The latest variant of the Sober worm caused havoc in November by duping users into executing it, masquerading as e-mails from the FBI and CIA. The Sober worm includes code that allows it to be updated surreptitiously, thereby morphing itself enough to avoid eradication by anti-virus software.
It’s been known for some time that another update to the Sober worm would occur on January 5th, and anti-virus companies have been working hard to keep that from happening. According to an article in CNet News, antivirus firm F-Secure revealed on Thursday that it had cracked the algorithm used by the worm, and could now calculate the exact URLs the worm would check on a particular day.
“Sober has been using an algorithm to create pseudo random URLs which will change based on dates. Ninety-nine percent of the URLs simply don’t exist… However, the virus author can pre-calculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally on hundreds of thousands of machines,” Mikko Hypponen, chief research officer at F-Secure, wrote in his blog.
According to F-Secure’s calculations, on Jan. 5, 2006, all computers infected with the latest variant of Sober will look for an updated file located in the following list of domains:
Hypponen advised administrators to ensure any infected PCs can’t upgrade automatically by blocking access to these domains. So make sure your IT person or outside support company blocks access to these domain addresses prior to the date in question.
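To show why knowing the algorithm lets defenders act ahead of the date, here is an added example (not from the article or F-Secure, and not Sober's actual algorithm): a toy date-seeded generator, with a constructed seed and example.* parent domains, is used to precompute a blocklist for a window of dates and flag matching lookups in a constructed DNS query log.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-ins: NOT Sober's algorithm, seed or domains.
SEED = b"constructed-seed"
PARENTS = ["example.com", "example.net", "example.org"]

def candidates_for(day, count=3):
    """Toy date-seeded generator: the same date always yields the same hosts."""
    hosts = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + bytes([i])
        label = hashlib.sha256(material).hexdigest()[:10]
        hosts.append(f"{label}.{PARENTS[i % len(PARENTS)]}")
    return hosts

def build_blocklist(start, days):
    """Precompute every candidate host for a window of dates."""
    blocked = set()
    for offset in range(days):
        blocked.update(candidates_for(start + timedelta(days=offset)))
    return blocked

def flag_queries(log_lines, blocklist):
    """Return (client, qname) for DNS queries at or below a blocked host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if suffixes & blocklist:
            hits.append((client, qname))
    return hits

def demo():
    day = date(2006, 1, 5)  # the update date named in the article
    blocklist = build_blocklist(day, days=7)
    target = candidates_for(day)[0]
    log = [  # constructed DNS query log: time, client, queried name
        "09:00:01 10.0.0.5 www.example.com",
        f"09:00:02 10.0.0.7 {target.upper()}.",
        f"09:00:03 10.0.0.9 update.{target}",
        "garbage line",
    ]
    return flag_queries(log, blocklist)
```

Clients returned by `flag_queries` are the machines worth checking for infection, since the article notes that almost none of the generated URLs exist and ordinary traffic has no reason to look them up.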
Meanwhile, in another “area of town” on the WWW, a seller on eBay using the name “fearwall” put up for auction “one (1) brand new vulnerability in the Microsoft Excel application.” The bidding started Wednesday evening at $0.01.
According to the description, the vulnerability was discovered on Dec. 6 and all the details were submitted to Microsoft. The software maker indicated that it may fix the flaw in one of its upcoming patch releases, according to the eBay seller’s information.
“Since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product),” the seller wrote.
The vulnerability lies in the way Excel validates data when handling documents. Exploiting the flaw will compromise a user’s PC, according to the eBay post.
There was even a special offer for Microsoft employees: a 10 percent discount. “To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.”
Although initially thought to be a hoax, the bidding had reached about $60 when eBay pulled the item late Thursday, because it contravened its guidelines by encouraging illegal activity. Microsoft is aware of the reported flaw and has been working with eBay on the matter, an eBay company representative said in a statement.
So much for thinking it might be a hoax. According to an article on CNet News, Microsoft is not aware of any attacks that attempt to use the reported vulnerability, the software maker said. The company will continue to investigate the issue and may provide a fix as part of its monthly patching process or issue a security advisory, the Microsoft representative said.
Last but not least, do you want to speed up your antivirus scans? After years of anecdotal data from Diskeeper customers about the reduction in virus-scan times attributed to defragmentation, Diskeeper Corporation decided to investigate. They tested the four antivirus software packages that make up 90 percent of the market. After testing on different system configurations, they found major improvements in scan times, as high as 61 percent. You can download a free whitepaper about the testing here. (Free registration is required.) Note that the study may be somewhat self-serving, as Diskeeper Corporation sells defrag software.