Swen and bounces...

From: N. Miller (duh_at_blackhole.aosake.net)
Date: 05/08/04


Date: Fri, 7 May 2004 19:24:21 -0700

I am just trying to understand something about the way that Swen works. I
currently have an 'A' record for the third level domain showing in my
"From:" address; DNS points it to a 'localhost' address. I understand that
this presents some problems, and was doing some tests on transaction filters
in my MTA. What I saw intrigued me. The results of my test were discouraging
because what actually happened did not correspond with my expectations. But
I did catch a number of connection attempts which I miss when the 'A' record
is set to 127.168.102.254.

For this discussion, I am only assuming that the messages in the log contain
W32.Swen.A@mm; the messages were refused, the payload not delivered. But the
log seems consistent with the description of Swen delivery.

Most were similar to this example from the MTA connection log:

> T 20040507 180212 409bcd8e Connection from 68.168.78.178
> T 20040507 180213 409bcd8e EHLO mta2.adelphia.net
> T 20040507 180214 409bcd8e MAIL FROM:<,,,,@adelphia.net> SIZE=159697
> T 20040507 180217 409bcd8e RCPT TO:<local.part@blackhole.aosake.net>
> E 20040507 180217 409bcd8e RCPT from 68.168.78.178 - user <local.part@blackhole.aosake.net> not known.
<Some RSETs, and another RCPT TO: snipped>
> T 20040507 180224 409bcd8e QUIT
> T 20040507 180224 409bcd8e Connection closed with 68.168.78.178, 12 sec. elapsed.

I had assumed that Swen, like other viruses, was sending forged envelope
sender addresses (MAIL FROM: in the example above), yet this log example
shows that the envelope sender actually matches the source. Of course, I
knew that Swen, unlike other viruses, often (apparently mostly, judging by
the examples I have) uses the SMTP server of the infected user's ISP.

This has caused me to wonder: should I keep the domain 'A' record pointing
to my real IP address? I would wind up with several hundred, perhaps even a
thousand, log entries per day. All such entries are delivery refusals; the
line beginning with 'E' is a rejection; the virus was not actually delivered
here. But the ISP's MTA, "mta2.adelphia.net", would return the message to
",,,,@adelphia.net", probably with the virus intact. If that email address
is a forgery, then somebody at Adelphia is infected with Swen.

If the 'A' record points to my IP address, my MTA will refuse delivery. For
viruses sending directly from the infected computer there will be no bounce.
The viral SMTP engine has no reason to send a bounce, nor any destination.
For spam there will be no bounce. The spammer's software may record the 5xx
reject code, or not, but there is no reason for the spammer to bounce it
anywhere.

But for Swen, coming through an ISP's MTA, there will be a bounce; the ISP's
MTA will return the email to the envelope sender. In my example,
,,,,@adelphia.net should see a bounce from MAILER-DAEMON, postmaster, or
whatever role account handles bounces for Adelphia.

Can anybody ascertain for certain if Swen forges the sender? As a user of
Symantec's NAV 2003, I went to their response center site, here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

...and part of the description of Swen is this:

"9. Adds the values:

    * "CacheBox Outfit"="yes"
    * "ZipName"="<random>"
    * "Email Address"="<The current users email address that the worm retrieves from the registry>"
    * "Server"="<The IP address of the SMTP server that the worm retrieves from the registry>"
    * "Mirc Install Folder"="<location of mirc client on system>"
    * "Installed"="...by Begbie"
    * "Install Item"="<random>"
    * "Unfile"="<random>"

      to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\*

      where * is a random set of letters."

It sure looks like the actual infected user's email address is being used,
though nowhere on this page is that explicitly mentioned. It appears that,
in the case of Swen, the bounce will go to the right place.

And a note for those of you getting bounces: you might want to examine them.
After I reset the DNS 'A' record for my 'blackhole' third level domain, I
sent a message to sbcy@blackhole.aosake.net from a Hotmail account. This is
what came back from Hotmail:

> X-Message-Info: HIwbeuzhQ4Y=
> Received: from hotmail.com ([207.68.164.196]) by mc10-f4.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
> Fri, 7 May 2004 18:36:39 -0700
> From: postmaster@mail.hotmail.com
> To: ,,,,@hotmail.com
> Date: Fri, 7 May 2004 18:16:36 -0700
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
> boundary="9B095B5ADSN=_01C4321B8992C72400009DEBhotmail.com"
> Message-ID: <P7U7F3FG300005892@hotmail.com>
> Subject: Delivery Status Notification (Failure)
> Return-Path: <>
> X-OriginalArrivalTime: 08 May 2004 01:36:39.0776 (UTC) FILETIME=[E8C19600:01C4349C]
>
> This is a MIME-formatted message.
> Portions of this message may be unreadable without a MIME-capable mail program.
>
> --9B095B5ADSN=_01C4321B8992C72400009DEBhotmail.com
> Content-Type: text/plain; charset=unicode-1-1-utf-7
>
> This is an automatically generated Delivery Status Notification.
>
> Delivery to the following recipients failed.
>
> sbcy@blackhole.aosake.net
>
>
>
>
> --9B095B5ADSN=_01C4321B8992C72400009DEBhotmail.com
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns;hotmail.com
> Received-From-MTA: dns;mail.hotmail.com
> Arrival-Date: Fri, 7 May 2004 18:16:36 -0700
>
> Final-Recipient: rfc822;sbcy@blackhole.aosake.net
> Action: failed
> Status: 5.7.3
> Diagnostic-Code: smtp;505 5.7.3 Client was not authenticated

This comprises the full headers of the bounce, generated by the Hotmail
system. Aosake.net did not even see the message; DNS failed to find a
destination and Hotmail returned the message as undeliverable.

This message also contains the transcript, where the Hotmail system
describes the nature of the failure; not 'address unknown', but 'Client not
authenticated', presumably Hotmail's way of saying it couldn't find a
deliverable destination host in the DNS system.

If you get such a bounce from your own mail service, you might do well to
check your computer for W32.Swen.A@mm.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
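
As an added example (not part of the original post, nor any tool the poster used), here is how a practitioner might triage the two artifacts quoted above in Python: group the MTA connection log into SMTP sessions and apply the post's reasoning (a 5xx reject turns into a bounce only when the connecting host is the envelope sender's own ISP MTA, approximated here by the EHLO name and the MAIL FROM domain sharing a registered domain), and pull the per-recipient fields out of a multipart/report bounce with the standard library's email parser. The sample log lines and the sample DSN are constructed to mirror the quoted ones; the second log session, its addresses, its session id and the MIME boundary string are invented, and the two-label "registered domain" rule is an assumption that is good enough for the hostnames in the post.

```python
"""Triage of the two SMTP artifacts quoted in the post: the MTA connection
log and the Hotmail DSN.  Added example, not code from the original post."""
import email
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post.  Session 409bcd8e
# mirrors the quoted one; session 409bd001 (a direct send from a host that
# is not an ISP relay) is invented for contrast.
SAMPLE_LOG = """\
T 20040507 180212 409bcd8e Connection from 68.168.78.178
T 20040507 180213 409bcd8e EHLO mta2.adelphia.net
T 20040507 180214 409bcd8e MAIL FROM:<,,,,@adelphia.net> SIZE=159697
T 20040507 180217 409bcd8e RCPT TO:<local.part@blackhole.aosake.net>
E 20040507 180217 409bcd8e RCPT from 68.168.78.178 - user <local.part@blackhole.aosake.net> not known.
T 20040507 180224 409bcd8e QUIT
T 20040507 181000 409bd001 Connection from 192.0.2.10
T 20040507 181001 409bd001 EHLO pc-home.example
T 20040507 181002 409bd001 MAIL FROM:<victim@example.net> SIZE=150000
T 20040507 181003 409bd001 RCPT TO:<bob@blackhole.aosake.net>
E 20040507 181003 409bd001 RCPT from 192.0.2.10 - user <bob@blackhole.aosake.net> not known.
T 20040507 181004 409bd001 QUIT
"""

# Log line layout as quoted: flag (T transcript / E error), date, time, session id, text.
LOG_RE = re.compile(r"^(?P<flag>[TE]) \d{8} \d{6} (?P<sid>[0-9a-f]+) (?P<text>.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")


def _new_session():
    return {"client": None, "ehlo": None, "mail_from": None, "rcpt_to": [], "rejected": []}


def parse_sessions(log_text):
    """Group log lines by session id and pull out the SMTP envelope."""
    sessions = defaultdict(_new_session)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s, text = sessions[m["sid"]], m["text"]
        upper = text.upper()
        if text.startswith("Connection from "):
            s["client"] = text.split()[-1]
        elif upper.startswith(("EHLO ", "HELO ")):
            s["ehlo"] = text.split(None, 1)[1].strip()
        elif upper.startswith("MAIL FROM:"):
            s["mail_from"] = ADDR_RE.search(text).group(1)
        elif upper.startswith("RCPT TO:"):
            s["rcpt_to"].append(ADDR_RE.search(text).group(1))
        elif m["flag"] == "E":
            s["rejected"].append(text)  # the MTA's rejection line
    return dict(sessions)


def registered_domain(host):
    """Last two labels ('mta2.adelphia.net' -> 'adelphia.net').  Assumption:
    adequate for the ISP hostnames in the post; a real tool would consult
    the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def bounce_expected(session):
    """The post's reasoning: a reject only turns into a bounce when the
    client is a real MTA relaying for the envelope sender.  Heuristic used
    here: the EHLO host and the MAIL FROM domain share a registered domain."""
    if not (session["rejected"] and session["mail_from"] and session["ehlo"]):
        return False
    sender_domain = session["mail_from"].rpartition("@")[2]
    return registered_domain(session["ehlo"]) == registered_domain(sender_domain)


# Constructed sample mirroring the Hotmail DSN quoted in the post (boundary invented).
SAMPLE_DSN = """\
From: postmaster@mail.hotmail.com
To: ,,,,@hotmail.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="DSNBOUNDARY"
Return-Path: <>

--DSNBOUNDARY
Content-Type: text/plain

Delivery to the following recipients failed.

sbcy@blackhole.aosake.net

--DSNBOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns;hotmail.com
Received-From-MTA: dns;mail.hotmail.com
Arrival-Date: Fri, 7 May 2004 18:16:36 -0700

Final-Recipient: rfc822;sbcy@blackhole.aosake.net
Action: failed
Status: 5.7.3
Diagnostic-Code: smtp;505 5.7.3 Client was not authenticated

--DSNBOUNDARY--
"""


def parse_dsn(raw):
    """Extract per-recipient fields from the message/delivery-status part of
    a multipart/report bounce (RFC 3464).  The stdlib parser splits that part
    into one header block per paragraph: the first block carries the
    per-message fields, each later block one recipient."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or \
            msg.get_param("report-type") != "delivery-status":
        return []
    out = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():
            if block["Final-Recipient"] is None:
                continue  # per-message block (Reporting-MTA etc.)
            out.append({
                "recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                "action": block["Action"],
                "status": block["Status"],
                "diagnostic": (block["Diagnostic-Code"] or "").split(";", 1)[-1].strip(),
            })
    return out


if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        print(sid, s["client"], s["mail_from"], "bounce expected:", bounce_expected(s))
    print(parse_dsn(SAMPLE_DSN))
```

Run over a real connection log, `bounce_expected` separates the sessions that will generate a bounce at the relaying ISP (the Swen pattern the post describes) from direct sends that produce none; `parse_dsn` gives the fields to look at when deciding whether a bounce you received refers to mail you never sent.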

