Re: [Full-Disclosure] kaspersky-labs webserver or listserver com

Fri, 08 Nov 2002 02:48:54 -0800 

Andreas Tirok <[EMAIL PROTECTED]> wrote:

> Ka <[EMAIL PROTECTED]> wrote:
> > Just received an email with some virus components
> > from kaspersky-labs.com. .o)
> > 
> > Possible            Exploit.IFrame.FileDownload 
> > and a README.EXE with       I-Worm.Bridex 
> > 
> > Here are the headers:
> > 
> > - ------------------------- BEGIN HEADERS -----------------------------
> > Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
> >         by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
> >         for <[EMAIL PROTECTED]>; Thu,  7 Nov 2002 22:51:28 +0100 (CET)
> > Received: by webserver2.kaspersky-labs.com (Postfix)
> >         id 33AB920047; Fri,  8 Nov 2002 00:22:31 +0300 (MSK)
> > Delivered-To: [EMAIL PROTECTED]
> > Received: from webserver2.kaspersky-labs.com (unknown [148.235.6.199])
> looking for                                              +++++++++++++
> 
> dig -x 148.235.6.199

Yeah...

> ; <<>> DiG 8.3 <<>> -x

<<snip dig output that proves 148.235.6.199 isn't k-l.com>>

> Isn't webserver2.kaspersky-labs.com

So, the SMTP envelope FROM: was "forged" and this was not commented 
on by the receiving server...  Win32/Braid forges outgoing mail 
addresses so that should not be entirely surprising, and the real 
sending IP is in Mexico and other aspects of the message suggest that 
should not be surprising.

However, what you missed is that the "last" Received" header is:

> > Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
> >         by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
> >         for <[EMAIL PROTECTED]>; Thu,  7 Nov 2002 22:51:28 +0100 (CET)

and I think if you do your dig-ing again against 195.161.113.178 
you'll find that it and webserver2.kaspersky-labs.com are one and 
the same machine (though, IIRC from doing it earlier, there is no 
reverse DNS from 195.161.113.178 to webserver2.kaspersky-labs.com).

I know folk at Kaspersky Labs are aware something is going on, but I 
am still receiving messages through webserver2.kaspersky-labs.com 
mail that it should not be sending.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Reply via email to