Full Disclosure mailing list archives

Re: Swen Really Sucks

From: Craig Pratt <craig () strong-box net>
Date: Thu, 25 Sep 2003 16:49:57 -0700


On Thursday, Sep 25, 2003, at 15:04 US/Pacific, Nick FitzGerald wrote:

"Schmehl, Paul L" <pauls () utdallas edu> to Joe Stewart:

The "From" or Return-Path address specified by the MAIL FROM:
transaction in the SMTP session is the real email address of the
infected user, or at least is what they entered on the fake
MAPI dialog
that Swen uses to get that information.

Please tell me you don't believe this is true.  ...


I doubt Joe would have written it did he not believe it.

And, FWIW, I believe it too.

...  If you know anything
about SMTP you know that the MAIL FROM: can be anything you want it to
be.  ...


Yes, but we are specifically talking here about what _Swen_ "wants" it
to be...

... And Swen certainly forges the sender, as the hundreds of bounces I
get will testify.  There is *nothing* in an SMTP transaction that you
can rely on except the headers *if* you know how to read headers.  If
you don't, even those will fool you.


Swen has code to locate the "Default Mail Account" under the Internet
Account Manager registry key then to extract the "SMTP Email Address"
value appropriately.  This is then stored in a variable in the virus
that is later used for the argument to the "MAIL FROM:" SMTP command
while sending Email.  (It is possible that some other part of the Swen
code I have not closely analysed surreptitiously changes the contents
of this variable in some circumstances, but there is no obvious code
that also alters the contents of the buffer used to hold the string
pulled from the registry location just described...)

This is all based on disassembly and is corroborated by reports from
other researchers who have watched it under debuggers, emulation, etc.

Based on some circumstantial evidence, it does look like this might bethe case. Or, at least, it doesn't appear that the sender is randomized.

A bit of perusing through reports from my scanner demonstrates that theIP address of the relay (which appears to be an actual e-mail gateway,in the case of Swen), the IP address of the sender, and the envelopesender are all highly-correlated.

This wasn't the case with Klez, Sobig, etc - where you would seemultiple envelope senders coming from the same IP (which wasn't arelay).

So, has anyone actually sent mail to an envelope sender to see ifthey're actually infected? Or is it possible this thing just likes tofake the same sender for all outgoing messages?


Craig

---
Craig Pratt
Strongbox Network Services Inc.
craig AT strong-box DOT net


--
This message checked for dangerous content by MailScanner on StrongBox.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Swen Really Sucks Schmehl, Paul L (Sep 25)
- Re: Swen Really Sucks Joe Stewart (Sep 25)
- RE: Swen Really Sucks Nick FitzGerald (Sep 25)
  - Re: Swen Really Sucks Craig Pratt (Sep 26)
    - Re: Swen Really Sucks Kye Lewis (Sep 26)
    - Re: Swen Really Sucks Mary Landesman (Sep 26)
    - Re: Swen Really Sucks Kye Lewis (Sep 26)
- <Possible follow-ups>
- RE: Swen Really Sucks Schmehl, Paul L (Sep 25)
  - RE: Swen Really Sucks Nick FitzGerald (Sep 25)