The next variant of the Sober worm is set to attack computers already infected by previous versions of the malware. The new attack will occur at the stroke of midnight GMT as January 5 turns into January 6, according to European antivirus software vendors. Since Internet service providers and local police are closely monitoring Web sites likely to be used in the attack, security experts believe that the hacker may choose not to engage in any malicious activity this time around.
"Nothing's posted yet [on the Web sites]," says Carole Theriault, senior security consultant with Sophos PLC in the United Kingdom. "It's possible he may stay well clear." Mikko Hypponen, chief research officer for F-Secure in Finland, agrees with Theriault. "It's more likely he'll lay low than engage in activation," Hypponen said in a phone interview Wednesday. Nevertheless, the companies and their peers around the world are keeping a close eye on the situation in case the hacker does choose to launch an attack.
The last major Sober attack, Sober-Z, occurred in late November. At one point, approximately one in every fourteen e-mail messages on the Internet carried it, according to Sophos.
Spreading Propaganda
Previous Sober variants have turned users' computers into "spam machines," spewing out right-wing German propaganda, according to Theriault. The upcoming attack could be something that "makes a big song and dance on machines or something very subtle," she says. Hypponen warns that with all the interest centering on the likely timing of the attack, the hacker may forgo any malicious activity until the attention dies down.
Sober worm variants have been written in both German and English. The German propaganda spreads only to e-mail inboxes that have a .de address while remaining "invisible to the rest of the world," Hypponen says. Though most hackers produce malware for monetary benefit, the Sober author seems interested in only two things--working toward a future attack and releasing propaganda--according to Hypponen.
Many previous Sober variants have spread via e-mail messages purporting to be from the U.S. Federal Bureau of Investigation, the U.S. Central Intelligence Agency, or other law enforcement agencies, or in messages claiming to offer video clips of Paris Hilton and Nicole Richie, stars of The Simple Life, a U.S. reality TV show. After malicious code in an attachment is executed, the worm spreads by sending itself to other e-mail addresses contained on the infected PC.
The best way to protect yourself against an attack is with antivirus software, according to the experts. "If you don't have antivirus, get some," Theriault says. "If you have some, ensure it's up to date and clean up your computer." Hypponen stresses that users must double-check that their antivirus software is running and receiving regular updates. He points out that many worms--not just Sober--switch off both antivirus and firewall protection when they attack computers.
The Lone Gunman?
Hypponen doesn't expect authorities to catch the hacker--whom he refers to as "a lone gunman" and thinks is probably a resident of Germany or Austria--this time around. During November's Sober-Z attack, authorities had much the same information they have now regarding the Web sites the hacker was most likely to go to, but he escaped detection. "He's been playing a game of cat and mouse [with the authorities] for over two years," Hypponen says. "I really do hope they'll be able to track him down."
Back in December, iDefense broke the encrypted code in a variant of the Sober worm and discovered that January 5, 2006, was the date set for the variant to download unknown pieces of code from various Web addresses. The date coincides with the 87th anniversary of the founding of the precursor to the Nazi Party.
Hypponen notes that initial reports about the exact timing of the attack put it during January 5 GMT, but F-Secure researchers subsequently double-checked the date and found that, according to the Sober code, activation of any malware is due to occur after January 5.