Sober's Attack May Be Nothing To Sweat

In December 2005, a pair of security companies dug deep into the code of that month's Sober wave -- the most recent of a two-year-old malicious code clan -- only to discover that the attacker had scheduled his next attack, and embedded the date inside the worm. That same week, other researchers cracked the algorithm Sober.z used to generate URLs for the sites it would use to update itself and then launch a new round of infections.

The trigger date: midnight UT (Universal Time).

Rather than basing its attack on the already-compromised PC's local time, Sober.z synchronizes its attack globally by connecting to NTP (Network Time Protocol) servers. The attack could come at any time after midnight UT, which is 7 p.m. in New York, 6 p.m. in Chicago and Dallas, 5 p.m. in Denver, and 4 p.m. in San Francisco.

"The attack, if it comes, could come anytime after the afternoon and the evening of the 5th," said Ken Dunham, director of the rapid response team for Reston, Va.-based security intelligence gatherer iDefense.


But Dunham, and others, aren't expecting much to happen today, or if users are lucky, in the days ahead.

"In November, there were five different Trojans seeding Sober," said Dunham. "But we've not seen any Trojans in the run up to today. That might mean the attacker or attackers are lying low."

After the December discovery of the next attack date and the decoding of the URLs from which new versions would be downloaded, Sober received considerable attention both in the media and in the security business. Anti-virus vendors long ago rolled out signatures for Sober.z -- although not for any next-generation variant, since no samples have been seen -- and even Microsoft added detection for it to its Windows Malicious Software Removal Tool, which frequently lags behind third-party AV products in sniffing out the newest threats.

"With all the publicity and the police getting involved, maybe we won't see anything because of that pressure," Dunham said.

"We don't think much will happen," added Mikko Hypponen, the chief research officer of Helsinki-based F-Secure, in a statement on the company's blog.

Down the road, there's an outside chance, Dunham said, that the Sober author(s) have been scared off for good. He used Sobig, a 2003 worm, as an example.

"When Sobig.f came out, it made a major impact. Everyone heard about it, there was a bunch of mitigation, it slowed down corporate mail systems. But since then, we haven't seen another Sobig yet.

"Maybe the Sober guys will look for something a little less hot to work on," he said.

Enterprises, Dunham added, should monitor TCP port 37, a little-used port but the one Sober relies on for communications, starting Thursday. "If there's any questionable activity [on port 37], administrators might want to take a close look at it."
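The port-37 monitoring Dunham recommends, as an added example that is not from the article or from any vendor named in it: the script below scans firewall log lines for outbound TCP connections to port 37 and reports which internal hosts are making them and to how many distinct peers. The log format and the sample lines are constructed assumptions, loosely modelled on iptables-style LOG output; adapt the regular expression to whatever your firewall actually emits.

```python
"""
Added example (not from the article): flag outbound TCP port 37 connections
in firewall logs, the kind of monitoring the article recommends for Sober.
Log format and sample lines are constructed assumptions, loosely modelled
on iptables-style LOG output.
"""
import re
from collections import Counter, defaultdict

SOBER_TIME_PORT = 37  # TCP port the article says Sober uses for communications

# Constructed sample log lines (assumed format; not real traffic).
SAMPLE_LOG = """\
Jan  5 23:58:01 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=192.0.2.10 PROTO=TCP DPT=37
Jan  5 23:58:02 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=192.0.2.11 PROTO=TCP DPT=37
Jan  5 23:58:04 fw kernel: OUT=eth0 SRC=10.0.0.22 DST=198.51.100.7 PROTO=TCP DPT=80
Jan  5 23:58:05 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=192.0.2.12 PROTO=TCP DPT=37
Jan  5 23:58:07 fw kernel: OUT=eth0 SRC=10.0.0.40 DST=192.0.2.10 PROTO=UDP DPT=37
Jan  5 23:58:09 fw kernel: OUT=eth0 SRC=10.0.0.31 DST=192.0.2.10 PROTO=TCP DPT=37
"""

# Fields we need from each record (assumed iptables-style key=value layout).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is not a connection record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto").upper(), int(m.group("dport"))


def port37_activity(log_text):
    """Per-source count of outbound TCP/37 connections and the distinct peers contacted."""
    counts = Counter()
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        # Only TCP to port 37 counts; UDP/37 and other ports are ignored.
        if proto == "TCP" and dport == SOBER_TIME_PORT:
            counts[src] += 1
            peers[src].add(dst)
    return {src: {"connections": n, "peers": sorted(peers[src])} for src, n in counts.items()}


def suspicious_hosts(log_text, min_connections=2):
    """Hosts whose TCP/37 activity meets the threshold, most active first."""
    activity = port37_activity(log_text)
    flagged = [
        (src, a["connections"])
        for src, a in activity.items()
        if a["connections"] >= min_connections
    ]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, n in suspicious_hosts(SAMPLE_LOG):
        print(f"{src}: {n} outbound TCP/37 connections")
```

Port 37 is the legacy Time protocol (RFC 868), so a few hits from a host that legitimately sets its clock that way are not by themselves evidence of infection; the `min_connections` threshold is there so the report surfaces hosts that deviate from your normal baseline, and those are the ones worth the close look Dunham describes.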

For more information about Sober, users can check out the Sober security advisory Microsoft posted Tuesday on its Web site.