Worm storms

C

Christian Bau

> in comp.lang.c i read:
>
> [re: the swen worm and its bounces]
>> I get about 50 an hour. Apparently Verisign is doing it to us.
>
> only indirectly. the worm doesn't synthesize a (potentially non-existent)
> domain, it uses the domains present in e-mail addresses it finds in msoe's
> local cache, some of which will be invalid yet within .com or .net, so some
> of the messages might have been rejected by some mta's were it not for the
> wildcard.

I found a few messages that told me that a virus sent from _my_ email
address was caught and not delivered. Since I use a Macintosh I am quite
sure that my computer is not infected; since there are emails going it
with my address as the sender I know that the virus uses real, but
forged, email addresses.

That doesn't mean that Verisign's land grab isn't disgusting and must be
stopped. By the way, the guys are already convicted for sending forged
letters to domain owners where they claim a domain name is up for
renewal (which it usually isn't), and if you fill out the forms and send
them back then you just transferred your domain to Verisign which
charges more than your old name registrar.
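The two mechanisms in the quoted exchange above, a worm forging senders from addresses it found on the victim's machine and a registry wildcard that makes every unregistered .com/.net name resolve, can be shown in code. What follows is an added example and not code from anyone in this thread: an MTA-side envelope-sender check that rejects a forged domain which does not exist, and that still rejects it when a registry wildcard answers for it. DNS is replaced by a constructed lookup table; the wildcard address, the zone contents and the function names are assumptions made for the example.

```python
import secrets
from typing import Callable, Optional

# Constructed stand-in for DNS. Names in FAKE_ZONE have real A records;
# anything else under .com/.net gets the registry's wildcard answer (what the
# Verisign change discussed in the thread did); everything else is NXDOMAIN.
WILDCARD_IP = "192.0.2.1"          # constructed value, not the real wildcard address
FAKE_ZONE = {
    "example.com": "203.0.113.9",
    "mail.example.org": "198.51.100.5",
}

class NXDomain(Exception):
    """Raised by the resolver when a name does not exist."""

def fake_resolve(name: str) -> str:
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".com") or name.endswith(".net"):
        return WILDCARD_IP
    raise NXDomain(name)

Resolver = Callable[[str], str]

def naive_domain_exists(domain: str, resolve: Resolver = fake_resolve) -> bool:
    """The check many MTAs ran: does the sender's domain resolve at all?
    Under a registry wildcard every .com/.net name passes this."""
    try:
        resolve(domain)
        return True
    except NXDomain:
        return False

def wildcard_answer(tld: str, resolve: Resolver) -> Optional[str]:
    """Look up a random label that nobody can have registered. If the
    registry answers anyway, that answer is its wildcard and is returned."""
    probe = "nx-" + secrets.token_hex(8) + "." + tld
    try:
        return resolve(probe)
    except NXDomain:
        return None

def domain_exists(domain: str, resolve: Resolver = fake_resolve) -> bool:
    """Wildcard-aware check: a domain whose answer equals the registry's
    wildcard answer is treated as non-existent."""
    try:
        addr = resolve(domain)
    except NXDomain:
        return False
    tld = domain.rsplit(".", 1)[-1]
    return addr != wildcard_answer(tld, resolve)

def accept_mail_from(address: str, resolve: Resolver = fake_resolve) -> bool:
    """MAIL FROM policy: reject envelope senders whose domain could never
    receive a bounce. Forged senders harvested from a victim's address cache
    often fail this, unless a wildcard hides the failure."""
    if address.count("@") != 1:
        return False
    return domain_exists(address.split("@")[1], resolve)
```

In production the probe result should be cached per TLD, since it costs a query on every check, and a domain whose real A record happens to equal the wildcard address is indistinguishable from a non-existent one; for an MTA that is the intended outcome, because mail to such a host cannot be delivered either.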
 
G

Gordon Burditt

> My ISP's idea is that whenever I get a Swen32 email I should complain
> about it at their "abuse" email address, in which case they would then
> find out who sent it (fat chance since the address is forged anyway) and
> then probably do nothing about it because it's just a guy with an
> infected PC.
>
> What they could do quite easily: Find out which ones of _their own
> customers_ are infected. That is quite simple; they only let you access
> the Internet through their servers if you call from the right phone
> number.

Most ISPs let you access the Internet through *ROUTERS*, not servers.
Routers don't do store-and-forward. By the time you get to the end
of the message so you can see that it's 150 KB (vs. 2 MB or whatever),
the destination has already gotten most of the message. Some ISPs
insist that you send mail out through THEIR mail servers; in this
case, the whole message is available for inspection at one time,
and it's much easier to run a virus scanner on it. The mail server
does not necessarily know what account sent the message, however.
> So if one of their customers connects and starts sending 150 KB
> emails,

It is unacceptable to block emails simply because they are of a
particular size like "about 150 KB" (Swen sizes seem to vary quite
a bit). Most worms don't fit that size profile (Swen certainly
isn't the only worm, not even the only one this month) but "more
than 10 KB" probably covers most worms (and most non-worm email),
but you could get most of the worms by blocking emails "with an
attachment". Of course, that's going to cause a riot among customers.

> then some simple programming would direct that customer to a
> webpage telling them their computer is infected the next time they try
> to connect to any webpage.

That only works if the ISP uses their own proxy for all web requests,
and their web proxy is aware of who's logged in where. It could
work "the next time they try to connect to THE ISP's webpage" but
you'd have to gimmick up the ISP's web server.

Also, many people simply do not use the web at all (some on the
grounds that "it's nothing but porn"). And there are great
opportunities for damage from suddenly redirecting a user's web
page to elsewhere: not all web requests are made by humans. Suppose,
for example, the customer was in the middle of updating their system
with Windows Update, and the answer to a query by Windows Update
for patches that needed to be installed suddenly turned into a
complaint/notification about a virus. Windows Update aborting in
the middle of an update can get rather messy (although in the case
I'm thinking of, it was probably a person trying to make a voice
phone call from an extension rather than anyone redirecting the web
page request) and sometimes involves reinstalling from scratch,
THEN getting lots and lots of updates.

It is also amazing how ineffective a *telephone call* from the ISP's
abuse department can be until they use the big hammer and turn off
the account.
> Install that software with every ISP, and
> within a week Swen is gone.

And within a week something else replaces it.
> You would think they would come up with something like that, because it
> is their money too. Actually, it is only their money, it costs me only
> time and nothing else.

Compiling a void main() program on a DS9000 might eliminate the
problem. And the human race also.

Gordon L. Burditt
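The post above argues that a size rule ("about 150 KB") and an attachment rule catch different things, and that only a mail server holding the whole message can apply either. The following added example (not code from any poster) makes that trade-off visible on constructed messages: two worm-like messages of different sizes, a legitimate spreadsheet of the size the worm favours, and a two-word reply. The executable-extension list, the sender and file names, and the sample payloads are assumptions made for the example; they are not taken from any real worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions an MTA policy treats as executable content. Assumed list for
# this example, not a catalogue of any particular worm's attachment names.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs")

def build_message(sender: str, subject: str, body: str, attachments=()) -> bytes:
    """Construct a sample message; attachments are
    (filename, maintype, subtype, payload_bytes) tuples."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, maintype, subtype, payload in attachments:
        msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                           filename=filename)
    return msg.as_bytes()

def size_rule(raw: bytes, low: int = 100_000, high: int = 200_000) -> bool:
    """Block on size alone: the 'about 150 KB' rule from the thread."""
    return low <= len(raw) <= high

def attachment_rule(raw: bytes) -> bool:
    """Block if any attachment looks executable, whatever the message size."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            return True
        if part.get_content_type() in ("application/x-msdownload",
                                       "application/x-msdos-program"):
            return True
    return False

# Constructed samples. Payloads are junk bytes of the sizes that matter;
# base64 inflates them by roughly a third on the wire, so a 110 KB payload
# lands near 150 KB as a message.
SAMPLES = {
    "worm_150k": build_message("forged@example.com", "Update", "Install this.",
                               [("patch.exe", "application", "octet-stream",
                                 b"MZ" + b"\0" * 110_000)]),
    "worm_40k": build_message("forged@example.com", "Screensaver", "Look!",
                              [("fun.scr", "application", "octet-stream",
                                b"MZ" + b"\0" * 30_000)]),
    "bid_xls": build_message("contractor@example.net", "House bid", "Figures attached.",
                             [("bid.xls", "application", "vnd.ms-excel",
                               b"\xd0\xcf\x11\xe0" + b"\0" * 110_000)]),
    "thanks": build_message("friend@example.org", "Re: done", "OK, thanks."),
}

def evaluate(rule, samples=SAMPLES) -> dict:
    """Which samples a rule would block."""
    return {name: rule(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, rule in (("size", size_rule), ("attachment", attachment_rule)):
        print(name, evaluate(rule))
```

The size rule blocks the contractor's spreadsheet and lets the 40 KB worm through; the attachment rule blocks both worms and neither legitimate message. Both rules need the complete message, which is the point made above about routers: an MTA can parse MIME, a packet forwarder cannot.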
 
M

Mark McIntyre

> What they could do quite easily: Find out which ones of _their own
> customers_ are infected. That is quite simple; they only let you access
> the Internet through their servers if you call from the right phone
> number. So if one of their customers connects and starts sending 150 KB
> emails, then some simple programming would direct that customer to a
> webpage telling them their computer is infected the next time they try
> to connect to any webpage. Install that software with every ISP, and
> within a week Swen is gone.

My ISP has done this, and furthermore when you get to the page, it
forces you to patch your box.
 
A

Alfred Einstead

> It is unacceptable to block emails simply because they are of a
> particular size like "about 150 KB" (Swen sizes seem to vary quite
> a bit). Most worms don't fit that size profile

About 95% are, by my logs ... which pretty much dispels that myth.

> It is unacceptable [... above ...]

More appropriately, this should read: it's unacceptable to SEND emails
beyond a certain size. E-mail is intended specifically for personal
communications in short ASCII text, like ordinary letters. You
already have FTP, the WWW and other resources for large transfers
and these are what are (and have always been) meant to be used instead.
Trying to use email as a surrogate FTP or WWW is a major abuse of
resources in and of itself.
 
C

Christian Bau

>> It is unacceptable to block emails simply because they are of a
>> particular size like "about 150 KB" (Swen sizes seem to vary quite
>> a bit). Most worms don't fit that size profile
>
> About 95% are, by my logs ... which pretty much dispels that myth.
>
>> It is unacceptable [... above ...]
>
> More appropriately, this should read: it's unacceptable to SEND emails
> beyond a certain size. E-mail is intended specifically for personal
> communications in short ASCII text, like ordinary letters. You
> already have FTP, the WWW and other resources for large transfers
> and these are what are (and have always been) meant to be used instead.
> Trying to use email as a surrogate FTP or WWW is a major abuse of
> resources in and of itself.

My ISP tries to impose a limit of 1000 messages or 100MB per mailbox;
that seems to imply that they expect 100KB average size. I don't mind
the occasional large message, as long as the sender knows that the
recipient wants to accept the message and knows that it doesn't cause
problems. Of course I do mind 4000 messages of 150KB.

In the case of the Swen worm, that worm is easily identifiable. I know
because I get tons of messages from servers that have identified the
worm and then passed the message on without it; some even encapsulated
it in some way so that if I _wish_ to infect my machine I can do so, so
you _can_ identify them. And any worm or virus can be identified at
least a few days after it starts.

And my ISP _can_ identify all his customers. When I connect to them
through ADSL, they check the phone number that is used, look it up in
the list of phone numbers of paying customers, and if it doesn't match
then they refuse the connection. Everyone connecting directly through
their modem hardware or ADSL hardware is their customer. If they are not
capable of using that information, that is their problem.

And I think it is quite likely that there is a paragraph in their terms
of usage that allows them to cut out customers who are using infected
machines that try to spread worms. Stopping everything over 150KB is
overly simplistic, but stopping everything containing worms is not. And
forcing your customers to do something about infected machines is doing
them a service.

What Gordon Burditt also missed is the fact that sending me thousands of
150KB emails _does_ block legitimate emails out, because my ISP deletes
the oldest mails once my mailbox reaches 100 MB. If I had been on
holiday for a week, all my legitimate email would have been lost.
 
R

Ravi

> Dear C Mavens,
>
> Anyone here getting hosts of spam with nefarious attachments,
> purporting to be from M$ or its lackeys, into your mailbox?
>
> I neglected to spoof my header, and since Hurricane Isabel
> I have gotten well over 10K such messages.

This is odd. I got a special id to get some spam and till
now I have got only 5 mails containing the worm :(

(e-mail address removed)

(please send some)
 
G

Gordon Burditt

>>> It is unacceptable to block emails simply because they are of a
>>> particular size like "about 150 KB" (Swen sizes seem to vary quite
>>> a bit). Most worms don't fit that size profile
>>
>> About 95% are, by my logs ... which pretty much dispels that myth.
>>
>>> It is unacceptable [... above ...]
>>
>> More appropriately, this should read: it's unacceptable to SEND emails
>> beyond a certain size. E-mail is intended specifically for personal
>> communications in short ASCII text, like ordinary letters. You

Intended by *WHOM*? I also think I have written, on occasion but
decades ago, handwritten, the equivalent of 150K bytes and sent it
by postal mail to my parents. And I've certainly seen contracts
longer than that. I'd hate to try and argue that sending of huge
spreadsheets is an abuse of resources to the management of my ISP,
because *they* do it all the time, in ways I consider just begging
for viruses. If one gets a virus, soon they'll all have it.

Two people have typical dialup or DSL accounts. Neither has a
static IP. One wants to send a long, complicated *PRIVATE* business
proposal (text) to the other (the recipient is taking bids from
contractors to build a house - that's personal for the recipient,
although a lot of ISPs will object to the suggestion that you can't
do business via email over the Internet (and I'm not talking about
marketing-SPAM, I'm talking about orders, bids, tech support, etc.
between two people who want to talk to each other)).

Describe how this is done, not using email to transport the whole
thing (but short notes "go get this HERE" are OK - right?). Neither
has a FTP server, and although one ISP has a public FTP server,
it's not private at all. It also leaves open the possibility of
one contractor reading the others' bids before dropping off his.
They may have personal web pages, but not necessarily the ability
(server capabilities or configuration may not allow it), skill (to
set a password), or tools (is there a version of htpasswd for Windows
for the customer, if the server runs Apache?) needed to password-protect
pages.

Now, where can I get an account that includes FTP (including the
ability to set up temporary accounts for others to get or put stuff
there) at a price approximating that of a dialup or DSL account?

Incidentally, where's the "abuse of resources" involved with sending
ONE copy of a document to ONE person as an attachment? Yes, the
attachment probably gets about 25% or so bigger, which may not be
worse than the average person's initial failed attempts to use FTP.
The equation becomes MUCH different if you're mass-mailing it to
hundreds or millions of people, most of whom don't even want whatever
it is.
> My ISP tries to impose a limit of 1000 messages or 100MB per mailbox;
> that seems to imply that they expect 100KB average size. I don't mind

I'm not sure I agree with that conclusion; it's more like they
expect 100KB as the upper end of average size for 95% of their
customers or something like that. I think some stats I ran once
showed that 50% of emails in a large spool directory were under
about 8KB and 50% were above that. That value may have changed a
lot in 5 years, though. A surprising number of messages were under
250 characters plus about 1KB of headers. A fairly large number
of emails I send or receive have a few lines of quoted text followed
by something like "OK, thanks", or "OK, done.".
> the occasional large message, as long as the sender knows that the
> recipient wants to accept the message and knows that it doesn't cause
> problems. Of course I do mind 4000 messages of 150KB.
>
> In the case of the Swen worm, that worm is easily identifiable. I know

The worm is *NOT* easily identifiable on *ROUTERS*, where the entire
message is never in the hand of the sender's ISP at any one time
(at most, a router may have a few packets of the message at a time)
unless it's also the recipient's ISP. Modern worms send directly
to the victim's (ISP's) mail server, not through the local ISP mail
server, if at all possible (because if it goes through two different
ISP mail servers, the chances of its getting blocked are much higher).
> because I get tons of messages from servers that have identified the
> worm and then passed the message on without it; some even encapsulated
> it in some way so that if I _wish_ to infect my machine I can do so, so
> you _can_ identify them. And any worm or virus can be identified at
> least a few days after it starts.
>
> And my ISP _can_ identify all his customers. When I connect to them
> through ADSL, they check the phone number that is used, look it up in
> the list of phone numbers of paying customers, and if it doesn't match
> then they refuse the connection.

You have *DIALUP* DSL? I thought the DSL part was a dedicated line
from one point (customer) to another point (ISP's router) with the
phone number used only for billing. The voice part has the phone number.
> Everyone connecting directly through
> their modem hardware or ADSL hardware is their customer. If they are not
> capable of using that information, that is their problem.

One of the last things an ISP wants to do is to tie all their
services together so that when one of them breaks, everything else
goes down or runs slowly. It's more of a problem with dialup than
static-ip DSL. Who's using a particular IP address can change
quickly (this also applies to cable modems or DSL using DHCP and
dynamic IP addresses). Most mail or web server software has no use
for this information and there's no standard way to get WHICH user
is using this IP, although it's easy to configure "this range of
IP addresses is allowed to relay (where "this range" changes
infrequently)". The last thing an ISP wants is the mail server
pausing a lot because the "who's using this IP" server is down or
unreachable.

If a mail or web server needs this info, it may be several minutes
before that information can be gotten out of possibly
telephone-company-owned terminal servers (yes, sometimes the phone
company, not the ISP, owns the modems you dial up to) to somewhere
it can be used. (The RADIUS protocol has this thing called
accounting-delay-time, which represents the delay between the user
logging in and the accounting record getting sent. Obviously a
known issue. Also, some records get lost when a certain phone
company cycles power on the box or takes it down for maintenance.
Some users are still shown as logged in on boxes taken out of service
years ago since logout records were never generated. Oh, yes, if
the phone company DOES power-cycle the box, we may not be told for
hours, if ever). Would you want to have to wait several minutes
AFTER connecting to do anything?

Oh, yes, there's also this nasty issue of clock synchronization.
A number of bank customers have been nailed wrongly because the
time on the ATM and the time on the camera don't match (for, say,
using the stolen ATM card of a mugging/murder victim). This is
also an issue for nailing customers of ISPs for sending worms, port
scanning, making death threats to the President, mailing SPAM,
sharing music, etc. The recent RIAA lawsuit against some computer
user supposedly sharing music with Kazaa on his Mac (Kazaa doesn't
run on Macs) may be an example of this. For those servers that can
run it (UNIX, Windows, etc.), NTP (Network Time Protocol) is a
solution. However, things like Livingston Portmasters used with
dialup modems can't run it. Some routers can't either. It gets
especially bad when it (whatever it is) can't run NTP but does
generate logs.

(Related example: Your bank presumably has some method of preventing
you and your wife from each withdrawing $500 from your joint account
that has $800 in it on the same day. Can they stop you from doing
it in the same *MILLISECOND*, you in New York and her in San Francisco
(bank offices in New York)? Maybe, but there's this pesky problem
with the speed of light, and a system responding that fast is
expensive. Also, their ATM network tends to go down nationwide if
it needs maintenance, since they don't trust anyone to withdraw
cash without the system up. It's cheaper to risk this happening
occasionally and then charge overlimit fees and hope they can
collect. Similarly, traffic to authenticate who's sending possible
worms may far exceed the traffic from worms.)

If the authentication server(s) go down or are unreachable for 10
minutes (RADIUS lets you have a backup server, but things run slower
if only the backup is up), nobody can log in, but those currently
logged in can still use the Internet. That's bad. If one terminal
server (presumably one of many) goes down, it gives out busy signals
and maybe disconnects a few hundred customers, that's bad, but they
can try to re-dial. If having the authentication server (or RADIUS
accounting server) down causes NOBODY to be able to send mail or
surf the web because they can't identify the customer, that's a
catastrophe. Remember that many ISPs have enough computers that
things like hard drive failures, power supply failures, and CPU fan
failures are fairly common somewhere in their network. For the same
reason, they often use RAID disk setups and multiple servers.
> And I think it is quite likely that there is a paragraph in their terms
> of usage that allows them to cut out customers who are using infected
> machines that try to spread worms. Stopping everything over 150KB is
> overly simplistic, but stopping everything containing worms is not. And

Detecting worms with a *ROUTER* is far from simple. Detecting worms
in general, not just a specific one, on a mail server is also not
that simple, and it's something that antivirus companies spend a
lot of time on.

I know I had better not try to block a complaint to the abuse address
of my ISP containing a copy of a worm allegedly sent from there
(even if the sender fell for the fake sender address). Refusing
abuse complaints, which tend to contain copies of worms or SPAM,
gets your ISP on all sorts of real-time black lists.
> forcing your customers to do something about infected machines is doing
> them a service.

It's funny how they often don't agree with that. I'm not against
forcing customers to disinfect their machines (my comments about
"axe through the phone line and/or power cord" are often considered
a bit harsh) but hijacking a web browser is not a good way to do
it.

Customers are often burned out on worm warnings thanks to some idiot
virus scanners which send a warning about the virus to the purported
sender of the virus, EVEN WHEN THE SCANNER KNOWS THE TYPE OF THE
WORM IS ONE THAT FAKES RETURN ADDRESSES. Therefore, most customers
are pelted with bogus "disinfect your machine" warnings so they
tend to disregard real ones. Hint to virus scanner writers: do
not "clean" the virus from the email. DELETE THE WHOLE DAMN EMAIL!
Warn the sender only if there is a high probability that their
machine is the one infected, which is not the case with modern
worms.
> What Gordon Burditt also missed is the fact that sending me thousands of
> 150KB emails _does_ block legitimate emails out, because my ISP deletes
> the oldest mails once my mailbox reaches 100 MB. If I had been on
> holiday for a week, all my legitimate email would have been lost.

Yes, but the person whose email was wrongly blocked probably has a
stronger lawsuit against the ISP than the person who had all his
legitimate email expired because the ISP let the worms through.
There are also some annoying legal precedents that if you (ISP)
filter by content, you're responsible for the stuff you let through,
but if you let it all through, you're not responsible for any of
it.

Gordon L. Burditt
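The post above lists the things that make "which customer had this IP when the worm was sent" unreliable: RADIUS accounting records that arrive late (Acct-Delay-Time), Stop records that never arrive because the terminal server was power-cycled, and clocks that disagree. The following added example (not code from any poster) shows how an abuse desk would do the lookup while honouring those caveats. The accounting records are constructed in a simplified one-record-per-line form, not the real detail-file layout of any RADIUS server; the user names, addresses, timestamps and the 30-second skew tolerance are assumptions made for the example. Acct-Delay-Time itself is the real RADIUS attribute the post refers to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed accounting records. 'received' is the accounting server's own
# clock when the record arrived; Acct-Delay-Time is how many seconds the NAS
# held the record before sending it. Session A1's Stop arrives 120 s late,
# and session Z9 has a Stop but its Start was lost.
RECORDS = """\
received=2003-09-20T10:00:05 Acct-Status-Type=Start Acct-Session-Id=A1 User-Name=alice Framed-IP-Address=10.1.2.3 Acct-Delay-Time=0
received=2003-09-20T10:10:50 Acct-Status-Type=Start Acct-Session-Id=B7 User-Name=bob Framed-IP-Address=10.1.2.3 Acct-Delay-Time=0
received=2003-09-20T10:12:40 Acct-Status-Type=Stop Acct-Session-Id=A1 User-Name=alice Framed-IP-Address=10.1.2.3 Acct-Delay-Time=120
received=2003-09-20T09:30:00 Acct-Status-Type=Stop Acct-Session-Id=Z9 User-Name=carol Framed-IP-Address=10.1.2.7 Acct-Delay-Time=0
"""

@dataclass
class Session:
    user: str
    ip: str
    session_id: str
    start: Optional[datetime]   # None: Start record never arrived
    stop: Optional[datetime]    # None: still open, or Stop record lost

def parse_records(text: str, honor_delay: bool = True) -> List[Session]:
    """Build sessions from the records, shifting each event back by its
    Acct-Delay-Time so it is placed when it happened, not when it arrived."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        received = datetime.fromisoformat(kv["received"])
        delay = int(kv.get("Acct-Delay-Time", "0")) if honor_delay else 0
        event = received - timedelta(seconds=delay)
        sid = kv["Acct-Session-Id"]
        sess = sessions.get(sid)
        if sess is None:
            sess = Session(kv["User-Name"], kv["Framed-IP-Address"], sid, None, None)
            sessions[sid] = sess
        if kv["Acct-Status-Type"] == "Start":
            sess.start = event
        elif kv["Acct-Status-Type"] == "Stop":
            sess.stop = event
    return list(sessions.values())

def who_held(ip: str, at: datetime, sessions: List[Session],
             skew: timedelta = timedelta(seconds=30)) -> Set[str]:
    """Users who could have held `ip` at `at`. Each session is widened by
    `skew` at both ends so clock disagreement of that size cannot pin the
    wrong customer; more than one name means the answer is ambiguous."""
    hits: Set[str] = set()
    for s in sessions:
        if s.ip != ip:
            continue
        after_start = s.start is None or s.start - skew <= at
        before_stop = s.stop is None or at <= s.stop + skew
        if after_start and before_stop:
            hits.add(s.user)
    return hits

def attribute(ip: str, iso_time: str, honor_delay: bool = True,
              skew_seconds: int = 30, text: str = RECORDS) -> Set[str]:
    """Parse the records and answer for one timestamp."""
    return who_held(ip, datetime.fromisoformat(iso_time),
                    parse_records(text, honor_delay),
                    timedelta(seconds=skew_seconds))

if __name__ == "__main__":
    print("arrival times, no skew:", attribute("10.1.2.3", "2003-09-20T10:11:00", False, 0))
    print("delay corrected, no skew:", attribute("10.1.2.3", "2003-09-20T10:11:00", True, 0))
    print("delay corrected, 30 s skew:", attribute("10.1.2.3", "2003-09-20T10:11:00"))
```

Reading the records by arrival time names both alice and bob for 10:11:00; correcting for the delay leaves only bob, because alice's session had actually ended at 10:10:40. Allowing 30 seconds of clock skew makes 10:11:00 ambiguous again, since it falls within the tolerance of alice's corrected stop, while 10:11:30 is attributable to bob alone. A session known only by its Stop record (carol) is still a candidate for any earlier time, which is the conservative choice when Start records have been lost.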
 
C

Christian Bau

> You have *DIALUP* DSL? I thought the DSL part was a dedicated line
> from one point (customer) to another point (ISP's router) with the
> phone number used only for billing. The voice part has the phone number.

I don't know how they do it, but the idea is that I can use ADSL only
from my home phone. And if you live next door, use ADSL with another
ISP, and we swap computers, then we both won't be able to connect. Yes,
the phone number is used only for billing. But that makes it possible to
identify me.
> If the authentication server(s) go down or are unreachable for 10
> minutes (RADIUS lets you have a backup server, but things run slower
> if only the backup is up), nobody can log in, but those currently
> logged in can still use the Internet. That's bad. If one terminal
> server (presumably one of many) goes down, it gives out busy signals
> and maybe disconnects a few hundred customers, that's bad, but they
> can try to re-dial. If having the authentication server (or RADIUS
> accounting server) down causes NOBODY to be able to send mail or
> surf the web because they can't identify the customer, that's a
> catastrophe. Remember that many ISPs have enough computers that
> things like hard drive failures, power supply failures, and CPU fan
> failures are fairly common somewhere in their network. For the same
> reason, they often use RAID disk setups and multiple servers.

You know, the solution to this problem is simple. It is so incredibly
simple, you won't believe it. If you try to accept only connections from
your paying customers, then as a result only very few non-customers will
try to connect. So if your authentication server is down, instead of
refusing the 99.9% of connection attempts that come from your customers,
you accept connections from everyone while that server is down.
> Detecting worms with a *ROUTER* is far from simple. Detecting worms
> in general, not just a specific one, on a mail server is also not
> that simple, and it's something that antivirus companies spend a
> lot of time on.

It is not "worms in general" that cause the problem. It is specific
ones. And they are quite easy to identify.
> Customers are often burned out on worm warnings thanks to some idiot
> virus scanners which send a warning about the virus to the purported
> sender of the virus, EVEN WHEN THE SCANNER KNOWS THE TYPE OF THE
> WORM IS ONE THAT FAKES RETURN ADDRESSES. Therefore, most customers
> are pelted with bogus "disinfect your machine" warnings so they
> tend to disregard real ones. Hint to virus scanner writers: do
> not "clean" the virus from the email. DELETE THE WHOLE DAMN EMAIL!
> Warn the sender only if there is a high probability that their
> machine is the one infected, which is not the case with modern
> worms.

That is exactly why I said the ISP should identify email coming from
their own customers. As I said, if email is sent from _my_ machine to
_my_ ISP then the information to identify the sending machine is 100
percent there.

Maybe the infrastructure is not there (but it seems to be there, because
some ISPs are doing this already). The worm problem will get worse over
the next years, and some kind of action will have to be taken. Maybe
taking action costs money, but in the end it will be cheaper than buying
more servers.
 
A

Al Bowers

Gordon Burditt wrote:

> Two people have typical dialup or DSL accounts. Neither has a
> static IP. One wants to send a long, complicated *PRIVATE* business
> proposal (text) to the other (the recipient is taking bids from
> contractors to build a house - that's personal for the recipient,
> although a lot of ISPs will object to the suggestion that you can't
> do business via email over the Internet (and I'm not talking about
> marketing-SPAM, I'm talking about orders, bids, tech support, etc.
> between two people who want to talk to each other)).
>
> Describe how this is done, not using email to transport the whole
> thing (but short notes "go get this HERE" are OK - right?). Neither
> has a FTP server, and although one ISP has a public FTP server,
> it's not private at all. It also leaves open the possibility of
> one contractor reading the others' bids before dropping off his.
> They may have personal web pages, but not necessarily the ability
> (server capabilities or configuration may not allow it), skill (to
> set a password), or tools (is there a version of htpasswd for Windows
> for the customer, if the server runs Apache?) needed to password-protect
> pages.
>
> Now, where can I get an account that includes FTP (including the
> ability to set up temporary accounts for others to get or put stuff
> there) at a price approximating that of a dialup or DSL account?

There are free services on the internet that you can use to
get around not having a static ip. Every time you start up
the computer or dial in to the internet the free software will
signal a dns server to update your domain with the possibly new
ip. I have used this technique for internet telephony where I
can easily locate members of my family on the internet.

However, this is not a suggestion that FTP or WWW would
be the appropriate means to send such documents.
 
R

Ravi

> I got surprised one day as it turned out that I had ~200 messages waiting
> for me. The bad thing is that I have a *slow* connection and those messages
> were simply killing my system. I had 100+ of sendmails hanging around and
> waiting forever for the mail to arrive.

On windows I like using mailshield desktop. But on
linux/unix may be magic mail monitor could work. Try it.

You can view mail (header) and then delete them without
downloading them.

But I don't understand one thing. I get only 5-10 mails per
day :(

I don't get about 200 mails like you guys.

(e-mail address removed)

Send some spam! And some worms.
 
C

Christian Bau

> I am getting around 4 mb per day. I may have to change my id.

Use Mozilla Thunderbird. Choose the option not to download anything
above, for example, 130KB.
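Ravi's suggestion of viewing headers and deleting without downloading, and the size threshold in the reply just above, describe the same client-side defence for a slow link: never pull the body of a large message from a stranger. The following added example (not code from any poster) does that over POP3 with LIST, TOP n 0 and DELE, so the 150 KB bodies stay on the server. The 130 KB threshold, the "known correspondent" list, the constructed mailbox and the rule that a large multipart/mixed message from an unknown sender is dropped unseen are all assumptions made for the example; the FakePOP3 class stands in for poplib.POP3 so the code runs offline.

```python
import email
import poplib
from email import policy
from typing import Dict, Set

# Above this size we do not pull the body over a slow link; the figure is the
# thread's suggested 130 KB client threshold, used here as an assumption.
MAX_FETCH = 130 * 1024

def classify(raw_headers: bytes, octets: int, known_senders: Set[str]) -> str:
    """Decide from headers and size alone: 'fetch', 'delete' or 'leave'."""
    msg = email.message_from_bytes(raw_headers, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    if octets <= MAX_FETCH or any(k in sender for k in known_senders):
        return "fetch"
    # Big, from nobody we correspond with, and built to carry attachments:
    # that is the profile the thread is drowning in. Drop it unseen.
    if msg.get_content_type() == "multipart/mixed":
        return "delete"
    return "leave"           # big but plain text from a stranger: decide later

def triage(conn, known_senders: Set[str]) -> Dict[int, str]:
    """Walk the mailbox with LIST and TOP n 0 (headers only); DELE what
    classify() rejects. Works with poplib.POP3 or the fake below."""
    actions: Dict[int, str] = {}
    _, listing, _ = conn.list()
    for entry in listing:
        num_b, octets_b = entry.split()
        num, octets = int(num_b), int(octets_b)
        _, lines, _ = conn.top(num, 0)
        raw = b"\r\n".join(lines) + b"\r\n\r\n"
        action = classify(raw, octets, known_senders)
        if action == "delete":
            conn.dele(num)
        actions[num] = action
    return actions

def triage_mailbox(host: str, user: str, password: str, known_senders: Set[str]):
    """Real use: the same walk against a POP3-over-TLS server."""
    conn = poplib.POP3_SSL(host)
    try:
        conn.user(user)
        conn.pass_(password)
        return triage(conn, known_senders)
    finally:
        conn.quit()

class FakePOP3:
    """Constructed stand-in for the poplib.POP3 methods triage() uses."""
    def __init__(self, mailbox: Dict[int, tuple]):
        self.mailbox = mailbox          # num -> (header bytes, size in octets)
        self.deleted: Set[int] = set()
    def list(self):
        return b"+OK", [f"{n} {size}".encode() for n, (_, size) in self.mailbox.items()], 0
    def top(self, which: int, howmuch: int):
        headers, _ = self.mailbox[which]
        return b"+OK", headers.split(b"\r\n"), len(headers)
    def dele(self, which: int):
        self.deleted.add(which)
        return b"+OK"

# Constructed mailbox: headers only, sizes as the server would report them.
MAILBOX = {
    1: (b"From: friend@example.org\r\nSubject: Re: done\r\nContent-Type: text/plain", 700),
    2: (b"From: Security Update <update@example.com>\r\nSubject: New patch\r\n"
        b"Content-Type: multipart/mixed; boundary=\"b1\"", 153_000),
    3: (b"From: friend@example.org\r\nSubject: House bid\r\n"
        b"Content-Type: multipart/mixed; boundary=\"b2\"", 190_000),
    4: (b"From: stranger@example.net\r\nSubject: Long letter\r\nContent-Type: text/plain", 140_000),
}

def demo() -> Dict[int, str]:
    conn = FakePOP3(MAILBOX)
    actions = triage(conn, {"friend@example.org"})
    assert conn.deleted == {n for n, a in actions.items() if a == "delete"}
    return actions

if __name__ == "__main__":
    print(demo())
```

The decision is made from a few hundred bytes of headers per message, so a 4 MB day costs a few kilobytes of transfer before the bodies worth reading are fetched. The From header is as forgeable as the thread says, so "known sender" only decides whether to download, never whether to trust the content.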
 
R

Richard Heathfield

> I am getting around 4 mb per day. I may have to change my id.

If four millibits of swen-virus per day justifies a change in your id, then
I can only presume that the five hundred MegaBytes I'm receiving justifies
a change in my super-ego.
 
B

BruceS

Richard Heathfield said:
> If four millibits of swen-virus per day justifies a change in your id, then
> I can only presume that the five hundred MegaBytes I'm receiving justifies
> a change in my super-ego.

I look to Richard's posts for enlightenment. Humor is a bonus.
 
