The New Year may bring yet another threat from the Sober family of worms, according to security researchers who say a recently discovered variant of the worm contains code that could unleash a new round of attacks on Jan. 5, 2006.
Security firm iDefense, which is owned by VeriSign, said a variant of Sober found in November contains encrypted code that will command infected computers to download unknown code from Web servers on Jan. 5, 2006.
The date is significant, the firm said, because it marks the anniversary of the founding of the Nazi party in 1919 and coincides with the start of a major political convention in Germany.
The firm said the attack could have “a significantly detrimental effect on Internet traffic, as e-mail servers are flooded with politically motivated spam e-mails from potentially tens of millions of e-mail addresses.”
Joe Payne, vice president of iDefense’s Security Intelligence Services division, said the code seemed to represent an example of “hacktivism,” which seeks to combine computer security threats with political causes.
Payne noted that Sober is already one of the most widespread and “prolific” worms during 2005 and actually was first found in the wild in 2003. That first version of the worm was traced to German-speaking authors, though the worm has been created to send messages in both German and English, depending up on the recipient’s e-mail address.
iDefense said it broke the hidden code in Sober and reverse engineered the worm variant after it was discovered in mid-November.
Mikko Hypponen, chief research officer for Finnish anti-virus firm F-Secure, said in his blog that the worm appears programmed to try to download unknown code from servers located at 14 different Web addresses.
He also said that the worm has been written with an algorithm that enables what he calls “pseudorandom” addresses to be generated based on the date, making it more difficult for addresses to be protected against the worm.
“The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly,” Hypponen wrote on his blog.
The threats may not materialize, since F-Secure and others have warned the service providers that control the root addresses identified so far. But the variant may be written to log into URLs that only go live at the time the downloads are set to occur, making prevention of the connection difficult.
Hypponen speculated that the downloads may consist of pro-Nazi propaganda or may simply be meant to deluge other computers with e-mail messages, slowing the Internet in the process.
If the attack materializes, it will only add to the already record-breaking run of terror of the Sober worm and its many variants — F-Secure has identified more than 20 different versions and iDefense some 30 variants.
Overall, Sober worms are seen as the leading Web-based security threat during 2005. Security firm Sophos Inc. identified the Sober-Z variant as the most prevalent complaint during November.
That variant posed as an e-mail message from the FBI or CIA and accounted for 43 percent of all virus reports to the anti-virus company during November, according to Sophos researcher Carole Theriault.
“Since we saw the first Sober worm back in October 2003, its author has tried to improve upon tried-and-tested tricks to dupe computer users into launching infected attachments,” Theriault said.
The authors of the worm are acting increasingly bold and fearless, she noted, and may cause more law enforcement resources to be dedicated to finding and stopping them. “Mocking the feds is a sure-fire way of goading the authorities,” she added.