[Dshield] cracking SoBig/SINIT/MyDoom, et alius

jayjwa jayjwa at atr2.ath.cx
Sat Feb 14 07:01:33 GMT 2004

On Fri, 13 Feb 2004, Erik van Straten wrote:

> John, Jayjwa,

> On Thu, 12 Feb 2004 15:16:25 -0800 John Draper wrote:
> >
> > On Feb 11, 2004, at 3:36 PM, jayjwa wrote:
> >
> > > Let's place the blame where it belongs- not at some tele-virus
> > > trans-continental spam-gang spreading viruses, but at home with
> > > Mr. Joe Avg. User. Why? Because Mr. User opens mystery zip-files,
> > > then proceeds to click on the attachment, that is clearly
> > > labeled as an .exe. He runs notoriously vulnerable software from
> > > a company with an awful track record for security.
> >
> > I agree,  this is the main cause.
> >
> > JD
> This is nonsense. Much in our lives depends on trust. Life will be
> unbearable for most if us without it. If you buy vegetables, you
> trust the shop and the farmer that they have not poisoned it. We
> cannot and will not all start running our personal chemical and
> biological labs checking food we buy.
> If someone rings my doorbell, says his car broke down and asks for
> a phonebook, I'll get it. My wife had her leather coat stolen like
> this. It does not mean we will distrust anyone (we'll be a bit more
> careful though).

Well then. It sounds like you've become a victim of your own principles.
How many times would you walk thru a low-hanging door, smack your head,
before you'd start ducking? Once bitten, twice shy comes to mind. Fool me
once, shame on you; fool me twice, shame on me.

> The MyDoom virus could have happened to any operating system user.

We can debate this one another day. Linux doesn't allow users to write all
over the system areas or into an area where something would be
auto-executed. Try as I might, user jayjwa on my linux system can not cp
evil.sh /etc/rc.d/rc.local. Likewise, rm -rf / fails. The only thing I can
do is write into my own /home directory, which has no executable data,
beyond things like shell start scripts, which would, again, only affect my
little piece of the system with only about 4 shell scripts to write to.
Linux viruses are more collector's items =)

> It is not based on bugs in an OS, perhaps just on bugs between the
> ears of the user, but there are a LOT of people with these bugs
> (please define "normal" and "common sense").

What is probable to be expected from an average everyday human being. e.g.:
Sticking one's finger in an open light-socket is not common sense. Moving
out of the street when you see a bus heading toward you is common

> In contrary to what Jayjwa states, most of them were not clearly labeled
> as an exe.

I'm really glad you brought this up. I've really tried hard to contain
myself on this one, but here goes: anyone that gets hit by this virus,
even using Windows, needs to have their Information Highway Driver's
license revoked, permanently. Hint: src, pif, exe, com, all =
executable, and have since early days. I can't see how-

 "This message can not be sent...<snip> partial message is available"

turns into: "Oh, goody. Let's unzip -n- click! Oh, my. What's that in
Notepad? <*drool*>"

> I expect to see a lot more of these social engineering tricks, and
> they will get "smarter". It is a waste of time and resources
> educating users on this, and they will also distrust other mail and
> communications (generating increasing numbers of "false positives").
> These social engineering tricks WILL happen to a Linux or MacOS user
> near you. The morons who are spreading this shit are to blame and
> should be prosecuted. This is not PoC, this is harassment.
> Who's gonna pay the bill?

I too, would like to believe the world is basically a friendly
place, full of new adventures everyday, and wonderful new people, just
waiting to be met. My 28 years on this planet tells me otherwise. It's
just not like that. In the community, or in cyberspace, there are people,
who can and will, defraud, exploit, steal, and lie their way thru all
their endeavours. It hardens one, to some extent yes, but I think that the
majority of us still are able to sift thru it.

> Some of us have become so "secured" that they start exhibiting very
> strange behavior. For example, Jayjwa (who apparently fears telling
> us his real name) has a fixation on source ports. After a strange
> post from him in January I tried to explain to him, OFF-LIST, how
> this IP stuff works. Here it is (I gave up after this 3d attempt):

Erik, if you're attempting to slump to personal attacks, I won't follow
you there. I don't get what you're talking about with 'strange fixation on
source ports' or 'strange posts.' Furthermore, I do not need you, nor
anyone else, to explain to me how this "IP stuff" works. After 13 years,
several HS courses, a college major, and countless hours in front of the
screen, I think I've got a basic understanding. As you state above, you
don't know me. You obviously haven't even done your homework, or you'd
know how to look up someone on the Internet. Many people on this list use
PGP. So do I. A search:
jayjwa at atr2%gpg --search-keys "jayjwa at atr2.ath.cx"
gpg: searching for "jayjwa at atr2.ath.cx" from HKP server subkeys.pgp.net
Keys 1-1 of 1 for "jayjwa at atr2.ath.cx"
(1)	Jason W. Austin <jayjwa at atr2.ath.cx>
	1024 bit DSA key EC55F4D8, created 2003-07-18
Enter number(s), N)ext, or Q)uit > q (Actually, it's B628B851. The above
one died with a harddisk some time ago, for the record.)
Jay W. Austin = jay+J.W.A. = jayjwa, blame my 5th grade Pascal teacher.
It's shorter. No one really cares about last names when, chances are, they
will never be more than a voice behind a post, or a few lines on a
I'm also contactable by several other traditional unix means. I don't like
to stress that, because then surely I'll get at least one joker who'll
abuse them. I've found that the more visible you are, the more spam,
viruses, hack attempts, etc. that you'll attract. It's not fear, it's
being wise and avoiding trouble, before it starts.

> On Mon, 26 Jan 2004 02:20:00 +0100 Erik van Straten wrote:
> > To: "jayjwa" <jayjwa at atr2.ath.cx>
> > Subject: Re: [Dshield] ISP's not blocking egress 25/tcp (was: spoofed address)
> >
> >
> > ----------------------------------------------------------------------
> > NOTE: this is my THIRD attempt to send you this mail. If I send from
> > my MTA, cpo.tn.tudelft.nl, your MTA denies the connection. Thank you:
> >
> >   <jayjwa at atr2.ath.cx>: host atr2.ath.cx[] said: 550 5.0.0
> >
> > I am now relaying via another MTA. If you reply, I will send any reply
> > on your mail via my own MTA. If that fails, I'm sorry. I will not retry
> > any other route. You are not being very kind...
> > ----------------------------------------------------------------------

Yes, sorry. That's a Whitelist. I released two documents on the internet
at that time. Those documents contained the above address, hence a ton of
Win32.Swen started to pour in. If I expect to be mailed by you, you're
whitelisted, it goes thru. If I'm being mailed unexpectedly, 99% of the
time it's a) spam or b) virus. (The other 1% is Oops! Forgot to add you
to the list). Since that time, things have slowed, and I've been able to
remove the whitelist. I still block many known spam-houses, and some ISPs
that routinely don't respond to abuse tickets or seem not to care.
cpo.tn.tudelft.nl	OK	added to access.db.

> > You're mixing up some things. Firstly, blocking egress (outbound) SMTP
> > traffic does NOT imply blocking ingress (inbound) traffic. They are 2
> > different things.

Yes, of course. BUT- either one effectively ends email for guys like me. I
won't use Hotmail unless I'm forced (do you blame me?) and I'm really not
keen on my ISP's MTA handling my mail. Whether you realized it or not,
your idea ends email for people like me, or at the very least, makes it
more complex for no reason. I'm obviously not a spammer, I don't
open-relay, and the amount of mail that goes in and out isn't much at all.
But I choose to handle it myself, both directions, mostly because I enjoy

> >
> > Like good old snail mail (the letters with postmarks on them), email
> > usualy takes different routes. If the mailman brings your letters, he
> > puts them in your mailbox. However, to send mail, you cannot put
> > letters you write in that same mailbox and expect the mailman to take
> > these with him (this process may be still be in use in some countries).
> >
> > Without an ingress 25/tcp block, ANYONE can put mail in your mailbox,
> > and you can do your own filtering, blacklisting etc. This is entirely
> > unrelated to an egress 25/tcp block.
> >
> > With an egress 25/tcp block, your PC (mailserver) can ONLY hand over
> > email to your ISP's mailserver, this is called a smartrelay. They will

Actually, there's several ways around this. But that's another email. =)

> > take care of the delivery. It is comparable to putting your paper mail
> > in the mailbox at the street corner, to have the postal service take
> > care of delivering it. Blocking egress 25/tcp prevents YOU from going
> > to another town and posting a letter there. You are forced to use the
> > mailbox (colored red in most countries) on the streetcorner. This has
> > advantages and some disadvantages, which are discussed on the DShield
> > list.

Why on earth would anyone want to do this with their mail? Maybe you'd
like to see my mail do this, but I wouldn't. That was the point of my
If I'm at point A, and I wish to mail point B, what's the sense in sending
it to point W first, if I'm fully capable of sending it on to B myself?
If I relay thru my ISP:
	1. It becomes obvious that I'm running a mail server, a gray-area
	   in their AUP.
	2. I suddenly become bound to their transport restrictions, i.e.,
	   the content I send. That MyDoom.A source someone requested off me a few
	   lists back that I sent out would have certainly caused an uproar, and
	   most certainly would have bounced back in my face with a stupid "We have
	   detected a virus in your mail. Please run AV software by clicking on the
	   Windows..." note attached. Of course, I can use a non-conventional
	   archiver to send it, but then how do I know that he could open it?
	   Plus, the archives in common between Windows and Linux are smaller still.
	   Handling my own mail completely, I remove both size and content
	   restrictions that may be placed on it.
	3. My mail routing becomes more complex, as all of the mail
	   programs I have here default to using Sendmail, which is what I have now.
	   I'd have to change all those around. It seems pointless to change
	   something that's working well already.

> > numbers are really irrelevant. To communicate you need 2 sockets:
> >
> > a.b.c.d:p <-> w.x.y.z:q  (p and q are ports, a.b.c.d is your IP).
> >
> > To start a communication with a remote PC you need to know 2 things:
> > the IP-address and the protocol you want to talk. The portnumber is

You are aware that I run this Linux server which generally is more
dependable than the ISP that it's connected to, right?

> > NOTE: some admins may run an SMTP server that listens on an unpriv.
> > port. There are various reasons to do that. But this does not imply
> > that the same port is used when the server acts as a client; on the
> > contrary, definitely another port will be used.

I think you are referring to a comment I made about a Windows XP box I
noticed that was _sending_, that is, their _mail server_, from a high,
unpriv. port. This is a characteristic of spammers. Most legit mail
servers sit on port 25, by convention. Yes, I am well aware that a daemon
can sit anywhere, but as you stated, this is generally the way it's done.

> Jayjwa: it's not my intention to make a fool of you. I know that having
> your email address published on mailinglists causes one to be spammed
> (which is one reason I'm not using my regular address but a discardable
> one instead). However I'd appreciate if security specialists stop
> stating that ordinary people -who try to live normal lives- are stupid
> for being tricked into something definitely not obvious.

I guess this comes down to a matter of perspective. I think an attachment,
sent from an unknown source, unasked for, unanticipated, with an odd error
message talking about how a full message couldn't be received, but yet by
the same token it somehow gets zipped up; with an executable inside (just
what DID people expect to pop out of those files, anyway? The pony
express?) is obviously fishy.


Version: 3.12
GCS d- s+: a- C+++ UL++++ P+ L+++ E- W+++ N++ o- K- w---
O-- M-- V-- PS+++ PE Y PGP+ t- 5- X- R* tv-- b++ DI-- D-
G e h+ r% y--
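The attachment pattern argued over in this thread (a fake "message can not be sent" notice carrying a zip that wraps a pif/scr/exe/com file) is easy to flag mechanically at the mail gateway. The following is an added example, not code from the list or from either poster: it walks a message's MIME parts, opens any zip attachment and reports members with an executable extension. The sample message and its zip are constructed inline; the member is plain text, not a real sample.

```python
"""Flag mail attachments of the MyDoom style: a zip archive that wraps a
Windows executable (scr/pif/exe/com), or a bare executable attachment."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows treats as executable; the four named in the post.
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com"}

def _ext(name):
    """Final suffix, lower-cased, so 'readme.txt.exe' yields '.exe'."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def suspicious_members(zip_bytes):
    """Names inside a zip with an executable extension; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []

def inspect_message(raw):
    """Return (attachment, member) pairs worth quarantining."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # body text or multipart container, no attachment
        payload = part.get_payload(decode=True) or b""
        # Check by magic bytes too: a renamed zip still opens in Explorer.
        if _ext(fname) == ".zip" or payload[:2] == b"PK":
            findings += [(fname, m) for m in suspicious_members(payload)]
        elif _ext(fname) in EXECUTABLE_EXTS:
            findings.append((fname, fname))
    return findings

def build_sample():
    """Constructed sample: a bounce-style notice with 'message.txt.scr'
    inside message.zip. The member is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.txt.scr", "harmless text, not a screensaver")
    msg = EmailMessage()
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("This message can not be sent. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

Run `inspect_message(build_sample())` to see the zip and its disguised member reported as a pair; a gateway would reject or quarantine on any non-empty result.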
