Latest Sober Worm to Spawn Nazi Hate E-Mails
New research into the cryptic computer code that spawned a recent global outbreak of the latest Sober worm variant indicates that the most prolific e-mail worm ever launched may be little more than a staging ground for an attempt to revive the Nazi party in Germany.
IDefense, a Reston, Va.-based computer security company recently snatched up by Internet infrastructure giant Verisign Inc., published findings today indicating that the millions of computers sickened by Sober iterations released since Nov. 16 are intended to force infected PCs to blast out spam e-mails advocating neo-Nazi propaganda.
The most recent versions of Sober masqueraded as e-mails from the FBI and the CIA, claiming that the government has discovered that the recipient has visited "illegal" Web sites. The text asks the user to open an attachment to answer some official questions.
Recipients who open the attached file soon find their computer infected with malware that can disable security and firewall programs and blast out similar e-mails to every contact in the address book.
Most e-mail worms have an economic motive and are designed to ensnare infected machines in robot networks or "botnets" that allow attackers to control them for a variety of nefarious purposes, from password stealing to "distributed denial of service attacks" that render targeted Web sites unable to process legitimate traffic.
But the Sober worm has served primarily as an instrument of "hacktivism," a type of online crime that advocates a particular ideology or political agenda. Earlier this year, a Sober variant forced infected computers to spew out spam e-mails calling for the reinstatement of the Nazi party, which is banned in Germany.
According to iDefense, the latest versions of Sober contain a secret code indicating that infected machines will download updated instructions for a spam run on Jan. 5, which happens to coincide with the 87th anniversary of the founding of the Nazis in the Bavarian city of Munich.
It is interesting to note that Finnish anti-virus company F-Secure alerted Bavarian police to similar findings several months back. F-Secure found that computers infected with previous Sober variants were designed to regularly query a bevy of Web sites to download additional instructions or software updates.
F-Secure managed to crack the encryption code that Sober used to identify those sites, which included a small subset of providers that offered free Web hosting services in exchange for displaying small advertisements. F-Secure found that for any given date in the future, it could reliably predict the Web sites that would serve as download servers for new versions of the Sober worm.
The company noted, however, that the sites were not yet registered or operational, a shortcoming they guessed would be remedied before the Sober worm's authors decided to launch their next iteration.
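The property F-Secure exploited is worth seeing in code: when a worm derives its update locations purely from the calendar date, a defender who recovers the derivation can enumerate every future location and block, sinkhole or register it ahead of time. The block below is an added illustration written for this article, not Sober's actual algorithm, F-Secure's analysis or any real hosting provider: the seed, the hashing scheme, the free-hosting parent domains and the resolver log format are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Everything below is constructed for illustration. The host names, the seed
# and the derivation are hypothetical and are NOT Sober's algorithm or the
# providers F-Secure identified.
FREE_HOSTING_DOMAINS = [
    "freehost-a.example",
    "freehost-b.example",
    "freehost-c.example",
]
SEED = b"illustrative-seed"          # hypothetical constant baked into the binary
LABELS_PER_DAY = 4                   # hypothetical number of candidates per day


def rendezvous_hosts(day: date) -> list[str]:
    """Derive the hostnames an infection would poll on `day`.

    The only input is the calendar date, so anyone who recovers the
    derivation (as F-Secure did for Sober) can compute the same list for
    any future date without observing any traffic.
    """
    hosts = []
    for index in range(LABELS_PER_DAY):
        material = SEED + day.isoformat().encode() + bytes([index])
        digest = hashlib.sha256(material).digest()
        # First 8 digest bytes become an 8-letter lowercase subdomain label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        # Ninth byte selects which free hosting provider the label lives under.
        parent = FREE_HOSTING_DOMAINS[digest[8] % len(FREE_HOSTING_DOMAINS)]
        hosts.append(f"{label}.{parent}")
    return hosts


def predicted_hosts(start: date, days: int) -> dict[str, list[str]]:
    """Defender view: every hostname the derivation yields over a future window."""
    return {
        (start + timedelta(days=offset)).isoformat():
            rendezvous_hosts(start + timedelta(days=offset))
        for offset in range(days)
    }


def flag_dns_queries(log_lines: list[str], start: date, days: int) -> list[tuple[str, str]]:
    """Match resolver log lines against the predicted hostnames.

    Each log line is assumed (constructed format) to be
    'YYYY-MM-DDTHH:MM:SS client_ip qname'. Returns (client_ip, qname) pairs
    whose query name is a predicted hostname for any day in the window.
    """
    watch = {h for hosts in predicted_hosts(start, days).values() for h in hosts}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in watch:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    window_start = date(2006, 1, 5)
    for day, hosts in predicted_hosts(window_start, 3).items():
        print(day, hosts)

    # Constructed resolver log: one benign query and one hit on a predicted host.
    sample_log = [
        "2006-01-05T09:12:01 10.0.0.7 www.example.org",
        f"2006-01-05T09:12:44 10.0.0.9 {rendezvous_hosts(window_start)[0]}.",
    ]
    print(flag_dns_queries(sample_log, window_start, 3))
```

The defensive leverage is entirely in `predicted_hosts`: because the generator takes nothing but the date, the same list can be computed days or weeks in advance, which is what let F-Secure hand a forward-looking list of hostnames to the police and to the hosting providers before the sites existed. `flag_dns_queries` shows the other half of the response, matching resolver logs against that list so infected machines can be identified by the names they look up even if the download never succeeds.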
IDefense president Joseph Payne said he hoped law enforcement action could help stymie the launch of the next Sober variant or its fascist-themed spam run.
"I'd hope that by [Jan. 5] authorities have pretty much managed to beat this into the ground to ensure that the sites we've identified are shut down and that this whole thing fizzles out by then," Payne said. But he cautioned that whoever is behind the Sober worm has shown a remarkable ability to evade law enforcement.
The latest version impersonated e-mails not just from the highest echelons of U.S. law enforcement, but from similar investigative branches in Britain and Germany.
"It takes a pretty brazen person to draw the attention of the world's leading law enforcement agencies. ... This is a person or group that is dead set on getting their message across," Payne said.