lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: nick at (Nick FitzGerald)
Subject: Swen Really Sucks

"Schmehl, Paul L" <> replied to me:

> > Swen has code to locate the "Default Mail Account" under the Internet 
> > Account Manager registry key then to extract the "SMTP Email Address" 
> > value appropriately.  This is then stored in a variable in the virus 
> > that is later used for the argument to the "MAIL FROM:" SMTP command 
> > while sending Email.  (It is possible that some other part of 
> > the Swen 
> > code I have not closely analysed surreptitiously changes the contents 
> > of this variable in some circumstances, but there is no obvious code 
> > that also alters the contents of the buffer used to hold the string 
> > pulled from the registry location just described...)
> > 
> > This is all based on disassembly and is corroborated by reports from 
> > other researchers who have watched it under debuggers, emulation, etc.
> If it's as poorly written as most malware is, it most likely screws this
> up as well.  ...


You should be careful -- I get hate mail for saying stuff like that...

> ...  All I can tell you is that I get tens of bounces on my
> personal home email account daily, and I can assure you that I am not
> infected.  I'll take a look tonight (because I'm sure there will be at
> least 50 or 60 virus mails and bounces in my deleted items folder) and
> see what's in the headers.

Ahhhhh -- I didn't understand what you were saying before.

I am getting such bogus "bounces" too (about one for every ten 
"natural" samples I receive), but recall that many stupid Email gateway 
scanners will send "bounces" to addresses in the  From: and/or Sender: 
headers (and even to addresses in Reply-To:, X-Originally-From: and 
other weird custom headers -- clearly these products are written by 
chimpanzees that cannot read RFCs...).

> You can disassemble and run simulations til you're blue in the face, but
> things don't work perfectly in the real world, as I *know* you know.

Indeed I can, but when I do -- like Joe -- I tend to take quite some 
professional pride in the work (unlike the folk who wrote the SMTP 
processors that are busy sending you those "bounces").

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists