MavEtJu's Distorted View of the World - 2004-02

Strange transparent proxying
Virus scanners
...the day after
Computer viruses via email

Back to index

Strange transparent proxying

Posted on 2004-02-27 18:47:32, modified on 2006-01-09 16:29:21
Tags: Networking

Before you read this, I want to make it clear that I am totally sane. Well, mostly. Regarding networking related issues you can trust my sanity. That's why this strange experience is bothering me.

My computers are connected to the internet via an ADSL modem, which is connected to the Comindico network. The machines I do most of my work on are also connected to the Comindico network. So most of the time the traffic is on the place it should be in a couple of hops:

Hostname                                %Loss  Rcv  Snt  Last Best  Avg  Worst
 1. ???
 2. rns02-kent-syd.comindico.com.au        0%   15   15    22   19   30     94
 3. 203.194.20.193                         0%   15   15    21   19   24     32
 4. ge6-2.1000.cor01-kent-syd.comindico    0%   15   15    20   18   22     28
 5. fe0-0.wsr03-kent-syd.comindico.com.    0%   15   15    18   18   40    204
 6. barnetworks-link.syd.comindico.com.    0%   14   14    22   19   22     29
 7. tim.barnet.com.au                      0%   14   14    22   19   25     47

Sometimes when I'm browsing the internet my HTTP session is captured and answered by an MS IIS server which tells me that the page doesn't exist. This is browser independent, it has happened with Mozilla, in a text based browser and with wget. Destination independent too, it happens to sites attached to the Comindico network, other Australian ones and overseas ones.

This is strange, because as far as I could tell these sites should be running some version of the Apache webserver...

It wasn't until today that I got a name with it: The construction site company. I was trying to update a ticket in our tracking system and suddenly got this ugly orange screen.

Please study the image: It's an IIS 404 screen. It refers to rt2.barnet.com.au, the site I was trying to access. It identifies itself as www.theconstructionsite.com.au. It has a banner on it refering to infomail.

The machine with hostname www.theconstructionsite.com.au (203.39.34.202) is located on the Telstra network. The image with 'infomail' came from the site www.infomail.com.au (203.39.34.203), also located on the Telstra network and owned by the people of thecontructionsite.com.au.

 1. ???
 2. rns02-kent-syd.comindico.com.au        0%   29   29    20   19   35    255
 3. 203.194.20.193                         0%   29   29    34   18   27    101
 4. ge6-2.1000.cor01-kent-syd.comindico    0%   29   29    21   18   24     48
 5. ge5-0-0.bdr01-kent-syd.comindico.co    0%   29   29    20   19   37    132
 6. POS2-1-0.un1.optus.net.au              0%   29   29    22   20   27    115
 7. 203.202.36.9                           0%   29   29    23   20   27     99
 8. gigabitethernet4-3.ken12.Sydney.tel    0%   29   29    22   21   41    241
 9. FastEthernet1-0.chw13.Sydney.telstr    0%   28   29    23   21   33    107
10. constr19.lnk.telstra.net               0%   28   28    28   27   45    130
11. 203.39.34.202                          0%   28   28    34   27   39    164

I checked the DNS cache, it had still more than 800 seconds before the record for rt2.barnet.com.au would expire. I checked the DNS querylog, no strange requests were made before the request for www.infomail.com.au.

I don't run a proxy server, I don't have strange firewall rules. And when I reloaded the page the one I expected shows up again.

This happens about once per week that I'm aware of (I have a lot of HTTP traffic by automatic scripts which try to recover from errors so they would just retry when they get this message).

I know it is nitpicking of me, and that I just should ignore it, but I can't stand it when a network designed to be logical does things which are illogical like this. Specially not when they can be a sign of something else going wrong.

More pictures with information: Mozilla - Media Info Mozilla - Links Info Mozilla - General Page Info

I've contacted my ADSL provider about it (that's not Comindico) and they will be looking into it, but I'm afraid it will be as much mystery for them as it is for me.


Show comment | Share on Facebook | Share on Twitter

Virus scanners

Posted on 2004-02-05 14:04:12, modified on 2006-01-09 16:29:20
Tags: Happiness

If a virus scanner has all virus definitions in its data files, wouldn't the virus scanner pick them up then?


