," she said. "It's been used for DoS attacks against Web sites, for extortion purposes and for sending spam, all sorts of nasty things."
Still, Martinez said this discovery shows that Sober and other types of mass-mailer worms are still a threat.
"It's been said that they are a thing of the past, but they really aren't," Martinez said. "As we saw in the past few weeks, they can still have a pretty big impact. Although e-mail worms aren't as big of a threat to the enterprise as they were two years ago, they can still cause enough disruption to affect them, and we're going to see these things for a while to come."