Bugtraq mailing list archives

Re: Why are postmasters distributing the MyDoom virus?


From: mgotts () 2roads com
Date: Tue, 10 Feb 2004 17:16:24 -0800

I was looking over the MyDoom email messages that I received todayand 
found
about 15 copies of the worm which came from postmasters in bounce 
messages.
Some postmasters, when sending out a bounce message, include the 
original
email message as an attachment.  If a bounce message is for a
MyDoom-infected message, the bounce message will sometimes includean 
intact
copy of the MyDoom executable which can be run by mistake with a few 
mouse
clicks.

This is sometimes unavoidable.  A lot of MyDoom's go to nonexistent
recipients, and when they are failed with a 5xx failure code, the 
sending
relay (quite reasonably) includes the original message in the bounce.


Not only do a lot of MyDoom's go to nonexistent recipients, they go to 
nonexistent recipients *by design*. These are intentional bounces where 
the worm is putting a simple but typically nonexistent email address in 
the "To:" and putting it's intended target address in the "From:". Then it 
uses the 5xx failures to deliver the worm via the bounce mechanism, so 
that the recipient gets an actual non-delivery report, not a faked one.

It is a subtle distinction, but I don't recall this method of delivery 
being used previously. All those bounces/rejections you see in your 
mail-server logs for "bill () yourdomain com", "jane () yourdomain com", 
"john () yourdomain com", and "sam () yourdomain com", etc. are NOT really 
attempts to deliver the worm to those made-up addresses (though I doubt 
the worm author would mind if the addresses did exist...). They are meant 
to bounce to the *actual* intended recipient, who is listed in the "From:"

I agree that the 5xx failures correctly bounce the complete message. But 
it is that predictable process that is being exploited by the worm author.

-- Mark


Current thread: