Re: FW: Virus alert

2003-09-02 Thread Dean Anderson


On Sun, 31 Aug 2003, Tim Chown wrote:

 On Sat, Aug 30, 2003 at 05:25:19PM -0400, Dean Anderson wrote:
 
  The Virus writer obviously went to some trouble to pick valid addresses.
  It stands to reason that they expect that someone is getting mail to these
  addresses.  It also stands to reason that the abuser expects those persons
  to get Virus notifications.

 I don't think so; isn't it more likely the writer wants the infection to
 spread, and the best chance for that is that the recipient sees a From:
 address that they recognise and trust, rather than [EMAIL PROTECTED],
 so they look at the content where they otherwise would be wary?

Your comments are true in general, but I don't think they take into
consideration the differences between this virus and the ones that go
through the address book. One can (more) easily get such valid, trusted,
familiar addresses from the address book. Many viruses do just that,
probably with just the purpose you mentioned. However, this virus is
different. It is using 'valid' addresses that aren't found in address
books--addresses that wouldn't be familiar to anyone, but are still valid.
There must be a reason why they would go to such trouble...

--Dean




Re: FW: Virus alert

2003-09-02 Thread Valdis . Kletnieks
On Sat, 30 Aug 2003 00:00:45 EDT, shogunx said:
 On Sat, 30 Aug 2003, Dean Anderson wrote:
 
  Open source kernels aren't immune. They just aren't at focus this time.
 
 If a worm is executing visual basic code, then i think i am pretty darn
 immune.

Google for the Lion worm, and quit smirking.  Like he said, the gun isn't
pointed at you THIS time.




Re: FW: Virus alert

2003-09-02 Thread Einar Stefferud
So far I have not seen one case of someone I know informing me that I 
have sent a message to them with a virus included.  They have all been from strangers, 
which is one reason they get trapped by my filters.

As best I can tell, all the to and from addresses are randomly selected.

Cheers...\Stef

At 0:52 +0100 8/31/03, Tim Chown wrote:
On Sat, Aug 30, 2003 at 05:25:19PM -0400, Dean Anderson wrote:
  
  The Virus writer obviously went to some trouble to pick valid addresses.
  It stands to reason that they expect that someone is getting mail to these
  addresses.  It also stands to reason that the abuser expects those persons
  to get Virus notifications.

I don't think so; isn't it more likely the writer wants the infection to
spread, and the best chance for that is that the recipient sees a From:
address that they recognise and trust, rather than [EMAIL PROTECTED],
so they look at the content where they otherwise would be wary?

I don't see a problem with notifications where the virus is known not to
forge the sender.

Tim






Re: FW: Virus alert

2003-08-31 Thread Tim Chown
On Sat, Aug 30, 2003 at 05:25:19PM -0400, Dean Anderson wrote:
 
 The Virus writer obviously went to some trouble to pick valid addresses.
 It stands to reason that they expect that someone is getting mail to these
 addresses.  It also stands to reason that the abuser expects those persons
 to get Virus notifications.

I don't think so; isn't it more likely the writer wants the infection to
spread, and the best chance for that is that the recipient sees a From:
address that they recognise and trust, rather than [EMAIL PROTECTED],
so they look at the content where they otherwise would be wary?

I don't see a problem with notifications where the virus is known not to
forge the sender.

Tim



Re: FW: Virus alert

2003-08-31 Thread shogunx
On Sat, 30 Aug 2003, Dean Anderson wrote:

 Open source kernels aren't immune. They just aren't at focus this time.

If a worm is executing visual basic code, then i think i am pretty darn
immune.



 Have fun with the sandwich. ;-)


It was wonderful.

   --Dean

 On Fri, 29 Aug 2003, shogunx wrote:

  On Sat, 30 Aug 2003, Dean Anderson wrote:
 
  How beautiful to be immune behind an open-source kernel;)  The rest of the
  world worries.  I eat a sandwich.
 
  Scott




sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/




Re: FW: Virus alert

2003-08-30 Thread Valdis . Kletnieks
On Fri, 29 Aug 2003 19:30:44 CDT, David Frascone [EMAIL PROTECTED]  said:

 'course, I probably get 25 e-mails a day telling me that I sent someone
 Sobig, which would be pretty impressive, since I run Suse :)

I should be so lucky.  I'm averaging almost that many AV-scanner alerts bouncing
to me an *hour*.  And inbound Sobig-F are above 1 per minute.

I still say we should have put this in the security considerations in RFC1341:

If you think you know how to secure active objects in e-mail, you are
probably very mistaken.  There be serious and nasty dragons here.

(with apologies to the authors of 'xterm').

On the other hand, maybe we didn't do THAT badly - I can only think of one
vendor that really didn't pay attention





Re: FW: Virus alert

2003-08-30 Thread shogunx
Can't we just hack the mailman configs to dump mails with X-sender value
of outlook or outlook express?  That would solve the problem, no;)

Scott



On Fri, 29 Aug 2003 [EMAIL PROTECTED] wrote:

 On Fri, 29 Aug 2003 19:30:44 CDT, David Frascone [EMAIL PROTECTED]  said:

  'course, I probably get 25 e-mails a day telling me that I sent someone
  Sobig, which would be pretty impressive, since I run Suse :)

 I should be so lucky.  I'm averaging almost that many AV-scanner alerts bouncing
 to me an *hour*.  And inbound Sobig-F are above 1 per minute.

 I still say we should have put this in the security considerations in RFC1341:

 If you think you know how to secure active objects in e-mail, you are
 probably very mistaken.  There be serious and nasty dragons here.

 (with apologies to the authors of 'xterm').

 On the other hand, maybe we didn't do THAT badly - I can only think of one
 vendor that really didn't pay attention



sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/




Re: FW: Virus alert

2003-08-30 Thread Valdis . Kletnieks
On Thu, 28 Aug 2003 22:14:26 EDT, shogunx said:
 Can't we just hack the mailman configs to dump mails with X-sender value
 of outlook or outlook express?  That would solve the problem, no;)

Well, the only problem with that idea is that we explicitly do *NOT* have a
Your clue must be -THIS- tall to ride the IETF list policy... ;)





Re: FW: Virus alert

2003-08-30 Thread Keith Moore
 I still say we should have put this in the security considerations in RFC1341:

It's pretty difficult to miss the ones that are already there - which certainly
would have been sufficient to stop Sobig had they been heeded.



RE: FW: Virus alert

2003-08-30 Thread Christian Huitema
 Can't we just hack the mailman configs to dump mails with X-sender
value
 of outlook or outlook express?  That would solve the problem, no;)
 
 Well, the only problem with that idea is that we explicitly do *NOT*
have  a Your clue must be -THIS- tall to ride the IETF list
policy... ;)

The Sobig worm includes its own SMTP code, and places arbitrary values
in the header fields. The source address is forged, and so are various
other fields, including X-Mailer. The worm finds target source and
destination addresses by reading files on the user's disk, not by using
a specific Outlook or OE API. It propagates by social engineering,
when users open some executable attachments. Users can click on
attachments with many mailers, not just Outlook and OE. In fact, the
latest versions of Outlook automatically strip such attachments.

-- Christian Huitema





RE: FW: Virus alert

2003-08-30 Thread shogunx
On Fri, 29 Aug 2003, Christian Huitema wrote:

  Can't we just hack the mailman configs to dump mails with X-sender
 value
  of outlook or outlook express?  That would solve the problem, no;)
 
  Well, the only problem with that idea is that we explicitly do *NOT*
 have  a Your clue must be -THIS- tall to ride the IETF list
 policy... ;)

 The Sobig worm includes its own SMTP code, and places arbitrary values
 in the header fields.

You mean to say that there is a full MTA tucked away in there?


 The source address is forged, and so are various
 other fields, including X-Mailer.

Perhaps you misunderstood my intentions.  My intentions associated with
this post had nothing to do with the worm.


 The worm finds target source and
 destination addresses by reading files on the user's disk, not by using
 a specific Outlook or OE API. It propagates by social engineering,
 when users open some executable attachments.

Since when is social engineering a desktop activity.  The last time I
checked, social engineering was along the lines of thank you for the shiny
new job, now i'm going to hide a rogue server on your network.

 Users can click on
 attachments with many mailers, not just Outlook and OE. In fact, the
 latest versions of Outlook automatically strip such attachments.


I'm glad I don't have to click on my mail.


 -- Christian Huitema




sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/




RE: FW: Virus alert

2003-08-30 Thread Christian Huitema

  Can't we just hack the mailman configs to dump mails with X-sender
 value
  of outlook or outlook express?  That would solve the problem, no;)
 
  Well, the only problem with that idea is that we explicitly do
*NOT*
 have  a Your clue must be -THIS- tall to ride the IETF list
 policy... ;)

 The Sobig worm includes its own SMTP code, and places arbitrary
values
 in the header fields.

 You mean to say that there is a full MTA tucked away in there?

Yes. Maybe not a full MTA, but definitely enough to format messages and
execute SMTP. The common assumption is that Sobig was written by one or
several criminals, with the purpose of installing a network of mail
relay zombies, and then to sell the services of this network of
zombies to spammers. The same SMTP agent is probably also used to send
spam from the zombies. If you compare the headers of mail generated by
the worm and those of random spam, you will find that they are very
similar. 

There is another link between Sobig and spam. It appears that these
networks of zombies are used in denial of service attacks against
anti-spam services. 

By the way, the worm does not only include its own SMTP service. It
seems to also include its own DNS code, probably in order to get the MX
records of its targets. This DNS agent is parameterized to start any
look-up at the A-root, with the side effect of overloading this root
server.

-- Christian Huitema
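Christian's description of the worm's resolver starting every lookup at the A-root suggests a network-side check that does not depend on any forgeable mail header: a workstation that sends its own MX queries straight to a root server, instead of to the site resolver, is behaving like the worm's built-in DNS agent. The following is an added example, not code from anyone in this thread, that runs that check over a few constructed outbound-UDP/53 flow-log lines. The internal address range, the site resolver address and the root-server address are assumptions (the last is the a.root-servers.net entry; a real deployment would load the whole root hints list).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site facts: internal address space, the resolver workstations are
# supposed to use, and the root server the thread discusses (a.root-servers.net).
INTERNAL_NET = ip_network("10.0.0.0/8")
SITE_RESOLVERS = {ip_address("10.0.0.53")}
ROOT_SERVERS = {ip_address("198.41.0.4")}

# Constructed flow-log lines for outbound DNS (made up for this example).
SAMPLE_LOG = """\
2003-08-30T10:00:01 src=10.1.2.3 dst=10.0.0.53 dport=53 qname=example.org qtype=MX
2003-08-30T10:00:02 src=10.1.2.7 dst=198.41.0.4 dport=53 qname=example.net qtype=MX
2003-08-30T10:00:02 src=10.1.2.7 dst=198.41.0.4 dport=53 qname=example.com qtype=MX
2003-08-30T10:00:03 src=10.1.2.7 dst=198.41.0.4 dport=53 qname=example.edu qtype=MX
2003-08-30T10:00:04 src=10.1.2.9 dst=203.0.113.53 dport=53 qname=example.org qtype=A
2003-08-30T10:00:05 src=10.0.0.53 dst=198.41.0.4 dport=53 qname=example.org qtype=A
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=53 qname=(\S+) qtype=(\S+)")


def parse_line(line):
    """Return (src, dst, qname, qtype) for one log line, or None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, qname, qtype = m.groups()
    return ip_address(src), ip_address(dst), qname, qtype


def classify(src, dst, qtype):
    """Category for one outbound query, or None when it is expected traffic."""
    if src not in INTERNAL_NET or src in SITE_RESOLVERS:
        return None            # the site resolver itself may talk to the roots
    if dst in SITE_RESOLVERS:
        return None            # workstation using the resolver it was given
    if dst in ROOT_SERVERS:
        return "root_mx" if qtype == "MX" else "root_other"
    return "bypass"            # some other outside server: resolver bypass


def find_suspects(log_text, mx_threshold=3):
    """Group findings per internal host. Several MX lookups sent directly to a
    root server is the strongest signal; any resolver bypass is still listed."""
    counts = defaultdict(lambda: {"root_mx": 0, "root_other": 0, "bypass": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _qname, qtype = parsed
        category = classify(src, dst, qtype)
        if category:
            counts[str(src)][category] += 1
    report = {}
    for host, c in counts.items():
        if c["root_mx"] >= mx_threshold:
            verdict = "likely mass-mailer"
        elif c["root_mx"] or c["root_other"]:
            verdict = "direct root queries"
        else:
            verdict = "resolver bypass"
        report[host] = (verdict, c)
    return report


if __name__ == "__main__":
    for host, (verdict, c) in find_suspects(SAMPLE_LOG).items():
        print(host, verdict, c)
```

The threshold is deliberately low because a legitimate workstation has no reason to query a root server at all; tune it against the site's own baseline before acting on the "likely mass-mailer" verdict.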




Re: FW: Virus alert

2003-08-30 Thread Zefram
Christian Huitema wrote:
By the way, the worm does not only include its own SMTP service. It
seems to also include its own DNS code, probably in order to get the MX
records of its targets. This DNS agent is parameterized to start any
look-up at the A-root, with the side effect of overloading this root
server.

Does this mean we can stop the virus and associated spam just by switching
off the A root?

-zefram



RE: FW: Virus alert

2003-08-30 Thread Christian Huitema
 By the way, the worm does not only include its own SMTP service. It
 seems to also include its own DNS code, probably in order to get the
MX
 records of its targets. This DNS agent is parameterized to start any
 look-up at the A-root, with the side effect of overloading this root
 server.

 Does this mean we can stop the virus and associated spam just by
switching
 off the A root?

I would suggest that you engage in serious testing before trying
anything like that! 

-- Christian Huitema




RE: FW: Virus alert

2003-08-30 Thread Vernon Schryver
 From: Christian Huitema [EMAIL PROTECTED]

 ...
 Yes. Maybe not a full MTA, but definitely enough to format messages and
 execute SMTP. ...

What do you mean by execute SMTP?  Does it interpret and respond to
SMTP response codes to its SMTP commands or just open a TCP connection
and send a largely constant handful of lines of text before the first
header line?  The samples I've captured have pretty rudimentary SMTP
envelopes.

 ...
 By the way, the worm does not only include its own SMTP service. It
 seems to also include its own DNS code, probably in order to get the MX
 records of its targets. ...

That would be far more impressive, although given the many resolver
libraries available, nothing to write home about.


Vernon Schryver[EMAIL PROTECTED]



Re: FW: Virus alert

2003-08-30 Thread Dean Anderson


On Fri, 29 Aug 2003, David Frascone wrote:

 With the current virii usually forging the from field with random
 addresses from its victim's address book, I turned off my virus
 scanner's warning to the senders . . I only send a polite note to the
 intended recipient.

Don't do that. That is quite likely what the Virus writer wants you to do:
Stop notifying people about infections.  The worst that happens is that
people get notifications, and update their anti-virus, which finds
nothing.  The best that happens is that the headers included in such a
notification reveal the IP address of an infected zombie.

Also, in the current cases, I don't think the addresses are taken from
address books.  I'm getting responses to addresses that haven't been used
for email and addresses that haven't been used in years. Certainly, these
aren't in anyone's address book.  In one case, the address is on a little
used web site (but even spammers rarely spam it, and in another, its in a
reasonably public area, but not used)

The Virus writer obviously went to some trouble to pick valid addresses.
It stands to reason that they expect that someone is getting mail to these
addresses.  It also stands to reason that the abuser expects those persons
to get Virus notifications.

Most probably, virus notifications tend to frustrate the purposes of
the Virus operator, since the infected will not stay infected. It seems
possible that the virus operators are trying to manipulate people to stop
sending or responding to virus notifications.

In past cases, the forged from address was the target of the abuse: the
abuser hoped to have people block mail with the common from address, thus
getting some measure of revenge on that person.  Most people have
filtering on From: addresses for this reason.

The best thing to do in response to such an attack is to do things that
frustrate purposes the abuser, catch the abuser, or nothing at all.
Never succumb to what might be a desired manipulation--That only
encourages more abuse.


--Dean
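Dean's point that the headers included in a notification reveal the infected zombie's IP address, taken together with Christian's point earlier in the thread that the worm forges From: and X-Mailer, says which headers are worth reading: only the Received: lines written by relays you operate. The following is an added example, not code from anyone in this thread, that walks those lines from the newest hop downward and stops at the first client outside your own networks. The relay hostnames, the trusted network range and the sample headers are all constructed.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumed site facts: the relays we run (only Received lines they wrote are
# trusted) and the networks they sit on.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample: the original message's headers as quoted back in an
# AV-scanner notice. The bottom Received line, From: and X-Mailer were
# produced by the sender's own SMTP code and are not to be trusted.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <[email protected]>; Sat, 30 Aug 2003 10:00:01 -0400
Received: from dsl-pool-77.example.org (unknown [203.0.113.77])
\tby mx1.example.net (Postfix) with SMTP id 4D5E6F
\tfor <[email protected]>; Sat, 30 Aug 2003 10:00:00 -0400
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby relay.example.com with SMTP; Sat, 30 Aug 2003 09:59:58 -0400
From: [email protected]
To: [email protected]
Subject: Re: Details
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

(body omitted)
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)\s*\(([^)]*)\)", re.S)
BY_RE = re.compile(r"\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(received):
    """Return (client_ip, by_host) from one Received header value, or None."""
    m_from = FROM_RE.search(received)
    m_by = BY_RE.search(received)
    if not (m_from and m_by):
        return None
    m_ip = IP_RE.search(m_from.group(2))
    if not m_ip:
        return None
    return m_ip.group(1), m_by.group(1)


def find_injecting_ip(raw_headers):
    """Walk Received lines newest-first through our own relays and return the
    first client address outside our networks: the machine that handed the
    message to us. Anything below that hop may be forged and is not read."""
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None:
            return None            # unparsable hop: chain of custody broken
        client_ip, by_host = hop
        if by_host not in TRUSTED_HOSTS:
            return None            # header not written by us: cannot trust it
        if not any(ip_address(client_ip) in net for net in TRUSTED_NETS):
            return client_ip       # first hop from outside our infrastructure
    return None                    # message never came from outside


def summarize(raw_headers):
    """Pair the trustworthy origin IP with the claimed (untrustworthy) sender."""
    msg = message_from_string(raw_headers)
    return {
        "origin_ip": find_injecting_ip(raw_headers),
        "claimed_from": msg.get("From"),
        "claimed_mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))
```

The origin address is what you would report to the owner of the infected host; the claimed From: and X-Mailer are kept only to show how little they agree with it.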





Re: FW: Virus alert

2003-08-30 Thread shogunx
On Sat, 30 Aug 2003, Dean Anderson wrote:

How beautiful to be immune behind an open-source kernel;)  The rest of the
world worries.  I eat a sandwich.

Scott




 On Fri, 29 Aug 2003, David Frascone wrote:

  With the current virii usually forging the from field with random
  addresses from its victim's address book, I turned off my virus
  scanner's warning to the senders . . I only send a polite note to the
  intended recipient.

 Don't do that. That is quite likely what the Virus writer wants you to do:
 Stop notifying people about infections.  The worst that happens is that
 people get notifications, and update their anti-virus, which finds
 nothing.  The best that happens is that the headers included in such a
 notification reveal the IP address of an infected zombie.

 Also, in the current cases, I don't think the addresses are taken from
 address books.  I'm getting responses to addresses that haven't been used
 for email and addresses that haven't been used in years. Certainly, these
 aren't in anyone's address book.  In one case, the address is on a little
 used web site (but even spammers rarely spam it, and in another, its in a
 reasonably public area, but not used)

 The Virus writer obviously went to some trouble to pick valid addresses.
 It stands to reason that they expect that someone is getting mail to these
 addresses.  It also stands to reason that the abuser expects those persons
 to get Virus notifications.

 Most probably, virus notifications tend to frustrate the purposes of
 the Virus operator, since the infected will not stay infected. It seems
 possible that the virus operators are trying to manipulate people to stop
 sending or responding to virus notifications.

 In past cases, the forged from address was the target of the abuse: the
 abuser hoped to have people block mail with the common from address, thus
 getting some measure of revenge on that person.  Most people have
 filtering on From: addresses for this reason.

 The best thing to do in response to such an attack is to do things that
 frustrate purposes the abuser, catch the abuser, or nothing at all.
 Never succumb to what might be a desired manipulation--That only
 encourages more abuse.


   --Dean





sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/




Re: FW: Virus alert

2003-08-30 Thread Dean Anderson
Open source kernels aren't immune. They just aren't at focus this time.

Have fun with the sandwich. ;-)

--Dean

On Fri, 29 Aug 2003, shogunx wrote:

 On Sat, 30 Aug 2003, Dean Anderson wrote:

 How beautiful to be immune behind an open-source kernel;)  The rest of the
 world worries.  I eat a sandwich.

 Scott