RE: [Asrg] "worm spam" and SPF]

2004-11-27 12:58:03
At 2:14 PM -0500 11/27/04, Larry Seltzer imposed structure on a stream of electrons, yielding:
>> Here was the specific context to which I was responding:
>>> they might even send out email using the user's own email
>>> account and/or email client.
>> Swen does that. Really.

> No, it doesn't.

I confess to a lot of ignorance regarding Windows, but are you actually stating that the perfect matching I see between SMTP envelope senders and the machines handing me Swen is the result of tens of thousands of lucky guesses?

> Different versions of Swen do different things to get an SMTP server to
> use, but they all use a built-in SMTP engine and none of them use SMTP
> AUTH account information.

I must have missed some previous reference to SMTP AUTH. This is the first I recall seeing it mentioned in this conversation.

> In some circumstances Swen will put up a fake MAPI32 exception handler
> that asks you for your email account server, username and password (see
> a copy at http://www.trendmicro.com/vinfo/images/worm_swen_a_img2.gif).
> According to Symantec
> (http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html)
> Swen uses the username and password to check the POP3 account for
> copies of itself. So Swen might use the default SMTP server (harvested
> from the registry), but that's as close as it gets to using the user's
> own e-mail account.

I know that to not be so in all cases where I've tracked specific Swen copies back to the machines sending them and identified the owner of the machines. A small set admittedly (4), however in every case the envelope sender was the real email address of the machine's owner. Every one of the thousands of Swens I've seen is consistent with the envelope sender being the real email address of the machine's owner.

Frankly, I trust the evidence I've seen myself far more than the combined opinions of Symantec and a tech journalist. Sorry.

> How would a worm work if everyone had SMTP AUTH? It would either have to
> use a social engineering trick like Swen does with the MAPI32 dialog -
> and there's no evidence that there's a big problem with people filling
> out that form - or it would have to find the cached account credentials
> in the registry and use them.

Worms wouldn't work at all if everyone used competently designed operating systems and mailers or if they used the dominant garbageware with half a brain. Technical tweaks are nice mind games, but the real world argues for them being largely pointless. People open encrypted zip files from people they do not know and run the contents. There are a lot of perfect fixes for the spam and malware problems given a user population that is predominantly not made up of blithering idiots. Such solutions are not realistic.

--
Bill Cole
bill(_at_)scconsult(_dot_)com
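The SPF angle from the subject line, as an added illustration that is not part of this thread or anyone's code on it: with constructed SPF records, addresses and scenarios (SPF_RECORDS, check_spf and evaluate_scenarios are all assumptions here), a worm that relays through the owner's own default SMTP server under the owner's real address passes SPF exactly like the owner would, and only a direct-to-MX delivery from the infected host itself gets a fail or softfail.

```python
"""Minimal SPF check (ip4 and all mechanisms only) for the two worm-spam
delivery paths discussed in the thread. Every record, address and scenario
below is constructed for illustration; a real check would fetch the TXT
record via DNS and handle the remaining RFC 7208 mechanisms."""
import ipaddress

# Constructed SPF records keyed by envelope-sender domain.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:198.51.100.0/24 -all",  # only the ISP relay
    "example.org": "v=spf1 ip4:203.0.113.0/24 ~all",   # softfail policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_sender):
    """Return pass/fail/softfail/neutral/none for the sending IP and sender."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208 default)


# Constructed scenarios: the same real owner address, different sending path.
SCENARIOS = [
    ("via owner's default relay", "198.51.100.25", "owner@example.net"),
    ("direct-to-MX from infected host", "192.0.2.77", "owner@example.net"),
    ("direct-to-MX, softfail domain", "192.0.2.77", "owner@example.org"),
]


def evaluate_scenarios():
    """Map each scenario name to its SPF result."""
    return {name: check_spf(ip, sender) for name, ip, sender in SCENARIOS}


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name}: {result}")
```

The first scenario is the case the thread argues about: once the worm uses the harvested default SMTP server and the owner's address, the receiving side sees nothing SPF can distinguish from the owner's own mail.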


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg