Random Entry: AAh the end.
< Netcat now Malware | Squidoo Information Security Lense >

Sober URL Prediction

Now this is more like it. F-Secure have cracked the URL generating hash in Sober.Y

Basically Sober can self-update from a URL. The author knew she couldn't use one URL to post the updated versions of Sober as that would be discovered and taken down pretty quickly. Instead she made Sober sync with an atomic clock and generate unique URLs based on the time. These URLs can be pre-computed for a certain time by the Sober author who can then register them quickly and have the infected machines update themselves.

Given that we know what days Sober activates, you too can block the URLs. They are posted at f-secure's blog.

This is exactly the kind of additional remediation malware researchers should be providing. Thanks F-Secure.

UPDATE: LURHQ has more on the many variants activation dates.

Thursday, December 8. 2005
Posted by Dominic White in Security
Comments (0) | Trackbacks (0)

Last modified on 2005-12-09 16:58

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry