
Traffic Analysis on a Mass Mailing Worm and DNS/SMTP

From researchers in Japan, found on the website of Yasuo Musashi: Traffic Analysis on a Mass Mailing Worm and DNS/SMTP [PDF], a presentation by Yasuo Musashi, Kenichi Sugitani, and Ryuichi Matsuba. What they have done is interesting, and so simple it's beautiful. Aside from sending a large number of similar-looking mails that bypass the local SMTP relay, hosts infected with a mass-mailing worm also generate a large number of DNS requests for the MX records of their targets. They don't do this under normal operation, where they relay mail through a local SMTP server for which they only need an A record, so you can easily measure MX query volume per host and detect a mass-mailer infected system. Using the technique and principles described in this presentation (before I found it, I might add), I built a small prototype in Python using libpcap and was able to reliably detect mass-mailer infected hosts within a few minutes. A simple solution that doesn't require much heavy analysis. Unfortunately, I am unable to share the code with the general public at this time.

June 7, 2005 in detection, mass mailers, papers | Permalink

Comments

A trend I've been seeing in the Mytob family is that they do not query the MX address for the target. They append possible SMTP server names to the domain suffix, such as smtp, mx, gate, etc. Like in the Mytob variant http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EDX&VSect=T

Posted by: vinicius | Jun 7, 2005 3:50:53 PM
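The two DNS signals discussed on this page (the presentation's per-host MX query volume, and the commenter's observation that Mytob instead issues A queries for guessed mail-host names such as smtp, mx and gate under many domains) can be checked with the same small detector. The code below is an added example, not the author's unpublished libpcap prototype: it parses raw DNS query payloads (the UDP/53 data a pcap-based tool would hand it), keeps a sliding window of events per source address, and flags hosts that exceed either threshold. The thresholds, the prefix list and the sample traffic are all constructed assumptions for illustration.

```python
import struct
from collections import defaultdict

QTYPE_A, QTYPE_MX = 1, 15
# Guessed mail-host prefixes, taken from the comment above (assumed list)
GUESSED_MAIL_PREFIXES = {"smtp", "mx", "mail", "gate", "relay"}


def encode_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question); used only for constructed test data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(payload: bytes):
    """Return (qname, qtype) for the first question of a DNS query, or None if not a query."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set (a response), or no question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: never valid in the question of a query
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def registered_domain(qname: str) -> str:
    # Crude approximation (last two labels); fine for counting distinct targets here
    parts = qname.lower().split(".")
    return ".".join(parts[-2:])


class MassMailerDetector:
    def __init__(self, window_s=60, mx_threshold=20, guess_threshold=10):
        self.window_s = window_s
        self.mx_threshold = mx_threshold        # MX queries per window (assumed value)
        self.guess_threshold = guess_threshold  # distinct domains with guessed hosts (assumed)
        self.events = defaultdict(list)         # src -> [(timestamp, kind, domain)]

    def observe(self, ts: float, src: str, payload: bytes) -> None:
        parsed = parse_query(payload)
        if parsed is None:
            return
        qname, qtype = parsed
        if qtype == QTYPE_MX:
            self.events[src].append((ts, "mx", registered_domain(qname)))
        elif qtype == QTYPE_A and qname.lower().split(".")[0] in GUESSED_MAIL_PREFIXES:
            self.events[src].append((ts, "guess", registered_domain(qname)))

    def suspicious(self, now: float) -> dict:
        """Map of source address -> list of reasons, for hosts over either threshold."""
        alerts = {}
        for src, evs in self.events.items():
            recent = [e for e in evs if now - e[0] <= self.window_s]
            mx_count = sum(1 for e in recent if e[1] == "mx")
            guess_domains = {e[2] for e in recent if e[1] == "guess"}
            reasons = []
            if mx_count >= self.mx_threshold:
                reasons.append(f"{mx_count} MX queries in {self.window_s}s")
            if len(guess_domains) >= self.guess_threshold:
                reasons.append(f"A queries for guessed mail hosts in {len(guess_domains)} domains")
            if reasons:
                alerts[src] = reasons
        return alerts


def demo() -> dict:
    """Run the detector over constructed sample traffic (not captured data)."""
    det = MassMailerDetector(window_s=60, mx_threshold=20, guess_threshold=10)
    # 10.0.0.5: a normal client resolving its local relay once (one A query)
    det.observe(0.0, "10.0.0.5", encode_query("smtp.example.org", QTYPE_A))
    # 10.0.0.7: MX lookups for 25 different target domains within 30 seconds
    for i in range(25):
        det.observe(i * 1.2, "10.0.0.7", encode_query(f"target{i}.example", QTYPE_MX))
    # 10.0.0.9: Mytob-style A lookups for guessed mail hosts under 12 domains
    for i in range(12):
        for prefix in ("smtp", "mx", "gate"):
            det.observe(5.0 + i, "10.0.0.9", encode_query(f"{prefix}.victim{i}.example", QTYPE_A))
    return det.suspicious(now=60.0)


if __name__ == "__main__":
    for host, reasons in demo().items():
        print(host, "->", "; ".join(reasons))
```

In a real deployment `observe` would be fed from a pcap filter on UDP port 53 with the packet timestamp and source IP; the window and thresholds should be tuned against a baseline of the site's legitimate resolvers and mail servers, which are the expected sources of bulk MX lookups and should be excluded.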

Hello!
The Mytob worm does not send MX record based DNS query packets to the DNS server, surely. Only A record based DNS query packets are transmitted, and I noticed this in the early days of January. Recently, I have found how to detect it and prevent it. I wrote and submitted three papers that describe the Mytob worm or Mytob related worms/viruses. Fortunately, these papers have been accepted and will soon be published.

http://www.apnoms.org/2005/
http://www.elfa.sk/ICETA-2005/en/index.html
http://www.ipsj.or.jp/sig/dsm/y2005/sig2-prog.html

Posted by: Yasuo Musashi | Jul 4, 2005 12:02:24 PM
