Free Republic
Sober worm's success tied to antivirus weakness
ComputerWorld | MAY 12, 2005 | Matthew Broersma

Posted on 05/12/2005 1:17:33 PM PDT by holymoly

It uses a new technique to avoid virus software scans

The longevity of the current Sober worm may be largely due to a new technique it uses to evade virus scans, according to antivirus firm Kaspersky Lab Ltd.

The worm, variously labeled Sober.P, Sober.S, Sober.O and Sober.V by different companies, continues to circulate in large numbers; it made up 84% of all virus traffic as of Monday, according to Lynnfield, Mass.-based virus lab Sophos PLC.

While researchers have attributed its success to the fact that it circulates in both English and German, and to its use of free World Cup tickets as a lure to users, social engineering is only part of the equation, according to Kaspersky Lab.

The newest variant uses a refined mechanism for blocking input/output access to its files by other programs, Kaspersky senior research engineer Roel Schouwenberg said in an alert this week. Previous variants used a similar technique but didn't succeed in blocking programs running in a computer's System account.

Sober.P does what the others didn't do and blocks the System account as well, Schouwenberg said. That means no other programs, including antivirus scanners, could detect Sober.P while it was resident in memory, he said.

"If something can't be scanned, then malicious code can't be detected. This rules out the chance of Sober being detected while running an on-demand scan," he said in the alert, posted on Kaspersky's "Analyst's Diary" site.

While this mechanism doesn't stop an antivirus program from blocking Sober.P from infecting a computer in the first place, once a computer is infected, it makes it more difficult to fix, Schouwenberg explained, saying, "If you aren't aware of infection, how can you take measures against it?"

Some antivirus products lack the features needed to root out such an infection, namely a memory scanner and the ability to kill the worm's processes, Schouwenberg said.
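As an added illustration (not code from the article, Kaspersky or any product named here), a minimal on-demand file scanner that treats "could not open the file" as a finding of its own rather than silently moving on, which is the gap the article describes. The signature, the sample tree and the exclusive lock (simulated through an injected open function) are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed stand-in signature: SHA-256 of an invented byte string, not a real
# Sober hash (a real scanner would load a signature database instead).
SAMPLE_BAD_BYTES = b"constructed-sober-lookalike"
KNOWN_BAD = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}

def scan_tree(root, open_fn=open):
    """On-demand scan: hash every file under root against KNOWN_BAD.
    open_fn is injectable so the demo can simulate what the article describes:
    the resident worm holds its files open with exclusive access, so open()
    fails. Such a file is recorded as unscannable, never silently counted as
    clean; that silent skip is the blind spot Sober.P relies on."""
    report = {"clean": [], "detected": [], "unscannable": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                with open_fn(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError as err:  # PermissionError, sharing violation, ...
                report["unscannable"].append((path, err.strerror or str(err)))
                continue
            report["detected" if digest in KNOWN_BAD else "clean"].append(path)
    return report

def needs_memory_scan(report):
    """True when only a memory scan plus killing the owning process can close
    the gap (the two features the article says some products lack)."""
    return bool(report["unscannable"])

def demo():
    """Constructed tree: a clean file, a detected one, and a 'locked' bad file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("readme.txt", b"hello"), ("bad.exe", SAMPLE_BAD_BYTES),
                           ("locked.exe", SAMPLE_BAD_BYTES)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        def locked_open(path, mode):  # simulated exclusive lock on one file
            if path.endswith("locked.exe"):
                raise PermissionError(13, "sharing violation (simulated)")
            return open(path, mode)
        report = scan_tree(tmp, open_fn=locked_open)
    names = lambda seq: [os.path.basename(p) for p in seq]
    return {"clean": names(report["clean"]), "detected": names(report["detected"]),
            "unscannable": names(p for p, _ in report["unscannable"]),
            "needs_memory_scan": needs_memory_scan(report)}
```

Note that the locked copy carries the same bytes as the detected one; the scanner never sees them, which is why the report must surface the failed open rather than report the tree as clean.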


TOPICS: News/Current Events; Technical
KEYWORDS: antivirus; sober; virus; weakness; worm
...no other programs, including antivirus scanners, could detect Sober.P while it was resident in memory...

"If something can't be scanned, then malicious code can't be detected. This rules out the chance of Sober being detected while running an on-demand scan,"

I've just purchased a new keyboard to deal with this. ;)

1 posted on 05/12/2005 1:17:34 PM PDT by holymoly

To: holymoly

2 posted on 05/12/2005 1:21:37 PM PDT by billorites (freepo ergo sum)

To: holymoly

Our mail server uses GFI mailsecurity, which has four different scanning engines. Two of them have multiple instances of Sober in the log files.

I wonder what would happen if we didn't have all four scanners.


3 posted on 05/12/2005 1:28:08 PM PDT by js1138 (e unum pluribus)

To: holymoly

4 posted on 05/12/2005 1:28:24 PM PDT by al baby

To: holymoly
That's why people buy an anti-Trojan suite as well as an anti-virus scanner, DUH. And a program listing software like Globesoft's Abuseshield helps to prevent unknown software from even running by requiring the end user to authorize the software to run on their computer.

(Denny Crane: "Sometimes you can only look for answers from God and failing that... and Fox News".)
5 posted on 05/12/2005 1:32:49 PM PDT by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: holymoly

Microsoft should quit the software business and go into making Swiss cheese and pegboard - they seem to be certified experts in making things with holes in them.


6 posted on 05/12/2005 1:52:06 PM PDT by ikka

To: ikka
Microsoft should quit the software business and go into making Swiss cheese and pegboard - they seem to be certified experts in making things with holes in them.

Well, if they started selling vacuums, there'd be at least one product in their lineup that didn't s----.

7 posted on 05/12/2005 9:09:20 PM PDT by supercat (Sorry--this tag line is out of order.)

To: holymoly

If Palladium ever becomes established, anyone who gets the keys will be able to install undetectable viruses and other malware.


8 posted on 05/12/2005 9:09:59 PM PDT by supercat (Sorry--this tag line is out of order.)
