Security News
Meet the Sobers: Malware Family of the Year
Thu, 22 December 2005
22 December 2005 - More than two years have passed since the first Sober outbreak hit the Internet. Since the latest family member continues to cause trouble worldwide, it is worth taking a closer look at Sober under the magnifying glass.
Sober is not the only malware family of recent years, and its success does not rest on a large number of variants. Internet users who have paid any attention to malware outbreaks in the last two years will also recognize other ill-reputed names: Bagle, Netsky, Mydoom and Mytob, some of which have outdone Sober in the sheer number of family members.
On the following pages we attempt an accurate chronicle of the significant Sober variants: an overview of their respective outbreaks, their behavior, their vicious practices and the secret ingredients of their recipe for success.
Sober.A – The Fire Starter
Sober.A began to spread by email at the end of October 2003, posing as a security fix: to trick users into opening the infected attachment, it claimed to be a patch that would protect them against cyber threats.
The first version introduced the number one peculiarity of the entire family: the email messages arrived in English or German. When sending itself, the worm sorted recipient addresses by domain so as to reach German-speaking users separately: the German messages went only to addresses hosted on .de (Germany), .at (Austria) and .ch (Switzerland) domains, while all other addresses received the English text. Like every Sober variant to come, this first version carried its own SMTP engine and therefore did not depend on the victim's mail client to replicate.
Sober.C – The Party Breaker
At the end of 2003 a new vicious Sober version was found in the wild: Sober.C appeared on the Internet during the weekend before Christmas and used the same English/German split to reach as many computer users as possible.
Another significant element is that Sober.C did not rely on good old email alone as a means of propagation, but also used peer-to-peer networks such as KaZaA and eDonkey. Exploiting their large user base, it replaced files in the file-sharing directories with copies of itself. It also displayed a fake Windows error message, a trait many later versions would copy.
Furthermore, the worm blocked normal read access to its files by opening them in exclusive mode, so that no other process could open them with ordinary read rights. More importantly, this trick prevented virus scanners from scanning the files. The worm ran as two instances, i.e. two copies working simultaneously on the system and protecting each other: if one process was terminated, the other detected its absence and started a replacement. The user therefore had no chance of terminating both processes at the same time with the Windows Task Manager.
Sober.C was a true havoc-maker, especially in Germany, where more than two thirds of email traffic consisted of infected messages. Its wide variety of subject lines made manual identification difficult and strengthened its social engineering. The German-language Sober.C emails referred to law enforcement or to illegal MP3 downloads, topics that were attracting much attention due to extensive media coverage at the time. These lures were very convincing: they played on users' fear of legal action and so made them click on the infected attachments.
Sober.M - The Paris Hilton Fan
Sober.M emerged in February 2005 and was rated a low to medium threat by antivirus specialists. Nevertheless it spread widely, once more thanks to its social engineering, of which two tricks are noteworthy.
Spreading in English and German, Sober.M arrived in emails with a variety of subject lines, posing either as an FBI message or as an x-rated Paris Hilton video. The virus author was thus exploiting not only users' fear of legal action but also their curiosity.
The FBI message claimed that the recipient had visited an illegal website and therefore had to fill in a "questionnaire", which was in fact the worm itself. The other message pretended to carry adult content starring the hotel heiress Paris Hilton. It was certainly not the first malware to use a public figure to trick computer users, but the author chose to allude to the front-page story of the moment: Hilton's affair and the existence of a scandalous clip.
Sober.P – The Football World Cup Tickets Sponsor
Sober.P began spreading on May 2, 2005, and its social engineering worked on many users: the worm posed as football's governing body FIFA, informing recipients by email that they had won free tickets to the 2006 World Cup in Germany. The real online ticket sale was due to start a few days after this variant appeared, and the author evidently exploited the anticipation of football fans. The worldwide popularity of the sport ensured the worm's success: it spread enormously, reaching more than 40 countries inside millions upon millions of email messages, and topped the malware charts after spreading both massively and for a long time. Its success even prompted the FIFA World Cup Organizing Committee to issue a press release reminding users of the proper procedure for buying tickets. Unsurprisingly, FIFA turned out to be yet another organization that does not handle such matters by email.
The newly introduced and interesting technique was a dropper feature. One day after the worm first spread, it decrypted a new startup code hidden at the end of its own binary, dropped it to disk, made a copy of itself, encrypted that copy with a random key and appended it to the dropped startup code, effectively creating a new "variant" on the fly.
Sober.H and Sober.Q – The Right-Wing Spammers
These two variants appeared right after Sober.G and Sober.P respectively. They did not spread by email but were downloaded onto computers already infected by Sober.G and Sober.P. It may seem strange to have non-self-spreading members of the Sober family, but the H and Q versions lacked any replication function; they were spam engines rather than worms. Both were used to send right-wing extremist messages, mostly to German speakers.
Among the messages sent by Sober.H, some made the headlines for their content, which voiced harsh discontent at the growing number of immigrants in Germany ("What Germany needs are German children").
The wide propagation of Sober.P, especially in German-speaking countries, ensured massive distribution of offensive content by Sober.Q, ranging from "Multi-Kulturell = Multi-Kriminell" to worse, including "Dresden Bombing Is To Be Regretted Enormously", "Armenian Genocide Plagues Ankara 90 Years On", "Dresden 1945" and "Turkish Tabloid Enrages Germany with Nazi Comparisons".
Interestingly, the racist messages were phrased and formatted like quotes from the news media, but this was a mere trick; they were not actual headlines.
Sober.Y - The Lawful Pretender
This variant was the number one topic in November: after massive seeding by other Sober versions, Sober.Y held the front page for many days in a row.
This bilingual menace became the largest malware outbreak of the year after being seeded by family members, namely the Sober versions T, U, V, W, X and AA. AntiVir researchers reported that Sober.Y was in fact carried inside these prior variants, hidden under fairly complex encryption. Aside from this unusual tactic, its success rested on a classic ingredient: social engineering. Sober.Y arrived attached to emails claiming to come from crime-fighting agencies, chiefly the FBI and CIA for English speakers and the BKA (Bundeskriminalamt, Germany's Federal Criminal Police Office) for German ones.
AntiVir researchers disassembled the worm's code, simulated Sober's anticipated actions in January and confirmed the timing through behavior analysis. Sober does indeed have a specific routine to carry out in a few weeks' time, though not on January 5, as had previously been claimed, but on January 6.
In other words, all systems infected by Sober.Y will start an update process simultaneously, be it midnight in London, 1:00 am in Paris and Berlin or 3:00 am in Moscow. For its update routine, Sober connects to a series of URLs and downloads certain files. Researchers have found that the list changes every 14 days and contains 15 URLs. Should the update cycle continue, the worm would work through 26 such lists by the end of 2006 (the first beginning on January 6, the last on December 22), 390 URLs in all, hosted on the following domains: people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at, home.arcor.de.
At the moment, none of these URLs exists; the author may well create them only minutes before the content is uploaded and the update is triggered on infected systems. AntiVir researchers are, however, constantly monitoring the above domains, and any information on Sober's intended URLs will be disclosed promptly.
End notes on Sober: a couple of features to remember them by
Social engineering
Social engineering is not unique to Sober; it is popular among virus writers in general. The Sober family, however, produced some of the most effective social engineering ever seen, because many versions used convincing pretexts that made people click on infected attachments. Posing as a law enforcement agency was a clever move that many users fell for: the common fear of legal action made people drop their suspicion of emails apparently sent by the FBI, CIA or BKA. The FIFA scheme was just as successful, and the wide propagation of Sober.P (also known as the FIFA Sober) is clear evidence of how many football fans fell into that trap.
Bilingual Craftiness
Sober worms became known for spreading in emails written in English or German. These targeted messages reached users separately by language: the worms sorted destination addresses by domain and sent the German text to mailboxes hosted on German, Austrian and Swiss domains.
Thorough Time-Dependency
Sober is widely known for a series of tricks that can be summarized as follows: time synchronization, trigger dates, activation and expiration dates, and update routines. Once installed, the worm connects to various NTP (Network Time Protocol) servers to obtain the time instead of relying on the local system clock, and thus synchronizes its actions, i.e. its trigger, activation and update dates, across all infected machines.
For instance, Sober.Y was designed to be triggered on October 29, activated on November 29 and updated on January 6, 2006. In other words, Sober variants check the trigger date and then observe a "sleep" period during which they remain inactive on the system (in this example Sober.Y may have lain low for an entire month, between October 29 and November 29). Using NTP, the worm checks the time and then goes into action, sending emails or fetching updates from certain URLs. Because the time comes from NTP rather than the local clock, its actions are carried out simultaneously around the world, regardless of the local hour on the infected computers, which increases its impact.
Some Sober versions (the right-wing spammers, for instance) even had expiration dates after which they stopped sending emails. Other versions checked the system for earlier Sober variants, which were deactivated once the new worm was installed.
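As an added example (not the worm's code and not part of the original article), the Python below models the time logic described here and in the update-schedule section above: decoding the Transmit Timestamp of an NTP server response so that the check does not depend on the local clock, mapping a UTC instant to the trigger/activation/update stages, and deriving which 14-day URL list is in force. The dates are the article's; the assumption that the 14-day cadence starts on January 6, 2006, the stage names, and the hand-built NTP packet are mine. Under that assumption the cycle reaches 26 lists, 390 URLs, by December 31, 2006.

```python
"""NTP-keyed schedule logic as described for Sober.Y (constructed example, not the worm's code)."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

# Dates from the article; all interpreted as UTC, which is what NTP delivers.
TRIGGER = datetime(2005, 10, 29, tzinfo=timezone.utc)
ACTIVATION = datetime(2005, 11, 29, tzinfo=timezone.utc)
UPDATE = datetime(2006, 1, 6, tzinfo=timezone.utc)
LIST_PERIOD = timedelta(days=14)       # article: the URL list changes every 14 days
URLS_PER_LIST = 15                     # article: 15 URLs per list


def build_ntp_response(when: datetime) -> bytes:
    """Construct a minimal 48-byte server reply (LI=0, VN=3, mode=4) whose Transmit Timestamp is `when`."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 4   # leap indicator, version, mode=server
    pkt[1] = 2                         # stratum (arbitrary for the example)
    secs = int(when.timestamp()) + NTP_EPOCH_OFFSET
    struct.pack_into("!II", pkt, 40, secs, 0)   # seconds, fraction (big-endian)
    return bytes(pkt)


def ntp_transmit_time(packet: bytes) -> datetime:
    """Decode the Transmit Timestamp (bytes 40..47) of an NTP response into a UTC datetime.

    The 32-bit seconds field wraps in 2036 (era 1); this example stays in era 0.
    """
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server response (mode %d)" % mode)
    seconds, fraction = struct.unpack("!II", packet[40:48])
    unix = seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32
    return datetime.fromtimestamp(unix, tz=timezone.utc)


def phase(now: datetime) -> str:
    """Stage of the schedule at UTC instant `now` (stage names are this example's)."""
    if now < TRIGGER:
        return "before-trigger"
    if now < ACTIVATION:
        return "dormant"
    if now < UPDATE:
        return "spreading"
    return "updating"


def list_index(now: datetime) -> Optional[int]:
    """Zero-based index of the 14-day URL list in force at `now`; None before the update date."""
    if now < UPDATE:
        return None
    return (now - UPDATE) // LIST_PERIOD


def lists_through(end: datetime) -> Tuple[int, int]:
    """Number of distinct lists, and URLs, the worm would cycle through up to and including `end`."""
    idx = list_index(end)
    if idx is None:
        return 0, 0
    return idx + 1, (idx + 1) * URLS_PER_LIST


def local_view(tz_offset_hours: int) -> str:
    """The single UTC update instant as seen on a clock with the given fixed UTC offset."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    return UPDATE.astimezone(tz).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    now = ntp_transmit_time(build_ntp_response(datetime(2005, 12, 22, tzinfo=timezone.utc)))
    print("NTP says", now.isoformat(), "->", phase(now))
    print("lists through 2006-12-31:", lists_through(datetime(2006, 12, 31, tzinfo=timezone.utc)))
    for city, off in (("London", 0), ("Berlin", 1), ("Moscow", 3)):
        print(city, local_view(off))
```

`local_view` reproduces the article's point about simultaneity: the one update instant reads 00:00 in London, 01:00 in Berlin and 03:00 in Moscow. For defenders the useful corollary is that a worm which trusts NTP cannot be fooled by winding back the local clock, but it does have to talk to UDP/123, so outbound NTP from workstations to anything other than the site's own time servers is worth logging or blocking.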
All Sober variants include an encrypted list of filenames and registry keys of other malware in order to remove them during the ‘install’ mode.
Sober also became known for accessing specific URLs to download files. In Sober's precisely scheduled manner, these generated URLs are time-dependent too: they change before the worm actually accesses them. This carefully planned process makes it difficult for Sober's adversaries, such as antivirus vendors, to stop its Internet updates even when they know about them.
In closing: however few and short-lived the Sober worms may be, they all share some basic behavior. Although the Sobers were clearly outnumbered by the Netskys, impact prevailed over quantity. Their persuasive social engineering should make unwary Internet users more suspicious and careful when opening email attachments that promise presents and winnings or claim to come from official institutions. Furthermore, given the systematic modus operandi of Sober's author(s), future versions can be expected to pick their topics from the media stories of the moment.
As for the current Sober.Y outbreak, the H+BEDV Labs will reveal the 390 URLs the worm is to access starting on January 6. The list will be made available on the www.antivir.de website so that administrators can block access to those URLs from their networks and thus thwart the malware's next move.
About H+BEDV Datentechnik
H+BEDV Datentechnik GmbH has specialized in developing cross-platform business security solutions since 1988. Its clients include leading national and international enterprises, both for-profit and non-profit, as well as educational institutions and public bodies.
Besides its extensive product portfolio for Microsoft Windows systems, the company is a technology leader in the growing Linux market and already offers high-performance solutions for file servers, web servers, mail servers and workstations.
The AntiVir scanner again received the Virus Bulletin 100% Award in 2005 and holds a current certification from the German testing authority TÜV.
In addition to its own distribution channels, H+BEDV Datentechnik GmbH has a comprehensive network of resellers in Europe and throughout the world. The company also works closely with the German Federal Office for Information Security (BSI).
Company Contact:
Adela Kohl/Gernot Hacker
H+BEDV Datentechnik GmbH
Lindauer Str. 21
D-88069 Tettnang
Telephone: +49 (0) 7542-500 0
Fax: +49 (0) 7542-525 10
Email: presse@antivir.de
Press Contact:
Jacklin Montag
Lewis Communications GmbH
Baierbrunner Strasse 15
D-81379 München
Telephone: +49 (0) 89 1730 19 19
Fax: +49 (0) 89 1730 19 99
Email: antivir@lewispr.com