[John and Brian and the other folks who replied are right: It seems to be a virus that infected someone on the list. Serves me right for not keeping up on the latest malware to infect people using Microsoft products. *sigh*. --Declan]

---

Date: 22 Jul 2003 19:46:27 -0400
From: "John R Levine" <johnlat_private>
To: "Declan McCullagh" <declanat_private>
Cc: politechat_private
Subject: Re: FC: A nasty new trend in spamming: Forged Politech messages

Anything that shows up with forged addresses and an attached zip file is almost certainly a variant of the SOBIG virus. Virus writers have gotten better at social engineering in recent months, picking more plausible files to use in the text and better subject lines.

Needless to say, only people who use software written in Redmond, Washington, need to worry about it.

Regards,
John Levine, johnlat_private, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web

---

Date: Tue, 22 Jul 2003 19:27:42 -0400
To: declanat_private
From: Brian McWilliams <brian@pc-radio.com>
Subject: Re: FC: A nasty new trend in spamming: Forged Politech messages

Declan,

Sounds like a case of the Bugbear worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.bat_private

It's known to paste stuff from actual email on the infected client's computer.

Reminiscent of a few years ago when someone at the FBI infected himself with SirCam, and it sent out some "official use" docs ...

Brian

---

Date: Tue, 22 Jul 2003 17:48:19 -0700
To: declanat_private
From: Bill Stewart <bill.stewartat_private>
Subject: Re: FC: A nasty new trend in spamming: Forged Politech messages
Cc: politechat_private

In fact that's to be expected, as people adopt spam-blockers to block spam and whitelists to prevent them from blocking real mail. Header forgery is so easy, and almost nobody's whitelists do more than simple pattern matching, and neither you nor Dave Farber routinely clearsign, much less encrypt - so spammers who want their ads read will start pretending to be you.

You'll also see spammers subscribing to subscriber-only mailing lists and then spamming the members or selling subscribed-user addresses. Yahoogroups is one obvious target, but I'm only on a couple of small lists there so I don't know if they're being harvested widely. (I know they limit how many groups you can subscribe to in a day, but since it's easy enough to create multiple identities, that's an easily evadable limit.)

---

Date: Tue, 22 Jul 2003 19:27:22 -0400
From: Rich Kulawiec <rskat_private>
To: "Christopher A. Petro" <petroat_private>
Cc: Declan McCullagh <declanat_private>
Subject: Re: FC: A nasty new trend in spamming: Forged Politech messages

> Looks like someone's mined the archives for email addresses and hand-
> crafted an email with an attached win32 executable.

Could be -- or it could be one of the viruses/worms that prowl through infected machines, construct plausible-looking headers and messages, and then mail themselves out. (This is one of the vectors by which spammers hijack remote machines: the infected system will also "phone home" and/or respond to commands on certain ports in order to indicate that it's ready to be used as a spam distribution point.)

[ Enclosed below is a sanitized and lightly annotated version of one such message that I got yesterday. Hopefully it'll illustrate what I mean. ]

I don't do much in the way of dissecting viruses (don't have to: no M$ used or permitted here) but all sorts of folks who hang out in Usenet's news.admin.net-abuse.email are quite good at taking these critters apart and discovering lots of interesting things about them. If you're really curious about exactly what it is, I'd drop a line there -- it's entirely possible that it'll turn out to be a known specimen that's already been analyzed.

---Rsk

> Received: from compuserve.com (adsl-63-199-229-240.dsl.scrm01.pacbell.net [63.199.229.240])
>         by XXXXXXXXXXXXXXXXXXXXX (8.12.9/8.12.9) with SMTP id h6LGtb5i028106
>         for <rskat_private>; Mon, 21 Jul 2003 12:55:41 -0400 (EDT)

Let's stop here and note that this really came from 63.199.229.240 -- which really is adsl-63-199-229-240.dsl.scrm01.pacbell.net. Both forward and reverse DNS match, and since the IP address in [] was logged on my end, it can be trusted. This is probably a DSL-connected box in Sacramento, given the subdomain name.

But note that when the system connected to deliver the message, and got to the HELO part of the SMTP negotiation, it identified itself as compuserve.com. Bzzzzt.

> Date: Tue, 22 Jul 2003 01:58:50 +0000
> From: Wells Fargo Accounting <wfba.accountingat_private>

Forged. This message was never anywhere near wellsfargo.com.

> Subject: Re: Wells Fargo Bank New Business Account Application - ID# XXXXX

And of course I've not enquired about a WFB business account. ;-) Bet that the [redacted] ID is real, though, and corresponds to someone who did.

> To: Rsk <rskat_private>
> References: <44CG1AC2KA8CHGEJat_private>
> In-Reply-To: <44CG1AC2KA8CHGEJat_private>

Also wrong. gsp.org doesn't emit message-ids that look like that; the ones from here look like:

<20030718632045.GA21908at_private>
<20030715134457.GA24158at_private>
<20030718124619.GB24158at_private>

My guess is this particular bit of code used the right-hand-side of "gsp.org" to make this look more plausible, but either fabricated the left-hand-side or snarfed it from somewhere.

> Message-ID: <G4LLHHF4A0JGLIE1at_private>

I don't know what WFB uses to run their mail system, but that might actually be a real message-id. In fact, it's possible that it's the message-id of a real message sitting on the infected system, i.e. the one that this virus/worm used to construct the one it sent to me.

> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----=_NextPart_H7DGE_4EEF9H0JAKF7_8F51KA"
> X-UIDL: kFF!!lel!!"V7!!-#4!!
> Content-Length: 8714
> Lines: 132
>
> ------=_NextPart_H7DGE_4EEF9H0JAKF7_8F51KA
> Content-Type: text/plain
> Content-Transfer-Encoding: 8bit
>
> Dear Sir,
>
> Thank you for your online application for a Business Account with Wells Fargo. We appreciate your interest in banking with us.
>
> In order to open a Business Account, we must receive specific credit information that is verifiable. Because Wells Fargo has no locations in your state, we are unable to confirm the credit information in your application. Consequently, we regret to say that we cannot open an account for your business at this time.
>
> Attached are your Wells Fargo Application and your Social Security File.
>
> Sincerely,
>
> Xxxxxx Xxxx
> Business Resource Center Services
> Wells Fargo Bank

This may actually be real text from a WFB person. But:

> ------=_NextPart_H7DGE_4EEF9H0JAKF7_8F51KA
> Content-Type: text/plain; name="wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif"
> Content-ID: <wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif>

The virus payload which follows this certainly isn't.

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
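The header checks Rich walks through in the last message (HELO name versus the rDNS name and IP the receiving MTA logged, and whether a Message-ID claiming to be from a domain matches the format that domain actually emits), as an added Python example that is not code from the thread. The Received line and message-ids are constructed samples modelled on the sanitized ones he quotes; the receiving host name and gsp.org's id shape (14-digit timestamp, dot, two letters, digits) are assumptions.

```python
import re

# Constructed sample modelled on the sanitized Received: line quoted in the thread;
# the receiving host and recipient are placeholders.
RECEIVED = """from compuserve.com (adsl-63-199-229-240.dsl.scrm01.pacbell.net [63.199.229.240])
        by mx.example.invalid (8.12.9/8.12.9) with SMTP id h6LGtb5i028106
        for <rsk@example.invalid>; Mon, 21 Jul 2003 12:55:41 -0400 (EDT)"""
# Constructed: the id the forged message claimed in References/In-Reply-To, plus one
# in the timestamp.XXnnnnn shape the post says gsp.org really emits.
REFERENCES = ["<44CG1AC2KA8CHGEJ@gsp.org>", "<20030715134457.GA24158@gsp.org>"]

# Assumption: the local-part format this site's own mail software generates.
GSP_LOCAL_RE = re.compile(r"^\d{14}\.[A-Z]{2}\d{4,6}$")
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)"
)

def parse_received(header):
    """Unfold a Received: header and pull out the HELO name, rDNS name and logged IP."""
    m = RECEIVED_RE.match(" ".join(header.split()))
    return m.groupdict() if m else None

def helo_mismatch(rec):
    """True when the HELO name is neither the rDNS name nor a parent domain of it.
    The rDNS name and IP were recorded by the receiving MTA, so they are the trusted side."""
    helo = rec["helo"].lower().rstrip(".")
    rdns = rec["rdns"].lower().rstrip(".")
    return not (helo == rdns or rdns.endswith("." + helo))

def message_id_plausible(msgid, domain, local_re):
    """False when an id claims to be from `domain` but its local part is not in its format."""
    local, sep, dom = msgid.strip("<>").rpartition("@")
    if not sep or dom.lower() != domain:
        return True  # not claiming to be ours; nothing to compare against
    return bool(local_re.match(local))

def triage(received, references, domain="gsp.org", local_re=GSP_LOCAL_RE):
    """Return the header oddities a human reader would flag, as in the post."""
    findings = []
    rec = parse_received(received)
    if rec and helo_mismatch(rec):
        findings.append(f"HELO {rec['helo']} != rDNS {rec['rdns']} for [{rec['ip']}]")
    for mid in references:
        if not message_id_plausible(mid, domain, local_re):
            findings.append(f"{mid} does not match {domain}'s message-id format")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(RECEIVED, REFERENCES)))
```

Only the bracketed IP and the rDNS name inside the first Received line your own MTA wrote are trustworthy; everything above it in the header chain, and the HELO string, is whatever the sender chose to say.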
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 21:45:00 PDT