
Experts: Sober time bomb's under control

Variant of worm that clogged e-mail servers is expected to attack this week, but antivirus specialists aren't worried.

Tom Espiner Special to CNET News
The Sober attack expected later this week is unlikely to have much effect on company systems, antivirus experts predicted.

As reported last month, machines that were infected by Sober in November have the potential to download malicious code from certain Web sites and then launch a new wave of viruses on Jan. 5 or 6.

But experts from antivirus companies F-Secure, Websense and MessageLabs all agreed on Wednesday that this Sober attack is unlikely to cause many problems, because systems administrators and antivirus companies have had time to prepare for it.

Hitlist

F-Secure advises systems administrators to block these URLs to prevent Sober from downloading any software.

On and after Jan. 6:
home.arcor.de/dixqshv/
people.freenet.de/wjpropqmlpohj/
people.freenet.de/zmnjgmomgbdz/
people.freenet.de/mclvompycem/
home.arcor.de/jmqnqgijmng/
people.freenet.de/urfiqileuq/
home.arcor.de/nhirmvtg/
free.pages.at/emcndvwoemn/
people.freenet.de/fseqepagqfphv/
home.arcor.de/ocllceclbhs/
scifi.pages.at/zzzvmkituktgr/
people.freenet.de/qisezhin/
home.arcor.de/srvziadzvzr/
people.freenet.de/smtmeihf/
home.pages.at/npgwtjgxwthx/

The list will change every 14 days. After Jan. 19, the list becomes:
people.freenet.de/idoolwnzwuvnmbyava/
people.freenet.de/mhfasfsi/
people.freenet.de/nkpphimpfupn/
people.freenet.de/ozumtinn/
people.freenet.de/bnfyfnueoomubnw/
people.freenet.de/kbyquqbwsku/
people.freenet.de/mlmmmlmhcoqq/
scifi.pages.at/ikzfpaoozw/
home.pages.at/ecljoweqb/
free.pages.at/wgqybixqyjfd/
home.arcor.de/ykfjxpgtb/
home.arcor.de/oodhshe/
home.arcor.de/mtgvxqx/
home.arcor.de/tucrghifwib/
home.arcor.de/ftpkwywvkdbuupw/

Source: F-Secure

F-Secure raised the possibility that there might not even be an attack, as Internet service providers could block access to the malicious Web sites.

"There might be no attack at all. As everybody knows about the attack, the virus writer may lay low and attack at a later date," said Mikko Hypponen, director of antivirus research at F-Secure. "The ISPs involved can actively block malicious postings. It's more likely the attacker will lay low or be blocked rather than succeed."

Websense agreed that the Sober attack likely won't have a major effect.

"Sober has been mitigated pretty well. I would be really surprised if there's still a problem. I don't see it being a big issue," said Dan Hubbard, the senior director of security and research at the company.

The worm time bomb is contained in a variant of Sober that hit systems in November, clogging e-mail servers and stalling messages sent to Microsoft's Hotmail and MSN e-mail services.

Sober worms typically are delivered in an e-mail with a malicious attachment that, when opened, infects a vulnerable PC. A recent attack used messages that pretended to come from the FBI or to contain video of Paris Hilton. It accounted for more than 40 percent of all viruses reported to Sophos at one point in November, the British antivirus company said.

The worm is set to download instructions from a number of sites hosted on the systems of free Web space providers. These are located mostly in Germany and Austria, F-Secure said last month.

Systems administrators should block the specific URLs that the worm will contact, not the domains that host them, F-Secure recommended Wednesday.

"We have listed URLs that we are recommending systems administrators block. We don't recommend blocking the whole domain, as 99 percent of the pages on these free Austrian and German domains are OK. You should just block the problem URLs," Hypponen said.


Blocking the URLs should not cause any technical problems for system administrators, he added. "If systems administrators block these URLs at their gateways, it's not going to break anything," Hypponen said.

Mark Toshack, the manager of antivirus operations at MessageLabs, agreed. "Mikko's absolutely spot-on. If just a few URLs are blocked, users can still browse the rest of those domains freely," Toshack said.
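The path-level blocking that Hypponen and Toshack describe, applied to the two dated lists above, as an added example in Python (not F-Secure's, MessageLabs' or CNET's code). The URLs and the Jan. 6 start are taken from the hitlist; the Jan. 20 start for the second list is an assumption read off "after Jan. 19" and the 14-day cycle, and the Squid `url_regex` rendering is illustrative of how the same list lands in a real gateway. The filter canonicalizes each request so that host case, an explicit port, percent-encoding or `..` segments cannot dodge a match, while any other page on the same free-hosting domain passes.

```python
"""Gateway URL filter for the Sober hitlist: deny the listed directories,
never the hosting domains. Added example; not F-Secure's or CNET's code."""
import posixpath
from datetime import date
from urllib.parse import unquote, urlsplit

# Entries are host/path as published by F-Secure, keyed by the date the
# rotation window starts. Jan. 20 for the second window is an assumption
# read off "after Jan. 19" and the 14-day cycle the article describes.
HITLIST = {
    date(2006, 1, 6): (
        "home.arcor.de/dixqshv/", "people.freenet.de/wjpropqmlpohj/",
        "people.freenet.de/zmnjgmomgbdz/", "people.freenet.de/mclvompycem/",
        "home.arcor.de/jmqnqgijmng/", "people.freenet.de/urfiqileuq/",
        "home.arcor.de/nhirmvtg/", "free.pages.at/emcndvwoemn/",
        "people.freenet.de/fseqepagqfphv/", "home.arcor.de/ocllceclbhs/",
        "scifi.pages.at/zzzvmkituktgr/", "people.freenet.de/qisezhin/",
        "home.arcor.de/srvziadzvzr/", "people.freenet.de/smtmeihf/",
        "home.pages.at/npgwtjgxwthx/",
    ),
    date(2006, 1, 20): (
        "people.freenet.de/idoolwnzwuvnmbyava/", "people.freenet.de/mhfasfsi/",
        "people.freenet.de/nkpphimpfupn/", "people.freenet.de/ozumtinn/",
        "people.freenet.de/bnfyfnueoomubnw/", "people.freenet.de/kbyquqbwsku/",
        "people.freenet.de/mlmmmlmhcoqq/", "scifi.pages.at/ikzfpaoozw/",
        "home.pages.at/ecljoweqb/", "free.pages.at/wgqybixqyjfd/",
        "home.arcor.de/ykfjxpgtb/", "home.arcor.de/oodhshe/",
        "home.arcor.de/mtgvxqx/", "home.arcor.de/tucrghifwib/",
        "home.arcor.de/ftpkwywvkdbuupw/",
    ),
}


def _split_entry(entry):
    """'host/dir/' -> ('host', '/dir'), both lowercased."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path.strip("/").lower()


def _normalize(url):
    """Canonical (host, path) for a request URL so that case, an explicit
    port, percent-encoding and '..' segments cannot dodge the match.
    The path is lowercased too: blocking a case variant costs nothing."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()        # .hostname drops the port
    path = posixpath.normpath(unquote(parts.path or "/")).lower()
    return host, "/" + path.lstrip("/")


def is_blocked(url, as_of=None):
    """Return the hitlist entry that matches `url`, or None.

    Only the listed directory and anything beneath it is denied; other
    pages on the same free-hosting domain pass. With `as_of` set, only
    windows that have started by that date are enforced (earlier windows
    stay denied, since keeping old URLs blocked costs nothing). With
    as_of=None every listed URL is denied regardless of date."""
    host, path = _normalize(url)
    for start, entries in HITLIST.items():
        if as_of is not None and start > as_of:
            continue
        for entry in entries:
            e_host, prefix = _split_entry(entry)
            if host == e_host and (path == prefix or path.startswith(prefix + "/")):
                return entry
    return None


def squid_acl_lines(name="sober_hitlist"):
    """Render the same list as Squid 'url_regex' ACL lines plus the deny
    rule, anchored on scheme, host and directory so the rest of each
    domain stays reachable. Illustrative; adapt to the proxy you run."""
    lines = []
    for entries in HITLIST.values():
        for entry in entries:
            host, prefix = _split_entry(entry)
            pattern = "^http://" + host.replace(".", r"\.") + prefix + "/"
            lines.append(f"acl {name} url_regex -i {pattern}")
    lines.append(f"http_access deny {name}")
    return lines


if __name__ == "__main__":
    for u in ("http://home.arcor.de/dixqshv/update.exe",
              "http://home.arcor.de/someuser/index.html"):
        print(u, "->", is_blocked(u) or "allow")
    print("\n".join(squid_acl_lines()))
```

Deploying this without `as_of` (deny every listed URL from day one) is the sensible default; the date logic only models the rotation the article describes, so an operator can see which window a hit belongs to. Whatever proxy or firewall you run, the property to preserve is the one both vendors stress: the rule matches scheme, host and directory, never the bare hostname.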

Antivirus vendors should be able to mitigate the effects of the potential attack, MessageLabs said.

"You'd hope everybody knows about the upcoming attack. All of the antivirus vendors know and have updated their products to block signatures or detect malicious Web sites. Hopefully, this will bottleneck the threat and choke it off," Toshack said.

But some systems may still be affected. "You will get a few people who aren't running any antivirus software on their desktop and a percentage of people clicking on unknown Web sites," Toshack predicted.

MessageLabs advised systems administrators to acquaint themselves with information regarding Sober and urged IT professionals to remind telecommuting workers to be cautious of e-mails that might use social engineering to try to trick them.

"Systems administrators should make sure they've read up on all of the information on Sober coming from antivirus vendors--get well-versed. Make sure your firewall is updated to block those specific URLs. Tell users to watch out for malicious links, especially those working from home who may be outside the firewall," Toshack said.

Microsoft on Wednesday published a security advisory to help people protect their systems against the expected outbreak and other future attacks connected to Sober. In December, the company added detection of Sober worms to its Malicious Software Removal Tool and Windows Live Safety Center.

Tom Espiner of ZDNet UK reported from London. CNET News.com staff contributed to this report.