05 Jan A Sober night Costin Raiu
23 Nov Sober.y increased activity Costin Raiu
16 Nov Sober steals your passwords Roel
15 May Sober.q has become active Roel
14 May Some info on Sober.q Roel
14 May Sober.p strikes again Roel
As we've stated elsewhere, Sober.y is programmed to start updating itself after 00:00 hrs (GMT) on 6th January - that's tonight.
Although everyone in the antivirus world is watching with bated breath, the anticipated epidemic may not hit for a while. Some of the sites which could host the malicious binaries may be shut down before the trigger time. Additionally, it's up to the bad guys to choose the real activation date, by placing (or not placing) the update on the net.
In short, no-one can tell exactly what the impact of 6th January on virus history will be.
We always recommend that users be on the lookout for suspicious activity. Given the uncertainty about exactly when Sober will start updating, this is going to be even more important for the next couple of days, or even weeks.
We're on the lookout, high alert, and will keep you posted.
Sober variants are well known for complex replication patterns and payloads. They have also been using spoofed e-mail addresses in the "From:" field, pretending to come from the FBI, which is reason enough for many unsuspecting users to fall victim to the worm. Sober.K, discovered on 21 February 2005, was the first variant to do so.
Sober.y, which is currently the most widespread variant, started spreading actively on Monday, November 21. Although it was released last week, it didn't really pick up speed until Monday, when it got help from a couple of other variants in the family: one of the complex replication patterns mentioned above.
Interestingly enough, while we have plenty of reports from our mailpots distributed around the world, very few of them originate in Russia. We have seen this pattern before, with the peak of reports usually originating in Germany. Overall, Sober.y is still behind Mytob.bi in the absolute number of samples seen in the past 24 hours, but its rate of increase is higher, so it will probably become number one within the next day or so.
The outbreak is major, but according to our statistics it's no match for, say, Sober.a back in 2003. One reason for this is that generic protection, as well as the speed with which antivirus companies react, has improved a lot since then.
Over the last 24 hours or so we've seen a number of new Email-Worm.Win32.Sober variants, some of which we have put out an alert for.
We went from Sober.u to Sober.z about four hours ago.
These Sobers are pretty much the same as before: for instance, they still use an exclusive file lock and retain the ability to download files.
What's interesting is that these Sobers also drop not-a-virus:PSWTool.PassView.162 onto the system.
As the name suggests, this program is a tool which can display certain stored passwords. In this case it can show the passwords stored by Internet Explorer and Outlook.
As neither Sober nor PSWTool.PassView.162 can send the passwords obtained by PassView anywhere, it is likely that the file(s) Sober may download later will have this ability.
Naturally we're closely monitoring the situation and we will keep you updated in case something interesting comes along.
In the meantime Sober.q has become active: instead of sending copies of itself, it is now sending spam messages.
This is quite the opposite of the message the Sober author included in his latest creation.
These spam messages link to right-wing articles.
So in a way we're seeing the same story as with Sober.g again: Sober.g downloaded Sober.h, and Sober.h in turn also sent out spam.
I can remember that the Netherlands was completely flooded by those emails back then; judging from the numbers that Sober.p generated just before it stopped, it probably won't be that much different this time.
After some analysis it seems that Sober.q hasn't yet begun spreading.
Probably the author only wants the worm to start spreading once enough computers have been infected with it.
That way it may prove more effective, but it also opens up a bigger window of opportunity for the anti-virus vendors to respond.
The other interesting thing about Sober.q is that it contains a message, in German, in which the author refers to some online articles which state that he is a spammer. He states that he is not a spammer, but might turn into one.
It's not the first time the Sober author has included a message in his creations; a previous message was aimed at the anti-virus vendors.
We have just detected a new Email-Worm.Win32.Sober variant, which we detect as Sober.q.
Sober.q is being downloaded by computers infected with Sober.p, and from there on it will start spreading on its own. Another outbreak is not unlikely; we are watching the situation closely.
An urgent update has just been shipped.
A few days ago we mentioned the protection mechanism that Sober uses to keep anti-virus programs from detecting it. Such mechanisms are actually fairly common these days; they are frequently used by adware and adware-related Trojans. These techniques have evolved over time and are getting very sophisticated, so antivirus vendors are having to work hard to combat them.
There's a range of interesting examples.
When some adware companies realised that antivirus solutions could easily delete their software, they first resorted to two processes guarding each other: if either process (or its file) is deleted, the other one immediately respawns it. This technique is still in use, in an enhanced form.
Then there's the Sober approach: holding a file open in such a manner that it can't be scanned. Some versions of Trojan-Downloader.Win32.Istbar do this, and have an additional mechanism which aims to prevent their process memory from being scanned.
A version of AdWare.Isearch effectively re-introduced an old technique: it uses a .sys kernel driver which write-protects its files, so an antivirus can detect the files but not delete them. Such .sys drivers are also used to hide malware and its activity, which is what has made rootkits so popular.
There are many more examples of how malware tries to protect itself. It's very clear that such techniques are putting pressure on security vendors to push the envelope in detection.
The use of .sys drivers has been increasing over the past few months. We are now at a point where open source IRC bots are also using this functionality to hide their presence on infected systems, and this is a very worrying trend.
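The first check a responder wants after reading the above is an inventory of which kernel drivers are actually loaded and which of them deserve a closer look. The following is an added example, not code from the original post or from any of the malware families it names. It assumes Windows with Windows PowerShell 5.1 or later, run from an elevated prompt; the rule that a driver "should" live under System32\drivers is an assumption of the example, and legitimate third-party drivers may live elsewhere.

```powershell
# Added example: inventory running kernel drivers and flag the ones to triage first.
# Assumptions (not from the original post): Windows, PowerShell 5.1+, elevated prompt;
# "expected directory" = %SystemRoot%\System32\drivers.

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

# Win32_SystemDriver reports paths in several shapes: "\??\C:\...", "\SystemRoot\...",
# or a relative "System32\drivers\x.sys". Normalise them to a plain Win32 path.
function Resolve-DriverPath([string]$PathName) {
    if ([string]::IsNullOrEmpty($PathName)) { return '' }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
      ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        # Signature check covers the file's embedded Authenticode signature (and, on
        # current Windows versions, catalog signatures for inbox drivers).
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                   Get-AuthenticodeSignature -LiteralPath $path
               }
        [pscustomobject]@{
            Name              = $_.Name
            Path              = $path
            Signature         = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer            = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            OutsideDriversDir = -not $path.StartsWith($driversDir, [StringComparison]::OrdinalIgnoreCase)
        }
      }
}

# Unsigned, missing-on-disk or unusually located drivers go to the top of the list.
Get-LoadedDriverReport |
  Where-Object { $_.Signature -ne 'Valid' -or $_.OutsideDriversDir } |
  Sort-Object Signature, Name |
  Format-Table Name, Signature, OutsideDriversDir, Path -AutoSize
```

Two caveats belong with this check. A driver that hides itself (the rootkit case the post describes) will not appear in the enumeration at all, so an empty list is not a clean bill of health; compare it with an offline view of the driver directory and the services registry key. And a status other than Valid is a triage hint, not a verdict: inspect the file and its signer before deciding it is malicious.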
Sober.p is currently not spreading. After days of sending out emails, it is now checking predefined locations for updates, which indicates that more malware is likely to follow.
Yet one week after Email-Worm.Win32.Sober.p's initial sighting it seemed more prevalent than ever. Why is this?
Firstly, the worm's continued spread shows that there still aren't enough companies running antivirus solutions on their mail servers; they could have stopped the spreading days ago.
Secondly, from a social engineering point of view it's pretty good. The bilingual messages, in English and German, always seem to have a certain amount of success: almost all Sober variants have hit Germany and the surrounding countries very hard.
This time Sober also takes advantage of the World Cup football tournament which will be held in Germany in 2006. However, my personal email addresses were bombarded with Sober.p emails, yet I didn't receive a single sample regarding the World Cup.
Other email worms which have used similar social engineering tactics haven't been anywhere near as successful. I think Sober.p's real success is due to something else, namely its protection mechanism.
As with previous Sober variants, Sober.p uses a mechanism to lock out all I/O access to its files.
In other words: other programs simply cannot open Sober's files. Not even applications running under the SYSTEM account can access them while Sober is resident in memory.
This mechanism has been improved over time; earlier variants of Sober couldn't stop SYSTEM from accessing their files.
And what's the result? Very simple: if a file can't be read, the malicious code in it can't be detected. This rules out Sober being detected by an on-demand scan while it is running. So what now? This is where the quality of an anti-virus's memory scanner comes in.
First the solution needs to detect Sober running in memory, then it has to kill the processes; only once the process and its open handles are gone can the files be read, scanned and removed.
This is where some antivirus programs fail: either they don't have a memory scanner, or the scanner has limited functionality and isn't able to kill the processes.
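The locking behaviour described here, and in the earlier post on protection mechanisms, is easy to reproduce without any malware, and doing so shows exactly why the order of operations (find the process, kill it, then scan) matters. The following is an added demonstration, not Sober's code and not code from the original post. It assumes Windows with Windows PowerShell 5.1 or later; the file name, the placeholder content and the 300-second hold time are arbitrary choices made for the demo.

```powershell
# Added demonstration (not Sober's code): an exclusive file lock versus an on-demand scan.
# Assumptions: Windows, PowerShell 5.1+; $target and the hold time are arbitrary.

$target = Join-Path $env:TEMP 'lock-demo.bin'
Set-Content -LiteralPath $target -Value 'constructed placeholder content' -NoNewline

# 1. A second process stands in for the resident worm: it opens its own file with
#    FileShare.None (dwShareMode = 0 at the Win32 level) and keeps the handle open.
#    The script is base64-encoded so the quoting survives the command line.
$holderScript = @"
`$h = [System.IO.File]::Open('$target', 'Open', 'Read', [System.IO.FileShare]::None)
Start-Sleep -Seconds 300
"@
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($holderScript))
$holder  = Start-Process -FilePath 'powershell.exe' -WindowStyle Hidden -PassThru `
             -ArgumentList "-NoProfile -EncodedCommand $encoded"
Start-Sleep -Seconds 3   # give the holder time to acquire the handle

# 2. The "on-demand scanner": it asks only for read access and offers the most
#    permissive share mode, yet the open still fails with a sharing violation.
#    Share modes are enforced regardless of the caller's privileges, so an elevated
#    or SYSTEM scanner gets the same error: no bytes read, so no signature can match.
function Test-Scannable([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', [System.IO.FileShare]::ReadWrite)
        try { return ($fs.Length -ge 0) } finally { $fs.Dispose() }
    } catch {
        Write-Warning "cannot scan $Path : $($_.Exception.Message)"
        return $false
    }
}

Test-Scannable $target   # False while the holder process is alive

# 3. Remediation order: terminate the process holding the handle, then scan.
#    We know the PID because we started it; a real scanner has to find the
#    process by detecting the running image in memory first.
Stop-Process -Id $holder.Id -Force
Wait-Process -Id $holder.Id -ErrorAction SilentlyContinue
Test-Scannable $target   # True: the lock disappeared with the process

Remove-Item -LiteralPath $target
```

The point of step 3 is the one the post makes: a file scanner on its own never gets past the sharing violation, however privileged it is, and the "memory scanner" has to do the work of identifying which running process owns the handle before the file can be read. Locating that process from the handle alone needs a tool such as Sysinternals' handle.exe or the Restart Manager API; PowerShell has no built-in cmdlet for it.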
If you aren't aware of an infection, how can you take measures against it? With Sober's protection mechanism able to outsmart some antivirus scanners, it's likely we haven't seen the last of this family yet.