lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: craig at (Craig Pratt)
Subject: Swen Really Sucks

On Thursday, Sep 25, 2003, at 15:04 US/Pacific, Nick FitzGerald wrote:
> "Schmehl, Paul L" <> to Joe Stewart:
>>> The "From" or Return-Path address specified by the MAIL FROM:
>>> transaction in the SMTP session is the real email address of the
>>> infected user, or at least is what they entered on the fake
>>> MAPI dialog
>>> that Swen uses to get that information.
>> Please tell me you don't believe this is true.  ...
> I doubt Joe would have written it did he not believe it.
> And, FWIW, I believe it too.
>> ...  If you know anything
>> about SMTP you know that the MAIL FROM: can be anything you want it to
>> be.  ...
> Yes, but we are specifically talking here about what _Swen_ "wants" it
> to be...
>> ... And Swen certainly forges the sender, as the hundreds of bounces I
>> get will testify.  There is *nothing* in an SMTP transaction that you
>> can rely on except the headers *if* you know how to read headers.  If
>> you don't, even those will fool you.
> Swen has code to locate the "Default Mail Account" under the Internet
> Account Manager registry key then to extract the "SMTP Email Address"
> value appropriately.  This is then stored in a variable in the virus
> that is later used for the argument to the "MAIL FROM:" SMTP command
> while sending Email.  (It is possible that some other part of the Swen
> code I have not closely analysed surreptitiously changes the contents
> of this variable in some circumstances, but there is no obvious code
> that also alters the contents of the buffer used to hold the string
> pulled from the registry location just described...)
> This is all based on disassembly and is corroborated by reports from
> other researchers who have watched it under debuggers, emulation, etc.

Based on some circumstantial evidence, it does look like this might be 
the case. Or, at least, it doesn't appear that the sender is randomized.

A bit of perusing through reports from my scanner demonstrates that the 
IP address of the relay (which appears to be an actual e-mail gateway, 
in the case of Swen), the IP address of the sender, and the envelope 
sender are all highly-correlated.

This wasn't the case with Klez, Sobig, etc - where you would see 
multiple envelope senders coming from the same IP (which wasn't a 

So, has anyone actually sent mail to an envelope sender to see if 
they're actually infected? Or is it possible this thing just likes to 
fake the same sender for all outgoing messages?


Craig Pratt
Strongbox Network Services Inc.
craig AT strong-box DOT net

This message checked for dangerous content by MailScanner on StrongBox.

Powered by blists - more mailing lists