A security headache is brewing as the payloads of various Sober worms are set to activate tonight.
According to security experts who decrypted the worm's code, 5 January 2006 is the date on which it will attempt to download code from various Web addresses on the Net. As such, at the stroke of midnight, the worm's author may or may not choose to activate those websites and cause widespread problems across the Internet.
The date coincides with the 87th anniversary of the founding of the precursor to the Nazi Party, and previous Sober worms have been used to turn infected computers into spam machines, spewing out right-wing German propaganda.
The impact may be significant: at one point at the end of last year, one in 14 e-mails was estimated to be carrying the worm.
But security companies are watching. "Nothing's posted yet [on the websites]," said Sophos senior security consultant Carole Theriault. Mikko Hypponen, chief research officer for F-Secure, was cautious: "It's possible he may stay well clear. It's more likely he'll lay low than engage in activation." Nevertheless, they are keeping a close eye on the situation.
The Sober worm variants are written in both German and English. The German propaganda is only sent to e-mail inboxes with a .de address and is "invisible to the rest of the world," Hypponen said. While most hackers produce malware for some kind of monetary benefit, the Sober author appears interested in only two things: working towards his next attack and releasing his propaganda.
The best way for users to protect themselves is to use anti-virus software. "If you don't have antivirus, get some," Theriault said. "If you have some, ensure it's up to date and clean up your computer." Hypponen stressed that users must double-check that their anti-virus software is really running and being regularly updated. He pointed out that many worms, not just Sober, typically switch off both anti-virus and firewall protection when they infect a computer.
Hypponen doesn't hold out much hope that this time around authorities will catch the hacker, whom he refers to as "a lone gunman", most likely resident in Germany or Austria.
During November's Sober-Z attack, authorities had the same kind of information they have this time in terms of the likely websites the hacker would go to, but he escaped detection. "He's been playing a game of cat and mouse [with the authorities] for over two years," Hypponen said. "I really do hope they'll be able to track him down."