Sober Worm Hides From Antivirus Scanners - InformationWeek

The ability to cloak itself means that antivirus programs must have the means to detect Sober running in memory, then kill those processes. But some of these applications either lack a memory scanner or have a scanner with limited functionality.

One reason the Sober.p worm continues to spread is the way it hides from some anti-virus scanners, a Russian security firm said Wednesday.

Sober.p--also called Sober.s, Sober.o, and Sober.v by various anti-virus companies--includes a mechanism that prevents other programs from accessing its files, said Moscow-based Kaspersky Labs. That presents problems for some anti-virus software.

The tactic has been seen in previous Sobers, said Kaspersky, but it's been refined so that no applications, not even those running under a SYSTEM account, can access the worm's files.

"If something can't be scanned, then malicious code can't be detected," Kaspersky said in an online alert. "This rules out the chance of Sober being detected while running an on-demand scan."

Instead, the anti-virus software must have the means to detect Sober running in memory, then kill those processes.

"This is where some anti-virus programs are failing," added Kaspersky. "Either they don't have a memory scanner, or the scanner has limited functionality which isn't able to kill the processes."

Several anti-virus vendors have posted free detection and deletion tools, however, that are able to see through Sober's cloak of invisibility. Panda Software, for instance, offers QuickRemover.

Microsoft's Windows Malicious Software Removal Tool, which was updated Tuesday as part of the regular monthly security bulletin release, also sniffs out Sober.p.
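
The scanning gap Kaspersky describes becomes visible when an on-demand scanner reports files it could not open as unscanned instead of passing over them, then points at running processes whose image is among those files. The sketch below is an added example, not code from Kaspersky or any vendor named in the article; the function names, the constructed signature bytes, the sample files, the process list and the injected `locking_opener` (which simulates a denied open) are all assumptions.

```python
import os
import tempfile

def scan_tree(root, signatures, opener=open):
    """On-demand scan: return (detections, unscanned) for every file under root."""
    detections, unscanned = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with opener(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:  # access denied, sharing violation, ...
                unscanned.append((path, exc.__class__.__name__))  # not "clean"
                continue
            if any(sig in data for sig in signatures):
                detections.append(path)
    return detections, unscanned

def processes_needing_memory_scan(unscanned, processes):
    """processes: (pid, image_path) pairs. Return pids whose image was unreadable."""
    blocked = {os.path.normcase(os.path.abspath(p)) for p, _ in unscanned}
    return [pid for pid, image in processes
            if os.path.normcase(os.path.abspath(image)) in blocked]

def demo():
    # Constructed sample data: three files, one of which refuses to be opened.
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for name, body in [("clean.txt", b"hello"),
                           ("known.bin", b"xxCONSTRUCTED-SIGxx"),
                           ("locked.exe", b"CONSTRUCTED-SIG")]:
            paths[name] = os.path.join(root, name)
            with open(paths[name], "wb") as fh:
                fh.write(body)

        def locking_opener(path, mode):  # hypothetical stand-in for a denied open
            if path == paths["locked.exe"]:
                raise PermissionError(13, "access denied", path)
            return open(path, mode)

        detections, unscanned = scan_tree(root, [b"CONSTRUCTED-SIG"], locking_opener)
        procs = [(101, paths["clean.txt"]), (202, paths["locked.exe"])]  # constructed
        return ([os.path.basename(p) for p in detections],
                [os.path.basename(p) for p, _ in unscanned],
                processes_needing_memory_scan(unscanned, procs))

if __name__ == "__main__":
    print(demo())
```

The file that carries the signature but cannot be read never appears in the detections list, which is the failure the article describes; it surfaces only through the unscanned list and the process correlation.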
