
RE: [Asrg] Sendmail CEO Backs Yahoo DK and MS CID

2004-03-01 15:56:27
At 10:49 AM -0500 3/1/04, Larry Seltzer wrote:
The trojan could always read this data [[address book?]] directly. I don't think they
can block that.

And that's what they do, although the typical pattern is that they read .wab, .htm*, .txt, maybe .doc files, and scan them for e-mail addresses. Interesting, but not relevant to the main issue of authentication, except that to the extent that these worms read these addresses to determine from: addresses for their propagation, they are even
less likely to spread through SMTP authentication.

Swen. But I don't think it uses data from Outlook or Outlook Express. It simply pops
up a Window asking the user for his credentials.

A copy of this dialog box may be found at
http://securityresponse.symantec.com/avcenter/graphics/w32.swen.a@mm.5.gif. I have a hard time believing. I doubt many people remember their SMTP server credentials offhand,
since they are usually stored by the MUA for automatic use.

But anyway, if that's the best they can come up with I'm still sure that worm spreading would be cut dramatically. What they'd really need to do is to find ways to crack the
SMTP AUTH credentials from the various MUAs that might be on a system.

Are you unfamiliar with Swen?

Since 9/19/03 I have received 3621 copies of Swen from over 1700 unique IP addresses carrying 1651 unique envelope senders, and that only counts the ones aimed at my 'main' account. That number is held down by the fact that mail to that account has a very draconian SMTP-level blacklist in front of it as well as router-level protections which together shun mail from most of Asia and large pieces of the rest of the world, and I also use a number of the more conservative public blacklists. It is a rare day when I do not see a handful of new Swen sources. At one point the rate of Swen coming out of Charter's mailservers was so high that my only defense to keep my mail server usable for anything I wanted was to block that part of their network at the router level. It took less than 2 days for their user population to reach that level of infection from the initial sightings of Swen.

Swen arrives with the real address of the infected user in the SMTP envelope and a bogus address that often claims to be from Microsoft in the From header. It arrives NOT from the actually infected machine, but from the normal outbound mailserver of that user's ISP or employer (or wherever they normally pass their mail). That dialog you saw, as incredible as it may seem to you, demonstrably does its job quite well. The only other explanation would be that Swen is instead managing to dig credentials out of wherever Outlook Express stores them OR that it is using some programmatic means of getting the OS to send mail for it using the OE config and saved credentials, and that it is only presenting the dialog as a bit of misdirection for anti-virus folks. Unless a couple of ISPs have been lying to me without prompting (both volunteered that they require SMTP AUTH in asking me to stop blocking their servers), Swen does indeed get through machines that require SMTP authentication.

Swen and more recent worms have provided rather solid proof that the most vulnerable attack point is between the keyboard and the chair.

--
Bill Cole
bill@scconsult.com
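The traffic pattern described in the post above (real infected user in the SMTP envelope, a From: header claiming to be Microsoft, delivered via the user's normal ISP relay) can be spotted on the receiving side by comparing the envelope sender with the From: header. The following is an added example, not code from the list or its participants; the messages and domain names in it are constructed, and Return-Path is assumed to carry the envelope sender as recorded by the receiving MTA.

```python
# Added example: flag messages whose From: header domain does not match the
# SMTP envelope sender domain, the shape of Swen traffic described on the list.
# Sample messages are constructed; all domains are placeholders.
from email import message_from_string
from email.utils import parseaddr


def envelope_vs_from(raw: str) -> dict:
    """Return envelope and From: addresses plus a domain-mismatch flag.

    Assumes the receiving MTA recorded the envelope sender in Return-Path.
    A mismatch alone is only a hint (forwarders and lists also produce it);
    combine it with other signals before rejecting or quarantining.
    """
    msg = message_from_string(raw)
    env_addr = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    env_dom = env_addr.rpartition("@")[2]
    from_dom = from_addr.rpartition("@")[2]
    return {
        "envelope": env_addr,
        "from": from_addr,
        "mismatch": bool(env_dom and from_dom) and env_dom != from_dom,
    }


# Constructed Swen-like message: real user in the envelope, bogus From: header,
# relayed through the ISP's normal outbound server.
SWEN_LIKE = """Return-Path: <victim@isp.example>
Received: from smtp.isp.example (smtp.isp.example [192.0.2.10])
From: "MS Security Center" <security@microsoft.example>
Subject: Newest Internet Security Pack

body
"""

# Constructed ordinary message where envelope and header agree.
NORMAL = """Return-Path: <alice@isp.example>
From: Alice <alice@isp.example>
Subject: lunch

body
"""

if __name__ == "__main__":
    for label, raw in (("swen-like", SWEN_LIKE), ("normal", NORMAL)):
        print(label, envelope_vs_from(raw))
```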


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg