Analysis of new Sober variant

The new Sober variant retains many of the same characteristics as the earlier ones,
and is easily prevented from 1) installing or 2) carrying out its payload.

From the Symantec site:

-----------------------------------
Name of attachment: Zip file name Varies, but will contain the following file:
File-packed_dataInfo.exe
-----------------------------------

NOTE: Whitelist-protection will prevent inadvertent or unauthorized extracting (copying) of the file.

inadvertent --> user clicks on file w/o thinking, sees alert, and says, "do I really want to do this"

unauthorized --> other user of the computer (eg, other family member) w/o principal user's permission

Example from a previous Sober variant (file name is different in this variant):

http://www.rsjones.net/img/sober_1.gif

--------------------------------------------
Should the user be persuaded into authorizing the file to extract and run,
anti-virus may or may not alert. If not, W32.Sober.X@mm performs the following actions:

Displays a message with the following text:

Error in packed Header
--------------------------------------------

http://www.rsjones.net/img/sober_2.gif

----------------------------------------
Copies itself as the following files:

%Windir%\WinSecurity\services.exe

Checks the network connection of the compromised computer, and the current date,
by connecting to one of the following NTP servers on TCP port 37:
-----------------------------------------

NOTE: The directory created for services.exe, and the NTP servers are different in this variant,
but the action is the same. Your firewall will alert the outbound attempt to Port 37
if your Port rules are configured correctly:

http://www.rsjones.net/img/sober_3.gif

At this point, the alert user will

1) notice that services.exe is not the correct Windows file,

2) or at least ask, why is something trying to connect out to this site, anyway?

3) and then realize that something is amiss and close the on-line connection.


Now, the worm is prevented from carrying out the payload:

----------------------------------------
Attempts to send a copy of itself to the email addresses gathered using one
of the SMTP servers selected above.
-------------------------------------------

regards,

-rich
________________
~~Be ALERT!!! ~~

 

A more complex analysis is available at Eset's website http://www.eset.com/msgs/sobery.htm

 

Hello Marcos,

Thanks for posting that link.

I don't have the tools to do a complete analysis, for my interest is in learning how these worms can be prevented from installing, or, containing the damage locally.

isc.sans.org reports today that mail servers monitored by a fellow handler caught over 46,000 instances of Sober.y in the last 24 hours.

There is really no need for that amount of spreading of the worm if proper firewall protection were in place.

regards,

-rich
________________
~~Be ALERT!!! ~~