Tuesday, December 13, 2005

Sober

Quote from http://isc.sans.org/diary.php?storyid=925 :

You may have read from the news that there will be a Sober worm attack on 5 Jan 06. This is due to the pre-programmed date of the current Sober variant to activate on 5 Jan 06. The interesting part is that the Sober variant has the intelligence to create pseudorandom URLs which will change based on date. It also can synchronize the systems via atomic clocks so that it does not matter even if the system clock is not correct. F-Secure has come out with a list of URLs that you may want to block. You can read the details from F-Secure's nice writeup.

Go to the "URL Paths" function of your HTTP proxy and add the following URLs:

You can also use the webblocker exception list for this.
Remember to set the action to deny and alarm. This way the traffic will be blocked and you will be notified.

If you are not based in a German-speaking country, you can of course also just block:

people.freenet.de/*
scifi.pages.at/*
home.pages.at/*
free.pages.at/*
home.arcor.de/*
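
To see which clients a rule set would catch before switching it to deny and alarm, the rules can be replayed over existing proxy logs. This is an added example, not part of the original post or any proxy's own matching code; the log format, the sample lines, the placeholder path and the prefix semantics of `/*` are assumptions.

```python
from urllib.parse import urlsplit

# Host-wide rules taken from the post's short list.
HOST_WIDE_RULES = [
    "people.freenet.de/*", "scifi.pages.at/*", "home.pages.at/*",
    "free.pages.at/*", "home.arcor.de/*",
]

# Constructed sample log lines (assumed format: client method url).
SAMPLE_LOG = [
    "192.0.2.10 GET http://People.Freenet.DE:80/placeholder-dir/file.exe",
    "192.0.2.11 GET http://www.freenet.de/index.html",
    "192.0.2.12 GET home.arcor.de./placeholder-dir/",
    "192.0.2.13 GET http://www.example.org/home.arcor.de/x",
]

def parse_rule(rule):
    """Split 'host/prefix/*' into (host, '/prefix/')."""
    if not rule.endswith("/*"):
        raise ValueError("rule must end with /*: " + rule)
    host, _, prefix = rule[:-1].partition("/")
    return host.lower(), "/" + prefix

def match_url(url, rules):
    """Return the first rule covering url, or None."""
    if "://" not in url:
        url = "http://" + url                   # some logs omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # lowercased, port removed
    path = parts.path or "/"
    for rule in rules:
        rule_host, prefix = parse_rule(rule)
        # Exact host match: www.freenet.de must not hit people.freenet.de.
        # Trailing slash in prefix: /dir/* must not hit /dir-other/.
        if host == rule_host and path.startswith(prefix):
            return rule
    return None

def scan(log_lines, rules):
    """Return (client, url, rule) for each request the rules would deny."""
    hits = []
    for line in log_lines:
        client, _method, url = line.split()[:3]
        rule = match_url(url, rules)
        if rule:
            hits.append((client, url, rule))
    return hits

if __name__ == "__main__":
    for client, url, rule in scan(SAMPLE_LOG, HOST_WIDE_RULES):
        print("DENY+ALARM", client, url, "matched", rule)
```

A client that shows up in the hits on or after the activation date is a candidate for a Sober infection check; hits before that date show how much legitimate traffic the host-wide rules would block.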
