From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: Fri Nov 08 2002 - 05:25:25 CST

    Andreas Tirok <Andreas.Tirokbeusen.de> wrote:

    > Ka <kakhidr.net> wrote:
    > > Just received an email with some virus components
    > > from kaspersky-labs.com. .o)
    > >
    > > Possible Exploit.IFrame.FileDownload
    > > and a README.EXE with I-Worm.Bridex
    > >
    > > Here are the headers:
    > >
    > > - ------------------------- BEGIN HEADERS -----------------------------
    > > Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
    > > by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
    > > for <zimvegaa.de>; Thu, 7 Nov 2002 22:51:28 +0100 (CET)
    > > Received: by webserver2.kaspersky-labs.com (Postfix)
    > > id 33AB920047; Fri, 8 Nov 2002 00:22:31 +0300 (MSK)
    > > Delivered-To: list-15webserver2.kaspersky-labs.com
    > > Received: from webserver2.kaspersky-labs.com (unknown [148.235.6.199])
    > looking for +++++++++++++
    >
    > dig -x 148.235.6.199

    Yeah...

    > ; <<>> DiG 8.3 <<>> -x

    <<snip dig output that proves 148.235.6.199 isn't k-l.com>>

    > Isn't webserver2.kaspersky-labs.com

    So, the SMTP envelope FROM: was "forged" and this was not commented
    on by the receiving server... Win32/Braid forges outgoing mail
    addresses so that should not be entirely surprising, and the real
    sending IP is in Mexico and other aspects of the message suggest that
    should not be surprising.

    However, what you missed is that the "last" Received header is:

    > > Received: from webserver2.kaspersky-labs.com (unknown [195.161.113.178])
    > > by mail.vegaa.de (Postfix) with ESMTP id A9F37174019
    > > for <zimvegaa.de>; Thu, 7 Nov 2002 22:51:28 +0100 (CET)

    and I think if you do your dig-ing again against 195.161.113.178
    you'll find that it and webserver2.kaspersky-labs.com are one and
    the same machine (though, IIRC from doing it earlier, there is no
    reverse DNS from 195.161.113.178 to webserver2.kaspersky-labs.com).

    I know folk at Kaspersky Labs are aware something is going on, but I
    am still receiving messages through webserver2.kaspersky-labs.com
    mail that it should not be sending.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
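The checks Nick and Andreas are doing by hand (read each Received hop, compare the name the client announced in HELO against what `dig -x` says about the connecting IP, and trust only the hop your own MX wrote) can be scripted. The following is an added example, not code from the thread or from any of the parties named in it. It parses the Postfix-style `Received:` values quoted above (the third header is cut off on the page, so only the part shown is used), and resolves names through two constructed lookup tables that stand in for `dig -x` and `dig A` so it runs offline; the single forward entry follows Nick's statement that 195.161.113.178 and webserver2.kaspersky-labs.com are the same machine, and is an assumption of this example, not a verified record. The `live_ptr`/`live_a` functions are the drop-in replacements for real DNS.

```python
import re
import socket
from typing import Callable, Dict, List, NamedTuple, Optional

# Received header values as quoted in the thread. Postfix records the client hop
# as "from HELO (rDNS [ip])": HELO is whatever the client claimed, rDNS is the
# receiving server's own PTR lookup ("unknown" = no PTR record), ip is the real
# peer address. Only headers[0], written by mail.vegaa.de, is first-hand data for
# the recipient; everything below it was written by other machines.
RECEIVED_HEADERS = [
    "from webserver2.kaspersky-labs.com (unknown [195.161.113.178]) "
    "by mail.vegaa.de (Postfix) with ESMTP id A9F37174019 "
    "for <zimvegaa.de>; Thu, 7 Nov 2002 22:51:28 +0100 (CET)",
    "by webserver2.kaspersky-labs.com (Postfix) id 33AB920047; "
    "Fri, 8 Nov 2002 00:22:31 +0300 (MSK)",
    # truncated on the page; only the client part is available
    "from webserver2.kaspersky-labs.com (unknown [148.235.6.199])",
]

# Constructed stand-ins for "dig -x" (PTR) and "dig A" so the script runs offline.
# No PTR entries, matching the "unknown" both hops show. The forward entry is an
# assumption taken from Nick's post, not a checked DNS record.
CONSTRUCTED_PTR: Dict[str, str] = {}
CONSTRUCTED_A: Dict[str, List[str]] = {
    "webserver2.kaspersky-labs.com": ["195.161.113.178"],
}


class Hop(NamedTuple):
    helo: Optional[str]  # name the connecting client announced (untrusted)
    rdns: Optional[str]  # PTR result the receiving server recorded
    ip: Optional[str]    # peer address as seen by the receiving server
    by: Optional[str]    # server that wrote this header


class Finding(NamedTuple):
    index: int           # 0 = hop written by the recipient's own MX
    ip: Optional[str]
    helo: Optional[str]
    verdict: str


HOP_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s*(?:by\s+(?P<by>\S+))?"
)


def parse_received(value: str) -> Hop:
    """Extract the client/server fields of a Postfix-style Received value."""
    m = HOP_RE.match(value.strip())
    return Hop(m.group("helo"), m.group("rdns"), m.group("ip"), m.group("by"))


def check_hop(hop: Hop,
              ptr: Callable[[str], Optional[str]],
              a_records: Callable[[str], List[str]]) -> str:
    """Classify one hop the way a reader of 'dig -x' output would."""
    if hop.ip is None:
        return "local"  # no client: the server generated or picked up the mail itself
    # Prefer the PTR the receiving server recorded; re-query if it said "unknown".
    name = hop.rdns if hop.rdns and hop.rdns != "unknown" else ptr(hop.ip)
    if name and name.rstrip(".").lower() == hop.helo.lower():
        return "rdns-match"          # PTR agrees with the announced name
    if hop.ip in a_records(hop.helo):
        return "forward-confirmed"   # no PTR, but the claimed name does point at this IP
    return "forged-helo"             # claimed name does not resolve to the peer address


def audit(headers: List[str],
          ptr: Callable[[str], Optional[str]] = CONSTRUCTED_PTR.get,
          a_records: Callable[[str], List[str]] = lambda n: CONSTRUCTED_A.get(n, [])
          ) -> List[Finding]:
    """Walk the chain top-down (index 0 is the most recent, self-recorded hop)."""
    out = []
    for i, value in enumerate(headers):
        hop = parse_received(value)
        out.append(Finding(i, hop.ip, hop.helo, check_hop(hop, ptr, a_records)))
    return out


def live_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup, equivalent to 'dig -x ip'."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name: str) -> List[str]:
    """Real forward lookup, equivalent to 'dig A name'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for finding in audit(RECEIVED_HEADERS):
        print(finding)
    # With the constructed tables: hop 0 forward-confirmed, hop 1 local, hop 2 forged-helo.
```

Run as-is for the offline result, or call `audit(RECEIVED_HEADERS, ptr=live_ptr, a_records=live_a)` to repeat the lookups against current DNS. The verdicts reproduce the thread's conclusion: the outermost hop really was webserver2.kaspersky-labs.com talking to mail.vegaa.de (the HELO is unverifiable by PTR but forward-confirms), while the innermost hop announced the same name from 148.235.6.199, which does not resolve to it.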