Next Sober Attack Slated For Jan. 5

January 5, 2006, was the date embedded in the most recent Sober variants, said Ken Dunham, a senior engineer with Reston, Va.-based VeriSign iDefense, a security intelligence firm.

"We did reverse engineering on the variants, and found this date in the code," said Dunham. "The way this works is that at a pre-determined time, computers already infected with Sober will connect with specified servers and download a new payload, which will likely be spammed out in the millions, as was the last version."

Embedded dates for spreading new malware aren't new. Sobig used it to dramatic effect in 2003, when new versions were pumped out regularly, as old ones were automatically deactivated on set schedules.

Nor, Dunham theorized, is this the first time a Sober date has been sniffed out. On November 14, the Bayerisches Landeskriminalamt--the police of the southern German state of Bavaria--warned of a Sober attack the next day; the prediction proved on the mark. At the time, Bavarian police didn't elaborate on how they knew of the impending attack.

"Then, we thought maybe the police had gotten inside the group that made Sober and might be close to an arrest," said Dunham. "But now it's likely that they found a date coded inside an earlier version of the worm."

Sober, which boasts more than 30 variants, debuted more than two years ago, and is characterized by bilingual messages (English or German) that are mass-mailed in huge quantities, but don't carry a destructive payload.

The worm's creator doesn't appear to be motivated by money. Instead, he (or she)--who is assumed to be German--has a political agenda, said Ramses Martinez, iDefense's director of malicious code operations. "There hasn't been one variant that did anything but send out right-wing German spam."

Early versions of Sober were more open about the political agenda of the author(s), with messages directing recipients to neo-Nazi sites hosted in Germany, but for several months the messages have been politics-free. "That's a good question," said Martinez when asked why the worm maker hasn't pushed politics. "But we can't get inside his head."

Recent editions of the worm, however, have been timed to coincide with German political events. The release of Sober.z on Nov. 22, for instance, matched the inauguration of Germany's first female chancellor, Angela Merkel.

That's what led iDefense to conclude that the Jan. 5 date coded inside Sober.z was pointing toward Jan. 5, 1919, the day the "Deutsche Arbeiterpartei" (German Workers' Party, abbreviated DAP) was founded in Munich. The DAP grew out of the "Freier Ausschuss für einen Deutschen Arbeiterfrieden" (Free Committee for a German Workers' Peace), a group set up in 1918, and was the formal forerunner of the "Nationalsozialistische Deutsche Arbeiterpartei" (NSDAP), or Nazi Party.

"Sobers have always had a right-wing slant," said Dunham, who also noted that the next day, Jan. 6, 2006, is the date of a major German political convention. "The author's made technical changes in this last variant, so the worm is very efficient at spreading by spamming the world."

The practice of combining malicious code with political causes is often dubbed "hacktivism," and while it doesn't pose the same kind of risk as worms, Trojans, and spyware that are after money or identities, it can still bring networks to their knees.

"During the Nov. 22 outbreak, one anti-virus gateway provider trapped 94 million samples in a 24-hour period," said Martinez. "The worm also had a significant impact on MSN's Hotmail servers. The amount of spam these generate can clog up the Internet."

Although it's not clear why the author(s) of Sober don't use the vast number of spammed messages to push a political agenda more openly--"All of us are still researching that," said Martinez--it's clear to iDefense that politics is the worm's raison d'être.

"It doesn't download any code that has a keylogging component or IRC component," said Martinez.

And the very public spread of Sober--the November attack made news worldwide--fits the hacktivist pattern.

"When you want money, you go covert," said Dunham. "But when you're talking politics, you go overt."