Show comment | Share on Facebook | Share on Twitter

...the day after

Posted on 2004-02-01 19:07:01, modified on 2006-01-09 16:29:21
Tags: Happiness

                sometimes
                        nonsense                        
makes                                   
sense        

b . u . t      n . o . t      t . o . d . a . y
                ...not today


No comments | Share on Facebook | Share on Twitter

Computer viruses via email

Posted on 2004-02-01 09:58:42, modified on 2006-01-09 16:29:21
Tags: Computers, Networking, Email, Viruses

Remember the old rule of the thumb regarding email and viruses? "As long as you don't start the attachment, you are safe."

The computer world has evolved since then... Read on!

History

Up to the release of MS-Word 6, the line between safe and unsafe attachments in your email was simple: if the file was executable (i.e. did it end with .exe, .com or .bat), then it was not safe. Was it is a text file, a document, a spreadsheet, then it was safe to open.

Breaching the line between data and executables

MS-Word 6 introduced a new feature: A scripting language in the word-processor, and it was installed with scripting enabled by default. There were a couple of issues with it:

  • The file with executable code called NORMAL.DOT, which will be executed when Word was started.
  • The introduction of AutoMacros, executable code in the documents which is ran when the document is being opened.
  • The ability of the executable code to update the file NORMAL.DOT.

The thin border between safe and unsafe attachments was breached: documents could suddenly have executable payload.

Concept virus

The first Word virus was the Concept Word Macro virus. It didn't do much besides displaying a dialogbox with a "1" on the screen when an infected document was loaded and infecting other documents with itself. It didn't do any damage further, it was just annoying.

Mixing Word and Outlook

The next feature was the capability of the Word scripting language to interact with the MS Outlook mail reader. Where a Word viruses up to that point was only able to propagate slowly via shared Word documents, it suddenly had access to a faster path: It could send itself via Outlook to everybody in the address book on the infected computer, and with a little bit of luck the recipients would open the Word document and the infection would spread.

Beside the technical capabilities to get this virus spreading, the virus needed to convince the receiver that it was safe to open the attachment. Welcome to the social engineering department. The first step is to make sure the receiver trusts the source. Since the virus gets the receivers' address from the address book of the user whose Word document is infected, that means there is some kind of trust relationship between the sender and receiver, and thus most likely also between the receiver and the sender. The second step is to use a catchy text in the body while referring to the attachment, for example by referring to the document as a shared secret between the sender and receiver.

Melissa virus

The first virus which successfully combined these two issues was the Melissa virus. When a user opens an infected document, the virus is activated and it infects the NORMAL.DOT file so all newly created documents will contain the virus; sends itself in an email with the following text to the first 50 people in the adddress book of the infected user:

Subject: Important Message From username Here is that document you asked for ... don't show anyone else ;-)'

It is hard to resist emails with this text, even if you are made suspicious by the fact that you got five of them already, all from different sources...

Get rid of the users

When displaying emails, most of the modern browsers only show the text and/or the HTML parts of the email. The last line of defense with regard to email based viruses was the fact that users needed to open the attachment before the virus became active.

If you could execute code in the HTML part of a document, you would be able to infect the computer without having to open an attachment.

Fortunately this is not so easy anymore. JavaScript, one of the programming languages which can be embedded in HTML, isn't capable of accessing files on the local disk. Java, a programming language which is often embedded in web based applications, doesn't allow remote applications to access local disks. ActiveX, Microsofts competitor of Java, shouldn't allow remote applications to access local disks, but due to some implementation issues this was sometimes still possible.

So if you were able to make an HTML message with ActiveX components which bypassed the ActiveX security, you would be able to create a file on disk from just viewing the email message.

BubbleBoy virus

The BubbleBoy virus was the first virus which contained ActiveX code which bypassed the security and wrote a file to disk to the startup directory of Windows. That was all the email did. But when the computer was restarted, the file was started and the the virus started to propagate to everybody in the address book of the infected user.

This is not an executable

After these viruses, the users knew they had to keep an eye open for attachments which were executables, and Word and other MS-Office related documents. Luckily, images and audio files (GIFs and MP3s for example) are still safe. So a quick visual inspection of the name of the attachment should tell if it is safe or not.

