Internet security provider VeriSign iDefense reports that the next planned attack of 2005’s most prolific email worm family, Sober, is scheduled to start on 5 January 2006, coinciding with the 87th anniversary of the founding of the Nazi party.

Based on commands hard-coded within the worm, the attack date has been set and could have a significant detrimental effect on internet traffic, as email servers are flooded with politically motivated spam emails from potentially tens of millions of email addresses. 

In addition to the Nazi party anniversary, the 5 January trigger on the Sober variant appears to also be timed to coincide with a major German political convention meeting the next day - 6 January 2006.  In the past, VeriSign iDefense says, mass distribution of propaganda has been timed with political events to increase the worm’s notoriety, and help to further circulate it.

“This discovery emphasises the ever-present and often underestimated threat of ‘hacktivism’ – combining malicious code with political causes,” said Joe Payne, vice president, VeriSign iDefense Security Intelligence Services.  “Exposing this latest variant required technical and geopolitical analysis that connected the dots to give enterprises and home users plenty of time to shore up their defenses.”

The Sober family appears to be authored by a German speaker or group of German speakers, and is comprised of nearly 30 variants dating to October 2003.  Infected emails propagate as attachments with a social engineering component, enticing readers to open malicious files with messages using information on current events.   Sober is also a bi-lingual worm, sending German-language messages to German email addresses, and English-language messages to other addresses.

iDefense discovered the next phase of the multi-phased Sober attack by reverse engineering and breaking encrypted code in the most recent Sober variant. This variant first began spreading through the Internet on or about 16 November 2005. The computers infected by the 16 November variant began sending another version on 22 November 2005 - a date that coincided with the inauguration of Germany’s first female chancellor - to additional computers posing as emails from the FBI, The United Kingdom’s National High-Tech Crime Unit (NHTCU), German Bundeskriminalamt (BKA) and the CIA. This 22 November variant is designed to download an unknown payload of code on 5 January 2006.  iDefense intelligence experts report that this particular variant has already infected millions of systems as a prelude to the 5 January attack, scanning computers’ address books to send hundreds of millions of messages claiming to be from various government entities.