Re: Finding the Swen Source by Inspecting Msg Headers

From: Matt Scarborough (vexversa_at_verizon.net)
Date: 09/27/03


Date: Sat, 27 Sep 2003 19:01:04 +0000


On Sat, 27 Sep 2003 16:15:22 GMT, W. Watson wrote
<3F75B7AA.9967DCF6@earthlink.net>
> Yep, done that on NS 4.76 but wasn't quite sure if I was getting all the
> details. The important question though is whether Swen or other virus/worms
> disguise themselves, so it becomes pointless to look at the headers?

In some very specific circumstances, the source of W32/Swen@MM can be
determined with some degree of probability. There are some variables beyond
W32/Swen@MM that affect this.

Meaning, what is pumped into an SMTP server by a worm may not always correlate
to what every user expects to see in her POP3 mailbox and message headers.
There are miles and miles of ether between the two as well as a myriad of
servers and SPAM filters and privacy filters, etc.

But, when a Swen infected user succumbs to the fake "MAPI32 Exception" dialog
box asking for the MAPI details
http://www.f-secure.com/v-descs/swen.shtml
and that victim enters her credentials and SMTP server information,
W32/Swen@MM will use that information in the SMTP command "MAIL FROM"

As in this example

220 ESMTP server ready
MAIL FROM: <swen@victim.invalid>

In the example <swen@victim.invalid> may have been entered by the victim in
the fake "MAPI32 Exception" dialog box, or pulled from that victim's Registry
by W32/Swen@MM. The same method can be true for her SMTP server hostname.

So, in very general terms, we expect to see this same data in received e-mail
headers as

"Return-Path: <swen@victim.invalid>"

and the "victim.invalid" domain will also appear in the

Received: from SERVER ([192.168.0.0]) by SERVER01.victim.invalid with
Microsoft SMTPSVC(5.0.2195.5329);

to add a tiny bit of correlation as well.

NONE of this information can be relied on as evidence of any kind to point a
finger or nastygram at a user. But, it is how W32/Swen@MM is coded as
confirmed by
http://www.lurhq.com/

Since all of the headers in a received e-mail can be forged by a remote
attacker, it would be just as easy as Swen for a malicious third-party to send
an email that by all appearances "proved" that <swen@victim.invalid> was
infected. That "proof" would be wrong.

If we remove that possibility though, we can have some small level of
certainty that indeed <swen@victim.invalid> is probably infected with Swen.

A good antivirus scan run on swen@victim.invalid would be a far better
indicator.

Matt Scarborough 2003-09-27

> Br0wnbear wrote:
>
> > If you are using outlook express
> > Click on the properties of the message.
> > Hmm mozilla 4.75
> > Then select Details.
> > Then Message Source.
> > Outlook is a little different.
> > If it is a different email program. Then try the help section.
> > HTH
> >
> > jbrown
> > brownbearat@canadadotcom
> >
> > remove the at and the dot ;)
> >
> > "W. Watson" <sierra_mtnviews@earthlink.net> wrote in message
> > news:3F75827C.2A26A04E@earthlink.net...
> > > Is there a tool that one can apply to messages that are from Swen that
> > will allow me to inspect the
> > > message header to determine what IP originated the Message? About 80
> > friends and colleagues have my
> > > e-mail address in their address books. I was able to determine by sheer
> > luck one of them had swen.
> > > He removed it but someone else has it too, and likely another worm. It may
> > > be that Swen disguises
> > > its IP address when it sends a message from a hijacked computer. Anyone
> > know?
> > >
> > > --
> > > Wayne T. Watson (121.015 Deg. W, 39.262 Deg. N, 2,701 feet, Nevada City, CA)
> > > -- GMT-8 hr std. time, RJ Rcvr 39° 8' 0" N, 121° 1' 0" W
> > >
> > > Remember to drink an adequate amount of dihydrogen oxide each
> > day.
> > >
> > > Web Page: <home.earthlink.net/~mtnviews>
> > > Imaginarium Museum:
> > <home.earthlink.net/~mtnviews/imaginarium.html>
> > >
> > >
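The correlation Matt describes (the worm's "MAIL FROM" surfacing as Return-Path, and the victim's SMTP hostname surfacing in a Received "by" clause) can be checked mechanically. The script below is an added example written for this archive page, not code from the original thread or from any of the vendors linked above. It parses a constructed sample message (all hostnames and addresses use the reserved .invalid TLD and documentation/private IP ranges), extracts the Return-Path domain and each Received hop, and reports which hops were stamped by a server in that domain. It also flags hop IPs that are not globally routable, which is often the case for the internal hop a worm adds before the mail leaves the victim's network. As the post stresses, anything below the hop your own provider added is attacker-controllable text, so the output is a triage hint and not proof of infection.

```python
"""Correlate an e-mail's Return-Path with its Received chain.

Added example for this thread; not code from the original post.  Assumes the
header layout described there: the worm's MAIL FROM shows up as Return-Path
and the victim's SMTP hostname shows up in a Received "by" clause.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample message.  Hostnames, addresses and IPs are placeholders
# (.invalid TLD, RFC 5737 documentation range, RFC 1918 private range).
SAMPLE_MESSAGE = """\
Return-Path: <swen@victim.invalid>
Received: from mx.example.invalid ([203.0.113.7])
    by pop.example.invalid with ESMTP; Sat, 27 Sep 2003 19:01:04 +0000
Received: from SERVER ([192.168.0.0]) by SERVER01.victim.invalid with
    Microsoft SMTPSVC(5.0.2195.5329); Sat, 27 Sep 2003 18:59:12 +0000
From: <swen@victim.invalid>
To: <you@example.invalid>
Subject: constructed sample

(body omitted)
"""

# One Received clause of the form "from <host> ([<ip>]) by <host> with ...".
# The IP part is optional because not every MTA records it.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"
    r"(?:\s*\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\))?"
    r".*?\bby\s+(?P<by_host>\S+)"
)


def parse_received(value):
    """Return (from_host, ip_or_None, by_host) for one Received header.

    Folded continuation lines are collapsed to single spaces first so the
    regex sees one logical line.  Returns None if the clause is not parseable.
    """
    match = _RECEIVED_RE.search(" ".join(value.split()))
    if not match:
        return None
    return (match.group("from_host"), match.group("ip"),
            match.group("by_host").rstrip(";"))


def _host_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def correlate_return_path(raw_message):
    """Parse raw_message and relate its Return-Path domain to each Received hop.

    Returns a dict with the bare Return-Path address, its domain, one record
    per Received hop (topmost header first, i.e. most recent hop first) and
    the list of "by" hosts that fall inside the Return-Path domain.
    """
    msg = email.message_from_string(raw_message)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    domain = return_path.rsplit("@", 1)[1].lower() if "@" in return_path else ""

    hops = []
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        from_host, ip, by_host = parsed
        ip_is_global = None  # unknown when no IP was recorded
        if ip:
            try:
                ip_is_global = ipaddress.ip_address(ip).is_global
            except ValueError:
                ip_is_global = None  # garbage where an address should be
        hops.append({
            "from": from_host,
            "ip": ip,
            "ip_is_global": ip_is_global,
            "by": by_host,
            "by_matches_return_path": bool(domain) and _host_in_domain(by_host, domain),
        })

    return {
        "return_path": return_path,
        "domain": domain,
        "hops": hops,
        "correlated_hops": [h["by"] for h in hops if h["by_matches_return_path"]],
    }


if __name__ == "__main__":
    report = correlate_return_path(SAMPLE_MESSAGE)
    print("Return-Path domain:", report["domain"])
    for hop in report["hops"]:
        print("  from %-20s ip=%-14s global=%-5s by %s%s" % (
            hop["from"], hop["ip"], hop["ip_is_global"], hop["by"],
            "  <-- in Return-Path domain" if hop["by_matches_return_path"] else ""))
```

Run as a script it prints one line per hop; the hop stamped by SERVER01.victim.invalid is marked as sitting inside the Return-Path domain, and its 192.168.0.0 source address is reported as non-global. The "from" host and IP of the bottom hop are exactly what a forger would write, so the only line a recipient can trust is the one added by a server they know.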
