How could the Bavarian police know about Sober.T or V?


Gabriela Salvisberg

How could the Bavarian police know, when they published this yesterday
(Monday)...
http://www.polizei.bayern.de/blka/aktuell/presse.htm
(or see http://www.f-secure.com/weblog/)

That this will happen today (Tuesday):
http://www.f-secure.com/v-descs/sober_t.shtml

I got two of them after midnight. Some of it:

Subject: Hi, Ich bin's
X-Mailer: OfficeSmtp-V2.7.5971

Text:
"Hier ist die Liste die du haben wolltest.
Du solltest dich aber auch eintragen!

OK, bis dann"
Attackment [tm] name: Liste.zip (about 130 KB)

Or was it just a coincidence?

Gabriela
 
Gabriela Salvisberg said:
How could the Bavarian police know, when they published this yesterday
(Monday)...
http://www.polizei.bayern.de/blka/aktuell/presse.htm
(or see http://www.f-secure.com/weblog/)

That this will happen today (Tuesday):
http://www.f-secure.com/v-descs/sober_t.shtml

What about this, does this sound reasonable?
The worm was probably out in the wild for several days in advance of its
predefined attack date, to make sure it makes a bigger attack. So the police
had something to experiment on, like this:
- Infect an otherwise virgin test computer with the worm.
- Advance the computer date by one day, two, three and so on and check at
what date the worm goes to work and if it phones home.
- Try to get the home server disconnected and hope it is not in Korea, China
or the former Soviet Union.
- Inform the anti-virus companies. If you/they are quick, the worm will be
found after the next scanner update and before it becomes active.

Turan
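The clock-advancing procedure Turan describes, as an added example that is not part of the original thread and contains no Sober code: a small sandbox harness that hands a sample an injectable clock and a fake network, then sweeps the date forward one day at a time until the sample shows observable activity. The "sample" here is a constructed stand-in with a hard-coded trigger date; the trigger date, the hostname and the function names are assumptions for illustration only.

```python
"""Clock-sweep harness for locating a date-triggered payload in a sandbox.

Constructed example. `sample_run` is a stand-in for a time-bombed worm, not
Sober code; TRIGGER_DATE and UPDATE_HOST are assumptions chosen for illustration.
"""
from datetime import date, datetime, timedelta
from typing import Callable, List, Optional


class Sandbox:
    """Records what the sample tries to do instead of letting it happen.

    The sample calls sb.now() instead of datetime.now() and sb.connect()
    instead of opening a socket, so the analyst can move the date forward
    and observe outbound attempts without any real connection being made.
    """

    def __init__(self, fake_now: datetime) -> None:
        self.fake_now = fake_now
        self.dns_lookups: List[str] = []   # hosts the sample tried to reach
        self.spread_attempts = 0           # times the sample tried to mail itself

    def now(self) -> datetime:
        return self.fake_now

    def connect(self, host: str) -> None:
        self.dns_lookups.append(host)


# Constructed stand-in for a time-bombed sample (assumption: dormant until a
# hard-coded date, then fetches an "update" and starts spreading).
TRIGGER_DATE = date(2005, 11, 15)          # assumed, for illustration only
UPDATE_HOST = "update.example.invalid"     # assumed; .invalid never resolves


def sample_run(sb: Sandbox) -> None:
    """One execution of the sample under the sandbox's clock and network."""
    if sb.now().date() < TRIGGER_DATE:
        return                      # dormant: nothing observable
    sb.connect(UPDATE_HOST)         # "phone home" for the new variant
    sb.spread_attempts += 1


def find_trigger_date(run: Callable[[Sandbox], None],
                      start_iso: str,
                      max_days: int) -> Optional[str]:
    """Sweep the sandbox clock forward one day at a time from start_iso.

    Returns the first ISO date on which the sample produced observable
    activity (a network attempt or spreading), or None if nothing fired
    within max_days. Each day gets a fresh Sandbox so state left over from
    an earlier day can neither mask nor fake a trigger.
    """
    start = datetime.fromisoformat(start_iso)
    for offset in range(max_days + 1):
        sb = Sandbox(start + timedelta(days=offset))
        run(sb)
        if sb.dns_lookups or sb.spread_attempts:
            return sb.now().date().isoformat()
    return None


def observed_hosts(run: Callable[[Sandbox], None], when_iso: str) -> List[str]:
    """Hosts the sample contacts on a given date (input for a takedown request)."""
    sb = Sandbox(datetime.fromisoformat(when_iso))
    run(sb)
    return list(sb.dns_lookups)


if __name__ == "__main__":
    # Assumed analysis start: a week before the (unknown to the analyst) trigger.
    hit = find_trigger_date(sample_run, "2005-11-08T12:00:00", max_days=30)
    print("first observable activity:", hit)
    if hit is not None:
        print("hosts contacted that day:", observed_hosts(sample_run, hit))
```

The sweep only finds triggers that read the local clock; a sample that takes its date from a remote server (an NTP or HTTP Date header) will not fire no matter how far the sandbox clock is advanced, which is why the fake network records every host the sample asks for rather than just the ones it reaches after the trigger.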
 
On that special day, optikl said...
Someone tipped them off? Like a bragging author?

Or one of his classmates, as happened with the Sasser author. I
wonder which German holidays are supposed to start on November 15th,
though, because all former viruses were launched as soon as the
holidays started, especially in North Rhine-Westphalia.

I can't see any. And Fuehrer's Birthday (which I loathe) is in April.
He is obviously a Neonazi, and made Sober worms download "Updates"
which don't spread, but spam mails with right extremist messages. If
anybody knows whether an "important anniversary" is imminent in the
rightist universe, please tell.


Gabriele Neukam

 
He is obviously a Neonazi, and made Sober worms download "Updates"
which don't spread, but spam mails with right extremist messages.

That was the Sober version before an election (European elections 2004 or
North-Rhine-Westphalia 2005?). As far as I know it is relatively easy to
re-write a Sober worm for a new payload. Up to now there is no information
that Sober T or newer has a right-wing background or payload.

I got several right-wing Sober mails during that election campaign, but not
a single one this time. So perhaps we are talking about a different author
this time?

Turan
 
Gabriele Neukam wrote:
If
anybody knows whether an "important anniversary" is imminent in the
rightist universe, please tell.
I stay away from that universe, myself.
 
Now I have some more information from the LKA. It's not much different
from what Turan said:
What about this, does this sound reasonable?
The worm probably was out in the wild for several days in advance to its
predefined attack date, to make sure it makes a bigger attack. So the police
had something to experiment on, like this:
- Infect an otherwise virgin test computer with the worm.
- Advance the computer date by one day, two, three and so on and check at
what date the worm goes to work and if it phones home.

As I understood from what my colleague said (who talked directly to the
LKA), they analysed existing Sober-infected PCs and disassembled the
files that were downloaded to them. There they found the code of
some kind of "time bomb" that would trigger on Nov 15 by sending out
that new variant. This would very much explain it.

So they still don't know who's behind Sober. At least they say so.

Gabriela
 