[Dshield] MyDoom Part 2

MH procana at insight.rr.com
Wed Feb 4 01:58:31 GMT 2004


On Tue, Feb 03, 2004 at 05:00:37PM -0600, Micheal Patterson wrote:
> 
> ----- Original Message ----- 
> From: "MH" <procana at insight.rr.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Cc: <micheal at tsgincorporated.com>
> Sent: Tuesday, February 03, 2004 4:32 PM
> Subject: Re: [Dshield] MyDoom Part 2
> 
> 
> > On Tue, Feb 03, 2004 at 11:53:44AM -0800, John Sage wrote:
> >
> > > I'd say 50% or more of the MyDoom-releated email I'm receiving is now
> > > of the form:
> > >
> > > Date: Tue, 3 Feb 2004 18:02:51 +0100
> > > From: Mail Delivery Subsystem <MAILER-DAEMON at mail6.mc2.net>
> > > To: <alice at finchhaven.com>
> > > Subject: Returned mail: see transcript for details
> > > Auto-Submitted: auto-generated (failure)
> > >
> > > [-- Attachment #1 --]
> > > [-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]
> > >
> > > The original message was received at Tue, 3 Feb 2004 17:49:54 +0100
> > > from mailrelay1.ornis.com [195.101.197.41]
> > >
> > >    ----- The following addresses had permanent fatal errors -----
> > > <andrew at gallimard.fr>
> > >     (reason: 550 RCPT TO:<andrew at gallimard.fr> User unknown)
> > >
> > >    ----- Transcript of session follows -----
> > > ... while talking to [10.180.49.32]:
> > > >>> RCPT To:<andrew at gallimard.fr>
> > > <<< 550 RCPT TO:<andrew at gallimard.fr> User unknown
> > > 550 5.1.1 <andrew at gallimard.fr>... User unknown
> > >
> > > /* snip */
> > > - John
> >
> > Hi John,
> >
> > I added the first names contained in the virus code to
> > the mta's blocked rcpt list.  My mta rejects the mail without ever
> > putting it into queue.  This has really cut down on the amount of
> > this stuff.
> >
> > Hope this helps,
> > Mike
> 
> I thought that this one pulled its names from the user's address book or are
> you just blocking the names based on what's been inbound to you?
> 
> --
> 
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
> 
> Confidentiality Notice:  This e-mail message, including any attachments, is
> for the sole use of the intended recipient(s) and may contain confidential
> and privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message.
> 

Hi Michael,

I believe there are a couple of things at work here.  The first is the traditional
harvested direct send and the second is an email crafted from one of the names hardcoded 
in the virus.  Mydoom will use an address book etc. to harvest addresses and attempt to propagate.  
This is really the easier of the two problems to deal with because most networks 
already have countermeasures to quarantine or delete malware.
Hopefully, the recipient domain's sysadmin is smart enough not to autosend one of 
those "You sent a virus" messages and they just silently discard or quarantine 
the malware email. :)
However, the second problem, this pollution of undeliverables, is caused by prepending one of the names
in the code snippet below and a spoofed domain (which I believe is pulled from the 
address book etc.). Mydoom does spoof some of the bounces but most of what I have 
been seeing are actual bounces.  

Here is the snippet from mydoomA:
000018d0  72 61 6d 73 00 00 00 00  73 61 6e 64 72 61 00 00  |rams....sandra..|
000018e0  6c 69 6e 64 61 00 00 00  6a 75 6c 69 65 00 00 00  |linda...julie...|
000018f0  6a 69 6d 6d 79 00 00 00  6a 65 72 72 79 00 00 00  |jimmy...jerry...|
00001900  68 65 6c 65 6e 00 00 00  64 65 62 62 79 00 00 00  |helen...debby...|
00001910  63 6c 61 75 64 69 61 00  62 72 65 6e 64 61 00 00  |claudia.brenda..|
00001920  61 6e 6e 61 00 00 00 00  61 6c 69 63 65 00 00 00  |anna....alice...|
00001930  62 72 65 6e 74 00 00 00  61 64 61 6d 00 00 00 00  |brent...adam....|
00001940  74 65 64 00 66 72 65 64  00 00 00 00 6a 61 63 6b  |ted.fred....jack|
00001950  00 00 00 00 62 69 6c 6c  00 00 00 00 73 74 61 6e  |....bill....stan|
00001960  00 00 00 00 73 6d 69 74  68 00 00 00 73 74 65 76  |....smith...stev|
00001970  65 00 00 00 6d 61 74 74  00 00 00 00 64 61 76 65  |e...matt....dave|
00001980  00 00 00 00 64 61 6e 00  6a 6f 65 00 6a 61 6e 65  |....dan.joe.jane|
00001990  00 00 00 00 62 6f 62 00  72 6f 62 65 72 74 00 00  |....bob.robert..|
000019a0  70 65 74 65 72 00 00 00  74 6f 6d 00 72 61 79 00  |peter...tom.ray.|
000019b0  6d 61 72 79 00 00 00 00  73 65 72 67 00 00 00 00  |mary....serg....|
000019c0  62 72 69 61 6e 00 00 00  6a 69 6d 00 6d 61 72 69  |brian...jim.mari|
000019d0  61 00 00 00 6c 65 6f 00  6a 6f 73 65 00 00 00 00  |a...leo.jose....|
000019e0  61 6e 64 72 65 77 00 00  73 61 6d 00 67 65 6f 72  |andrew..sam.geor|
000019f0  67 65 00 00 64 61 76 69  64 00 00 00 6b 65 76 69  |ge..david...kevi|
00001a00  6e 00 00 00 6d 69 6b 65  00 00 00 00 6a 61 6d 65  |n...mike....jame|
00001a10  73 00 00 00 6d 69 63 68  61 65 6c 00 61 6c 65 78  |s...michael.alex|
00001a20  00 00 00 00 6a 6f 68 6e  00 00 00 00 61 63 63 6f  |....john....acco|

If you look at your bounces, almost all will have one of the names above as a recipient
and sometimes even the sender.
This is the relevant part of what I have been seeing with this mydoom business. 
I have been able to block almost all of this nonsense just by filtering on the rcpts above.

Hope this helps,
Mike
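
An added example (not part of the original thread) showing the two steps Mike describes: recovering the NUL-terminated name table from the hexdump quoted above and checking whether a sendmail-style bounce's failed recipient carries one of those names as its local part. The bounce text is constructed to mirror the shape John quoted; the `@` form and `example.net` domain are assumptions.

```python
import re

# Excerpt (first four lines) of the MyDoom.A hexdump quoted in the message above.
# The dump starts mid-string, so the first fragment ("rams") is not a whole name.
HEXDUMP_EXCERPT = """\
000018d0  72 61 6d 73 00 00 00 00  73 61 6e 64 72 61 00 00  |rams....sandra..|
000018e0  6c 69 6e 64 61 00 00 00  6a 75 6c 69 65 00 00 00  |linda...julie...|
000018f0  6a 69 6d 6d 79 00 00 00  6a 65 72 72 79 00 00 00  |jimmy...jerry...|
00001900  68 65 6c 65 6e 00 00 00  64 65 62 62 79 00 00 00  |helen...debby...|
"""

# Constructed sendmail-style bounce in the shape John quoted (made-up address).
SAMPLE_BOUNCE = """\
Subject: Returned mail: see transcript for details
   ----- The following addresses had permanent fatal errors -----
<julie@example.net>
    (reason: 550 RCPT TO:<julie@example.net> User unknown)
   ----- Transcript of session follows -----
550 5.1.1 <julie@example.net>... User unknown
"""


def hardcoded_names(dump: str, skip_leading_fragment: bool = True) -> set[str]:
    """Recover the NUL-terminated name table from hexdump text (offset, hex bytes, |ascii|)."""
    raw = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("|", 1)[0].split()[1:]  # drop the offset column
        raw += bytes.fromhex("".join(hex_part))
    names = [n.decode("ascii") for n in raw.split(b"\x00") if n]
    if skip_leading_fragment:
        names = names[1:]  # the dump begins inside a string; its tail is not a name
    return set(names)


def failed_recipients(bounce: str) -> set[str]:
    """Addresses reported as undeliverable in a sendmail DSN, lower-cased."""
    return {m.lower() for m in re.findall(r"<([^<>@\s]+@[^<>\s]+)>", bounce)}


def local_part_hits(bounce: str, names: set[str]) -> set[str]:
    """Failed recipients whose local part is exactly one of the worm's names.
    Exact match keeps 'john' from also flagging 'johnson'; it will still match a
    real john@ mailbox, which is the false-positive cost of filtering on RCPT names."""
    return {a for a in failed_recipients(bounce) if a.split("@", 1)[0] in names}


def is_mydoom_bounce(bounce: str, names: set[str]) -> bool:
    return bool(local_part_hits(bounce, names))
```

Running the full 22-line dump through `hardcoded_names` yields the complete table; the excerpt is used here only to keep the example short.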
