F-Secure Corp, a leading cybersecurity company, has announced that it has reverse-engineered the algorithm used by the Sober worm. This breakthrough promises to let antivirus programs block every variant of the Sober worm.
The Sober worm has wreaked havoc across the Internet since October 2003, with approximately 20 different variants. The latest variant, according to F-Secure, is Sober.Y (designated CME-681 by US-CERT), which accounts for more than 40% of the worm- and virus-infected machines F-Secure has identified.
One of the most dangerous features of Sober is its ability to automatically download new variants and rapidly infect other computer systems. According to cybersecurity firm iDefense, the new Sober.Y variant will self-update with new variants from a website named Jan.5 and will begin spreading on January 5, 2006.
For a long time, antivirus researchers struggled to analyze virus samples and identify the addresses from which the worm was distributed. The difficulty was that the URLs used by the Sober variants were produced by a secret algorithm: Sober used it to derive pseudo-random URLs from the current date.
These URLs typically point to websites in Germany and Australia, where servers allow free website hosting. The worm's creator simply needed to calculate the URL for any given date in advance. Whenever he wanted to run a program on infected machines, he could register that URL, upload his program, and quickly infect hundreds of thousands of computers worldwide.
Sober uses a list of 15 websites whose names vary with the date and are registered with free web hosting providers, sometimes under an odd name such as Jan.5. Every 14 days the list changes to 15 new websites, and the previous name becomes Jan.6.
F-Secure claims it has cracked the algorithm Sober uses. This makes it far simpler to identify the actual URLs from which new variants of the worm will be downloaded. Once the distribution URLs are known, administrators can immediately block these sites and add them to the access restrictions in their companies' firewalls.
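To make the defensive point concrete, here is an added example (not from the article or from F-Secure, and not Sober's real algorithm, which the article does not disclose): a hypothetical date-driven generator with the 15-host, 14-day structure the article describes, plus a defender-side function that precomputes the hosts for upcoming windows so they can be blocked before a window begins. The seed, epoch and `.example` hosting domains are constructed placeholders.

```python
"""Hypothetical date-driven URL generator and a defender-side blocklist.

Stand-in for the kind of scheme the article describes (NOT Sober's real
algorithm, which the article does not give): every 14-day window yields a
fixed set of 15 hostnames on free-hosting domains. Anyone who knows the
generator can compute the set for a future window and block it in advance.
"""
import hashlib
from datetime import date, timedelta

WINDOW_DAYS = 14           # rotation period stated in the article
HOSTS_PER_WINDOW = 15      # list size stated in the article
EPOCH = date(2003, 10, 1)  # constructed reference point (worm first seen Oct 2003)
# Constructed placeholders for free web hosts; not real provider names.
FREE_HOSTS = ["freehost-de.example", "freehost-at.example", "freehost-au.example"]
SEED = b"hypothetical-seed"  # constructed; stands in for the worm's secret

def window_index(day: date) -> int:
    """Number of complete 14-day periods elapsed since EPOCH."""
    return (day - EPOCH).days // WINDOW_DAYS

def window_start(day: date) -> date:
    """First day of the 14-day window containing `day`."""
    return EPOCH + timedelta(days=window_index(day) * WINDOW_DAYS)

def urls_for_window(idx: int) -> list[str]:
    """Deterministically derive the 15 URLs for 14-day window `idx`."""
    urls = []
    for i in range(HOSTS_PER_WINDOW):
        digest = hashlib.sha256(SEED + f"{idx}:{i}".encode()).hexdigest()
        label = digest[:8]                              # host label
        domain = FREE_HOSTS[int(digest[8:10], 16) % len(FREE_HOSTS)]
        urls.append(f"http://{label}.{domain}/")
    return urls

def blocklist(start: date, windows_ahead: int = 2) -> list[str]:
    """Defender view: URLs for the window containing `start` plus the next
    `windows_ahead` windows, ready for a proxy or firewall deny list."""
    first = window_index(start)
    out = []
    for idx in range(first, first + windows_ahead + 1):
        out.extend(urls_for_window(idx))
    return out

if __name__ == "__main__":
    for u in blocklist(date(2006, 1, 5)):
        print(u)
```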
F-Secure also revealed that it had in fact cracked Sober's algorithm back in May 2005, but withheld the information until now in order to monitor the activities of the Sober creator.
Minh Phúc