MS-Outlook, for example, doesn't by default display the full filename. So an attachment with the name test.doc would be displayed as a test with a Word document icon above it. And an attachment with the name test.gif.exe would be displayed as test.gif with an executable icon above it. If the user only checks the filename displayed, he would see the image filename and assume it was safe to open. Of course he would know immediately know he had ran a program instead of having opened an image, but the damage is done.

Badtrans virus

The payload of the Badtrans virus appeared under the filenames of README.TXT.exe and s3msong.MP3.pif. When the extension wasn't shown, the filenames looked innocent. When opening the attachment the executable was run. To soothe the user into thinking that the application hadn't ran, it showed a dialog box saying "File data corrupt: probably due to bad data transmission or bad disk access".

Faster transmission, obscuring the sender and guessing the recipients

By sending infected emails through the mail application on the infected computer, MS-Outlook creates some side effects:

  • The email has the sender-address of the user, so tracking of the infected computer is easy.
  • The email is delivered to the SMTP gateway of the ISP which can scan it for viruses and thus can block it.
  • The SMTP gateway of the ISP might block email which doesn't have an internal sender address.
  • The outgoing mail queue on the SMTP gateway of the ISP will grow and the CPU usage on the virus scanner on the SMTP gateway will rise. If properly monitored, alerts will go out to the ISP.
  • The SMTP gateway of the ISP will get records of undelivered emails and it might alert them.

To overcome these problems, viruses started to be designed with their own SMTP engines. This way the ISP would be circumvented and would it be harder for the sender to find out where the infected emails were coming from.

Because the sender address could be faked now, more social engineering tricks can be performed. For example, email can be faked to come from the MAILER-DAEMON, which is normally computer generated email coming from SMTP gateways informing you that the email sent couldn't be delivered, and often attaching the full original email to the bounced message. Opening the attachment is one of the ways to find out which email wasn't able to be delivered.

To counter these kind of viruses, ISPs started to block all outgoing SMTP sessions except the ones coming from and to their own SMTP gateways.

Frethem virus

The Frethem virus was the first virus with its own SMTP engine on board.

MyDoom virus

The MyDoom virus was one of the first viruses with its own SMTP engine on board and which also sends emails to common names (bill, john, mike etc) of target domains. The faked sender addresses will get the undeliverable messages.

Blocking the virus scanner

The virus scanner on both the SMTP gateway of the ISP and the computer which retrieves the email should be able to open the attachments to check for viruses. But what if the attachment is an encrypted ZIP file and the key to open it is given in the email? Unfortunately, there is no clear method to prevent problems with these kind of email viruses.

Mimail

The Mimail-M virus had an encrypted ZIP archive attached:

For unzip archiver download WinZip: http://download.winzip.com/winzip81.exe Password for archive is "kiss". Attached file: wendy.zip

Relevant links

  • Word Macro Viruses by Bruce P. Burrell - [email protected]: http://www.itd.umich.edu/virusbusters/hist-word-macro-viruses.html
  • Virus information about the Concept Word Macro virus: http://www.sophos.com/virusinfo/analyses/wmconcept.html
  • Virus information about the Melissa Word Macro virus: http://www.sophos.com/virusinfo/analyses/wm97melissfam.html
  • BubbleBoy Virus Changes The Rules: http://www.netlawtools.com/security/bubbleboy.html
  • VBS/BubbleBoy Analysis by Ian Whalley, IBM Research, USA: http://www.virusinfo.bz/VB/VbsBubbleboy.htm
  • W32.Badtrans.gen@mm: http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
  • Self-Propagating Worm Roaming Internet: http://www.esecurityplanet.com/trends/article.php/10751_1367621
  • W32/Frethem-E: http://www.sophos.com/virusinfo/analyses/w32fretheme.html
  • W32/MyDoom-A: http://www.sophos.com/virusinfo/analyses/w32mydooma.html
  • W32/Mimail-M: http://www.sophos.com/virusinfo/analyses/w32mimailm.html

Show 2 comments | Share on Facebook | Share on Twitter