Re: Novarg

mgotts_at_2roads.com
Date: 01/30/04

  • Next message: Smith, David: "RE: Novarg"
    To: Robin Sheat <robin@kallisti.net.nz>
    Date: Fri, 30 Jan 2004 10:45:11 -0800
    
    

    > If that is what is going on, it is a cunning ploy to get the worm
    > instance to have another go at getting to a real person's inbox. It also
    > explains why so many copies that I get are 'unknown user' bounces (as
    > opposed to stupid virus scanner "you are infected, and here is a copy of
    > what you sent for good measure" bounces).
    >

    The 'unknown user' bounces are part of the intentional design of the worm,
    which it uses as a distribution method.

    In the worm's repertoire of attack methods is one that looks like a
    dictionary attack. We get thousands of attempts a day for
    'bill@ourdomain.com', 'tom@ourdomain.com', 'linda@ourdomain.com',
    'matt@ourdomain.com', 'jose@ourdomain.com', 'leo@ourdomain.com', etc.
    While there are a handful of different addresses, it is way too small of a
    list to be a dictionary attack. Instead, these are intentionally meant to
    bounce (in most cases, anyway) so that a *legitimate* bounce message then
    returns the email to a forged 'From' address.

    The worm is trying to bounce the messages to have the delivery come from a
    legit mail server with what it hopes to be a package that arouses the
    curiosity of the 'sender' ("hey, I don't remember sending this..."). The
    bounces are not just coincidental attempts at dead addresses it found on
    some infected PC. The addresses are coded into the worm. Smart stuff.
    Evil, but smart.

    As for the 'lower priority MX record being tried first' theory, well,
    maybe. However, the mail server at our lower-priority MX record is
    unavailable, and has been for months (it's intentional). Yet we've seen
    plenty of all the different distribution types from this worm. So,
    although my 'proof' is a statistically insignificant sample of one, we are
    the example where the lower-priority MX record points to a dead end. Yet
    I've got 1,000 copies of the worm I can show you, having arrived directly,
    and by returns from antivirus scans, and by returns to 'user unknown'.

    -- Mark
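An added example (not part of the original post or thread) of how a mail admin could tell the two patterns Mark describes apart from reject logs: the worm's short fixed list of local-parts hit over and over with forged senders from many domains, versus a true dictionary attack with many distinct local-parts. The log format, the sample lines, the helper names and the thresholds are constructed assumptions for this example.

```python
import re
from collections import Counter
# Constructed, Postfix-styled "User unknown" rejection line (not from the post).
REJECT_RE = re.compile(
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown;"
    r" from=<(?P<sender>[^>]*)>"
)

def parse_rejects(log_text):
    """Return (recipient local-part, sender domain) for each rejection line."""
    pairs = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            local = m.group("rcpt").split("@", 1)[0].lower()
            sender_dom = m.group("sender").rsplit("@", 1)[-1].lower()
            pairs.append((local, sender_dom))
    return pairs

def classify(pairs, max_fixed_list=20, min_hits=50):
    """Bounce abuse: few fixed local-parts hit repeatedly, forged senders over
    more domains than names. Dictionary attack: many distinct local-parts."""
    locals_ = Counter(local for local, _ in pairs)
    sender_doms = {dom for _, dom in pairs}
    total = sum(locals_.values())
    if total < min_hits:
        verdict = "insufficient data"
    elif len(locals_) <= max_fixed_list and len(sender_doms) > len(locals_):
        verdict = "fixed-list bounce abuse"
    elif len(locals_) > max_fixed_list:
        verdict = "dictionary attack"
    else:
        verdict = "unclassified"
    return {"total": total, "distinct_locals": len(locals_),
            "sender_domains": len(sender_doms), "verdict": verdict}

def _line(rcpt, sender):
    # One constructed rejection line in the format REJECT_RE expects.
    return (f"Jan 30 10:00:00 mx postfix/smtpd[1]: NOQUEUE: reject: RCPT from "
            f"unknown[192.0.2.1]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown; from=<{sender}>")

# Constructed: the six names from the post, each tried 20 times, every attempt
# carrying a forged sender from a different domain (the pattern Mark describes).
WORM_NAMES = ["bill", "tom", "linda", "matt", "jose", "leo"]
WORM_LOG = "\n".join(_line(f"{WORM_NAMES[i % 6]}@ourdomain.com",
                           f"victim@forged{i}.example") for i in range(120))
# Constructed: a dictionary attack guessing 120 different local-parts.
DICT_LOG = "\n".join(_line(f"guess{i}@ourdomain.com", "x@attacker.example") for i in range(120))
```

The sample lines are 5xx rejections at RCPT time; a server that rejects unknown users this way never accepts the message, so it never generates the 'user unknown' bounce that carries the worm back to the forged sender. That bounce is only produced by MTAs that accept the message first and send a DSN afterwards.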

