IT professionals -- already worried about malicious code targeting the Microsoft Windows Meta File glitch -- may have another reason to fret this week: If some security firm's' predictions hold, the prolific family of Sober worms will launch a new attack starting Thursday.
Many AV firms have already updated their signatures to counter the threat.
The new Sober attack was predicted last month by iDefense Security Intelligence Services, a division of Mountain View, Calif.-based VeriSign Inc. At the time, iDefense said it had discovered hard-coded commands within the recent Sober-X variant that were programmed to launch the next wave of Sober assaults on Thursday, Jan. 5, 2006.
Tuesday, iDefense spokesman Jason Greenwood said nothing has changed since the organization issued last month's warning. He said all intelligence still points to a new Sober assault this week.
"Things are pretty much as they were," he said. "The big question is what will happen after Jan. 5. On Jan. 6 the worms will look for a specific set of Web site URLs. But those sites haven't been activated yet. The question is whether the people behind this will activate those sites."
The danger will not be over if nothing happens by week's end. "If nothing happens on Jan. 6, the worm is programmed to stay dormant for 14 days," Greenwood said. "After 14 days it is programmed to look for a different set of sites. The process will repeat every 14 days."
The good news, he said, is that AV signatures countering the threat have been widely deployed. "The biggest risk," he said, "will be for home users unaware that this exists."
iDefense discovered the planned attack by reverse-engineering the Sober-X variant discovered in mid-November. Starting Jan. 5, it warned, the worm will start generating a series of dynamic URLs specific to domains in Germany and Austria. From those domains it will attempt to download the next portion of code to carry out the attack.
Sober was among the most publicized worms of 2005. Dozens of variants, many of which were mass-mailers, were on the loose at various points throughout the year. One such outbreak happened in May, when the Sober-N worm dropped the Sober-Q Trojan on compromised machines and began spewing messages touting German nationalism. Interestingly, the Sober strike slated for Jan. 5 would be the 87th anniversary of the founding of Germany's Nazi party.
Another surge in Sober activity began in mid-November. At one point just after Thanksgiving, antivirus firms discovered that the latest iteration, Sober-Z, was spreading spam so quickly that it accounted for an astonishing one in 14 e-mails traveling across the Internet.
News Editor Eric B. Parizo contributed to this report.