On Thursday 04 September 2003 11:49 pm, rikona wrote:
> Hello Bryan,
>
> Thursday, September 4, 2003, 2:47:49 PM, you wrote:
>
> BP> It is trivial to spoof the machine name when sending out mail but
> BP> spoofing the IP address is NOT trivial.
>
> If the virus sets up a stack that is *completely* independent, could
> it use a different, spoofed IP address? Say, for example, one that was
> in the headers of the infected machine email files - real, verifiable,
> but not the address from which it was actually sent. [66.32.127.184]

Again, coming in from an ISP, which most of us do, this is not a trivial feature. You need to use an IP that is accepted on the network and reverse DNS needs to support what you use. So, the virus would need to know in advance which IPs are accepted on the network, grab one of those that are accepted and trusted and also that is not already assigned to another machine, and then use that IP to mask the originating entry. If this was a person, I would say that it would be possible, although still very difficult. There is ultimately only one modem, only one hardware port for the traffic and two stacks fighting over ownership. Ultimately we have to have two-way traffic, so however we spoof, we still need to have packets routed back to us, so we can't totally fake the connection. For a virus, which by definition has to be fairly small and not "intelligent", I would say not. Even then, while we may not know exactly which IP the traffic originated from, we would still definitely be able to narrow down to the IP range because networks will not, unless they are VERY misconfigured, accept traffic from just any source and even if they did, they have to be routable, reachable and DNS-recognized destinations.

If I spoof an IP address that is assigned to another range, the packets would be routed back to incorrect netspace when they returned and I would never receive a response. For instance, if I spoof 217.68.23.432 on a 67.0.0.1/24, the packets will go to the 217.68.23/? range rather than returning to my true address because DNS will route them to the wrong place. So I have to use an IP on the accepted range and I have to have DNS route the packets back to me. Now, if I can overwrite DNS and appropriate a range on the local servers, I can spoof much more easily but again, this is not a trivial task. We have to assume that the entire network was set up by complete incompetents for that to be possible. With most people using hardware devices by companies like Cisco, that is a fairly big assumption.

If you have read Cuckoo's Egg, and other hacker accounts, you will remember that the way that most hackers hide their real origination is by compromising multiple machines and then relaying through multiple machines across disparate regions, counting on the inability for any one person to be able to follow the entire chain and get everyone's cooperation to track the true originating source. Viruses simply are not that smart.

> BP> I suppose it is possible that the SoBig.F virus was designed to
> BP> seek out and relay through compromised or open proxies but if
> BP> that is the case, it is the first that I have heard of it.
>
> I seem to recall that it did, but I have not paid that much attention
> to this virus.

From what I have read, it does not. It does open a port that spammers can use to relay from, but it does not, in and of itself, relay or use proxies. Based on the reports here, I would say there appear to have been at least 3 compromised machines, one in Adelphia netspace (I never saw that one), one from Pacbell DSL and one in Brazil (I did not see that one either but I deny all Brazil netspace by default so I wouldn't see that one unless it was mailed to the list itself, and then the virus filter probably caught it). I figure at least one or more of those were probably infected by the first message from the list.

-- 
Bryan Phinney
Software Test Engineer
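As an added example (not part of this thread), the defender-side version of Bryan's point: a trusted relay records the address it actually saw on the TCP connection, so walking the Received: chain from the newest hop down to the first untrusted peer gives the last address that can be vouched for, while the HELO name and every older Received: line are that machine's own claims. The headers, host names and addresses below are constructed, and TRUSTED_RELAYS is an assumed local policy.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample (not from the list post): a three-hop chain in the style of
# 2003-era Received: headers. "from NAME" is what the sender claimed in HELO; the
# bracketed address is what the receiving MTA actually saw on the wire.
SAMPLE = """\
Received: from list.example.net (list.example.net [192.0.2.10])
\tby mx.example.com (Postfix) with ESMTP; Fri, 5 Sep 2003 10:01:00 -0700
Received: from mail.example.org (dsl-45.pool.example-isp.net [203.0.113.45])
\tby list.example.net (8.12.9/8.12.9) with SMTP; Fri, 5 Sep 2003 10:00:30 -0700
Received: from gateway.example.org (gateway.example.org [198.51.100.7])
\tby mail.example.org with SMTP; Fri, 5 Sep 2003 09:59:00 -0700
Subject: constructed sample
"""

# Assumed policy: relays we operate or trust. Only a Received: line written by
# one of these is believed; everything below the first untrusted hop was written
# by that untrusted machine and can say whatever it likes.
TRUSTED_RELAYS = [ip_network("192.0.2.0/24")]

HOP_RE = re.compile(r"\s*from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>\S+)\s+)?\[(?P<ip>[\d.]+)\]")

def parse_hops(raw_message):
    """Return Received: hops newest-first, in the order the MTA chain wrote them."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.match(value)
        if not m:
            hops.append(None)          # unparseable hop: kept as a stop marker
            continue
        hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": ip_address(m["ip"])})
    return hops

def last_verifiable_hop(hops):
    """Walk newest-first; the first peer outside TRUSTED_RELAYS is the last address
    we can vouch for, because a trusted relay observed it on the connection."""
    for hop in hops:
        if hop is None:
            return None                # stop rather than guess past a bad line
        if not any(hop["ip"] in net for net in TRUSTED_RELAYS):
            return hop
    return None                        # the mail never left our own relays

def helo_matches_rdns(hop):
    """Cheap spoof signal from the thread: HELO name versus what reverse DNS said."""
    return hop["rdns"] is not None and hop["helo"] == hop["rdns"]
```

In the sample the ISP pool address 203.0.113.45 is the origin that can be narrowed down, as the post describes, while its HELO of mail.example.org and the gateway.example.org hop beneath it are unverified claims.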
