iDefense Exposes Sober Worm Variant Timed with Nazi Party’s 87th Anniversary Widespread Worm is Scheduled to Launch January 5, 2006 RESTON, VA. – December 7, 2005 – iDefense, the cyber security intelligence provider and a VeriSign company (Nasdaq: VRSN), reports that the next planned attack of 2005’s most prolific email worm family, Sober, is scheduled to start on January 5, 2006 based on commands hard-coded within the worm. The attack date coincides with the 87th anniversary of the founding of the Nazi party. Additionally, the attack could have a significant detrimental effect on internet traffic, as email servers are flooded with politically motivated spam emails from potentially tens of millions of e-mail addresses.
In addition to the Nazi party anniversary, the January 5 trigger on the Sober variant appears to also be timed to coincide with a major German political convention meeting the next day, January 6, 2006. In the past, VeriSign iDefense Security Intelligence Services has seen mass distribution of propaganda timed with political events to increase the worm’s notoriety, and help to further circulate it.
“This discovery emphasizes the ever-present and often underestimated threat of ‘hacktivism’ – combining malicious code with political causes,” said Joe Payne, vice president, VeriSign iDefense Security Intelligence Services. “Exposing this latest variant required technical and geopolitical analysis that connected the dots to give enterprises and home users plenty of time to shore up their defenses.”
The Sober family appears to be authored by a German speaker or group of German speakers, and is comprised of nearly 30 variants dating to October 2003. Infected e-mails propagate as attachments with a social engineering component, enticing readers to open malicious files with messages using information on current events. Sober is also a bi-lingual worm, sending German-language messages to German email addresses, and English-language messages to other addresses.
(more)
iDefense discovered the next phase of the multi-phased Sober attack by reverse engineering and breaking encrypted code in the most recent Sober variant. This variant first began spreading through the Internet on or about November 16, 2005. The computers infected by the November 16 variant began sending another version on November 22, 2005 - a date that coincided with the inauguration of Germany’s first female chancellor - to additional computers posing as emails from the FBI, The United Kingdom’s National High-Tech Crime Unit (NHTCU), German Bundeskriminalamt (BKA) and the CIA. This November 22 variant is designed to download an unknown payload of code on January 5, 2006. iDefense intelligence experts report that this particular variant has already infected millions of systems as a prelude to the January 5 attack, scanning computers’ address books to send hundreds of millions of messages claiming to be from various government entities.
The VeriSign iDefense Security Intelligence Services team provides data that helps protect some of the world’s largest networks in government, financial and retail markets. Its daily intelligence reports on emerging and established cyber threats – including actionable mitigation steps – are considered essential reading by certain industry security personnel, and help drive customers’ proactive network defense strategies.
iDefense analysts perform open-source research on Internet criminal activity in 13 languages and track Internet cybercrime in more than 30 countries. iDefense publishes weekly on hacker groups, cyber crime, software vulnerabilities, phishing schemes and malicious code (viruses, worms, Trojans, spyware and keyloggers).
About iDefense and VeriSign iDefense, a VeriSign company, provides information security intelligence to the U.S. government and Global 2000 companies, including leaders in financial services, energy, transportation and telecommunications. The company provides customized, actionable, timely and relevant intelligence detailing potential threats, vulnerabilities and security issues directly to C-level executives, general counsels, auditors, senior security managers and staff, and system administrators. Further information is available at www.idefense.com or (703) 480-4602. VeriSign, Inc. (Nasdaq: VRSN), operates intelligent infrastructure services that enable and protect billions of interactions every day across the world’s voice and data networks. Additional news and information about the company is available at www.verisign.com.
Media Contacts:
Investors Contact:
Brendan P. Lewis VeriSign brlewis@verisign.com (650) 426-4470
Tom McCallum VeriSign 650-426-3744 tmccallum@verisign.com
Adam Parken Corporate Ink Public Relations (for iDefense) aparken@corporateink.com (617) 969-9192
### Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the inability of VeriSign to successfully market its services, including VeriSign iDefense Research; customer acceptance of the services as provided by VeriSign; increased competition and pricing pressures; and the inability of VeriSign to successfully develop and market new products and services and customer acceptance of any new products or services. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2004 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statement after the date of this press release.
###