[Intrusions] Possible New Lovgate Variant Spamming

Edward Southcote-Want southcotewant at yahoo.co.uk
Sat Nov 27 10:51:56 GMT 2004


Hi James,

I thought you might like to know that I was seeing extreme traversal attempts from 61.82.85.148 (www.dreamwizardi.com), which is in Korea. Unfortunately the webmaster's address does not appear to resolve, so I am unable to request them to check their box.

Are the 1st and 4th octets a coincidence or a side effect of the worm?

Regards,
Eddie.

James C Slora Jr <Jim.Slora at phra.com> wrote:
I'm blocking messages containing what Symantec detects as Lovgate.R (and
other AV as Lovgate.W) coming from 61.178.78.148, but the arrival does not
match Lovgate.R's documented behavior - it looks much more like later
Lovgate variants. I'm not an expert in Lovgate behavior but it looks like a
new variant is being spammed.

1. The messages sometimes use DNS-published MX servers, and sometimes try to
come through a server with no public MX record but with a cname that would
be a reasonable guess for SMTP services. This is typical of later Lovgate
variants, which look up MX in DNS and also guess servers by prepending
common mail host names to the domain name, but is not typical of Lovgate.R
afaik. Lovgate.R uses its own SMTP engine to send directly to hosts with MX
records in DNS for the target domain.

2. The recipient addresses are a mixture of predefined (common US first name
at domain) and harvested addresses. Afaict previous Lovgate variants harvest
recipient addresses but do not generate them.

3. Sender addresses are spoofed by combining a common list of names with a
harvested domain - typical of newer Lovgate variants, but not typical of
Lovgate.R.

I don't have any captures of the binaries, but can get them.


Some guesses about the explanation:

- New variant of Lovgate has new behaviors but contains a pattern caught by
AV detection of old strains. I consider this most likely, since Lovgate has
a rich history of variation and AV vendors have wildly different lists of
detections for it.

- Someone is spamming Lovgate.R. No stretch of the imagination, but why spam
a months-old variant?

- Someone could be spamming a double infection (maybe Lovgate with a new
file infector), using the old virus as a way to increase detection lag for
their new malware.

- Spammer is infected with Lovgate.R. Their DNS server might have a record
for my mail server based on portscans, even though that server does not have
a public MX record.

- Lovgate.R has always behaved this way and the writeups I consulted are
incomplete or I misunderstood them.

- Someone who gets lots of Joe job spam and saves it all has been infected
with Lovgate.R, and Lovgate.R does in fact guess SMTP server names.


_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
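The three traits James lists (delivery to a guessed, non-MX host name; generated recipient local parts; sender addresses built from a name list) can be turned into a triage rule over inbound SMTP logs. This is an added example, not code from either poster: the MX table, the host-name prefixes, the name list and the log events are all constructed for illustration.

```python
# Constructed: hostnames published as MX for each local domain.
PUBLISHED_MX = {"example.com": {"mx1.example.com"}}
# Prefixes a worm might prepend to a domain to guess an SMTP host (assumption).
GUESSED_PREFIXES = ("mail", "smtp", "mx", "relay")
# Predefined local parts, standing in for the worm's common-first-name list.
COMMON_NAMES = {"john", "mary", "bob", "alice", "dave", "linda"}


def is_guessed_host(target_host: str, domain: str) -> bool:
    """True if target_host is not a published MX but looks like <prefix>.<domain>."""
    if target_host in PUBLISHED_MX.get(domain, set()):
        return False
    return target_host in {f"{p}.{domain}" for p in GUESSED_PREFIXES}


def classify(event: dict) -> list:
    """Return the indicators one delivery shows, in a fixed order."""
    indicators = []
    rcpt_local, rcpt_domain = event["rcpt"].lower().split("@", 1)
    sender_local, _ = event["sender"].lower().split("@", 1)
    if is_guessed_host(event["target_host"].lower(), rcpt_domain):
        indicators.append("guessed-smtp-host")    # trait 1 in the message
    if rcpt_local in COMMON_NAMES:
        indicators.append("generated-recipient")  # trait 2
    if sender_local in COMMON_NAMES:
        indicators.append("name-list-sender")     # trait 3
    return indicators


def suspicious_sources(events: list, min_indicators: int = 2) -> dict:
    """Group deliveries by source IP; keep sources showing >= min_indicators distinct traits."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["src"], set()).update(classify(ev))
    return {ip: sorted(ind) for ip, ind in seen.items() if len(ind) >= min_indicators}


# Constructed sample deliveries (documentation-range IPs, not observed traffic).
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "target_host": "mail.example.com",
     "sender": "john@harvested.example", "rcpt": "mary@example.com"},
    {"src": "198.51.100.7", "target_host": "mx1.example.com",
     "sender": "bob@other.example", "rcpt": "alice@example.com"},
    {"src": "203.0.113.9", "target_host": "mx1.example.com",
     "sender": "newsletter@vendor.example", "rcpt": "ops@example.com"},
]
```

Run on real logs, the name list and MX table would come from your own directory and DNS; a single trait is weak on its own, which is why the grouping requires at least two before a source is flagged.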
