F-Secure Cracks Sober virus algorithm



#1
Dragon


The first Sober variant was found in October 2003. Since then, we've found over 20 different variants.

Most of these variants contain a routine that activates the virus at a later date. After this the virus will try to periodically download and run a file from several websites. This is the way most new Sober variants are distributed: the author uploads a new version and all the infected machines will suddenly get infected with the new variant.

Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever. The virus even synchronizes the machines via atom clocks so the activation will not happen before January 5th, even if the clock of the computer is incorrect.

So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.

However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally in hundreds of thousands of machines.

The Sober virus author can precalculate the URLs. We wanted to be able to do the same thing. So we cracked the algorithm. This enabled us to calculate the download URLs for any future date....................


Read the rest of the information here
  • 0
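
Added example (not part of the original post or of F-Secure's write-up): once a date-seeded URL generator like the one described above has been recovered, a defender can precompute the hostnames for upcoming dates and match them against proxy logs. The generator, hosting domains and log format here are constructed stand-ins and are not Sober's actual algorithm.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import urlsplit

# Assumption: placeholder hosting domains (reserved example names), not Sober's.
HOSTING_DOMAINS = ["hosting-a.example", "hosting-b.example"]

def candidate_hosts(day: date) -> list[str]:
    """Stand-in date-seeded generator: one hostname per hosting domain per day."""
    hosts = []
    for idx, domain in enumerate(HOSTING_DOMAINS):
        seed = f"{day.isoformat()}|{idx}".encode()
        digest = hashlib.sha256(seed).digest()
        # Map the first 8 digest bytes to lowercase letters for the account label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        hosts.append(f"{label}.{domain}")
    return hosts

def build_blocklist(start: date, days: int) -> dict[str, date]:
    """Precompute host -> generation date for a window of upcoming dates."""
    blocklist = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for host in candidate_hosts(day):
            blocklist[host] = day
    return blocklist

def flag_requests(log_lines, blocklist):
    """Return (client, host, generation date) for requests to precomputed hosts."""
    hits = []
    for line in log_lines:
        # Constructed log format: "<ISO timestamp> <client ip> <method> <url>"
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        host = urlsplit(parts[3]).hostname or ""  # hostname is already lowercased
        if host in blocklist:
            hits.append((parts[1], host, blocklist[host]))
    return hits

if __name__ == "__main__":
    window = build_blocklist(date(2006, 1, 5), 14)
    sample = [  # constructed proxy log lines
        f"2006-01-06T09:12:00 10.0.0.23 GET http://{candidate_hosts(date(2006, 1, 6))[1]}/file",
        "2006-01-06T09:13:10 10.0.0.40 GET http://intranet.example/index.html",
    ]
    print(flag_requests(sample, window))
```

A client that requests a precomputed hostname is worth investigating even when the name does not resolve, since the post notes that most generated URLs do not exist.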



#2
HarryMay

Very interesting. I read thru some other sec.s on that site and was kind of baffled at the root of what was being said (didn't finish my education), but overall I find the subject matter rather stimulating. I remember watching my little bro. back in the late eighties building machines and often asking about source codes and algorithms, which I still don't fully get. Thanx for introducing me to a site that I can go to when I just want to contemplate just what my puter is up to. Cheers, mate.
  • 0





