Latest Sober Worm to Spawn Nazi Hate E-Mails

New research into the cryptic computer code that spawned a recent global outbreak of the latest Sober worm variant indicates that the most prolific e-mail worm ever launched may be little more than a staging ground for an attempt to revive the Nazi party in Germany.

IDefense, a Reston, Va.-based computer security company recently snatched up by Internet infrastructure giant Verisign Inc., published findings today indicating that the Sober iterations released since Nov. 16, which have sickened millions of computers, are intended to force infected PCs to blast out spam e-mails carrying neo-Nazi propaganda.

The most recent versions of Sober masqueraded as e-mails from the FBI and the CIA, claiming that the government has discovered that the recipient has visited "illegal" Web sites. The text asks the user to open an attachment to answer some official questions.

Recipients that open the attached file soon find their computer infected with malware that can disable security and firewall programs and blast out similar e-mails to any address book contacts.

Most e-mail worms have an economic motive and are designed to ensnare infected machines in robot networks or "botnets" that allow attackers to control them for a variety of nefarious purposes, from password stealing to "distributed denial of service attacks" that render targeted Web sites unable to process legitimate traffic.

But the Sober worm has served primarily as an instrument of "hacktivism," a type of online crime that advocates a particular ideology or political agenda. Earlier this year, a Sober variant forced infected computers to spew out spam e-mails calling for the reinstatement of the Nazi party, which is banned in Germany.

According to iDefense, the latest versions of Sober contain a secret code indicating that infected machines will download updated instructions for a spam run on Jan. 5, which happens to coincide with the 87th anniversary of the founding of the Nazis in the Bavarian city of Munich.

It is interesting to note that Finnish anti-virus company F-Secure alerted Bavarian police to similar findings several months back. F-Secure found that computers infected with previous Sober variants were designed to regularly query a bevy of Web sites to download additional instructions or software updates.

F-Secure managed to crack the encryption code that Sober used to identify those sites, which included a small subset of providers that offered free Web hosting services in exchange for displaying small advertisements. F-Secure found that for any given date in the future, it could reliably predict the Web sites that would serve as download servers for new versions of the Sober worm.

The company noted, however, that the sites were not yet registered or operational, a shortcoming they guessed would be remedied before the Sober worm's authors decided to launch their next iteration.

IDefense president Joseph Payne said he hoped law enforcement action could help stymie the launch of the next Sober variant or its fascist-themed spam run.

"I'd hope that by [Jan. 5] authorities have pretty much managed to beat this into the ground to ensure that the sites we've identified are shut down and that this whole thing fizzles out by then," Payne said. But he cautioned that whoever is behind the Sober worm has shown a remarkable ability to evade law enforcement.

The latest version impersonated e-mails not just from the highest echelons of U.S. law enforcement, but from similar investigative branches in Britain and Germany.

"It takes a pretty brazen person to draw the attention of the world's leading law enforcement agencies. ... This is a person or group that is dead set on getting their message across," Payne said.

By Brian Krebs  |  December 7, 2005; 11:23 AM ET
Categories:  Latest Warnings  

Comments

Do you really believe that there are motions in Germany to revive the Nazi-Party, just because a few crazy people pass a worm around with insane content?
I'm afraid you're overdoing it, for whatever reason.

Posted by: wdk | December 8, 2005 10:34 AM | Report abuse

Could you please be a bit more specific when referring to "computer". For example, "Recipients that open the attached file soon find their computer infected with malware...", implies that any computer can become infected when the reality is that this only applies to Windows computers. If you are running a Linux or Mac machine then this virus, and 90+ percent of other viruses, worms, trojans, etc. have no effect.

Posted by: RG | December 8, 2005 11:19 AM | Report abuse

If I were forced to bet on the authorship of this virus, I'd wager that the actual authors are pointing at a hated group (the Nazis) to help keep the light off themselves. The authors might even be avid anti-Nazis trying to win propaganda points.

Authorship on the web is often a hard thing to prove. Don't go pointing fingers just because the group being named is despicable and where the real author, whoever they are, has reason to hide.

Posted by: Greybeard | December 8, 2005 11:51 AM | Report abuse

This thing would only be scary if Germany had a terrorist attack just before January 5. Otherwise, it would just be annoying and of not much use to those who wish to see their party advance.

Will German neo-Nazis pay non-whites to commit a horrendous crime? Stranger things have happened.

Posted by: AWTD | December 8, 2005 11:54 AM | Report abuse

Yes, I really do believe that there are people who want to revive the nazi party.

I even believe there are people in the US who want to do that.

Don't let fear cloud your judgement. Facts are facts regardless of how scary they are.

Posted by: reality | December 8, 2005 1:29 PM | Report abuse

These types of attacks depend on capturing the imagination and interest of the target. Just like a circus magician, you are only being fooled because you want to be.

If the sober worm triggers from people responding to nazi propaganda, then that only means there are a lot of victims that find that propaganda intriguing.

Think of a mirror, and then you might realize the truth in what is reflected back.

Posted by: jatm | December 8, 2005 2:26 PM | Report abuse

In response to RG... I run an exclusively Linux operation (desktop, servers) and while I am more confident in this solution I am not complacent.

The people who create these worms are also competent people who, if required, will find a way to 'social engineer' even the most avid non-Windows 'freak'.

The superior attitude exhibited in your comment will lead to your infection. Stay alert.

Posted by: dfk | December 8, 2005 8:17 PM | Report abuse

If mere spam could determine elections, viagra would be our president for life and the free iPod would be the VP.

Posted by: cindy bin 2006 | December 9, 2005 1:00 AM | Report abuse

Ok, let's not forget what we have here, politics aside.
1. A very annoying worm.
2. A group that feels inadequate about themselves and "thinks" they need to accomplish a devious act to get noticed.
Don't you think it is time for advanced users out there to stand up to this garbage and develop some way to aid the internet community and humanity at large by attempting to thwart these efforts?

Posted by: DB | December 13, 2005 10:00 PM | Report abuse

Seems to me that giving someone a virus will not endear one to the Nazi cause - the virus is more likely to be 'reverse psychology' and comes from anti-nazi origins.

Think about it!

Posted by: mike | December 21, 2005 6:50 PM | Report abuse

I'm not seeing anything in either IDefense's statement or any other source of evidence to back up your title that Sober will "Spawn Nazi Hate E-Mails".

Seems to me we're getting a bit febrile about the alleged Nazi link. AFAIK the previous Sober e-mail content was not Nazi in nature.

Posted by: laboo | December 28, 2005 7:01 AM | Report abuse

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company