
Re: Virus alert

2003-09-02 02:38:38
On 31/8/03 23:34, Dean Anderson wrote:

Your comments are true in general, but I don't think they take into
consideration the differences between this virus and the ones that go
through the address book. One can (more) easily get such valid, trusted,
familiar addresses from the address book. Many viruses do just that,
probably with just the purpose you mentioned. However, this virus is
different. It is using 'valid' addresses that aren't found in address
books--addresses that wouldn't be familiar to anyone, but are still valid.
There must be a reason why they would go to such trouble...

I think this virus wasn't just designed to spread, I think it was designed
to remain alive on each machine it infected. If you send out emails to a
user's address book from that user, they will quickly get emails from their
friends saying "I think you've got a virus Bob, I just got this weird email
from you." Or they will receive bounces/vacation-messages for emails they
know they didn't send.

Faking the From address means that replies will go to someone completely
random. Since that means the sender will be a stranger, you might as well
grab as many To addresses as possible rather than just restricting yourself
to the user's address book.

Faking the From address also adds another vector for infection in that
people start getting bounces saying "Sorry I was unable to deliver your
message." They open these to figure out what the original message was and
get infected. Now the virus can use a vast network of unwitting relays to
further spread and mask its location.

I have received dozens of emails from helpful systems and people notifying
me that I have the virus - and I have a Mac. I could crawl through the
headers on the bounces to determine the machine that has actually been
infected and has my email address, but once I've got an IP number I have no
easy way to turn that into an email address for the user.

The disinformation strategy clearly worked, so I expect to see more of this
style of virus in the future. Many have suggested that the purpose of the
virus may have been to set up a large zombie spamming network - I'm not sure
if it was this time, but I'm pretty sure it will be next time.

Jonathan
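The header walk mentioned above (crawling the Received: lines on a bounce to find the machine that actually injected the message), as an added example that is not part of the original post or of this thread. The bounce text, host names and addresses are constructed for illustration and use documentation ranges only; the trust-boundary rule (only Received: lines written by MTAs you operate are reliable, and everything below the first hop from an untrusted peer may have been forged by that peer) is this example's own assumption, not something the post states.

```python
"""
Walk the Received: chain of the original message attached to a bounce to find
the host that injected it.

Added example, not code from the original post. The sample bounce, host names
and addresses are constructed (documentation ranges only). The trust-boundary
logic in injection_point() is an assumption of this example: a Received: line
is only as trustworthy as the MTA that wrote it, and a virus with its own SMTP
engine can prepend any Received: lines it likes before handing the message off.
"""
import email
import re
from email import policy

# Constructed sample: a multipart/report bounce carrying the original as a
# message/rfc822 part. Each MTA prepends its own Received: line, so the top
# line is the most recent hop and the bottom line the oldest.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: jonathan@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.org. Your message could not be
delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org
Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <nobody@example.org>; Sun, 31 Aug 2003 23:12:01 -0400
Received: from smtp.isp.example.net (smtp.isp.example.net [203.0.113.20])
\tby relay.example.org with ESMTP id 4D5E6F;
\tSun, 31 Aug 2003 23:11:58 -0400
Received: from bobspc (dsl-192-0-2-55.isp.example.net [192.0.2.55])
\tby smtp.isp.example.net with SMTP id 7G8H9I;
\tSun, 31 Aug 2003 23:11:55 -0400
From: jonathan@example.com
To: nobody@example.org
Subject: Re: Details

See the attached file for details.

--B1--
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)          # name given at HELO/EHLO
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")           # peer IP as seen by the MTA
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)             # MTA that wrote the line


def parse_received(value):
    """Split one Received: header into (helo_name, peer_ip, receiving_mta).
    Fields the MTA did not record come back as None."""
    text = " ".join(value.split())  # unfold continuation lines
    helo, ip, by = FROM_RE.match(text), IP_RE.search(text), BY_RE.search(text)
    return (
        helo.group(1) if helo else None,
        ip.group(1) if ip else None,
        by.group(1).rstrip(";") if by else None,
    )


def original_message(bounce_text):
    """Return the original message attached to a bounce, or None if absent."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def received_chain(bounce_text):
    """All hops of the attached original, oldest hop first. Entry 0 is the
    claimed origin, i.e. the line written by the first MTA that accepted the
    message, which is only as honest as that MTA."""
    original = original_message(bounce_text)
    if original is None:
        return []
    return [parse_received(h) for h in reversed(original.get_all("Received", []))]


def injection_point(bounce_text, trusted_mtas, trusted_ips):
    """Walk from the newest hop downwards through lines written by your own
    MTAs (trusted_mtas) and stop at the first peer whose IP is not one of
    yours (trusted_ips). That hop is the furthest you can verify; the peer IP
    it records is the real origin from your point of view and every line
    below it was supplied by that peer. Returns (helo, ip, by) or None."""
    original = original_message(bounce_text)
    if original is None:
        return None
    for value in original.get_all("Received", []):
        helo, ip, by = parse_received(value)
        if by not in trusted_mtas:
            return None  # written by an MTA you do not control: unverifiable
        if ip not in trusted_ips:
            return (helo, ip, by)
    return None


if __name__ == "__main__":
    ours = {"mx.example.org", "relay.example.org"}
    print("verifiable origin:", injection_point(SAMPLE_BOUNCE, ours, {"198.51.100.7"}))
    print("claimed origin:   ", received_chain(SAMPLE_BOUNCE)[0])
```

For the constructed bounce the verifiable hop is the ISP's relay at 203.0.113.20, while the bottom line claims 192.0.2.55 (bobspc); whether you believe the latter depends on whether you trust smtp.isp.example.net, which is exactly the point at which an IP number stops being easy to turn into a user's address without the ISP's help.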



