Jump to content

Happy New Year - Worm_sober.ag


Recommended Posts

There have been reports that the new year will start with a bang possibly on the 5th of January or 6th of January, when a new SOBER variant is suspected to be released by the same group that caused the recent WORM_SOBER.AG outbreak in November.


The reports may have been based on the analysis that WORM_SOBER.AG will download an executable file Sober.exe) possibly on either January 5, 2006 or January 6, 2006 from certain URLs that are hard-coded and encrypted within the SOBER.AG worm. These "predefined" URLs are not the exact sites that may used - an algorithm based on the date is used to generate the exact URLs that will be used on the target date itself.

Link to comment
Share on other sites

F-Secure cracked the code. The list is as follows
Then the solution is simple and the threat can be stopped before it gets here...lock up those domain names and nothing can be downloaded.


However, the list will change every 14 days,


And with the above solution this is stopped also since the only change thats made is to the subfolder name used...the subdomains and top level domains remain the same.


Yes I realize these are not US controled domains...but this is a threat to the whole world and the country that controls those domains should be able to be convinced to do something about it.

Link to comment
Share on other sites

Ok, after looking at the domains in question, locking the domain may not be as simple as I assumed. These sites are free web hosting companies and locking them would affect their business. But just allowing hackers to use their service for this type of activity would also affect their bottom line with all the legal problems that would follow.


Hopefully they will come up with some other solution before the actual date arrives.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...