The Sober worm saga is set to take another fascinating twist on Monday. Every hour compromised computers will start downloading mystery information from websites selected by the author using a complicated algorithm based on time.
"The author has tried to obfuscate where it will download code from," said Mikko Hypponen, director of antivirus research at Finnish company F-Secure. "It's easy to pinpoint three domains, but there is also a very sophisticated algorithm based on time. We cracked the code. It was not trivial, but certainly do-able."
Hypponen and other antivirus researchers indicated the Sober.p and Sober.q variants are an example of the increasing sophistication and organisation of virus writers.
"This particular writer has developed a very nice framework," said Dmitri Alperovitch, research engineer at Ciphertrust. Alperovitch also pointed out virus researchers expected activity from the Sober.p virus on 27 April, but nothing happened until 14 May.
What happens next with Sober is still unclear. One police contact told SC that it could be used for a DDoS attack. Hypponen said such an attack is possible but unlikely.
"Sober hasn't been used for DDoS in the past," he said. "I expect we'll see a spam trojan or a new Sober variant."
Last week SC reported Sober.q was being used to spread right-wing messages.