The wriggling saga of the Sober worm is a cautionary tale worthy of a revisit during Cybersecurity Awareness Month. It’s a good reminder that once malware is on the loose, it’s hard to catch—and that it often undergoes a metamorphosis making it even more slippery.
First spotted in October 2003, Sober was a typical worm, arriving via email attachment. The malware employed social engineering to persuade the unwitting email recipient to click on the attachment. Opening the attachment created several executables and modified registry keys so that those executables would launch at startup. Sober, like other malware of its ilk, also sent itself via email to everyone in the computer’s address book.
Sober worm tailors its message to its audience
Written in Visual Basic, Sober is thought to have originated in Germany. Its basic format remained the same across its appearances in 2003, 2005 and again in 2007; what changed was the social engineering it employed. English-speaking recipients generally received scare tactics: someone has stolen your account information, you have visited illegal websites, etc. In November 2005, the FBI even put out an alert regarding Sober, letting people know the “illegal website” emails were a hoax.
German speakers received the enticing message that they had won 2006 World Cup tickets and should click on the attachment for more information. And, of course, some Sober emails promised videos of mid-2000s celebrities Paris Hilton and Nicole Richie.
As Sober variants continued to emerge, its creators took a curious step in May 2005 and programmed Sober to stop. The program contained code prompting it to follow instructions posted on certain websites, and the instructions told Sober to stop spreading.
The morals of this Sober-ing tale are as true now as they were almost 20 years ago: Don’t click on attachments from unknown sources. Be wary of emails attempting to scare you or that claim you have won a prize. And resist the temptation to watch a risqué video.