Sober Virus (and reminiscing about VirusX)

This is one clever virus.  Here’s the summary on Slashdot:

The algorithm used by the Sober worm to ‘communicate’ with its author has been cracked. According to F-Secure, it can now calculate the exact URLs the worm would check on a particular day. Mikko Hyppönen, chief research officer at F-Secure, explained that the virus author has not used a constant URL because authorities would easily be able to block it. From the article: “Sober has been using an algorithm to create pseudorandom URLs which will change based on dates. Ninety-nine percent of the URLs simply don’t exist…however, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally on hundreds of thousands of machines,” Hyppönen said. Sober is expected to launch itself again on January 5, 2006.
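The defender's side of what F-Secure describes, as an added example that is not code from this post and not Sober's real routine: a constructed date-seeded name generator in the same style, the precomputed watchlist for a window of days, and a check of constructed DNS log lines against it. The generator, the log format and all names in it are assumptions made up for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

# Constructed stand-in for a worm's date-seeded URL generator: it keeps the
# structure described above (date -> deterministic pseudorandom names) and
# none of any real worm's constants. The TLDs are reserved, so nothing resolves.
TLDS = ("example", "test")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def candidates(day: date, count: int = 4) -> List[str]:
    """Hostnames the hypothetical sample would try on `day`. Seeding only with
    the date is what lets an analyst who recovered the routine reproduce it."""
    hosts = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:8])
        hosts.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return hosts

def watchlist(start: date, days: int) -> Set[str]:
    """Every candidate for a window of days: input for a block or sinkhole list."""
    return {h for d in range(days) for h in candidates(start + timedelta(days=d))}

def flag_queries(log_lines: Iterable[str], watch: Set[str]) -> List[Tuple[str, str]]:
    """(client, hostname) pairs whose DNS query hits the watchlist. Log format is
    constructed: '<timestamp> <client-ip> query <hostname>'. The query itself is
    the signal; most of these names never resolve, so NXDOMAIN is expected."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query":
            host = parts[3].rstrip(".")
            if host in watch:
                hits.append((parts[1], host))
    return hits

# Constructed resolver log; the last line embeds a generated name so the match
# can be checked without hard-coding a hash value.
ACTIVATION = date(2006, 1, 5)
SAMPLE_LOG = [
    "2006-01-05T08:00:01 10.0.0.5 query www.example",
    "2006-01-05T08:00:02 10.0.0.7 query mail.test",
    f"2006-01-05T08:00:03 10.0.0.7 query {candidates(ACTIVATION)[0]}.",
]

if __name__ == "__main__":
    print(flag_queries(SAMPLE_LOG, watchlist(ACTIVATION, 7)))
```

Because the list for a day is fixed in advance, the same precomputation feeds both a resolver block list and a detection rule that identifies which internal hosts are asking for those names.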


I wrote a virus checker for the Amiga a long time ago called VirusX, and it was always fun getting new viruses.  They were much simpler back then, but taking a system and running this foreign code on it, and then trying to figure out what it was doing, was always an interesting exercise.


Viruses were much simpler in the Amiga days, and the system itself was much easier to inspect.  There was no memory protection, so if you wanted to see whether the virus was in memory you could just look through memory.  The jump table for a library was easy to find, and most viruses worked by hooking library functions, so I’d written some tools to check the jump tables for revectored system functions and to inspect other common attack vectors; I didn’t release these tools, so they made it easy for me to spot what the virus authors were up to without tipping them off to how I was finding them.


Viruses now are so complex, and there are so many of them, that it’s gone way beyond something that could be a fun project for one individual.