Re: Virus alert
On 31/8/03 23:34, Dean Anderson wrote:

> Your comments are true in general, but I don't think they take into consideration the differences between this virus and the ones that go through the address book. One can (more) easily get such valid, trusted, familiar addresses from the address book. Many viruses do just that, probably with just the purpose you mentioned. However, this virus is different. It is using 'valid' addresses that aren't found in address books--addresses that wouldn't be familiar to anyone, but are still valid. There must be a reason why they would go to such trouble...

I think this virus wasn't just designed to spread, I think it was designed to remain alive on each machine it infected.

If you send out emails to a user's address book from that user, they will quickly get emails from their friends saying "I think you've got a virus Bob, I just got this weird email from you." Or they will receive bounces/vacation-messages for emails they know they didn't send.

Faking the From address means that replies will go to someone completely random. Since that means the sender will be a stranger, you might as well grab as many To addresses as possible rather than just restricting yourself to the user's address book.

Faking the From address also adds another vector for infection in that people start getting bounces saying "Sorry I was unable to deliver your message." They open these to figure out what the original message was and get infected. Now the virus can use a vast network of unwitting relays to further spread and mask its location.

I have received dozens of emails from helpful systems and people notifying me that I have the virus - and I have a Mac. I could crawl through the headers on the bounces to determine the machine that has actually been infected and has my email address, but once I've got an IP number I have no easy way to turn that into an email address for the user.

The disinformation strategy clearly worked, so I expect to see more of this style of virus in the future. Many have suggested that the purpose of the virus may have been to set up a large zombie spamming network - I'm not sure if it was this time, but I'm pretty sure it will be next time.

Jonathan
Re: Virus alert
> I think this virus wasn't just designed to spread, I think it was designed to remain alive on each machine it infected.

Hmm. Good points supporting this... Could be.

> I have received dozens of emails from helpful systems and people notifying me that I have the virus - and I have a Mac. I could crawl through the headers on the bounces to determine the machine that has actually been infected and has my email address, but once I've got an IP number I have no easy way to turn that into an email address for the user.

Once you have an IP number, you can look up the responsible party in one of the registries (whois.arin.net, whois.ripe.net, whois.apnic.net, etc--there are sub-registries for Latin America and such, but they aren't too hard to find.) Then you send an email with your logs or headers to the abuse contact and/or the administrative contact. They will know how to deal with the problem.

> The disinformation strategy clearly worked, so I expect to see more of this style of virus in the future. Many have suggested that the purpose of the virus may have been to setup a large zombie spamming network - I'm not sure if it was this time, but I'm pretty sure it will be next time.

Interesting, but we already have large zombie Type 3 spamming networks...
Re: Virus alert
On 2/9/03 22:49, Dean Anderson wrote:

> > [...] but once I've got an IP number I have no easy way to turn that into an email address for the user.
>
> Once you have an IP number, you can look up the responsible party in one of the registries (whois.arin.net, whois.ripe.net, whois.apnic.net, etc--there are sub-registries for Latin America and such, but they aren't too hard to find.) Then you send an email with your logs or headers to the abuse contact and/or the administrative contact. They will know how to deal with the problem.

Yes, I know how to do this, but the point is that it's not *easy*. And even if I can be bothered doing all this, it will end up in a queue for the postmaster at the ISP who may or may not end up actually trawling the logs to figure out which user it was and notify them. More likely than not, the user will never realise they are harbouring the virus.

Jonathan
Re: Virus alert
On Fri, Aug 29, 2003 at 07:23:29PM -0400, [EMAIL PROTECTED] wrote:

> On Sat, 30 Aug 2003 00:10:50 +0200, A. Kremer [EMAIL PROTECTED] said:
>
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003
>
> And every single copy of Sobig-F goes out with the header:
>
> X-MailScanner: Found to be clean
>
> What's wrong with this picture?

Well, as the group that made MailScanner, we take the presence of that line as a great compliment by the virus writer :)

Aside: MailScanner (which is open source and free) is one of few gateway spam/virus detectors that can cater for those virii that forge email From: headers so that warnings do not erroneously go back to the forged sender. See www.mailscanner.info if you're interested.

Tim
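Two points in this thread lend themselves to a worked check: Jonathan's and Dean's exchange about crawling bounce headers to find the machine that actually sent the message before running a whois lookup, and Tim's point that a virus can carry its own "Found to be clean" header. The Python below is an added example, not code from any poster or from the MailScanner project. It walks the Received chain of a constructed, simplified copy of the original message headers (as one would recover them from a bounce's message/rfc822 part), separates the hop our own servers can vouch for from the origin the lower headers merely claim, and treats a scanner verdict as trustworthy only if it sits above the first Received line that one of our own hosts did not write. The hostnames, the list of "our" hosts and the RFC 5737 addresses are all constructed; where a real gateway inserts its verdict header is product-specific, so the "prepended above the existing headers" rule is an assumption to check against your own gateway.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not from the thread): the headers of the original
# message as they would be recovered from a bounce's message/rfc822 part.
# Hostnames are invented; addresses come from RFC 5737 documentation ranges.
SAMPLE_HEADERS = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP; Sat, 30 Aug 2003 00:10:50 +0200
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Sat, 30 Aug 2003 00:10:49 +0200
Received: from host-83.example-isp.net ([203.0.113.83])
\tby relay.example.net with SMTP; Sat, 30 Aug 2003 00:10:45 +0200
Received: from localhost (localhost [127.0.0.1])
\tby host-83.example-isp.net with SMTP; Sat, 30 Aug 2003 00:10:40 +0200
X-MailScanner: Found to be clean
From: someone@example.com
Subject: Wicked screensaver

"""

# Assumed: the hosts we operate. Received lines written "by" one of these
# are the only ones whose contents we can vouch for.
OUR_HOSTS = {"mail.example.org", "mx.example.org"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

# Loopback, RFC 1918 and link-local ranges a sending host may log about
# itself. Spelled out instead of using ipaddress.is_private, because
# is_private also covers the documentation ranges used in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_received(raw):
    """Return (from_ip, by_host) per Received line, newest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold and squeeze whitespace
        ip = IP_RE.search(text)
        by = BY_RE.search(text)
        hops.append((ip.group(1) if ip else None,
                     by.group(1).lower() if by else None))
    return hops


def trace_origin(raw, our_hosts=OUR_HOSTS):
    """Split the chain into what we can prove and what is merely claimed.

    Walking from the newest hop down, every line whose 'by' host is ours was
    written by us, so its 'from' IP is real; the last such IP is the external
    machine that handed the message to us (often just an unwitting relay).
    Lines below that were written by other people's servers or by the
    infected host itself and may be forged; the deepest non-local IP among
    them is only the *claimed* origin.
    """
    hops = parse_received(raw)
    last_verified = None
    for ip, by in hops:
        if by not in our_hosts:
            break
        last_verified = ip
    claimed = None
    for ip, _ in reversed(hops):
        if ip and not is_local(ip):
            claimed = ip
            break
    return {"last_verified_hop": last_verified, "claimed_origin": claimed}


def scanner_verdicts(raw, our_hosts=OUR_HOSTS, header="X-MailScanner"):
    """Return (verdict, trustworthy) for each scanner header in the message.

    Each hop prepends its headers, so a verdict is ours only if it appears
    above the first Received line that one of our hosts did not write; a
    verdict below that line arrived with the message and proves nothing.
    (Assumes the gateway inserts its header above the existing ones.)
    """
    msg = email.message_from_string(raw, policy=policy.default)
    passed_foreign_hop = False
    verdicts = []
    for name, value in msg.items():
        if name.lower() == "received":
            by = BY_RE.search(" ".join(str(value).split()))
            if not by or by.group(1).lower() not in our_hosts:
                passed_foreign_hop = True
        elif name.lower() == header.lower():
            verdicts.append((str(value).strip(), not passed_foreign_hop))
    return verdicts


if __name__ == "__main__":
    print(trace_origin(SAMPLE_HEADERS))
    print(scanner_verdicts(SAMPLE_HEADERS))
```

The address in `last_verified_hop` is the one to put into a whois query at the registries Dean lists, since it is the only machine our own logs prove handed us the message; `claimed_origin` is worth including in the report to the abuse contact, but as it was written by machines outside our control it remains a claim, which is exactly the "unwitting relay" situation Jonathan describes. The same ordering rule is why the forged "Found to be clean" header in the sample comes out as untrustworthy: it sits below Received lines we did not write.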
RE: Virus alert
Perhaps you are right, but I don't see any harm in warning people about possible viruses on their computer, even if it seems to be unnecessary. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fam. van den Berg
Sent: Friday 29 August 2003 23:54
To: [EMAIL PROTECTED]
Subject: FW: Virus alert
Importance: High

All,

Today I received 2 mails with the following subjects:

Wicked screensaver
Thank you!

The sender was [EMAIL PROTECTED], according to the header. This may indicate that this IETF mailing list is infected with the Sobig F virus. I recommend that all the participants on this list update their virus scanner and scan their computer for viruses.

With kind regards,
A. van den Berg, Netherlands

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003
RE: Virus alert
Ok... I sent this warning because I was concerned about possible unwanted effects on the list. Excuse me for the inconvenience. It won't happen again.

-----Original Message-----
From: David Morris [mailto:[EMAIL PROTECTED]]
Sent: Saturday 30 August 2003 0:11
To: A. Kremer
Subject: RE: Virus alert

I do ... sending such warnings just multiplies the effect of the virus.

On Sat, 30 Aug 2003, A. Kremer wrote:

> Perhaps you are right, but I don't see any harm in warning people about possible viruses on their computer, even if it seems to be unnecessary. :)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fam. van den Berg
> Sent: Friday 29 August 2003 23:54
> To: [EMAIL PROTECTED]
> Subject: FW: Virus alert
> Importance: High
>
> All,
>
> Today I received 2 mails with the following subjects:
>
> Wicked screensaver
> Thank you!
>
> The sender was [EMAIL PROTECTED], according to the header. This may indicate that this IETF mailing list is infected with the Sobig F virus. I recommend that all the participants on this list update their virus scanner and scan their computer for viruses.
>
> With kind regards,
> A. van den Berg, Netherlands
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.512 / Virus Database: 309 - Release Date: 19-8-2003