more on the mass mailing

Discussion in 'Computer Security' started by RB, Sep 19, 2003.

  1. RB

    RB Guest

    WOW! Whoever/whatever is really pounding out those MS looking messages. I
    got about 200 yesterday, and that many in just a few hours this morning.
    Today, I noted a few variants of the purported sender, and the subject topic
    lines. It's like the sender figured that after a while, with enough people
    getting those, they would start to put filter rules into place. So,
    changing those parameters would defeat the filter rules.

    What are the mechanics of this thing? What kind of setup does it take to
    reach out to millions of email addresses with repeat messages with munged
    originator addresses on them?

    Also, the creator of this attack is no amateur. Whoever's behind this one
    has the ability to make the message presented appear professional. Matter
    of fact, it is a complex one in that it has options you can choose,
    reinforcing its realistic look.
     
    RB, Sep 19, 2003
    #1

  2. donut

    donut Guest

    Why don't you learn something about viruses before you pop off in a
    newsgroup like this and show everybody just how ignorant you are?
     
    donut, Sep 19, 2003
    #2

  3. André Franke

    It's rather simple:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A&VSect=T

    The worm just scans files on the infected system which may contain
    e-mail addresses, and also your browser's cache (since nearly every web
    document nowadays contains at least one valid address).
    That way it gathers some 200 to 300 addresses on one system.
    Also it propagates through your LAN using network shares and through
    mIRC. And it scans some 150 or so news servers for e-mail addresses (we
    seem to have figured out that it ignores addresses containing the
    string "spam").
    Well now it has some 500 addresses or so to send a copy of itself to.
    Let's just calculate:
    |1System->500Mails->(500x500)25,000Mails->(25,000x500)1,250,000Mails
    Well let's say it only gathers 200 addresses and is only able to
    infect 25% of the addressed systems:
    |1System->200Mails->(50x200)10,000Mails->(2,500x200)50,000Mails
    Previous worms only scanned the address books and/or brought their own
    (static/dynamic) database. If we do assume that only 25% get infected
    that's rather ineffective.
    Address books:
    |1System->10Mails->(2x10)20Mails->(5x10)50Mails
    Static DB of 300 addresses:
    |1System->300Mails->(75x300)22,500Mails->(75x300)22,500Mails
    /
    /
    From that point on the number of hosts spreading the worm is
    decreasing, since the users will notice the infection and remove it,
    while the still uninfected hosts stay protected. No new addresses are
    added to the static DB and no new hosts will be infected.
    That's why the programmers of worms have always used a combination of
    address book scans and a dynamic DB, but it kept being ineffective due
    to the small number of addresses gathered on each infected system.

    regards
    André
     
    André Franke, Sep 21, 2003
    #3
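Added example (not code from the thread or from any of its posters): a small Python model of the wave-by-wave arithmetic André lays out above, putting the harvesting strategies he names side by side. It keeps the thread's simplifications: only the hosts newly infected in the previous wave send in the next one, fractional hosts are truncated, and with a static address list a host that has been hit once (infected and later cleaned) is never a fresh target again, which is what makes the static-pool wave flatten and then die out. The function names, the `waves` parameter and the `compare_strategies` labels are my own; the 25% infection rate is the thread's guess, not a measured figure.

```python
"""Generational model of a mass-mailing worm's spread (added example).

Two address-harvesting strategies from the thread are compared:
  * dynamic pool: every newly infected host contributes the addresses it
    harvests locally, so the reachable population grows each wave;
  * static pool: the worm ships a fixed list, so the reachable population
    never grows and is exhausted once every address has been hit.
Assumptions (the thread's simplifications): only the hosts infected in the
previous wave send in the current wave, fractional hosts are truncated, and
a host that was hit once stays protected afterwards.
"""
from __future__ import annotations


def dynamic_pool(addresses_per_host: int, infection_rate: float, waves: int) -> list[int]:
    """Mails sent in each wave when each infected host harvests its own addresses.

    The seed host sends addresses_per_host copies; a fraction infection_rate
    of the recipients get infected and become the senders of the next wave.
    """
    senders = 1
    mails_per_wave: list[int] = []
    for _ in range(waves):
        mails = senders * addresses_per_host
        mails_per_wave.append(mails)
        senders = int(mails * infection_rate)  # next wave's senders (truncated)
    return mails_per_wave


def static_pool(pool_size: int, infection_rate: float, waves: int) -> list[int]:
    """Mails sent in each wave when the worm carries a fixed address list.

    Every sender mails the whole list, but only addresses not yet hit can
    yield new infections, so once the pool is exhausted the wave stops.
    """
    susceptible = pool_size      # addresses in the list not yet infected
    senders = 1                  # the seed host is outside the list
    mails_per_wave: list[int] = []
    for _ in range(waves):
        mails = senders * pool_size
        mails_per_wave.append(mails)
        if senders == 0:
            continue             # nothing sent, nothing newly infected
        newly_infected = min(int(pool_size * infection_rate), susceptible)
        susceptible -= newly_infected
        senders = newly_infected
    return mails_per_wave


def compare_strategies(infection_rate: float, waves: int) -> dict[str, list[int]]:
    """Side-by-side mail volume per wave for the strategies named in the thread.

    Parameters mirror the thread's figures: 200 to 500 harvested addresses
    per host, about 10 address-book entries, or a static list of 300.
    """
    return {
        "harvest 500/host": dynamic_pool(500, infection_rate, waves),
        "harvest 200/host": dynamic_pool(200, infection_rate, waves),
        "address book 10/host": dynamic_pool(10, infection_rate, waves),
        "static list of 300": static_pool(300, infection_rate, waves),
    }


if __name__ == "__main__":
    for name, volumes in compare_strategies(0.25, 6).items():
        print(f"{name:22s}", " -> ".join(f"{m:,}" for m in volumes))
```

Each harvested-address chain grows by a factor of (addresses per host × infection rate) per wave, so harvesting a few hundred addresses per host is what turns a trickle into a flood, while the static list tops out at one wave's worth of volume and then stops once every listed address has been hit. Recomputing each wave from the previous one, rather than by hand, is the easiest way to sanity-check chains like the ones above.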
