Full Disclosure mailing list archives

Re: Swen Really Sucks


From: christophe barbe <christophe () cattlegrid net>
Date: Wed, 24 Sep 2003 15:38:01 -0400

On Wed, Sep 24, 2003 at 12:31:08PM -0500, Brent J. Nordquist wrote:
On Wed, 24 Sep 2003, Peter Busser <peter () trusteddebian org> wrote:

I use several procmail rules to filter out domains (microsoft.com,
msdn.com, etc.) in From: and From, To: (e.g. microsoft.com) and certain
words in the subject (e.g. Microsoft). Since the virus depends on
looking like an authentic message, it can't do too much randomisation of
the domains and subject lines. Of course the filtering is not perfect,
but it still reduces the number of virus messages hitting the inbox.

Someone pointed out yesterday that Swen has the header "SUBJECT: " in all
upper-case, as opposed to the usual mixed-case "Subject: ".  I looked at
all the ones I've received, and sure enough, they're all upper-case.  
That might be another telltale you can use if you're taking the procmail
approach.

From the debian mailing list, the best test you can use with procmail
seems to be to look for the uuencoded counter url used by the virus.
b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv

The following procmail rule has been proposed:

:0
* > 140000
* < 165000
{
:0 BD
* b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv
/dev/null
}

If you want to avoid the body search (B option), you can use the
following regexp on the subject header:

^subject: (undeliverable|undelivered|returned)? ?(mail|message)(:? (returned to (mail|send)er|user unknown))?
^subject: (new(est)?|latest|last|current)? ?(net(work)?|microsoft|internet)? ?(critical|security)? ?(pack|patch|update|upgrade)
^subject: (abort|bug|error|failure)? ?(advice|announcement|letter|message|notice|report)

The only missing subject is the empty one.

Christophe

-- 
Christophe Barbé <christophe.barbe () ufies org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

An empty stomach is not a good political advisor.
-- Albert Einstein
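Added example (not part of Christophe's post or the Debian thread it cites): a Python script that applies the three checks discussed in the message to constructed sample mails, so the trade-off between them can be seen on real input. It mirrors the procmail recipe (size window of 140000 to 165000 bytes plus the body marker, matched case-sensitively as the D flag does), the three subject regexps (matched case-insensitively, procmail's default), and Brent Nordquist's upper-case "SUBJECT:" telltale. The marker string and the patterns are taken from the post; the sample messages, the helper names (`analyze`, `decoded_marker`, `build_sample`) and the sample addresses are assumptions made for this example. It also decodes the marker, which is base64 rather than uuencode, to show that it is the worm's counter request.

```python
import base64
import email
import re
from email import policy

# Body marker from the procmail recipe in the post. It is base64 (not uuencode);
# decoding it reveals the worm's web-counter request.
MARKER = b"b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv"

# Size window from the recipe: `* > 140000` and `* < 165000` (total bytes).
MIN_SIZE, MAX_SIZE = 140000, 165000

# The three subject regexps from the post (the wrapped second one rejoined).
# procmail matches case-insensitively unless the D flag is set, so IGNORECASE
# reproduces the original behaviour; the patterns are anchored at the start of
# the subject value, as `^subject: ` anchors them at the start of the header.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(undeliverable|undelivered|returned)? ?(mail|message)(:? (returned to (mail|send)er|user unknown))?",
    r"^(new(est)?|latest|last|current)? ?(net(work)?|microsoft|internet)? ?(critical|security)? ?(pack|patch|update|upgrade)",
    r"^(abort|bug|error|failure)? ?(advice|announcement|letter|message|notice|report)",
)]


def decoded_marker() -> str:
    """Decode the base64 marker; the result contains the counter.gif GET."""
    return base64.b64decode(MARKER).decode("latin-1")


def analyze(raw: bytes) -> dict:
    """Evaluate one raw RFC 822 message against the checks from the post."""
    head, _, body = raw.partition(b"\n\n")
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))  # header lookup is case-insensitive

    size_in_window = MIN_SIZE < len(raw) < MAX_SIZE
    body_hit = MARKER in body                      # `:0 BD`: body, case-sensitive
    subject_hit = any(p.match(subject) for p in SUBJECT_PATTERNS)
    # Brent Nordquist's telltale: the header *name* written in upper case.
    upper_subject = re.search(rb"^SUBJECT:", head, re.MULTILINE) is not None

    return {
        "size_in_window": size_in_window,
        "body_marker": body_hit,
        "subject_match": subject_hit,
        "uppercase_subject_header": upper_subject,
        # The recipe discards on size window AND body marker ...
        "drop_by_body_rule": size_in_window and body_hit,
        # ... the subject-only variant discards on the regexps alone.
        "drop_by_subject_rule": subject_hit,
    }


def build_sample(headers: bytes, body: bytes) -> bytes:
    """Assemble a constructed raw message from header block and body."""
    return headers + b"\n\n" + body


# Constructed samples (addresses and text are made up for this example).
SWEN_LIKE = build_sample(
    b"From: MS Security <security@microsoft.com>\n"
    b"To: victim@example.net\n"
    b"SUBJECT: Microsoft Security Update\n"
    b"Content-Type: text/plain\n",
    # marker plus filler lines to land inside the 140000..165000 byte window
    MARKER + b"\n" + (b"A" * 76 + b"\n") * 2000,
)

BENIGN = build_sample(
    b"From: alice@example.org\n"
    b"To: bob@example.org\n"
    b"Subject: Re: lunch tomorrow\n",
    b"See you at noon.\n",
)

# A genuine bounce: caught by the subject-only rule, missed by the body rule.
LEGIT_BOUNCE = build_sample(
    b"From: MAILER-DAEMON@example.org\n"
    b"To: alice@example.org\n"
    b"Subject: Undelivered Mail Returned to Sender\n",
    b"The address you tried to reach does not exist.\n",
)

if __name__ == "__main__":
    print(repr(decoded_marker()))
    for name, raw in (("swen-like", SWEN_LIKE), ("benign", BENIGN),
                      ("legit bounce", LEGIT_BOUNCE)):
        print(name, analyze(raw))
```

Running it shows why the post prefers the body marker: the Swen-like sample trips every check, the benign mail trips none, and the genuine bounce is discarded by the subject regexps but not by the size-plus-marker rule, which is the imperfection Peter Busser's note about domain and subject filtering already concedes.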

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
