The next wave of attacks from this year’s most prolific email worm family, Sober, is scheduled to start on Jan. 5, 2006, analysis of source code has revealed. The attack date coincides with the 87th anniversary of the founding of the Nazi party.
Security experts predict that the scheduled attacks could have “a significant detrimental effect on internet traffic,” as email servers are flooded with politically motivated spam emails from potentially tens of millions of email addresses.
In addition to the Nazi party anniversary, the Jan. 5 trigger on the Sober variant appears to also be timed to coincide with a major German political convention the next day, Jan. 6, VeriSign iDefense Security Intelligence Services noted.
“This discovery emphasizes the ever-present and often underestimated threat of ‘hacktivism’ — combining malicious code with political causes,” said Joe Payne, vice president, VeriSign iDefense Security Intelligence Services.
“Exposing this latest variant required technical and geopolitical analysis that connected the dots to give enterprises and home users plenty of time to shore up their defenses.”
The Sober family appears to be authored by a German speaker or group of German speakers and comprises nearly 30 variants dating back to October 2003. The worm propagates as an email attachment with a social engineering component, enticing recipients to open malicious files with messages that reference current events. Sober is also a bilingual worm, sending German-language messages to German email addresses and English-language messages to all other addresses.
iDefense discovered the next phase of the multi-phased Sober attack by reverse engineering and breaking the encrypted code in the most recent Sober variant. This variant first began spreading across the internet on Nov. 16, 2005. Computers infected by the Nov. 16 variant began sending another version to additional computers on Nov. 22 – a date that coincided with the inauguration of Germany’s first female chancellor – in emails posing as messages from the FBI, the U.K.’s National High-Tech Crime Unit (NHTCU), the German Bundeskriminalamt (BKA) and the CIA.
This Nov. 22 variant is designed to download an unknown payload of code on Jan. 5. iDefense reported that this particular variant has already infected millions of systems as a prelude to the Jan. 5 attack, scanning computers’ address books to send hundreds of millions of messages claiming to be from various government entities.