iDefense Exposes Sober Worm Variant Timed
with Nazi Party’s 87th Anniversary
Widespread Worm is Scheduled to Launch January 5, 2006
RESTON, VA. – December 7, 2005 – iDefense, the cyber security
intelligence provider and a VeriSign company (Nasdaq: VRSN), reports
that the next planned attack of 2005’s most prolific email worm family,
Sober, is scheduled to start on January 5, 2006 based on commands hard-coded
within the worm. The attack date coincides with the 87th anniversary
of the founding of the Nazi party. Additionally, the attack could
have a significant detrimental effect on internet traffic, as email
servers are flooded with politically motivated spam emails from potentially
tens of millions of e-mail addresses.
In addition to the Nazi party
anniversary, the January 5 trigger on the Sober variant appears to also
be timed to coincide with a major German political convention meeting
the next day, January 6, 2006. In the past, VeriSign iDefense
Security Intelligence Services has seen mass distribution of propaganda
timed with political events to increase the worm’s notoriety, and help
to further circulate it.
“This discovery emphasizes
the ever-present and often underestimated threat of ‘hacktivism’ – combining
malicious code with political causes,” said Joe Payne, vice president,
VeriSign iDefense Security Intelligence Services. “Exposing this
latest variant required technical and geopolitical analysis that connected
the dots to give enterprises and home users plenty of time to shore
up their defenses.”
The Sober family appears to
be authored by a German speaker or group of German speakers, and is
comprised of nearly 30 variants dating to October 2003. Infected
e-mails propagate as attachments with a social engineering component,
enticing readers to open malicious files with messages using information
on current events. Sober is also a bi-lingual worm, sending
German-language messages to German e-mail addresses, and English-language
messages to other addresses.
iDefense discovered the next
phase of the multi-phased Sober attack by reverse engineering and breaking
encrypted code in the most recent Sober variant. This variant first
began spreading through the Internet on or about November 16, 2005.
The computers infected by the November 16 variant began sending another
version on November 22, 2005 - a date that coincided with the inauguration
of Germany’s first female chancellor - to additional computers posing
as emails from the FBI, The United Kingdom’s National High-Tech Crime
Unit (NHTCU), German Bundeskriminalamt (BKA) and the CIA. This November
22 variant is designed to download an unknown payload of code on January
5, 2006. iDefense intelligence experts report that this particular
variant has already infected millions of systems as a prelude to the
January 5 attack, scanning computers’ address books to send hundreds
of millions of messages claiming to be from various government entities.
The VeriSign iDefense Security
Intelligence Services team provides data that helps protect some of
the world’s largest networks in government, financial and retail markets.
Its daily intelligence reports on emerging and established cyber threats
– including actionable mitigation steps – are considered essential reading
by certain industry security personnel, and help drive customers’ proactive
network defense strategies.
iDefense analysts perform open-source
research on Internet criminal activity in 13 languages and track Internet
cybercrime in more than 30 countries. iDefense publishes weekly
on hacker groups, cyber crime, software vulnerabilities, phishing schemes
and malicious code (viruses, worms, Trojans, spyware and keyloggers).
About iDefense and VeriSign
iDefense, a VeriSign company, provides information security intelligence
to the U.S. government and Global 2000 companies, including leaders
in financial services, energy, transportation and telecommunications.
The company provides customized, actionable, timely and relevant intelligence
detailing potential threats, vulnerabilities and security issues directly
to C-level executives, general counsels, auditors, senior security managers
and staff, and system administrators. Further information is available
at www.idefense.com
or (703) 480-4602. VeriSign, Inc. (Nasdaq: VRSN), operates intelligent
infrastructure services that enable and protect billions of interactions
every day across the world’s voice and data networks. Additional news
and information about the company is available at www.verisign.com.
For more information, contact:
Corporate Ink Public Relations (for iDefense): Adam Parken, aparken@corporateink.com,
(617) 969-9192
VeriSign Media Relations: Brendan P. Lewis, brlewis@verisign.com,
(650) 426-4470
VeriSign Investor Relations: Tom McCallum, tmccallum@verisign.com,
650-426-3744
###
Statements in this announcement other than historical
data and information constitute forward-looking statements within the
meaning of Section 27A of the Securities Act of 1933 and Section 21E
of the Securities Exchange Act of 1934. These statements involve risks
and uncertainties that could cause VeriSign's actual results to differ
materially from those stated or implied by such forward-looking statements.
The potential risks and uncertainties include, among others, the uncertainty
of future revenue and profitability and potential fluctuations in quarterly
operating results due to such factors as the inability of VeriSign to
successfully market its services, including VeriSign iDefense Research;
customer acceptance of the services as provided by VeriSign; increased
competition and pricing pressures; and the inability of VeriSign to
successfully develop and market new products and services and customer
acceptance of any new products or services. More information about potential
factors that could affect the company's business and financial results
is included in VeriSign's filings with the Securities and Exchange Commission,
including in the company's Annual Report on Form 10-K for the year ended
December 31, 2004 and quarterly reports on Form 10-Q. VeriSign undertakes
no obligation to update any of the forward-looking statement after the
date of this press release.
# # #
