iDefense Exposes Sober Worm Variant Timed with Nazi Party's 87th Anniversary
Widespread Worm is Scheduled to Launch Jan. 5, 2006
iDefense reports that the next planned attack of 2005's most prolific e-mail worm family, Sober, is scheduled to start on Jan. 5, 2006, based on commands hard-coded within the worm. The attack date coincides with the 87th anniversary of the founding of the Nazi party. Additionally, the attack could have a significantly detrimental effect on Internet traffic, as e-mail servers are flooded with politically motivated spam e-mails from potentially tens of millions of e-mail addresses.
In addition to the Nazi party anniversary, the Jan. 5 trigger on the Sober variant also appears to be timed to coincide with a major German political convention meeting the next day, Jan. 6. In the past, VeriSign iDefense Security Intelligence Services has seen mass distribution of propaganda timed with political events to increase the worm's notoriety and help circulate it further.
"This discovery emphasizes the ever-present and often underestimated threat of 'hacktivism' - combining malicious code with political causes," said Joe Payne, Vice President, VeriSign iDefense Security Intelligence Services. "Exposing this latest variant required technical and geopolitical analysis that connected the dots to give enterprises and home users plenty of time to shore up their defenses."
The Sober family appears to be authored by a German speaker or group of German speakers, and is composed of nearly 30 variants dating to October 2003. Infected e-mails propagate as attachments with a social engineering component, enticing readers to open malicious files with messages using information on current events. Sober is also a bilingual worm, sending German-language messages to German e-mail addresses, and English-language messages to other addresses.
iDefense discovered the next phase of the multi-phased Sober attack by reverse engineering and breaking encrypted code in the most recent Sober variant. This variant first began spreading through the Internet on or about Nov. 16, 2005. The computers infected by the Nov. 16 variant began sending another version to additional computers on Nov. 22, 2005, a date that coincided with the inauguration of Germany's first female chancellor. The messages carrying this version posed as e-mails from the FBI, the UK National High-Tech Crime Unit (NHTCU), the German Bundeskriminalamt (BKA) and the CIA. This Nov. 22 variant is designed to download an unknown payload of code on Jan. 5, 2006. iDefense intelligence experts report that this particular variant has already infected millions of systems as a prelude to the Jan. 5 attack, scanning computers' address books to send hundreds of millions of messages claiming to be from various government entities.