Security Incidents mailing list archives
Re: Novarg
From: mgotts () 2roads com
Date: Fri, 30 Jan 2004 10:45:11 -0800
If that is what is going on, it is a cunning ploy to get the worm instance to have another go at getting to a real person's inbox. It also explains why so many copies that I get are 'unknown user' bounces (as opposed to stupid virus scanner "you are infected, and here is a copy of what you sent for good measure" bounces).
The 'unknown user' bounces are part of the intentional design of the worm, which it uses as a distribution method. In the worm's repertoire of attack methods is one that looks like a dictionary attack. We get thousands of attempts a day for 'bill () ourdomain com', 'tom () ourdomain com', 'linda () ourdomain com', 'matt () ourdomain com', 'jose () ourdomain com', 'leo () ourdomain com', etc. While there are a handful of different addresses, it is far too small a list to be a dictionary attack. Instead, these are intentionally meant to bounce (in most cases, anyway) so that a *legitimate* bounce message then returns the email to a forged 'From' address. The worm is trying to bounce the messages to have the delivery come from a legit mail server with what it hopes to be a package that arouses the curiosity of the 'sender' ("hey, I don't remember sending this..."). The bounces are not just coincidental attempts at dead addresses it found on some infected PC. The addresses are coded into the worm. Smart stuff. Evil, but smart.

As for the 'lower priority MX record being tried first' theory, well, maybe. However, the mail server at our lower-priority MX record is unavailable, and has been for months (it's intentional). Yet we've seen plenty of all the different distribution types from this worm. So, although my 'proof' is a statistically insignificant sample of one, we are the example where the lower-priority MX record points to a dead end. Yet I've got 1,000 copies of the worm I can show you, having arrived directly, and by returns from antivirus scans, and by returns to 'user unknown'.

-- Mark
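The pattern described in the post (a small, fixed set of guessed local-parts probed from many unrelated senders, relying on the receiving server's bounce to carry the payload to a forged sender) can be picked out of an MTA's rejection log. The following is an added example, not code from the post or from any MTA; the log line format, the domain `ourdomain.com` and the sample lines are constructed for illustration and the regex would need adapting to a real MTA's log format.

```python
import re
from collections import defaultdict

# Constructed sample of inbound delivery attempts (format invented for this example).
# Each line records one attempt and the SMTP result the server gave at RCPT TO time.
SAMPLE_LOG = """\
2004-01-30T09:58:11 from=<karen@example.net> to=<bill@ourdomain.com> status=550 user unknown
2004-01-30T09:58:40 from=<pat@example.org> to=<tom@ourdomain.com> status=550 user unknown
2004-01-30T09:59:03 from=<dave@example.com> to=<linda@ourdomain.com> status=550 user unknown
2004-01-30T09:59:30 from=<sue@example.net> to=<bill@ourdomain.com> status=550 user unknown
2004-01-30T10:00:12 from=<raj@example.org> to=<matt@ourdomain.com> status=550 user unknown
2004-01-30T10:00:45 from=<kim@example.com> to=<tom@ourdomain.com> status=550 user unknown
2004-01-30T10:01:10 from=<lee@example.net> to=<bill@ourdomain.com> status=550 user unknown
2004-01-30T10:01:33 from=<ann@example.org> to=<jose@ourdomain.com> status=550 user unknown
2004-01-30T10:02:05 from=<bob@example.com> to=<mark@ourdomain.com> status=250 delivered
2004-01-30T10:02:50 from=<zoe@example.net> to=<leo@ourdomain.com> status=550 user unknown
2004-01-30T10:03:21 from=<ian@example.org> to=<linda@ourdomain.com> status=550 user unknown
"""

LINE_RE = re.compile(r"from=<([^>]*)> to=<([^@>]+)@([^>]+)> status=(\d{3})")

def unknown_user_rejects(log_text, local_domain):
    """Yield (sender, probed_local_part) for each 550 rejection addressed to local_domain."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4) == "550" and m.group(3).lower() == local_domain:
            yield m.group(1).lower(), m.group(2).lower()

def probe_profile(log_text, local_domain):
    """Map each probed local-part to the number of distinct senders that tried it."""
    senders_by_name = defaultdict(set)
    for sender, name in unknown_user_rejects(log_text, local_domain):
        senders_by_name[name].add(sender)
    return {name: len(s) for name, s in senders_by_name.items()}

def looks_like_fixed_list_probing(profile, max_names=10, min_senders=2):
    """Flag the signature the post describes: few distinct guessed names, several of
    them recurring across unrelated senders. A true dictionary attack shows a long
    tail of distinct names; genuine typos rarely repeat across many senders.
    Note: rejecting at RCPT TO (the 550 above) rather than accepting and bouncing
    later is what keeps a server from becoming the worm's relay for backscatter."""
    recurring = [n for n, c in profile.items() if c >= min_senders]
    return 0 < len(profile) <= max_names and len(recurring) >= 2
```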