Author Topic: Experts unconcerned by imminent Sober attack  (Read 633 times)

Posted by Clive (Administrator)
Experts unconcerned by imminent Sober attack
« on: January 05, 2006, 13:41 »
Tom Espiner, ZDNet UK, January 04, 2006, 14:15 GMT

The next Sober attack is due this week, but it shouldn't be a problem for those who have taken the necessary steps.

The Sober attack predicted to occur on 6 January should not be a problem for systems administrators, antivirus experts said on Wednesday.

As reported last month, machines that were infected by Sober in November have the potential to download malicious code from certain Web sites and then launch a new wave of viruses later this week.

But experts from antivirus companies F-Secure, Websense and MessageLabs all agreed that this Sober attack is unlikely to have a major effect, as systems administrators and antivirus companies have had time to prepare.

F-Secure raised the possibility that there may not even be an attack, as ISPs could block access to the malicious Web sites.

"There might be no attack at all. As everybody knows about the attack, the virus writer may lay low and attack at a later date," said Mikko Hyppönen, director of antivirus research at F-Secure. "The ISPs involved can actively block malicious postings. It's more likely the attacker will lay low or be blocked, rather than succeed."

Websense agreed that the Sober attack would not have a major effect.

"Sober has been mitigated pretty well. I would be really surprised if there's still a problem. I don't see it being a big issue," said Dan Hubbard, senior director of security and research at Websense.

Systems administrators should block the URLs of Web sites with malicious links (see the list at the end of this article) but not the domains hosting the Web sites, F-Secure recommended.

"We have listed URLs that we are recommending systems administrators block. We don't recommend blocking the whole domain, as 99 percent of the pages on these free Austrian and German domains are OK. You should just block the problem URLs," said Hyppönen.

Blocking the URLs should not cause any technical problems for system administrators, F-Secure said.

"If systems administrators block these URLs at their gateways, it's not going to break anything," said Hyppönen.

Mark Toshack, manager of antivirus operations at MessageLabs, agreed with Hyppönen.

"Mikko's absolutely spot on. If just a few URLs are blocked, users can still browse the rest of those domains freely," Toshack said.

Antivirus vendors should be able to mitigate the effects of the potential attack, said MessageLabs.

"You'd hope everybody knows about the upcoming attack. All of the antivirus vendors know, and have updated their products to block signatures or detect malicious Web sites. Hopefully this will bottleneck the threat, and choke it off," said Toshack.

But some users may still be affected by an attack. "You will get a few people who aren't running any antivirus software on their desktop, and a percentage of people clicking on unknown Web sites," Toshack added.

MessageLabs advised systems administrators to acquaint themselves with information regarding Sober, and urged IT professionals to remind teleworkers to be cautious of emails that use social engineering to try to trick them.

"Systems administrators should make sure they've read up on all of the information on Sober coming from antivirus vendors; get well versed. Make sure your firewall is updated to block those specific URLs. Tell users to watch out for malicious links, especially those working from home who may be outside the firewall," Toshack said.

F-Secure advises systems administrators to block these URLs to prevent Sober from downloading anything on and after 6 January:


The list will change every 14 days. After 19 January the list becomes:
