Message-ID: <405AEC0E.20863.B5518BB@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [inbox] malware added in transit

Frank Knobbe <frank@...bbe.us> wrote:

> However, the topic at hand doesn't lend itself to a quick switch or
> simple addition of data at the end of the stream. If you want to add
> malware to an SMTP session on the fly, you will have to intercept and
> rewrite the email.  ...

Well, that really depends on what was meant by "in transit" and on the 
Email architecture between sender and "victim"...

> ...  A plain text email will have to be converted to a
> MIME encapsulated email so that you can add the attachment on the fly.

Nah -- most "user friendly" MUAs will find UUencode "begin" lines 
arbitrarily deep in messages these days (after all, perhaps the single 
most used MUA -- OE -- still supports this format for outgoing 
attachments, though does not default to this for SMTP; only NNTP), so 
all you need to do is insert your encoded malware at the end of the 
SMTP data stream (i.e. immediately before the ".<CR><LF><CR><LF>").

That in turn is even easier if you can get to run on a machine relaying 
between sender and victim, or acting as mail server for either.

> Tricky, but very doable. It probably won't take long and you'll have an
> adware/malware adding email proxy in the wild  :)

Well, a few self-mailing viruses have already done it, if you count 
acting as a relay on the sending machine as "in transit".

The first successful self-mailer, Ska (aka Happy99) did just this, 
intercepting a couple of critical WinSock APIs (send and receive from 
memory) and interdicting an additional Email (carrying an encoded copy 
of itself) into the Email sending chain, after copying the headers of 
the victim's actual Email.  Thus, each address a Ska victim sent a 
message to (that was delivered from their PC into the Internet Email 
chain via port 25) would receive another message, apparently also from 
that person, which was actually a copy of the virus.  (Ska was 
"thoughtful" in keeping a list of addresses it had already sent itself 
to and checked the address on each outgoing message was not already in 
this list, only sending itself to those addresses not already on the 
list.)

One of the Hybris plugins also did much the same, except it added 
itself (via MIME) as an attachment to actual messages from its victims, 
and I have a vague idea some of the Klez variants may have been up to 
similar jiggery-pokery...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
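As an added example (not part of the original post, nor code from any MUA or malware it names), here is a small Python mail-gateway check for the behaviour the thread describes: it cuts the message out of an SMTP DATA stream at the end-of-data terminator, undoes dot-stuffing, and then flags uuencode "begin" lines sitting inside the text parts of a message, which is exactly what a uuencode-aware MUA would silently render as an attachment even though no MIME part declares one. The sample message, its addresses and the filename are constructed for the example.

```python
import binascii
import email
import re
from email import policy

# A uuencode header line: "begin <octal mode> <filename>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$")


def message_from_smtp_data(stream: bytes) -> bytes:
    """Return the message carried by an SMTP DATA stream.

    The stream ends with <CR><LF>.<CR><LF>; anything after that is not part
    of the message.  Lines that began with '.' are dot-stuffed ('..') on the
    wire, so the leading dot is removed again here.
    """
    end = stream.find(b"\r\n.\r\n")
    body = stream if end < 0 else stream[: end + 2]
    lines = body.split(b"\r\n")
    return b"\r\n".join(ln[1:] if ln.startswith(b"..") else ln for ln in lines)


def find_inline_uuencode(raw: bytes) -> list[dict]:
    """Flag uuencode blocks hidden inside text parts.

    Each finding records the claimed filename, the line in the text part on
    which the block starts, whether a matching 'end' line follows, whether the
    first data line actually decodes as uuencode, and whether the message had
    declared any MIME structure at all.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        lines = part.get_content().splitlines()
        for i, line in enumerate(lines):
            m = UU_BEGIN.match(line)
            if not m:
                continue
            rest = lines[i + 1:]
            try:
                binascii.a2b_uu(rest[0].encode()) if rest else None
                decodable = bool(rest)
            except (binascii.Error, ValueError):
                decodable = False
            findings.append({
                "filename": m.group(1),
                "line": i + 1,
                "complete": any(ln.strip() == "end" for ln in rest),
                "decodable": decodable,
                "mime_declared": msg.is_multipart(),
            })
    return findings


# Constructed SMTP DATA stream: a plain-text mail whose body is followed by a
# uuencode block (the encoded bytes here are just "hello\n") and then the
# end-of-data terminator.  No MIME headers are present at all.
SAMPLE_SMTP_DATA = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: quarterly numbers\r\n"
    b"\r\n"
    b"Hi Bob, the figures are attached.\r\n"
    b"..PS: see below.\r\n"          # dot-stuffed on the wire
    b"\r\n"
    b"begin 644 figures.exe\r\n"
    b"&:&5L;&\\*\r\n"                # uuencode of b'hello\\n'
    b"`\r\n"
    b"end\r\n"
    b".\r\n"                         # end of DATA
)

# Constructed clean message for comparison.
CLEAN_SMTP_DATA = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: lunch\r\n"
    b"\r\n"
    b"Noon works for me.\r\n"
    b".\r\n"
)


def scan_stream(stream: bytes) -> list[dict]:
    """Convenience wrapper: DATA stream in, findings out."""
    return find_inline_uuencode(message_from_smtp_data(stream))


if __name__ == "__main__":
    for f in scan_stream(SAMPLE_SMTP_DATA):
        print("inline uuencode attachment:", f)
    print("clean message findings:", scan_stream(CLEAN_SMTP_DATA))
```

Running this on the constructed stream reports one finding: `figures.exe`, starting at line 4 of the body, complete, decodable, with `mime_declared` false. A gateway can treat that combination (an attachment a MUA will render, in a message that declared none) as a strong reason to quarantine, and the same scan applied to multipart messages catches blocks tucked into a text part of an otherwise legitimate MIME message, which is the Hybris-style case.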

