A multitude of new viri... at least 3 separate viri... both coming multiple times from various computers. (i.e. apparently significant depth and breadth)
...this is combined with an ever increasing volume of SPAM
... making it hard to tell what the hell is going on 'round here.
here are some points of clarity... or less mud --
1) all (the SPAM and all of the new viri) appear to use some version of email harvesting from webpages and/or compromise the cache of your browser (to find email addresses from the stored webpages.)
2) at least one of these varmints appears to use a new technique... whether intentional, or not, i do not know... but, it appears to harvest email addresses from the same webpage/site and mail to the other people on that page [thus, the spoofing of sid sending me a virus... and me appearing to have sent him one... our email addresses appear on the same webpage]
So... i am collecting and testing some things... including the removal of me as middle man when it comes to SPAM... and maybe viri? ya know... why not let the harvesters harvest the email addresses directly?
also, here is a partial copy of what the 3 new viri look like as they come in:
A) Klez
From: boris
To: sid@membrane.com
Subject: Japanese lass' sexy pictures
X-Apparently-From: TForker874@aol.com

--Ho6p1557K304o0Uma1r5yq1yQF14NQ78
Content-Type: audio/x-wav; name=65_7[1].scr
Content-Transfer-Encoding: base64
Content-ID:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZS BydW4gaW4g
B) the multinational game viri (I've gotten a variety of these with different broken English versions in the subject line):
>From daemon Thu Apr 4 07:03:29 2002
Date: Tue, 2 Apr 2002 18:14:16 -0500 (EST)
From: tvd_documentation
To: boris@lyonesse.membrane.com
Subject: A very excite game
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=JT5l3n1n60F6LI9f9Rp161y0
X-Apparently-From: JENEADGBE@aol.com

--JT5l3n1n60F6LI9f9Rp161y0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

This is a very excite game
This game is my first work.
You're the first player.
I wish you would like it.
--JT5l3n1n60F6LI9f9Rp161y0
Content-Type: application/octet-stream; name=install.exe
Content-Transfer-Encoding: base64
Content-ID:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZS BydW4gaW4g
C) the fake returned mail viri --
>From daemon Fri Apr 5 23:27:28 2002
Received: from rly-ip01.mx.aol.com (rly-ip01.mx.aol.com [205.188.156.49]) by lyonesse.membrane.com (8.9.3/8.9.3) with ESMTP id XAA08421 for; Fri, 5 Apr 2002 23:27:26 -0500
Received: from logs-tq.proxy.aol.com (logs-tq.proxy.aol.com [152.163.201.5]) by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id XAA15346 for ; Fri, 5 Apr 2002 23:26:18 -0500 (EST)
Received: from Shpvdc (AC9FEC4D.ipt.aol.com [172.159.236.77]) by logs-tq.proxy.aol.com (8.10.0/8.10.0) with SMTP id g364CNh91686 for ; Fri, 5 Apr 2002 23:12:25 -0500 (EST)
Date: Fri, 5 Apr 2002 23:12:25 -0500 (EST)
Message-Id: <200204060412.g364CNh91686@logs-tq.proxy.aol.com>
From: postmaster
To: boris@membrane.com
Subject: Undeliverable mail--"congratulations"
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=BJ8l840V9DO7Fm3034B7ym2w42D
Status: R

--BJ8l840V9DO7Fm3034B7ym2w42D
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
The following mail can't be sent to Carlson512@aol.com:
From: boris@membrane.com
To: Carlson512@aol.com
Subject: congratulations
--BJ8l840V9DO7Fm3034B7ym2w42D
Content-Type: application/octet-stream; name=this .bat
Content-Transfer-Encoding: base64
Content-ID:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZS BydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAACYl33g3PYTs9z2E7Pc9hOzp+ofs9j2E7Nf6h2zz /YTszTp GbPm9hOzvukAs9X2E7Pc9hKzq/YTszTpGLPO9hOzZPAVs932E7NSaWNo3PYTswA AAAAAAAAA UEUAAEwBBABcmkI8AAAAAAAAAADgAA8BCwEGAADAAAAAgAgAAAAAAHi AAAAAEAAAANAAAAAA QAAAEAAAABAAAAQAAAAAAAAABAAAAAAAAAAAUAkAABAAAAAAAAA CAAAAAAAQAAAQAAAAABAA ABAAAAAAAAAQAAAAAAAAAAAAAAAY1gAAZAAAAABACQAQAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA ANAAAOQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAA AGq2AAAAEAAAAMAAAAAQ AAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAADqDwAAANAAAAAQAAAA0A AAAAAAAAAAAAAAAAAA QAAAQC5kYXRhAAAA7FMIAADgAAAAQAAAAOAAAAAAAAAAAAAAAAAAA EAAAMAucnNyYwAAABAA
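The three samples above share a few machine-checkable tells: a payload whose base64 begins with TVqQ (the "MZ" header every Windows executable starts with), an executable extension such as .scr or .exe sitting under a harmless-looking Content-Type like audio/x-wav, a From: that disagrees with the address the AOL relay recorded in X-Apparently-From, and a "returned mail" notice that carries a program. The Python below is an added example, not code from the original post; the addresses, boundaries and payload bytes are constructed to mirror the samples, and the X-Apparently-From comparison assumes that header is stamped by the receiving relay, as the captures suggest.

```python
"""Audit raw mail for the tells shared by the Klez-style samples above.
Added example; addresses, boundaries and payload bytes are constructed."""
import base64
import email
from email import policy
from email.utils import parseaddr

# Extensions Windows runs as programs regardless of the declared MIME type.
EXEC_EXTS = (".exe", ".scr", ".bat", ".pif", ".com")
# MIME types under which a program attachment is at least honestly labelled.
HONEST_BINARY_TYPES = ("application/octet-stream", "application/x-msdownload")


def audit_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 822 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Sender spoofing: the relay records the address it really accepted the mail
    # from in X-Apparently-From (assumption), while the mailer forges From:.
    shown = parseaddr(msg.get("From", ""))[1].lower()
    seen = parseaddr(msg.get("X-Apparently-From", ""))[1].lower()
    if shown and seen and shown != seen:
        findings.append(f"spoofed sender: From says {shown}, relay saw {seen}")

    carries_program = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # inline text/html bodies carry no filename
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        # "MZ" (base64 "TVqQ", as in the samples) marks a Windows executable,
        # whatever the attachment is called or declared as.
        if body.startswith(b"MZ"):
            carries_program = True
            findings.append(f"attachment {name!r} is a Windows executable (MZ header)")
        # Klez trick: executable extension under an audio/image Content-Type so
        # an old mail client renders the part and runs it.
        if name.endswith(EXEC_EXTS) and ctype not in HONEST_BINARY_TYPES:
            findings.append(f"attachment {name!r} mislabelled as {ctype}")

    # A genuine bounce quotes the failed message; it never ships a program.
    subject = msg.get("Subject", "").lower()
    if carries_program and (shown.startswith("postmaster@")
                            or subject.startswith("undeliverable")):
        findings.append("fake bounce: delivery-failure notice carrying an executable")
    return findings


def _pe_stub() -> str:
    """Constructed stand-in for the truncated TVqQ... blobs on the page."""
    return base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()


def build_samples() -> dict[str, bytes]:
    """Four constructed messages modelled on samples A, B and C plus a clean one."""
    pe = _pe_stub()
    klez = (
        "From: boris@example.invalid\nTo: sid@example.invalid\n"
        "Subject: Japanese lass' sexy pictures\n"
        "X-Apparently-From: tforker874@aol.invalid\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhi\n"
        '--b1\nContent-Type: audio/x-wav; name="65_7[1].scr"\n'
        f"Content-Transfer-Encoding: base64\n\n{pe}\n--b1--\n"
    )
    game = (
        "From: tvd_documentation@example.invalid\nTo: boris@example.invalid\n"
        "Subject: A very excite game\nX-Apparently-From: jeneadgbe@aol.invalid\n"
        'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b2"\n\n'
        "--b2\nContent-Type: text/html\n\n<p>This game is my first work.</p>\n"
        '--b2\nContent-Type: application/octet-stream; name="install.exe"\n'
        f"Content-Transfer-Encoding: base64\n\n{pe}\n--b2--\n"
    )
    bounce = (
        "From: postmaster@aol.invalid\nTo: boris@example.invalid\n"
        'Subject: Undeliverable mail--"congratulations"\n'
        'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b3"\n\n'
        "--b3\nContent-Type: text/html\n\n<p>The following mail can't be sent</p>\n"
        '--b3\nContent-Type: application/octet-stream; name="this.bat"\n'
        f"Content-Transfer-Encoding: base64\n\n{pe}\n--b3--\n"
    )
    clean = (
        "From: sid@example.invalid\nTo: boris@example.invalid\n"
        "X-Apparently-From: sid@example.invalid\nSubject: lunch?\n"
        "Content-Type: text/plain\n\nsee you at noon\n"
    )
    return {"klez": klez.encode(), "game": game.encode(),
            "bounce": bounce.encode(), "clean": clean.encode()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, audit_message(raw) or ["clean"])
```

The MZ check is the one that matters most: it ignores the filename and the declared type and looks at what the bytes actually are, which is exactly what the samples' audio/x-wav and "returned mail" disguises are designed to get past.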
FOLLOW-UP & SUMMARY
This is the really sloppy brief i'd write if i were sending an analysis and investigation request to, say, CERT, FBI/NIPC or OSU systems people - meaning the decision makers.
+-+-+-+-+-+-+-+-+
A series of email-address capture programs is used to gather legitimate email addresses from major ISPs internationally, e.g. Roadrunner, Yahoo, AOL, Neweb/Dion in Japan, XYZ.my in Malaysia.
Using the legitimate email addresses gathered in this manner, the perps then send spam mail (advertising or other product and service pitches and promotions) in very large quantities and in multiple close-quarters sends - sometimes just minutes apart - to millions of targeted recipients.
Many of the spam sender email addresses possess the same root name sender - the same five or six letters are used in various forms by the spam sender perps.
Many of the spam emails are traced to email addresses with Chinese (PRC) .gov domains.
This draws complaints in record numbers from spam recipients, directed to both ISPs and the U.S. FTC (uce@ftc.gov).
In response, the FTC expands its spam program, employing more assets, people and money in the process.
Also in response, many major US ISPs literally lock out other ISPs' email - e.g., RoadRunner in the US has locked out all email originating from an otherwise legit ISP domain in Japan, Neweb/Dion.ne.jp.
Many of the spams, whether virus-contaminated or not, contain spoofed sender-email addresses.
This scenario, if implicitly correct, could represent an asymmetric, low-intensity east-west infrastructure attack which blends spam, spoofs and viruses intended to cause havoc.
The elements of this scenario would cause serious conflict, based largely on wild goose chases, between and among both nations and among ISPs. They would also cause a potentially mission critical failure in the east-west web communication infrastructure.