Klez.H spread using faked F-Secure address!

Discussion in 'malware problems & news' started by root, May 11, 2002.

Thread Status:
Not open for further replies.
  1. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    http://www.europe.f-secure.com/news/items/news_2002050200.shtml

    Helsinki, Finland - May 2, 2002

    Several customers have contacted us and reported receiving a virus warning in e-mail from us - and that the warning contained an attachment infected with the Klez virus.

    Of course, F-Secure has not been infected by Klez and has not sent out any viruses. Instead, what is happening is that the Klez virus is sending faked messages which look like they are coming from various anti-virus vendors.

    Klez is a large family of viruses and it is capable of sending several different types of messages. Some examples include:

      From: random-email-address
      Subject: W32.Elkern  removal tools

      W32.Elkern  is a  dangerous virus that can infect
      on Win98/Me/2000/XP.
      F-Secure give you the W32.Elkern  removal tools
      For more information,please visit http://www.F-Secure.com
    ========================================
    This Klez thing is getting downright nasty.
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I got the very same email, except it appeared to be from Sophos Anti-Virus.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And I got that kind of message from an infected user :)
    They are sent out so at random that one asks who the sender was and in whose address book you might be; see constructions like
    name <name@domain.isp1>
    name <infected@domain.isp2>
    to: me
    Although I think the lower one is the infected person to be warned, what if neither "name" nor "infected" is in your address book, nor in any of the received emails anywhere on your system, nor in the caches?
    I'm not opening an extra link to such infected persons by warning them.
    In really serious cases one might warn both ISPs in such a header, who in most cases are very happy with the warning, to be able to take measures and save themselves lots of bandwidth and further infections.

    For me webmail is the weakest point, as the infected emails don't show attachments. On our local systems all email scanners and blockers do their work, but with webmail it is slightly different.

    Just hoping the addresses used are not forwarded to some central database anywhere, with all the results one can think of.
    In a test situation I noticed that the thing, on opening, tries to transport you to a URL where they try to download their update to your computer, and who knows what more... so that can work for other actions as well.
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I'm using M@ildefense, as a beta tester, and I believe it will protect against this and similar viruses. But even with that, in combination with F-Secure, TDS3, and Outpost content filtering, I will be very careful about each and every email I receive.
    I dread the day when malware spreads without user interaction, on a regular basis. I know it's already available.
     
  5. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I am getting undeliverable messages returned to me by mail servers who think I sent the mail because my address is in the "From" field, when anyone who reads the header can see it was not me.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hope that was not me then :)
    I set up autoresponders where possible with specific keys and my user name changed to Mailer Daemon and some undeliverable / permanent fatal error on this account / remove from your spam databases / original email was infected with Klez.
    And my email account changed into bounce@isp for that occasion. Of course such things go to the sender's abuse and/or postmaster addresses and a few more higher up the tree if necessary.
    I can assure you that helps a bunch.
    So the few who are smart enough to dig for my real email address in the full header thank me with lots of gratitude. Others who would just reply with more infections get them back themselves, or angry reactions I don't see either :)
    If your ISP doesn't allow you to make such an extra sending mailbox, you can do the same with MailWasher or Sam Spade.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In addition to this:
    To stop infected spam from the same sender, their cooperation is necessary at least, and if they don't react, that of their ISP.
    As the real sender is not the one who shows up as the sender in our email clients, filtering them out at the email server is really difficult.

    I had a really bad experience of continually receiving spam from the same user, with all kinds of other people's names attached from a newsgroup we were both subscribed to, and several generated names from the internal database. Going "NO MAIL" myself did not work.
    So as for many weeks neither the infected origin nor their ISP reacted (my emails were really nice, polite requests to please help the user disinfect), I did some more investigation with the help of some specialists, as after so many weeks this was the limit!
    Found the user's web sites and other email accounts and warned via those, in their guest books, via Yahoo Groups and Hotmail where the person has subscriptions and email accounts; none was helpful. Also no reaction via the newsgroup.
    I suppose no system infected with Klez can continue uncleaned for so many weeks, so I had the impression of intentional sending!
    Visiting the ISP's web site, I learned they have a whole page about Klez and offered the so-called immunization tool from their website for their users and other internet users in the world.
    Sounds familiar, doesn't it? Yes, the file was downloaded and tested and found to contain the infection itself, instead of any possible help against it.
    So again the ISP was contacted, but they never replied to any of the emails, pleas, warnings.
    My ISP could not do a thing as the person is not their user, and they need the cooperation from that side.
    Found their local police website, whose system was located at the same ISP, so now I had a way in, and I wrote an email explaining the situation and that if their ISP's hosting is as infected as it seems, they would lose their police web sites as well.
    As I have not seen infected emails from that same sender for two days now, it seems to have helped.
    So much trouble because a user is either ignorant or does it intentionally; which one is still not entirely clear...
    And I had to keep testing my own system of course!
    Hope nobody ever has such stubborn infectors as spammers...

    Update:
    The tool on the website now is AVP DOS Lite (Kaspersky) with some additional files for Klez, which might work in some cases if that infection is choosing those files at the time. The included key file works till the end of this year.
    The infected spammer appears to be the owner of that domain himself, hence the lack of reaction to warnings and pleas.
    They are an affiliate of the company possibly responsible for this software tool, offering those tools.
    Found all their IP addresses on the blacklists, so they are not only spamming me (I got the same company name from other victims). And the spammer recently created a new domain to spam his infections from. Of course I warned the hosting provider of his new email server in the meantime.
    This infection spamming is clearly intentional and a criminal case for which penalties are commonly around USD 100,000 or 6 months in jail, so more steps are being taken in that direction of course.

    I wonder if anybody knows how to block such a sender in the OE message rules, as the name appearing as sender is not the real sender, and the OE rules don't read the full header, IPs, or whatever else can be thought of.
    Thanks in advance for ideas.
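
Three posts in this thread turn on the same point: the F-Secure notice (post 1), UNICRON's misdirected bounces (post 5) and the question about OE message rules (post 7). Klez fills the From: line with a harvested address, so the only sender information worth acting on is the Received: chain stamped by mail servers you control. The following is an added example, not code from this thread or from any of the tools mentioned in it. The message, host names, addresses and IP ranges are constructed for the example, and TRUSTED_RELAYS is an assumed list of your own mail relays; replace it with the hosts that actually stamp mail on its way to you.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from typing import Optional

# Constructed sample message (not a real capture). It imitates the Klez
# pattern described in the thread: a From: line that claims an anti-virus
# vendor, a real entry point at a dial-up host, and, at the bottom, a
# Received: line the sending machine forged itself. All hosts and IPs are
# made up; .example domains and documentation IP ranges are used throughout.
SAMPLE_MSG = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id g4B0001 for <victim@example.org>;
\tSat, 11 May 2002 10:01:02 +0000
Received: from Rxmstpwq (dialup-77.isp.example [198.51.100.77])
\tby mx1.example.net with SMTP id g4B0002; Sat, 11 May 2002 10:00:58 +0000
Received: from mail.f-secure.example (mail.f-secure.example [203.0.113.5])
\tby Rxmstpwq with SMTP id 0001; Sat, 11 May 2002 09:59:00 +0000
From: F-Secure Support <support@f-secure.example>
To: victim@example.org
Subject: W32.Elkern removal tools

W32.Elkern is a dangerous virus ...
"""

# Assumed: the relays whose Received: stamps we trust (our own MX and the
# relay in front of it). Everything "below" the last trusted stamp was
# written by the sending machine and can say anything.
TRUSTED_RELAYS = {"mail.example.org", "mx1.example.net"}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def received_lines(raw: str) -> list:
    """Return the Received: headers, unfolded, most recent hop first."""
    msg = email.message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def claimed_sender(raw: str) -> str:
    """The address in From:, which Klez fills with whatever it harvested."""
    return parseaddr(email.message_from_string(raw)["From"])[1]


def naive_origin_ip(raw: str) -> Optional[str]:
    """The IP in the bottom-most Received: stamp. This is the trap: the
    sender controls that line, so here it points at the AV vendor."""
    lines = received_lines(raw)
    if not lines:
        return None
    m = _IP_RE.search(lines[-1])
    return m.group(1) if m else None


def origin_ip(raw: str, trusted=TRUSTED_RELAYS) -> Optional[str]:
    """Walk the chain from our own MX downward and stop at the first stamp
    not written by a trusted relay. The 'from' IP of the last trusted stamp
    is the host that really handed us the message."""
    origin = None
    for line in received_lines(raw):
        by = _BY_RE.search(line)
        if not by or by.group(1).lower() not in trusted:
            break
        ip = _IP_RE.search(line)
        if ip:
            origin = ip.group(1)
    return origin


def should_block(raw: str, blocked_nets, trusted=TRUSTED_RELAYS) -> bool:
    """Filter on the real delivering host, never on the forged From: line."""
    ip = origin_ip(raw, trusted)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in blocked_nets)


if __name__ == "__main__":
    print("From: claims ", claimed_sender(SAMPLE_MSG))   # support@f-secure.example
    print("naive origin ", naive_origin_ip(SAMPLE_MSG))  # 203.0.113.5 (forged)
    print("real origin  ", origin_ip(SAMPLE_MSG))        # 198.51.100.77
    print("block?       ", should_block(SAMPLE_MSG, ["198.51.100.0/24"]))
```

The two origin functions exist to show why "read the bottom Received: line" is not enough: a worm or spammer can append any Received: line it likes before handing the message to your relay, so the walk has to start at your own server and stop as soon as a stamp was written by a host you do not trust. A client-side rule that only sees the From: display name, as the OE rules in the thread do, cannot make this distinction; the check belongs on the mail server, where the full header is available and the connecting IP is known first-hand.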
     