Virus Blog

Something about SPAM

— Posted by zeroq @ 15:04 - 25 Apr, 2008

Today, we were able to identify an infected system validating email addresses before sending out a few SPAM messages. This behaviour is probably nothing new, but I haven't seen it before.

So what the infected machine does is connect to a single mail server, in this case Yahoo Mail, and initiate the email sending process. That means it sends MAIL FROM with a random address followed by 3-7 random recipients (RCPT TO). For each recipient the mail server returns either OK or not. Afterwards the infected host sends a RSET to reset the mail transaction and starts from the beginning.

Thus, traffic looks like this:

  • -> MAIL FROM:<Juana_Blanco@stny.rr.com>
  • -> RCPT TO:<dbrant_07@yahoo.com>
  • <- 250 recipient <dbrant_07@yahoo.com> ok
  • -> RCPT TO:<dbpoet1969@yahoo.com>
  • <- 250 recipient <dbpoet1969@yahoo.com> ok
  • [...]
  • -> RSET
  • <- 250 reset ok
  • -> MAIL FROM:<OdessaHutchins89@catcha.com>
  • [...]
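As an added example (not from the original post), the following Python checks one SMTP session transcript in the "->" / "<-" form shown above and flags the validation pattern: envelopes repeatedly opened with MAIL FROM and then thrown away with RSET instead of DATA. The sample transcript and its addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample session in the same client ("->") / server ("<-")
# shape as the capture above; addresses are made up.
SAMPLE_SESSION = """\
-> MAIL FROM:<sender1@example.net>
-> RCPT TO:<user1@example.com>
<- 250 recipient <user1@example.com> ok
-> RCPT TO:<user2@example.com>
<- 550 no such user
-> RSET
<- 250 reset ok
-> MAIL FROM:<sender2@example.org>
-> RCPT TO:<user3@example.com>
<- 250 recipient <user3@example.com> ok
-> RCPT TO:<user4@example.com>
<- 250 recipient <user4@example.com> ok
-> RSET
<- 250 reset ok
-> MAIL FROM:<sender3@example.org>
-> RCPT TO:<user5@example.com>
<- 250 recipient <user5@example.com> ok
-> DATA
<- 354 go ahead
"""

# Only client lines count; the verb is the first word after "->".
CLIENT_CMD = re.compile(r"^->\s*([A-Z]+)")

def session_stats(transcript):
    """Count SMTP verbs the client sent in one session transcript."""
    counts = Counter()
    for line in transcript.splitlines():
        m = CLIENT_CMD.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts

def envelope_probing(transcript, min_envelopes=3, max_data_ratio=0.5):
    """Flag a session that keeps opening envelopes (MAIL FROM) and resetting
    them (RSET) while rarely or never sending DATA, i.e. the recipient
    validation behaviour described in the post. Thresholds are assumptions.
    Returns (flagged, summary)."""
    c = session_stats(transcript)
    envelopes, data, resets = c["MAIL"], c["DATA"], c["RSET"]
    ratio = data / envelopes if envelopes else 0.0
    flagged = (envelopes >= min_envelopes and ratio <= max_data_ratio
               and resets >= envelopes - data)
    return flagged, {"envelopes": envelopes, "rcpt": c["RCPT"],
                     "rset": resets, "data": data, "data_ratio": ratio}
```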

Amun v0.1.3

— Posted by zeroq @ 12:39 - 12 Apr, 2008

And here comes another one =) This time more bug fixes and fewer new features. Get it here.

Changes in v0.1.3:

  • fixed tftp download packet ACK reply to correct port
  • fixed setting download identifier for tftp downloads
  • fixed properly checking blocked hosts
  • fixed double closing of bindports, http, connback, and ftp downloads
  • added initial stage to tivoli vulnerability
  • added drop privilege function to run as non-root user
  • added extended logging option
  • added new shellemulation class to handle bindport and connectbackshell
  • added new logfile for shellemulator
  • modified submission modules to receive notification if file already exists
  • modified bindport to submit shellcode to shellcode manager 

