Information Security News mailing list archives
Swen identification and response
From: InfoSec News <isn () c4i org>
Date: Mon, 29 Sep 2003 06:07:56 -0500 (CDT)
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca> It is time, and past time, for the network community to start taking serious action to clean up the flood of Swen that has been going on for over a week. Typical server-based virus scanning tools may respond to the existence of an infected message, but likely respond to the FROM line in the header, which is spoofed in the case of Swen (and many others). However, Swen does seem to provide for identification of the infected user. Swen is difficult to identify from the sender or subject information. Swen can be identified by most virus scanners. The quickest and easiest way to identify Swen may be by the size of the messages. Swen has two very distinct forms. One generates a message roughly 143K in size, and the other roughly 156K in size. You will usually receive one of each form from an infected machine, generally in close proximity. The 156K version always contains a message body that starts out with: Microsoft Customer this is the latest version of security update, the "September 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run executable on your computer. This update includes the functionality = of all previously released patches. The message contains two gif attachments, and one executable, which uses the msdownload vulnerability, and so the message body contains the string: Content-Type: application/x-msdownload; name="[variable].exe" The subject almost universally ends with "upgrade" "Update" "Upgrade" "Patch" or "Pack". The sender name field is polymorphically generated frequently using the words Internet, Microsoft, or MS, and often Security, Corporation, Customer, Bulletin, Assistance, Division, Program, Department, Section, or Technical. The sender address uses a randomly generated username, sometimes a generic domain (ywbclobaqneqbh () advisor com), sometimes a random domain (rdarqmllhdedqx_zyyywtd () jxuzz com), but frequently names that appear to be associated with Microsoft (cuwuybvvcyx_dcnrm () advisor msn com, uiumod_levqwe () technet msn com, yvgsclw_hmxgz () news msdn net, pafwzupfy () news microsoft net) Except for the fact that it uses the iframe vulnerability, the 143K version may be more difficult to identify automatically. Many mail systems do not recognize messages formatted to use the iframe vulnerability as having an attachment, and so these messages may not be completely scanned for viruses by some server based scanners. The subjects used are those normally used for bounced or rejected messages, as well as some such as "Bug report." The sender names used are also very common, such as Admin and Administrator. Sender addresses are polymorphically generated. giving results like mailengine, mailerform, mailerroutine, mailrobot, webroutine, imailprogram, postform, amailbot, smtprobot, masterdaemon, postautomat, or webautomat at various common mail domain names. Message headers (somewhat edited for brevity) typically contain: Return-Path: <xxxxxxxxx () eircom net> Received: from mail00.svc.cra.dublin.eircom.net ([159.134.118.16]) [...] Received: from p145-175.as1.mvw.galway.eircom.net (HELO lgonmo) (159.134.145.175) by mail00.svc.cra.dublin.eircom.net (qp 83441) with SMTP; 27 Sep 2003 14:04:13 -0000 FROM: "Microsoft Security Assistance" <selkmkyiuq@technet_msdn.net> Message-Id: <20030927140445.NZGN3218.berlinr.sprint.ca () mail00 svc cra dublin eircom net or Return-Path: <xxx () urban net au> Received: from smtp.austarmetro.com.au ([203.166.224.2]) by orval.sprint.ca [...] Received: from tyhsbtop (dialup-89.52.194.203.acc03-dryb- mel.comindico.com.au [203.194.52.89]) by smtp.austarmetro.com.au (8.12.6/pre1.0-MySQL/8.12.6) with SMTP id h8QNvqpg017712; Sat, 27 Sep 2003 09:58:22 +1000 Date: Sat, 27 Sep 2003 09:58:22 +1000 Message-Id: <200309262358.h8QNvqpg017712 () smtp austarmetro com au> FROM: "Net Mail Storage Service" <kmailrobot () america com> Note that the Return-Path line does not agree with the FROM line (which fact can, itself, be used as a partial identifier), but *does* generally agree with the Received lines and the Message-Id. Therefore, it is likely that the Return-Path does identify the infected user or machine. (When IP addresses are checked, they also generally agree with the domain found.) Therefore, when infected messages are detected, a message should be returned to the user, using the Return-Path identification, alerting them to the existence of the infected messages. Given that the user may not be aware of actions to take in regard to a virus infection, copies of the message should probably be sent to the postmaster, abuse, and/or support accounts at the same domain. (If the IP address is checked and returns a slightly different domain, that abuse account should probably be copied as well.) If we can start *properly* alerting users to infections, we may be able to reduce the virus load much more quickly than simply letting the infection run its course. (Letting delinquent ISPs know may also help. Charter.net seem to have cleaned up their act, but BTConnect, BTInternet, and BTOpenWorld, a number of Italian, and not a few Australian ISPs seem to be well represented in the samples I've found.) ====================== (quote inserted randomly by Pegasus Mailer) rslade () vcn bc ca slade () victoria tc ca rslade () sun soci niu edu After attacking the sacred majesty of kings, I shall scarcely excite surprise by adding my firm persuasion that every profession, in which great subordination of rank constitutes its power, is highly injurious to morality. Mary Wollstoncraft (1759-1797), A Vindication of the Rights of Woman http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Swen identification and response InfoSec News (Sep 29)