Newest Sober Attack Predicted By Police

Three more bilingual Sober worms are on the loose, according to alerts from various anti-virus firms.
Three more the bilingual Sober worms are on the loose, numerous anti-virus firms warned Tuesday, a day after German police warned that an attack was imminent.

The trio -- called Sober.u, Sober.v, and Sober.w by most security vendors -- are firmly in the Sober tradition: mass-mailed threats with the payload embedded in an attached file. Like earlier Sobers, these come in both English- and German-language versions.

According to Moscow-based Kaspersky Labs, the three are repacked versions of the same worm. Hackers often take a known exploit and repack it using one of the more than 1,000 repackers -- essentially compression and archiving programs -- to evade detection. "They take a file that can be detected, and repack it so that it's no longer recognizable," said Shane Coursen, a senior technical consultant with Kaspersky.

"There's nothing revolutionary about these versions," added Coursen, "other than the level of seeding." By early Tuesday, more than 175,000 copies of the new Sober worms had been spotted, he said. "That's way above average for Sober."

One other aspect sets these editions apart from past Sober variations. Late Monday, apparently before the appearance of the three new Sobers, police in Bavaria, a southern German state, warned of an attack expected Tuesday.

The alert was the result of a year-long investigation, said the press release issued by the Bayerisches Landeskriminalamt in Munich. No additional details, said the police, would be issued at this time.

"The German police may know something," theorized Coursen, "or it could have been based on, let's say, another branch of the German government being hit earlier than other victims by this one Sober."

Coursen was hesitant to take a stab at whether the German police have someone (or someones) in their sights, but said it was possible that they have tapped into one of the servers spewing out Sober-infected spam, or perhaps have infiltrated the gang, assumed to be German, which creates the various Sober worms.

"We'll just have to wait and see what happens in the next couple of days," he said.

The last major attack of the two-year-old Sober family was in early October, when a large seeding raised anti-virus vendors' threat levels. That attack, however, quickly died down.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing