Experts: Next Sober worm on the way, may not do harm

The next variant of the Sober worm is set to attack computers already infected by previous versions of the malware at the stroke of midnight GMT as Jan. 5 turns into Jan. 6.

The next variant of the Sober worm is set to attack computers already infected by previous versions of the malware at the stroke of midnight GMT as Jan. 5 turns into Jan. 6, according to European antivirus software vendors. Given that both Internet service providers and local police are closely monitoring Web sites likely to be used in the attack, security experts believe the hacker may choose not to engage in any malicious activity this time around.

"Nothing's posted yet [on the Web sites]," Carole Theriault, senior security consultant with Sophos, said on Wednesday. "It's possible he may stay well clear." Mikko Hypponen, chief research officer for F-Secure, agreed with Theriault. "It's more likely he'll lay low than engage in activation," he said. Nevertheless, the companies and their peers around the world are keeping a close eye on the situation in case the hacker does choose to launch an attack.

The last major Sober attack, Sober-Z, occurred in late November. At one point, an estimated one in 14 e-mails on the Internet carried it, according to Sophos.

Previous Sober variants have turned users' computers into "spam machines," spewing out right-wing German propaganda, according to Theriault. The upcoming attack could be something that "makes a big song and dance on machines or something very subtle," she added. Hypponen warned that, with all the interest centering on the likely timing of the attack, the hacker may opt to delay any malicious activity for a little while until the attention dies down.

The Sober worm variants are written in both German and English; the German propaganda only spreads to e-mail inboxes with a .de address and is "invisible to the rest of the world," Hypponen said. While most hackers produce malware for some kind of monetary benefit, the Sober author appears interested in only two things -- working towards his next attack and releasing his propaganda -- according to Hypponen.

Many of the previous Sober variants have spread by appearing to be e-mails from the U.S. Federal Bureau of Investigation or the U.S. Central Intelligence Agency or other law enforcement agencies or offers of video clips of Paris Hilton and Nicole Richie, stars of U.S. reality TV show "The Simple Life." After malicious code in an attachment is executed, the worm spreads by sending itself to other e-mail addresses contained on the infected PC.

The best way for users to protect themselves against any potential attack is to ensure they have antivirus software, according to the experts. "If you don't have antivirus, get some," Theriault said. "If you have some, ensure it's up to date and clean up your computer." Hypponen stressed that users must double-check that their antivirus software is really running and being regularly updated. He pointed out that many worms, not just Sober, when they attack computers typically switch off both antivirus and firewall protection.

Hypponen doesn't hold out much hope that this time around authorities will catch the hacker, whom he refers to as "a lone gunman," most likely resident in Germany or Austria. During November's Sober-Z attack, authorities had the same kind of information they have this time in terms of the likely Web sites the hacker would go to, but he escaped detection. "He's been playing a game of cat and mouse [with the authorities] for over two years," Hypponen said. "I really do hope they'll be able to track him down."

Back in December, iDefense broke the encrypted code in a variant of the Sober worm and discovered that Jan. 5, 2006, was the date set for the variant to download unknown pieces of code from various Web addresses. The date coincides with the 87th anniversary of the founding of the precursor to the Nazi Party.

Hypponen notes that there were initial conflicting reports about the exact timing of the attack putting it during Jan. 5 GMT, but he said that F-Secure researchers have double-checked the exact date and, according to the Sober code, activation of any malware is due to occur after Jan. 5.


China Martens

IDG News Service