Message-ID: <3F74545D.22710.16B9D3DB@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Swen Really Sucks

"Schmehl, Paul L" <pauls@...allas.edu> replied to me:

> > Swen has code to locate the "Default Mail Account" under the Internet 
> > Account Manager registry key then to extract the "SMTP Email Address" 
> > value appropriately.  This is then stored in a variable in the virus 
> > that is later used for the argument to the "MAIL FROM:" SMTP command 
> > while sending Email.  (It is possible that some other part of the Swen 
> > code I have not closely analysed surreptitiously changes the contents 
> > of this variable in some circumstances, but there is no obvious code 
> > that also alters the contents of the buffer used to hold the string 
> > pulled from the registry location just described...)
> > 
> > This is all based on disassembly and is corroborated by reports from 
> > other researchers who have watched it under debuggers, emulation, etc.
> 
> If it's as poorly written as most malware is, it most likely screws this
> up as well.  ...

8-)

You should be careful -- I get hate mail for saying stuff like that...

> ...  All I can tell you is that I get tens of bounces on my
> personal home email account daily, and I can assure you that I am not
> infected.  I'll take a look tonight (because I'm sure there will be at
> least 50 or 60 virus mails and bounces in my deleted items folder) and
> see what's in the headers.

Ahhhhh -- I didn't understand what you were saying before.

I am getting such bogus "bounces" too (about one for every ten 
"natural" samples I receive), but recall that many stupid Email gateway 
scanners will send "bounces" to addresses in the From: and/or Sender: 
headers (and even to addresses in Reply-To:, X-Originally-From: and 
other weird custom headers -- clearly these products are written by 
chimpanzees that cannot read RFCs...).

> You can disassemble and run simulations til you're blue in the face, but
> things don't work perfectly in the real world, as I *know* you know.

Indeed I can, but when I do -- like Joe -- I tend to take quite some 
professional pride in the work (unlike the folk who wrote the SMTP 
processors that are busy sending you those "bounces").


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
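The thread makes two points a gateway operator can check for directly: Swen fills both the SMTP envelope sender and the header addresses with a value lifted from the infected machine's registry, and many gateway scanners then "bounce" their virus notices to whatever is in From:, Sender:, Reply-To: or custom headers, which is why uninfected people receive them. The Python below is an added example, not code from either poster; it parses a constructed Swen-style message (documentation hosts and addresses, not a real capture), shows which addresses a header-driven notifier would hit, pulls the only origin evidence the headers actually carry (the bottom-most Received: line), and implements the notification policy the post argues for. The function names, the `sender_forging_family` flag (standing in for the scanner's verdict) and the sample headers are all assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): a Swen-style message as the
# receiving MTA stored it. The worm put the address it read from the infected
# machine's registry into both the SMTP envelope sender (recorded here as
# Return-Path) and the From:/Sender: headers, so none of those identify the
# machine that actually sent the message. Hosts and IPs are documentation values.
SAMPLE_WORM_MAIL = """\
Return-Path: <victim@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
 by mail.example.com with ESMTP id abc123; Thu, 25 Sep 2003 10:00:00 +0000
Received: from infected-pc (dsl-198-51-100-7.isp.example [198.51.100.7])
 by mx.example.net with SMTP id xyz789; Thu, 25 Sep 2003 09:59:58 +0000
From: victim@example.org
Sender: victim@example.org
Reply-To: victim@example.org
X-Originally-From: victim@example.org
To: target@example.com
Subject: Microsoft Security Update

(body and attachment omitted)
"""

# Header fields the post says naive gateway scanners pull "bounce" targets from.
HEADER_ADDRESS_FIELDS = ("From", "Sender", "Reply-To", "X-Originally-From")

_RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)")
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    """Parse raw RFC 822 text into an email.message.Message (headers are enough here)."""
    return message_from_string(raw)


def header_addresses(msg):
    """Every address a header-driven notifier would write to, keyed by field name.
    For a sender-forging worm these all belong to an uninfected third party."""
    return {
        field: parseaddr(msg[field])[1]
        for field in HEADER_ADDRESS_FIELDS
        if msg[field]
    }


def envelope_sender(msg):
    """Envelope sender as recorded in Return-Path; '' means a null reverse path (<>)."""
    return parseaddr(msg.get("Return-Path", "<>"))[1]


def originating_host(msg):
    """The bottom-most Received: line was written by the first MTA to accept the
    message, so its 'from' clause is the closest thing to the real origin.
    Returns (helo_name, connecting_ip): only the bracketed IP was observed by
    that MTA; the name is whatever the client announced in HELO."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    first_hop = " ".join(received[-1].split())  # unfold continuation lines
    m = _RECEIVED_FROM.search(first_hop)
    if not m:
        return None
    ip = _BRACKETED_IP.search(m.group(2))
    return m.group(1), (ip.group(1) if ip else None)


def notification_policy(msg, sender_forging_family):
    """Decide whether a 'your message carried a virus' notice may be sent, and to
    whom. Returns (recipient_or_None, reason). Header addresses are never used;
    sender_forging_family is an assumed flag derived from the scanner's verdict."""
    env = envelope_sender(msg)
    if not env:
        # RFC 5321 section 4.5.5: a message with a null reverse path must not
        # trigger a notification, or two gateways bounce at each other forever.
        return None, "null reverse path: no notification may be generated"
    if sender_forging_family:
        return None, "detected family forges its sender; the notice would hit a bystander"
    return env, "notify the envelope sender only, never From:/Sender:/Reply-To:"


if __name__ == "__main__":
    msg = parse_message(SAMPLE_WORM_MAIL)
    print("header addresses a naive gateway would bounce to:", header_addresses(msg))
    print("envelope sender (also forged by Swen):", envelope_sender(msg))
    print("first hop recorded by the receiving MTA:", originating_host(msg))
    print("policy for a sender-forging family:", notification_policy(msg, True))
```

Run as a script it prints that all four header fields, and the envelope sender too, carry the harvested address while the only trustworthy origin evidence is the 198.51.100.7 in the first Received: line; the policy function therefore refuses to notify at all for a family known to forge its sender, and for any other verdict notifies the envelope sender only.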

