There have been reports that 2006 will start with a New Year bang, possibly on the 5th of January or thereafter (6th of January), when a new SOBER variant is suspected to be released by the same group that caused the recent SOBER outbreak last November.
The reports may have been based on the analysis that the recent SOBER will download an executable file (also named Sober.exe), possibly on either the 5th or 6th of January 2006, from certain URLs that are hard-coded and encrypted within the SOBER.AG worm. Moreover, the “predefined” URLs are not even the exact sites that may be used – an algorithm based on the date is used to generate the exact URLs that will be used on the target date itself.
Is this some form of a pre-warning “greeting” from the SOBER creators? The 87th anniversary of the Nazi party also falls on the 5th – is this another notable fact? (If one can remember, we reported a past SOBER variant that was capable of spewing tens of thousands of spammed emails with Nazi-ridden and anti-Semitic messages last May 2005.) From the monitoring standpoint, the executable file that will be downloaded can be anything from a minor update to a full-blown new SOBER variant.
Nevertheless, the Trend Micro Incident Response Team has been on the alert and on continuous watch over the URLs used by SOBER and other forecasted behavior that may be manifested by this worm.
We will be posting some possible URLs that may be used by the worm. This is to aid prevention of a possible outbreak that may happen in January – that is, if we don’t prepare now…
View the report from iTObserver.
Update (Jovs, 10 December 2005 09:01:15)
We have received the report from the service team that the downloading will begin after January 5, 2006 (the 87th anniversary of the Nazi party).