
RE: [Asrg] Sendmail CEO Backs Yahoo DK and MS CID

2004-03-01 12:12:44
Yes, but I was thinking of configuration data and credentials.

Right, but this information isn't sitting in plaintext files waiting to be read. It's not obvious how you'd get it if you were a worm.

Before Swen I would have agreed. But Swen spread quite rapidly, so apparently there are enough people who don't get suspicious if they get asked to enter their credentials out of the blue, and either remember them offhand or hunt down that piece of paper they noted it on (or call their ISP's hotline to find out).

Swen doesn't need this information to spread. Apart from spreading through non-authenticated SMTP servers, it uses network shares, KaZaA, IRC and Usenet. It's not at all clear a lot of people entered that information.

What they'd really need to do is to find ways to crack the SMTP AUTH credentials from the various MUAs that might be on a system.

Which probably isn't that hard for some MUAs. Netscape 4 just stored them in the preferences file (base64-encoded). Older versions of Eudora did the same (don't know about current ones). I don't know about Outlook and Outlook Express, but I would not be surprised if the information was stored somewhere in an easily decodable format. Mozilla is as good as you can possibly get: The credentials are stored encrypted (IF the user entered a "master password") and are only decrypted if needed. But while the MUA is running, it keeps the master password in memory, so another process running as the same user could get it and then decrypt the passwords. (Disabling the ptrace system call or its equivalent on non-unix platforms might help.)

Both Outlook and OE store the data in the registry in some sort of obscured format. I don't know the scheme and I doubt they're telling.

Bear in mind, if a worm were to spread itself this way, it would be completely traceable. This too would help to stop them.
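The point raised above, that a mail client keeps its master password in memory while it runs and that blocking ptrace might help, can be shown from the defending side. The following C program is an added example, not code from the ASRG thread or from any of the mail clients discussed. It assumes Linux, where prctl(PR_SET_DUMPABLE, 0) marks a process non-dumpable so that other unprivileged processes of the same user can no longer attach to it with ptrace or read its memory through /proc; the function names and the demo password value are this example's own.

```c
// Added example: a process holding a secret (such as a mail client's master
// password) hardens itself against same-user ptrace on Linux. Function names
// and the demo secret are constructed for this example.
#include <stdio.h>
#include <stddef.h>
#include <sys/prctl.h>

/* Make the calling process non-dumpable. The kernel's ptrace access check
 * refuses to attach to a non-dumpable task unless the tracer holds
 * CAP_SYS_PTRACE, so an unprivileged process running as the same user can no
 * longer read our memory. Core dumps are suppressed as a side effect.
 * Returns 0 on success, -1 on failure. */
int harden_against_ptrace(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Current dumpable flag: 1 (default) means same-user tracers may attach,
 * 0 means the process is protected. */
int is_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Overwrite a secret once it is no longer needed. The volatile pointer keeps
 * the compiler from dropping the stores as dead code. Returns 1 if every byte
 * reads back as zero afterwards, so the caller can verify the wipe. */
int wipe_secret(char *buf, size_t len) {
    volatile char *p = buf;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

int main(void) {
    char master_password[32] = "example-master-password"; /* constructed demo value */

    printf("dumpable before hardening: %d\n", is_dumpable());
    if (harden_against_ptrace() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable after hardening:  %d\n", is_dumpable());

    /* ... the client would decrypt its stored credentials here ... */

    if (!wipe_secret(master_password, sizeof master_password))
        return 1;
    printf("secret wiped from memory\n");
    return 0;
}
```

Build with `cc -o harden harden.c` and run it; the dumpable flag goes from 1 to 0 and a subsequent `gdb -p` or `cat /proc/<pid>/mem` by the same unprivileged user is refused. The protection is only against unprivileged tracers: root or any process with CAP_SYS_PTRACE can still attach, and a system-wide equivalent exists on kernels with Yama via /proc/sys/kernel/yama/ptrace_scope. Wiping the secret once it is no longer needed shortens the window further, which matters on platforms that offer no ptrace-style control at all.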



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg