Sunday, December 11, 2005

New updates of Sober.X (CME-681) scheduled Jan 5, 2006

A high number of infections of this worm are beginning to cause concern amongst security professionals on various forums, due to the discovery of updating routines within the worm. Infected machines will, on 5 January 2006, attempt to download 'something' from various (not yet active) pages on the internet. Although details about these addresses are somewhat vague, I advise that you monitor or block internet traffic (over TCP 80 and 90) to the following internet addresses. These addresses are NOT yet functional. Also, the exact URLs are generated by the worm itself, using an internal time-dependent algorithm that selects the right web address at a specific time, so the host names below are the best-fit domains/URLs to monitor or to block:
- people.freenet.de
- scifi.pages.at
- home.pages.at
- free.pages.at
- home.arcor.de
Internal hosts that attempt to connect to these domains may be infected with this malware. However, some of this may be legitimate traffic, so treat each hit as worth investigating rather than as proof of infection. I'm not sure if we really will face problems after that day... but it's true that a lot of infections are still around us.
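As an added example (not part of the original post, and not the worm's own code), here is one way to turn the list above into a triage script: it parses proxy-log lines, keeps only requests to the listed hosts (or their subdomains) on the ports named in the post, and groups the hits by internal client for an analyst to follow up. The log layout and the sample lines are constructed for the example; adapt the regular expression to whatever your proxy or firewall actually writes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host names named in the post as the worm's download targets.
SOBER_X_HOSTS = (
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
)

# Ports the post says to watch (TCP 80 and 90).
WATCHED_PORTS = {80, 90}

# Constructed sample in an assumed, simplified proxy-log layout:
# "<timestamp> <client-ip> <method> <url> <status>" (not a real Sober capture).
SAMPLE_LOG = """\
2006-01-05T09:12:01 10.0.3.17 GET http://people.freenet.de/xxx/ 404
2006-01-05T09:12:02 10.0.3.17 GET http://home.arcor.de:90/yyy/ 404
2006-01-05T09:12:05 10.0.5.44 GET http://www.example.com/index.html 200
2006-01-05T09:13:10 10.0.7.9 GET http://free.pages.at/abc/ 404
2006-01-05T09:13:11 10.0.7.9 GET http://free.pages.at:8080/abc/ 404
2006-01-05T09:14:00 10.0.3.17 GET http://scifi.pages.at/ 404
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def host_matches(host):
    """True if host is one of the watched hosts or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SOBER_X_HOSTS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    if parts.hostname is None:
        return None
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80  # scheme default
    return {"ts": ts, "client": client, "host": parts.hostname,
            "port": port, "url": url}


def find_suspect_clients(log_text):
    """Map each internal client that reached a watched host on a watched port
    to its list of (timestamp, url) hits. Hits are leads, not proof of infection."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the run
        if host_matches(rec["host"]) and rec["port"] in WATCHED_PORTS:
            hits[rec["client"]].append((rec["ts"], rec["url"]))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(events)} hit(s) to Sober.X download hosts")
        for ts, url in events:
            print(f"    {ts}  {url}")
```

On the constructed sample, 10.0.3.17 is reported with three hits and 10.0.7.9 with one; the request on port 8080 is dropped by the port filter, and the 10.0.5.44 request to an unrelated site never appears. If you would rather see every contact with these hosts regardless of port, widen WATCHED_PORTS; the hosts list is the part worth keeping strict.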