[Dshield] Re: Suejdz & Kleze anyone

James C Slora Jr Jim.Slora at phra.com
Wed Oct 23 22:50:52 GMT 2002


My experiences have differed from yours a bit, Keith. Comments inline.

On Mon, 21 Oct 2002 19:21:23 -0500 Keith Tarrant wrote:
> Most varieties of Klez, which is the most widespread email virus right
> now, randomly pick a sending email address from the email addresses
> found on the newly infected system.  And even looking at the email
> headers doesn't help.  Most varieties of Klez insert fake headers and

In my experience, Klez and Yaha have usually been easy to trace. Both
typically have legitimate "Return-Path" fields in their headers that show
the true sender's address. I've heard that these are sometimes faked, but I
have pretty much only encountered this on double-infected messages (Klez
plus a combo infector/worm with its own SMTP behavior). Bugbear, on the
other hand, has nearly worthless header information except for the IP
addresses.

> bounce the email off an open email relay (so the email is untraceable).

Klez-H just as commonly uses your own mail server to send you mail if you
have a server named mail.domain.com and your address is user at domain.com.
Klez uses several guesses as to your mail server's name, based on your
address, then tries its built-in list of relay servers.

Email bounced off an open relay is not all that untraceable. The open relay
does not generally mask the IP address of the computer that triggered the
relay. If an open relay sent the message to your mail server, then the IP
address of the infected user is the one that sent the message to the open
relay. Klez can't fake the IP address of the infected sender - this IP will
always (IME) appear in the headers somewhere.

Definitely don't trust the "From" field in any infected message without
additional confirmation. All of the most prevalent email worms (Klez, Yaha,
Bugbear) fake this field. This is also a good reason not to automatically
notify infected senders - you'll almost always notify the wrong person.

Klez also can add garbage headers after the legitimate ones, but there has
always been a clear trail to the source in the copies I've had to
investigate.

> By the way, AOL and regular Hotmail accounts can't send Klez.  Klez
> comes with its own software for sending email and contacts regular email
> servers to do this.  So any Klez email from AOL or Hotmail accounts is
> just a result of the fake randomly chosen sending address.

Keith and Tom Liston already made some corrections here.

> So the recommendation is not to bother contacting the alleged sender of
> the email.

I agree, and would extend this to virtually all email worms. Notifications
to an infected sender feed more addresses, subjects, and message bodies to
the worm. My recommendation is to contact the person by phone if you know
them, block their true address at the mail server (if you can) until they
are clean, and notify their ISP if infected messages continue for several
weeks from the same infected computer or network.

> Sometimes the real infected computer can be inferred after you receive a
> few of these emails, because usually different source addresses are
> chosen each time.  I got a Klez email allegedly from my sister-in-law.
> I got a Klez email allegedly from my sister's best friend.  Sure enough,
> my sister's computer was infected.  But how many people have
> Suejdz at ntlworld.com in their read and deleted email, or in their web
> cache?

Bugbear appears more likely than Klez in the Suejdz case. The message could
not be forwarded through Hotmail because the entire message body of Bugbear
is in an iframe. Bugbear combines the domain from one address with the
user from another address, so Suejdz at ntlworld.com is probably a nonexistent
address. In the copies I've investigated, the domain usually matches the
actual sender's domain.

> The standard advice is don't download any unexpected executable files,
> unless you don't mind doing a clean re-install on your system and
> re-creating all of your documents and emails (because it might be worse
> than Klez, you don't know until it does its thing).

> Even if the sender is your brother, confirm with him that he intended to
> send you a file before downloading anything other than a photo.

Good advice. With Klez-H, Yaha, and Bugbear, this advice is no longer
enough. You need to keep your system patched - even the simplistic Windows
Update and Office Update sites provide ample protection. MS02-027 alone is
enough to stop auto-execution of these worms in Outlook or OE. I don't know
about the Hotmail client, but I expect it is protected by the same patches
since it's IE-based.

What does an infected message look like? Any subject, including replies to
mail you sent. Any sender address, real or fake. Any text, including your
own words. Any combination of visible or invisible harmless and infected
attachments.

If your system is fully patched AND you exercise good judgment about running
attachments, you should not (with some exceptions) be able to be infected by
the most common email worms. If your system is not patched, you will
probably not even get a chance to decide whether to execute the attachment -
it executes as soon as you view the message.

> And just because you open an executable and it does what it said it
> would, say showing a slide show, doesn't mean you didn't install a
> trojan or virus.  Many trojans can be bonded to other executables and
> will install simultaneously while the other executable runs.

Great advice. Agree 100%.
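As an added example (not part of the original post or the list archive): a short Python script that applies the tracing rule described above to a constructed message. It reads the Received chain bottom-up to find the first-hop IP behind an open relay, and compares the From address against Return-Path. All hostnames, IDs and addresses are made up (documentation IP ranges and example domains).

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not a real capture): a worm-style message that reached
# mail.example.com through an open relay at relay.example.org.
SAMPLE = """\
Return-Path: <real.user@example.net>
Received: from relay.example.org (relay.example.org [203.0.113.5])
  by mail.example.com (Postfix) with ESMTP id 4F1A2B3C
  for <victim@example.com>; Wed, 23 Oct 2002 10:01:02 -0400
Received: from Xyzzy (unknown [198.51.100.77])
  by relay.example.org with SMTP id 7D8E9F0A;
  Wed, 23 Oct 2002 10:00:58 -0400
From: "A Friend" <friend@example.com>
To: victim@example.com
Subject: Re: the slide show

see attachment
"""

# Bracketed IPv4 literal as MTAs write it in Received lines.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received headers in the order they appear: newest hop first."""
    msg = message_from_string(raw, policy=default)
    return [str(h) for h in msg.get_all("Received", [])]


def hop_ips(raw):
    """One IP per Received line (newest hop first), None if a line has none."""
    return [(m.group(1) if (m := IP_RE.search(h)) else None)
            for h in received_chain(raw)]


def origin_ip(raw):
    """IP from the bottom-most (earliest) Received line: the host that first
    handed the message in, i.e. the infected machine, not the open relay."""
    for ip in reversed(hop_ips(raw)):
        if ip:
            return ip
    return None


def sender_mismatch(raw):
    """(From address, Return-Path address, True if they differ)."""
    msg = message_from_string(raw, policy=default)
    frm = parseaddr(msg.get("From", ""))[1]
    rp = parseaddr(msg.get("Return-Path", ""))[1]
    return frm, rp, frm.lower() != rp.lower()


if __name__ == "__main__":
    print("hops (newest first):", hop_ips(SAMPLE))
    print("first-hop IP:", origin_ip(SAMPLE))
    print("From vs Return-Path:", sender_mismatch(SAMPLE))
```

Note that a forged Received line can be appended by the worm below the real ones, so treat the bottom-most hop as a lead to confirm against the relay's own Received line, not as proof on its own.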
