ietf-asrg

Re: [Asrg] Sendmail CEO Backs Yahoo DK and MS CID

2004-03-01 11:01:40
On 2004-03-01 10:49:34 -0500, Larry Seltzer wrote:
The trojan could always read this data [[address book?]] directly. I don't think they can block that.

And that's what they do, although the typical pattern is that they read .wab, .htm*, .txt, maybe .doc files, and scan them for e-mail addresses.

Yes, but I was thinking of configuration data and credentials.

Swen. But I don't think it uses data from Outlook or Outlook Express. It simply pops up a window asking the user for his credentials.

A copy of this dialog box may be found at
http://securityresponse.symantec.com/avcenter/graphics/w32.swen.a@mm.5.gif.

I have a hard time believing. I doubt many people remember their SMTP server credentials offhand, since they are usually stored by the MUA for automatic use.

But anyway, if that's the best they can come up with I'm still sure that worm spreading would be cut dramatically.

Before Swen I would have agreed. But Swen spread quite rapidly, so
apparently there are enough people who don't get suspicious if they get
asked to enter their credentials out of the blue, and either remember
them offhand or hunt down that piece of paper they noted it on (or call
their ISP's hotline to find out).

What they'd really need to do is to find ways to crack the
SMTP AUTH credentials from the various MUAs that might be on a system.

Which probably isn't that hard for some MUAs. Netscape 4 just stored
them in the preferences file (base64-encoded). Older versions of Eudora
did the same (don't know about current ones). I don't know about Outlook
and Outlook Express, but I would not be surprised if the information was
stored somewhere in an easily decodable format. Mozilla is as good as
you can possibly get: The credentials are stored encrypted (IF the user
entered a "master password") and are only decrypted if needed. But while
the MUA is running, it keeps the master password in memory, so another
process running as the same user could get it and then decrypt the
passwords. (disabling the ptrace system call or its equivalent on
non-unix platforms might help).

        hp

-- 
   _  | Peter J. Holzer    | I think we need two definitions:
|_|_) | Sysadmin WSR       | 1) The problem the *users* want us to solve
| |   | hjp@hjp.at         | 2) The problem our solution addresses.
__/   | http://www.hjp.at/ |    -- Phillip Hallam-Baker on spam

Attachment: pgpRIX4bBgasS.pgp
Description: PGP signature
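As an added example (not part of this thread, and not code from any of the MUAs named in it), the following shows what a program that keeps a decrypted master password in memory can do on Linux to narrow the exposure the last message describes, where another process running as the same user reads the secret out of it. It assumes Linux with glibc; the Yama ptrace_scope sysctl it reports is a mechanism later kernels added (it did not exist in 2004), and the password string is a constructed placeholder.

```c
/* Added example, not from the thread: in-process hardening for a program
 * that holds a master password, assuming Linux + glibc.
 *
 *  - prctl(PR_SET_DUMPABLE, 0): other processes of the same UID can no
 *    longer ptrace this one or read /proc/<pid>/mem; only a process with
 *    CAP_SYS_PTRACE (root) still can. Also suppresses core dumps.
 *  - mlock(): keep the secret out of swap (best effort here; a real
 *    program should at least warn when it fails).
 *  - wipe through a volatile pointer before free(), so the compiler
 *    cannot drop the clear as a dead store.
 *  - report the Yama ptrace_scope sysctl: 0 = classic same-UID ptrace
 *    allowed, 1 = only descendants, 2 = admin only, 3 = no ptrace at all.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Returns 0 once the process is non-dumpable, -1 on failure/unsupported. */
int harden_against_ptrace(void)
{
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
#else
    return -1;
#endif
}

/* Yama scope 0..3, or -1 if the sysctl does not exist (no Yama LSM). */
int yama_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &scope) != 1 || scope < 0 || scope > 3)
        scope = -1;
    fclose(f);
    return scope;
}

/* Copy a secret into a buffer that is locked into RAM (best effort). */
char *secret_alloc(const char *src)
{
    size_t n = strlen(src) + 1;
    char *buf = malloc(n);
    if (!buf)
        return NULL;
    if (mlock(buf, n) != 0)
        fprintf(stderr, "warning: mlock failed, secret may be swapped out\n");
    memcpy(buf, src, n);
    return buf;
}

/* Wipe and release; returns 1 if the buffer read back all-zero before free. */
int secret_free(char *buf, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    int clean = 1;
    for (size_t i = 0; i < n; i++)
        p[i] = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            clean = 0;
    munlock(buf, n);
    free(buf);
    return clean;
}

int main(void)
{
    const char *pw = "master-password-example";   /* constructed placeholder */
    printf("non-dumpable: %s\n", harden_against_ptrace() == 0 ? "yes" : "no");
    printf("yama ptrace_scope: %d\n", yama_ptrace_scope());
    char *s = secret_alloc(pw);
    if (!s)
        return 1;
    /* ... use the secret to decrypt stored credentials ... */
    printf("wiped cleanly: %d\n", secret_free(s, strlen(pw) + 1));
    return 0;
}
```

The caveats matter as much as the code: none of this stops root or anything with CAP_SYS_PTRACE, and a same-user process can still read the MUA's files on disk, so the on-disk credentials still need to be encrypted under the master password as the message describes. Making the process non-dumpable only closes the window in which the decrypted master password sits in memory; with Yama scope 1 or higher the kernel enforces a similar restriction for every process without each program having to opt in.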