Security Incidents mailing list archives

Re: Novarg


From: mgotts () 2roads com
Date: Fri, 30 Jan 2004 10:45:11 -0800

If that is what is going on, it is a cunning ploy to get the worm 
instance to have another go at getting to a real person's inbox. It also 
explains why so many copies that I get are 'unknown user' bounces (as 
opposed to stupid virus scanner "you are infected, and here is a copy of 
what you sent for good measure" bounces). 


The 'unknown user' bounces are part of the intentional design of the worm, 
which it uses as a distribution method.

In the worm's repertoire of attack methods is one that looks like a 
dictionary attack. We get thousands of attempts a day for 
'bill () ourdomain com', 'tom () ourdomain com', 'linda () ourdomain com', 
'matt () ourdomain com', 'jose () ourdomain com', 'leo () ourdomain com', etc. 
While there are a handful of different addresses, it is way too small of a 
list to be a dictionary attack. Instead, these are intentionally meant to 
bounce (in most cases, anyway) so that a *legitimate* bounce message then 
returns the email to a forged 'From' address.

The worm is trying to bounce the messages to have the delivery come from a 
legit mail server with what it hopes to be a package that arouses the 
curiosity of the 'sender' ("hey, I don't remember sending this..."). The 
bounces are not just coincidental attempts at dead addresses it found on 
some infected PC. The addresses are coded into the worm. Smart stuff. 
Evil, but smart.

As for the 'lower priority MX record being tried first' theory, well, 
maybe. However, the mail server at our lower-priority MX record is 
unavailable, and has been for months (it's intentional). Yet we've seen 
plenty of all the different distribution types from this worm. So, 
although my 'proof' is a statistically insignificant sample of one, we are 
the example where the lower-priority MX record points to a dead end. Yet 
I've got 1,000 copies of the worm I can show you, having arrived directly, 
and by returns from antivirus scans, and by returns to 'user unknown'.

-- Mark

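The distribution method Mark describes relies on the receiving MTA accepting mail for a nonexistent user and then generating a legitimate DSN to the forged envelope sender. An added example, not part of the original post: a small Python report over constructed Postfix-style log lines (the format is assumed; the recipient names and ourdomain.com come from the post) that counts hits on unknown local parts across distinct clients and, more usefully for a defender, shows which of them were accepted-then-bounced (your server became the bounce relay) versus rejected during the SMTP transaction (no DSN ever created).

```python
import re
from collections import defaultdict

# Constructed sample log (Postfix-style syslog lines; not real traffic). Two outcomes
# are mixed in: "reject: RCPT" = refused during SMTP, so no DSN is ever created;
# "status=bounced" = accepted, then our own MTA sends a DSN to the (forged) sender.
SAMPLE_LOG = """\
Jan 30 10:01:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bill@ourdomain.com>: Recipient address rejected: User unknown; from=<alice@example.net> to=<bill@ourdomain.com>
Jan 30 10:01:09 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bill@ourdomain.com>: Recipient address rejected: User unknown; from=<bob@example.org> to=<bill@ourdomain.com>
Jan 30 10:02:15 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <tom@ourdomain.com>: Recipient address rejected: User unknown; from=<carol@example.com> to=<tom@ourdomain.com>
Jan 30 10:03:40 mx postfix/local[240]: 7F2A1C0: to=<linda@ourdomain.com>, relay=local, delay=0.3, dsn=5.1.1, status=bounced (unknown user: "linda")
Jan 30 10:04:01 mx postfix/local[240]: 8C0B2D1: to=<linda@ourdomain.com>, relay=local, delay=0.2, dsn=5.1.1, status=bounced (unknown user: "linda")
Jan 30 10:05:22 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bill@ourdomain.com>: Recipient address rejected: User unknown; from=<dave@example.net> to=<bill@ourdomain.com>
Jan 30 10:06:00 mx postfix/local[241]: 9A1C3E2: to=<mark@ourdomain.com>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

REJECT_RE = re.compile(r"reject: RCPT from \S+\[(?P<ip>[\d.]+)\].*User unknown.*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>")
BOUNCE_RE = re.compile(r"to=<(?P<rcpt>[^>]+)>.*status=bounced \(unknown user")

def parse_line(line):
    """Return (recipient, outcome, client_ip) for an unknown-user event, else None."""
    m = REJECT_RE.search(line)
    if m:
        return m["rcpt"].lower(), "rejected", m["ip"]
    m = BOUNCE_RE.search(line)
    if m:
        return m["rcpt"].lower(), "bounced", None  # local delivery line carries no client IP
    return None

def unknown_user_report(log_text):
    """Per nonexistent recipient: total hits, distinct client IPs, and how many hits produced a DSN."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "bounced": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rcpt, outcome, client = parsed
        s = stats[rcpt]
        s["hits"] += 1
        if client:
            s["clients"].add(client)
        if outcome == "bounced":
            s["bounced"] += 1
    return {r: {"hits": s["hits"], "clients": len(s["clients"]), "bounced": s["bounced"]}
            for r, s in stats.items()}

def backscatter_sources(log_text):
    """Recipients for which this MTA itself generated bounces to (possibly forged) senders."""
    return sorted(r for r, s in unknown_user_report(log_text).items() if s["bounced"])
```

A non-empty result from backscatter_sources means the server is accepting for unknown users and bouncing afterwards; rejecting unknown recipients at RCPT time removes it from the worm's delivery path.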