MoMusings

Monday 23rd May, 2005


Sober Reloaded

Filed under: All, Malware

Last week's spam assault from Sober.q should now be over. However, as of Monday the 23rd of May, Sober.q changes mode: instead of spamming, it will attempt to download and execute a new, as yet unknown component, allowing it to carry out whatever task its author has assigned to it.

At this time nothing is known as to what this new component is, or what it may do.

So, what do we actually know about this new mode?

Sober.q carries a list of NTP servers encoded within itself, which it queries to synchronize the time (so the trigger cannot be defeated simply by setting the infected machine's clock back). If the date returned is 23rd May 2005 or later it changes its behaviour; instead of mass-mailing right-wing spam e-mails, it attempts to download and execute a file from one of the following domains:

  • people.freenet.de
  • scifi.pages.at
  • free.pages.at
  • home.pages.at
  • home.arcor.de

The directory part of the URL used to download the new component is a pseudo-random string derived from the date returned by the NTP servers, so the download location changes from day to day.


The following is the list of NTP servers which Sober.q queries:

  • Rolex.PeachNet.edu
  • clock.psu.edu
  • ntp3.fau.de
  • utcnist.colorado.edu
  • sundial.columbia.edu
  • time-a.timefreq.bldrdoc.gov
  • ntp-sop.inria.fr
  • rolex.usg.edu
  • time.xmission.com
  • ntp.massayonet.com.br
  • ntp-1.ece.cmu.edu
  • time.nist.gov
  • ntp.lth.se
  • cuckoo.nevada.edu
  • ntp-2.ece.cmu.edu
  • time.kfki.hu
  • ntp.pads.ufrj.br
  • time-ext.missouri.edu
  • os.ntp.carnet.hr
  • timelord.uregina.ca
  • ntp2b.mcc.ac.uk
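The mechanics described above, as an added example that is not code from the original post or from the worm itself: an SNTP (RFC 2030) client request and reply parser, the date-driven mode switch, and the construction of candidate download URLs on the five listed hosts. The SNTP packet layout is the real one; the directory-name generator is an assumed placeholder (a truncated SHA-256 of the date), since the worm's actual algorithm is not given here, and the 26th of May cut-off for the update cycle is taken from the post's May 24th update. The sample reply packet is constructed inline so the code runs offline.

```python
"""Added example: model of the Sober.q NTP-driven mode switch (not the worm's code)."""
import hashlib
import socket
import struct
from datetime import date, datetime, timedelta, timezone

# NTP timestamps count seconds since 1900-01-01 UTC; Unix time counts from 1970.
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
TRIGGER_DATE = date(2005, 5, 23)      # first day of the download/update mode
LAST_UPDATE_DATE = date(2005, 5, 26)  # Thursday of that week, per the May 24th update

# Hosts taken from the post above.
NTP_SERVERS = [
    "Rolex.PeachNet.edu", "clock.psu.edu", "ntp3.fau.de", "utcnist.colorado.edu",
    "sundial.columbia.edu", "time-a.timefreq.bldrdoc.gov", "ntp-sop.inria.fr",
    "rolex.usg.edu", "time.xmission.com", "ntp.massayonet.com.br", "ntp-1.ece.cmu.edu",
    "time.nist.gov", "ntp.lth.se", "cuckoo.nevada.edu", "ntp-2.ece.cmu.edu",
    "time.kfki.hu", "ntp.pads.ufrj.br", "time-ext.missouri.edu", "os.ntp.carnet.hr",
    "timelord.uregina.ca", "ntp2b.mcc.ac.uk",
]
DOWNLOAD_HOSTS = [
    "people.freenet.de", "scifi.pages.at", "free.pages.at", "home.pages.at", "home.arcor.de",
]


def build_sntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 -> first byte 0x1B, rest zero."""
    return b"\x1b" + b"\x00" * 47


def make_sntp_reply(ntp_seconds: int, fraction: int = 0) -> bytes:
    """Constructed server reply (Mode=4) carrying the given Transmit Timestamp."""
    return b"\x1c" + b"\x00" * 39 + struct.pack("!II", ntp_seconds, fraction)


def parse_sntp_reply(data: bytes) -> datetime:
    """Return the server's Transmit Timestamp (bytes 40-47) as an aware UTC datetime."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    mode = data[0] & 0x07
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    secs, frac = struct.unpack("!II", data[40:48])
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=frac * 1_000_000 // 2**32)


def query_ntp_date(host: str, timeout: float = 2.0) -> date:
    """Live SNTP query over UDP/123; not exercised by the offline demo below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, 123))
        data, _ = sock.recvfrom(512)
    return parse_sntp_reply(data).date()


def sober_mode(today: date) -> str:
    """'update' during the download window, 'spam' (mass-mailing) otherwise."""
    return "update" if TRIGGER_DATE <= today <= LAST_UPDATE_DATE else "spam"


def placeholder_dir(today: date) -> str:
    """ASSUMPTION: stand-in for the worm's undisclosed date-seeded directory string."""
    return hashlib.sha256(today.isoformat().encode()).hexdigest()[:10]


def candidate_urls(today: date) -> list:
    """One candidate URL per download host for the day, or none outside the window."""
    if sober_mode(today) != "update":
        return []
    dirname = placeholder_dir(today)
    return [f"http://{host}/{dirname}/" for host in DOWNLOAD_HOSTS]


def urls_for_reply(reply: bytes) -> list:
    """Full chain: NTP reply -> date -> mode -> candidate URLs."""
    return candidate_urls(parse_sntp_reply(reply).date())


# Constructed sample: Transmit Timestamp 3325795200 s since 1900
# = 1116806400 Unix + 2208988800 epoch offset = 2005-05-23 00:00:00 UTC.
SAMPLE_REPLY = make_sntp_reply(3325795200)

if __name__ == "__main__":
    when = parse_sntp_reply(SAMPLE_REPLY)
    print(when.isoformat(), sober_mode(when.date()))
    for url in urls_for_reply(SAMPLE_REPLY):
        print(url)
```

Because the trigger is keyed to network time rather than the local clock, a sandbox that merely sets its clock back will still see the worm enter update mode once it can reach any of the listed servers; blocking UDP/123 to those hosts in the sandbox, or answering with a spoofed reply built as above, is how to steer it into the mode you want to observe.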

Conclusions:

Well, something may or may not happen on Monday due to Sober.q downloading and executing new code and/or instructions. We could see more spam [political, gambling, body part enlargement, watch, mortgage, software, drugs, stocks or pr0n related], DDoS attacks, another mass-mailing member of the Sober family installed, an Instant Messaging worm, a bot, another trojan, or it may all come to nothing, as we've seen before. However, I somehow doubt this, this time. Batten down the hatches, I suspect we're in for a bumpy ride!

So, what is your guess as to what we will see [or not see] when Sober.Q changes mode?

Links:

Sober.Q Description [F-Secure]
The Register

I'll try to update this entry as new information becomes available. Stay tuned!

Update May 23rd 09:30 GMT+1: The update phase has started as expected; however, so far there is nothing for Sober.q to download.

Update May 23rd 13:30 GMT+1: Still nothing for Sober.q to download at this time.

Update May 24th 09:30 GMT+1: No sign at this time of Sober.q finding anything to download; however, this new cycle will continue, using new date-related pseudo-random links each day until Thursday this week, before going back to its existing right-wing spam mode.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.

Comments »

The URI to TrackBack this entry is: http://momusings.blogsome.com/2005/05/23/sober-reloaded/trackback/

No comments yet.
