Open Source and information security mailing list archives
 
Message-ID: <0H59009UY6AJGS@smtp1.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: kaspersky-labs webserver or listserver com

Andreas Tirok <Andreas.Tirok@...sen.de> wrote:

> Ka <ka@...dr.net> wrote:
> > Just received an email with some virus components
> > from kaspersky-labs.com. .o)
> > 
> > Possible		Exploit.IFrame.FileDownload 
> > and a README.EXE with	I-Worm.Bridex 
> > 
> > Here are the headers:
> > 
> > - ------------------------- BEGIN HEADERS -----------------------------
> > Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
> >         by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
> >         for <zim@...aa.de>; Thu,  7 Nov 2002 22:51:28 +0100 (CET)
> > Received: by webserver2.kaspersky-labs.com (Postfix)
> >         id 33AB920047; Fri,  8 Nov 2002 00:22:31 +0300 (MSK)
> > Delivered-To: list-15@...server2.kaspersky-labs.com
> > Received: from webserver2.kaspersky-labs.com (unknown [148.235.6.199])
> looking for                                              +++++++++++++
> 
> dig -x 148.235.6.199

Yeah...

> ; <<>> DiG 8.3 <<>> -x

<<snip dig output that proves 148.235.6.199 isn't k-l.com>>

> Isn't webserver2.kaspersky-labs.com

So, the SMTP envelope FROM: was "forged" and this was not commented 
on by the receiving server...  Win32/Braid forges outgoing mail 
addresses so that should not be entirely surprising, and the real 
sending IP is in Mexico and other aspects of the message suggest that 
should not be surprising.

However, what you missed is that the "last" Received header is:

> > Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
> >         by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
> >         for <zim@...aa.de>; Thu,  7 Nov 2002 22:51:28 +0100 (CET)

and I think if you do your dig-ing again against 195.161.113.178 
you'll find that it and webserver2.kaspersky-labs.com are one and 
the same machine (though, IIRC from doing it earlier, there is no 
reverse DNS from 195.161.113.178 to webserver2.kaspersky-labs.com).

I know folk at Kaspersky Labs are aware something is going on, but I 
am still receiving messages through webserver2.kaspersky-labs.com 
mail that it should not be sending.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
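The point Nick makes above, that only the Received header stamped by the recipient's own MTA (mail.vegaa.de) records a peer address you can believe, and that everything below it could have been written by the sender, is easy to mechanise. The following is an added example written for this archive page, not code from either poster: it unfolds the header block quoted in the thread (addresses obfuscated exactly as the archive shows them), parses each Received line Postfix-style into HELO name, reverse-DNS name, peer IP and the MTA that wrote it, and marks the trust boundary. The set of "our" MTAs is an assumption supplied by the analyst; here it is just mail.vegaa.de. No DNS lookups are performed, so it runs offline; a `(unknown [ip])` clause is reported as a hop whose HELO name was never confirmed by reverse DNS, which is exactly the situation described for 195.161.113.178.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Header block as quoted in the thread (constructed sample input copied
# from the message; the archive's address obfuscation is kept as-is).
SAMPLE_HEADERS = """\
Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
        by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
        for <zim@...aa.de>; Thu,  7 Nov 2002 22:51:28 +0100 (CET)
Received: by webserver2.kaspersky-labs.com (Postfix)
        id 33AB920047; Fri,  8 Nov 2002 00:22:31 +0300 (MSK)
Delivered-To: list-15@...server2.kaspersky-labs.com
Received: from webserver2.kaspersky-labs.com (unknown [148.235.6.199])
"""

# Postfix/Sendmail style "from HELO (RDNS [IP])" and "by HOST" clauses.
FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>[^\s(]+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)?)?"
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s(;]+)")


@dataclass
class Hop:
    helo: Optional[str]   # name the connecting client announced in HELO/EHLO
    rdns: Optional[str]   # reverse DNS recorded by the receiving MTA ("unknown" = none)
    ip: Optional[str]     # peer address as actually seen by the receiving MTA
    by: Optional[str]     # MTA that wrote this Received header
    trusted: bool         # True only while the writer is one of our own MTAs
    notes: List[str] = field(default_factory=list)


@dataclass
class TraceResult:
    hops: List[Hop]
    sender_ip: Optional[str]  # peer address recorded by our own MTA, or None


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 822 continuation lines and split into (name, value) pairs."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_values(raw: str) -> List[str]:
    """Received header values in order of appearance (nearest hop first)."""
    return [v for n, v in unfold_headers(raw) if n.lower() == "received"]


def analyse_received(values: List[str], our_mtas: Set[str]) -> TraceResult:
    """Walk the trace top-down; stop trusting once a foreign MTA wrote a header."""
    hops: List[Hop] = []
    boundary_crossed = False
    for value in values:
        m_from = FROM_RE.search(value)
        m_by = BY_RE.search(value)
        hop = Hop(
            helo=m_from.group("helo") if m_from else None,
            rdns=m_from.group("rdns") if m_from else None,
            ip=m_from.group("ip") if m_from else None,
            by=m_by.group("by") if m_by else None,
            trusted=False,
        )
        if not boundary_crossed and hop.by in our_mtas:
            hop.trusted = True
        else:
            boundary_crossed = True
            hop.notes.append("written by a host outside our control; may be forged")
        if hop.rdns == "unknown" and hop.helo:
            hop.notes.append(f"no reverse DNS for {hop.ip}; HELO name {hop.helo!r} unconfirmed")
        elif hop.rdns and hop.helo and hop.rdns.lower() != hop.helo.lower():
            hop.notes.append(f"HELO {hop.helo!r} does not match reverse DNS {hop.rdns!r}")
        hops.append(hop)
    sender_ip = next((h.ip for h in hops if h.trusted and h.ip), None)
    return TraceResult(hops, sender_ip)


if __name__ == "__main__":
    result = analyse_received(received_values(SAMPLE_HEADERS), {"mail.vegaa.de"})
    for i, h in enumerate(result.hops):
        flag = "TRUSTED " if h.trusted else "unverified"
        print(f"hop {i}: {flag} helo={h.helo} ip={h.ip} by={h.by}")
        for n in h.notes:
            print(f"        - {n}")
    print("address that actually connected to us:", result.sender_ip)
```

Run against the thread's headers, hop 0 is the only trusted one and yields 195.161.113.178 as the address that really connected to mail.vegaa.de; hop 2, the one carrying 148.235.6.199, sits below the boundary and is reported as unverifiable, which is why a reverse lookup on it says nothing about who delivered the message.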
