Eli M. Dow 42474 Tuesday, April 6, 2004 Graduate Networks Projects: An Email Virus Let Loose
Use the following filter: smtp.req.command contains "MAIL"
This will show you the beginnings of all the mailing done from this machine once it was infected. Notice the email addresses used in the From field. Alpha, Beta, Delta, and Gamma were set up to actually be POPped onto the corresponding host. The muppet-based usernames were created simply to fill the address books. Any email address consisting of something other than Greek letters or puppets was generated by the virus itself! This is done to spoof the From field.
To get a better feel for what one of these spoofed messages looks like:
Follow the TCP stream from packet number 2168.
220 192.168.1.1 ESMTP Postfix
EHLO nobelglobe.com
250-192.168.1.1
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: claudia@nobelglobe.com
To: david@192.168.1.1
Subject: Status
Date: Thu, 1 Jan 2004 09:39:27 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0002_8625C44D.FE58B3E4"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000_0002_8625C44D.FE58B3E4
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
The message contains Unicode characters and has been sent as a binary attachment.
------=_NextPart_000_0002_8625C44D.FE58B3E4
Content-Type: application/octet-stream;
	name="document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="document.zip"
Use the following filter: smtp.req.command contains "EHLO"
This trace will show you all the spoofed domains used by the worm. The only machines connected to the network this trace was conducted on were assigned IP addresses matching 192.168.1.*
The spoofed domains include: rhinosoft.com, youropen.com, donotfightit.com, iloveitagain.com, i-wantmore.com, vijayaba.cse.mrt.ac.lk, yahoo.com, wazupper.com, and nobelglobe.com.
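The two indicators the filters above surface by hand (an EHLO domain no lab host owns, and a From field pointing at a domain the mail server never hosted) can be checked automatically once a session has been exported as text. The following is an added example, not part of the original write-up: it scans a constructed SMTP session modelled on the trace, with placeholder envelope addresses and an assumed single local domain (192.168.1.1), and reports the worm-style indicators a defender would alert on.

```python
import re

# Constructed SMTP session modelled on the worm traffic discussed above; the
# envelope addresses are placeholders, not values copied from the trace.
SESSION = """\
220 192.168.1.1 ESMTP Postfix
EHLO nobelglobe.com
250 8BITMIME
MAIL FROM:<claudia@nobelglobe.com>
250 Ok
RCPT TO:<david@192.168.1.1>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: claudia@nobelglobe.com
To: david@192.168.1.1
Subject: Status
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
.
"""

# Sender domains the lab mail server really hosts (assumption: one local domain).
LAB_DOMAINS = {"192.168.1.1"}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif")

def _first(pattern, text):
    m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def analyze_session(text, known_domains=LAB_DOMAINS):
    """Return a list of spoofing/worm indicators found in one SMTP session."""
    ehlo = _first(r"^EHLO\s+(\S+)", text)
    envelope = _first(r"^MAIL FROM:\s*<?([^>\s]+)>?", text)
    header = _first(r"^From:\s*<?([^>\s]+)>?", text)
    attachments = re.findall(r'filename="([^"]+)"', text, re.IGNORECASE)

    findings = []
    if ehlo and ehlo.lower() not in known_domains:
        findings.append(f"EHLO claims foreign domain {ehlo}")
    for label, addr in (("envelope", envelope), ("header", header)):
        if addr and addr.rsplit("@", 1)[-1].lower() not in known_domains:
            findings.append(f"{label} sender domain not hosted here: {addr}")
    if envelope and header and envelope.lower() != header.lower():
        findings.append("envelope and header From disagree")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable-style attachment {name}")
    return findings

if __name__ == "__main__":
    for finding in analyze_session(SESSION):
        print("-", finding)
```

Because the lab had no DNS, domain membership is a plain set lookup here; against real traffic the same check would consult the domains the server is actually configured to relay for.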
Oddly enough, other emails appear in your inbox with spoofed addresses. How do I know they are spoofed? Quite simply: since we set up the mail server and each account, and we know that there is no DNS used in this simulation, we can clearly see the odd-looking email received immediately following the onslaught of automated SMTP sends performed by the worm. This email window also shows the valid contacts for the host "delta" (recall that valid contacts are those listed on page 2, and are coincidentally all names of muppets).