D.F. Manno #1
Re: SWEN Worm Propagation Anomaly?
In article <0001HW.BB97548C000E4D8F09A98AA0@text.giganews.com >,
Steve <nospam@nospam.com> wrote:
> CERT, Symantec and others report that this worm is propagating by mailing
> itself to everyone in the victim's address book. I, and many other
> individuals with multiple email addresses, have observed that only those
> addresses which were used to post to the usenet have been attacked. In
> addition, the same addresses are attacked over and over. If the source of the
> attacks were the victims' address books one would expect that the addresses
> not used on usenet would also be under attack.
>
> What this suggests to me is that the source of the lion's share of the
> current SWEN mailings is not other victims' address books but rather
> continued mailings to the same mailing list harvested from usenet. If that is
> the case, the number of sources should be able to be narrowed down
> considerably.
>
> It also suggests that ISPs are only going to be receiving complaints from the
> handful of their customers who use usenet and are therefore likely to view
> it as a localized problem.
>
> Comments?

Your premise is faulty. I have received the worm at an address that has
never been used to post to Usenet.
--
D.F. Manno
dommanno@netscape.net
Nobody Died When Clinton Lied
D.F. Manno Guest
-
Martin Crisp #2
Re: SWEN Worm Propagation Anomaly?
On Thu, 25 Sep 2003 4:02:52 +1000, Steve wrote
(in message <0001HW.BB97548C000E4D8F09A98AA0@text.giganews.com >):
> CERT, Symantec and others report that this worm is propagating
> by mailing itself to everyone in the victim's address book. I,

i.e. the people who have looked at Swen 'under a microscope' to see
how it propagates.

> and many other individuals with multiple email addresses, have
> observed that only those addresses which were used to post to
> the usenet have been attacked. In addition, the same addresses
> are attacked over and over. If the source of the attacks were
> the victims' address books one would expect that the addresses
> not used on usenet would also be under attack.

But, if it were using usenet addresses, those of us with _many_
usenet email addresses would be seeing Swen addressed to many
addresses. I'm not. I've received a total of 5 copies of Swen, to 2
addresses.
I have used (over the years) about 10 different email addresses in
usenet that still resolve, and still receive spam. I use
_different_ email addresses for private correspondence, different
ones again for email lists (specific to each list).
I am only receiving Swen to addresses I've used on usenet, but only
to 2 of those addresses. One of them, because I didn't intend it to
be publicly released, may also be used in personal address books.
I don't expect to receive Swen at 'personal' addresses for a couple
of reasons:
1) most people who email me privately are on Macs.
2) those who aren't tend not to use MS products for mail
3) most people don't copy addresses from email lists to their
addressbooks
Looks to me as though one or two people who have read/replied to me
using usenet have (for whatever reason) copied the address to their
addressbook.

> What this suggests to me is that the source of the lion's share
> of the current SWEN mailings is not other victims' address books
> but rather continued mailings to the same mailing list harvested
> from usenet. If that is the case, the number of sources should
> be able to be narrowed down considerably.

One of the addresses that has received Swen has only been used in
one group (rec.games.roguelike.nethack). The other has been used in
1 cross-posted thread (4 articles, xposted to 5 groups:
alt.atheism, alt.bible, alt.christnet.philosophy,
alt.christnet.theology, alt.religion.christian). The ones that
aren't receiving it have been used in both, and other, places
_much_ more.

> It also suggests that ISPs are only going to be receiving
> complaints from the handful of their customers who use usenet
> and are therefore likely to view it as a localized problem.
>
> Comments?

I'll go with the opinion of CERT...
Have Fun
Martin
Martin Crisp Guest
-
Bill Rowe #3
Re: SWEN Worm Propagation Anomaly?
In article <0001HW.BB978D5D0016130709E1BAA0@text.giganews.com >,
Steve <nospam@nospam.com> wrote:
> Secondly, this worm has been around for some time. If it were being driven
> primarily by address books, it is hard to explain the order of magnitude
> spike two weeks ago. I think that is more characteristic of a spam type
> mailing list.

Your second point coupled with my experience suggests to me it is not
just driven by Usenet postings. I've been a regular poster to a couple
of newsgroups for years and have never bothered to mangle my email
address until just yesterday. My trouble with the worm did not start
until this past Friday. If simply posting with a clear email address
were sufficient to become a target, then I should have become a target a
couple of weeks ago rather than just last Friday.
However, on the chance you are correct you will notice my email address
for this posting is mangled. And, I won't be exposing any other email
address I have to the Usenet.
Bill Rowe Guest
-
Jerry Kindall #4
Re: SWEN Worm Propagation Anomaly?
In article <dommanno-BCE585.17211924092003@corp-radius.supernews.com>,
D.F. Manno <dommanno@netscape.net> wrote:
> In article <0001HW.BB97548C000E4D8F09A98AA0@text.giganews.com>,
> Steve <nospam@nospam.com> wrote:
>
> > CERT, Symantec and others report that this worm is propagating by mailing
> > itself to everyone in the victim's address book. I, and many other
> > individuals with multiple email addresses, have observed that only those
> > addresses which were used to post to the usenet have been attacked. In
> > addition, the same addresses are attacked over and over. If the source of
> > the attacks were the victims' address books one would expect that the
> > addresses not used on usenet would also be under attack.
> >
> > What this suggests to me is that the source of the lion's share of the
> > current SWEN mailings is not other victims' address books but rather
> > continued mailings to the same mailing list harvested from usenet. If that
> > is the case, the number of sources should be able to be narrowed down
> > considerably.
> >
> > It also suggests that ISPs are only going to be receiving complaints from
> > the handful of their customers who use usenet and are therefore likely to
> > view it as a localized problem.
> >
> > Comments?
>
> Your premise is faulty. I have received the worm at an address that has
> never been used to post to Usenet.

Nevertheless, Swen does harvest addresses from Usenet, hence its name.
The 1300 copies I received were received through an e-mail address that
has never been used for anything BUT posting to Usenet, and when I
switched my posting address, I began receiving copies at that address
within minutes. I have received no copies at all on any of my other
e-mail addresses, some of which have been widely publicized but are not
used on Usenet.
--
Jerry Kindall, Seattle, WA <http://www.jerrykindall.com/>
When replying by e-mail, use plain text ONLY to make sure I read it.
Due to spam and viruses, I filter all mail with HTML or attachments.
Jerry Kindall Guest
-
Jerry Kindall #5
Re: SWEN Worm Propagation Anomaly?
In article
<readnewsNOSPAM-C2D846.20285324092003@news06.west.earthlink.net>, Bill
Rowe <readnewsNOSPAM@earthlink.net.invalid> wrote:
> In article <0001HW.BB978D5D0016130709E1BAA0@text.giganews.com>,
> Steve <nospam@nospam.com> wrote:
>
> > Secondly, this worm has been around for some time. If it were being driven
> > primarily by address books, it is hard to explain the order of magnitude
> > spike two weeks ago. I think that is more characteristic of a spam type
> > mailing list.
>
> Your second point coupled with my experience suggests to me it is not
> just driven by Usenet postings. I've been a regular poster to a couple
> of newsgroups for years and have never bothered to mangle my email
> address until just yesterday. My trouble with the worm did not start
> until this past Friday. If simply posting with a clear email address
> were sufficient to become a target, then I should have become a target a
> couple of weeks ago rather than just last Friday.

Well, no. The worm wasn't active until late last week. I got copies
beginning Thursday.
--
Jerry Kindall, Seattle, WA <http://www.jerrykindall.com/>
When replying by e-mail, use plain text ONLY to make sure I read it.
Due to spam and viruses, I filter all mail with HTML or attachments.
Jerry Kindall Guest
-
Torge Anders #6
Re: SWEN Worm Propagation Anomaly?
Steve <nospam@nospam.com> wrote:
> What this suggests to me is that the source of the lion's share of the
> current SWEN mailings is not other victims' address books but rather
> continued mailings to the same mailing list harvested from usenet.
I agree that the worm apparently does not necessarily just search
through address books - I think it DOES at the same time probably also
scan through usenet postings - which are usually stored on people's
harddisks as well.
The headers of the incoming mails all contain a "return path" which seems
to point to "real people" - unlike the "from" address.
So I would think that this "spam" does not come from a few centralized
spam-mailers, but just about every computer where the worm is executed
and email addresses can be found - in address books or usenet postings
alike...
Torge.
Torge Anders Guest
-
Torge Anders #7
Re: SWEN Worm Propagation Anomaly?
Steve <nospam@nospam.com> wrote:
> That's a good point. I thought about that, especially since Outlook can be
> used for newsreading as well as mail. That particular method wasn't mentioned
> in the CERT advisory and I don't have enough familiarity with Wintel code to
> disassemble the exe and figure it out myself.

At the Symantec site
(http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html) was a
pretty good explanation of the worm - including a list of all the types
of data it searches for emails.

> On the other hand, I am getting the worm at email addresses I haven't used
> for over a year, so it's unlikely that it would be in anyone's usenet article
> cache.

I bet people have things on their computers you would never even dream
of - harddisk space of over 100 gigs - you could probably store usenet
postings back to the year 0 - without problems...

> Whatever it is, I wish someone could figure out an effective way to stop it

I have a feeling it's been going back since maybe yesterday...
Torge.
Torge Anders Guest
-
Lou Forlini #8
Re: SWEN Worm Propagation Anomaly?
In article <240920032329121763%jerrykindall@nospam.invalid> , Jerry
Kindall <jerrykindall@nospam.invalid> wrote:
> Well, no. The worm wasn't active until late last week. I got copies
> beginning Thursday.

Same here. And so far only to the e-mail address I use on Usenet,
in multi-megabyte quantities daily.
Regards,
- Lou Forlini
Software Engineer
System Support Products, Inc.
Lou Forlini Guest
-
D Warcken #9
Re: SWEN Worm Propagation Anomaly?
In article <0001HW.BB9829AF0003E05109A8F0A0@text.giganews.com >, Steve
<nospam@nospam.com> wrote:
> On Thu, 25 Sep 2003 2:57:27 -0400, Torge Anders wrote
> (in message <1g1u356.1erb6f615sjwjkN%torgeandersNOSPAM@gmx.de>):
>
> > Steve <nospam@nospam.com> wrote:
> >
> > > What this suggests to me is that the source of the lion's share of the
> > > current SWEN mailings is not other victims' address books but rather
> > > continued mailings to the same mailing list harvested from usenet.
> >
> > I agree that the worm apparently does not necessarily just search
> > through address books - I think it DOES at the same time probably also
> > scan through usenet postings - which are usually stored on people's
> > harddisks as well.
> >
> > The headers of the incoming mails all contain a "return path" which seems
> > to point to "real people" - unlike the "from" address.
> >
> > So I would think that this "spam" does not come from a few centralized
> > spam-mailers, but just about every computer where the worm is executed
> > and email addresses can be found - in address books or usenet postings
> > alike...
> >
> > Torge.
>
> That's a good point. I thought about that, especially since Outlook can be
> used for newsreading as well as mail. That particular method wasn't mentioned
> in the CERT advisory and I don't have enough familiarity with Wintel code to
> disassemble the exe and figure it out myself.
>
> On the other hand, I am getting the worm at email addresses I haven't used
> for over a year, so it's unlikely that it would be in anyone's usenet article
> cache.
>
> Whatever it is, I wish someone could figure out an effective way to stop it
> :-)
>
> Steve

I did read some posts on another group (a virus group) that suggested
setting a filter to trash any email that was not specifically addressed
to you. I haven't tried it yet (I just read it). Dunno....
D Warcken Guest
-
Blackjack Joe #10
Re: SWEN Worm Propagation Anomaly?
In article <260920032126329334%warcken@netpipe.com>,
D Warcken <warcken@netpipe.com> wrote:
> I did read some posts on another group (a virus group) that suggested
> setting a filter to trash any email that was not specifically addressed
> to you. I haven't tried it yet (I just read it). Dunno....

This only works if you're not on any mailing lists. Most mailing lists
are not specifically addressed to you.
--
Address in header is dead, please use:
netuse2 <at> jkonton <dot> best <dot> vwh <dot> net
Please excuse the munging, but after receiving thousands of emails
with the swen virus due to usenet email harvesting...
Blackjack Joe Guest
-
madiba #11
Re: SWEN Worm Propagation Anomaly?
Lou Forlini <sales@sspi-software.com> wrote:
> In article <240920032329121763%jerrykindall@nospam.invalid>, Jerry
> Kindall <jerrykindall@nospam.invalid> wrote:
>
> > Well, no. The worm wasn't active until late last week. I got copies
> > beginning Thursday.
>
> Same here. And so far only to the e-mail address I use on Usenet,
> in multi-megabyte quantities daily.

Me too, it quickly fills up my Yahoo account to the 6MB limit and I
can't receive normal email. I see a definite connection to usenet, I
posted with my yahoo address to two cancer groups for the first time a
week ago and within days the mail-bombing started.
Yahoo of course doesn't care. In fact they are hoping I'll expand my
mailbox size for a fee..
--
madiba
madiba Guest
-
Torge Anders #12
return-path from original sender? [was: SWEN Worm Propagation Anomaly?]
Steve <nospam@nospam.com> wrote:
> Whatever it is, I wish someone could figure out an effective way to stop it

One thing I tried was sending back mails to the addresses in the
"return-path" section in the header of the spam mails. I wrote about
their possible "swen" infection and a link to the symantec swen site,
which tells you how to get rid of the worm. I believe about 60% of
these mails are coming back - mostly because of "error 5.2.2" which
reads "mailbox full".
Do you have any idea if these "return-path" entries inside the header
information contain the REAL sender address? Or can even this be changed
by the worm?
Torge.
Torge Anders Guest
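An added example, not from the thread, on the Return-Path question above. The receiving mail server writes Return-Path from the SMTP envelope sender (MAIL FROM) exactly as the connecting client supplied it, so a mailer that speaks SMTP itself can put any harvested address there, just as it does in From. What the sender cannot rewrite is the Received: line that your own relay stamps on the message when it arrives, which records the IP that actually connected. The script below walks the Received: headers to that line and separates it from the lines beneath it, which arrived inside the message and are sender-controlled. The relay name mx.example.invalid and the sample message are constructed for the example (not a captured Swen mail); use your own relay's name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical name of the one inbound relay whose Received: stamp we trust.
TRUSTED_MX = "mx.example.invalid"

# Constructed sample, not a captured Swen message. Return-Path and From name
# two different third parties; only the top Received: line was written by our
# own relay, and it records the IP that actually connected to it.
SAMPLE = """\
Return-Path: <victim.one@example.invalid>
Received: from [192.0.2.45] (helo=home-pc) by mx.example.invalid with smtp
\t(envelope-from <victim.one@example.invalid>); Mon, 29 Sep 2003 10:12:41 +0000
Received: from mail.example.invalid by home-pc with esmtp;
\tMon, 29 Sep 2003 10:12:40 +0000
From: "Microsoft Internet Security" <support@example.invalid>
To: me-usenet@example.invalid
Subject: Latest Internet Security Pack
Content-Type: text/plain

(message body)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")

def parse(raw):
    return message_from_string(raw)

def envelope_sender(msg):
    """Where bounces and replies to Return-Path go: the SMTP MAIL FROM exactly
    as the connecting client supplied it. Nobody verified it."""
    return parseaddr(msg.get("Return-Path", ""))[1]

def received_lines(msg):
    """Received: headers, newest (outermost) first, folding whitespace joined."""
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]

def trusted_index(msg, trusted_mx):
    """Position of the Received: line stamped by our own relay, or None."""
    for i, line in enumerate(received_lines(msg)):
        m = BY_HOST.search(line)
        if m and m.group(1).lower() == trusted_mx.lower():
            return i
    return None

def delivering_ip(msg, trusted_mx=TRUSTED_MX):
    """IP of the host that handed the message to our relay, or None.
    Only this stamp is ours; everything below it arrived inside the message."""
    i = trusted_index(msg, trusted_mx)
    if i is None:
        return None
    from_part = received_lines(msg)[i].split(" by ", 1)[0]
    m = IPV4.search(from_part)
    return m.group(1) if m else None

def untrusted_received(msg, trusted_mx=TRUSTED_MX):
    """Received: lines older than our stamp: sender-controlled, possibly forged."""
    lines = received_lines(msg)
    i = trusted_index(msg, trusted_mx)
    return lines if i is None else lines[i + 1:]

if __name__ == "__main__":
    msg = parse(SAMPLE)
    print("Return-Path (unverified):", envelope_sender(msg))
    print("From (unverified):       ", parseaddr(msg.get("From", ""))[1])
    print("Connecting IP at our MX: ", delivering_ip(msg))
    print("Forgeable Received lines:", untrusted_received(msg))
```

The connecting IP is the only thing worth reporting to an ISP; a notice mailed to the Return-Path address reaches whoever the worm chose to name there, which is why so many come back as "mailbox full" from people who are themselves being flooded.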
-
Devi Jankowicz #13
Re: return-path from original sender? [was: SWEN Worm Propagation Anomaly?]
On Mon, 29 Sep 2003 11:54:10 +0100, Steve wrote
(in message <0001HW.BB9D879200335C0E0940F800@text.giganews.com >):
> I think the lesson is that if you post to usenet with an open email address
> you _will_ be attacked and once attacked your only defense is filtering or
> giving up the address.

A real newbie question: where can I find out how to do emails without using
what you've termed an 'open' address. How would using a 'closed?' address
allow me to receive e-mails without receiving the spam?
(My own solution has been to change my address-- troublesome, as you
indicated-- but you seem to be talking about some other method.)
Kind regards,
Devi Jankowicz
Devi Jankowicz Guest
-
Torge Anders #14
Re: return-path from original sender? [was: SWEN Worm Propagation Anomaly?]
Steve <nospam@nospam.com> wrote:
> I have pretty much resigned myself that the only way to solve the problem is
> to change the affected email addresses. A royal pain in the ass and it is
> going to cost real $$ to change business cards, etc.

My biggest problem was the really long time it took for the 150kB mail
attachments to download from my email provider. I've solved that one now
using PopMonitor or MailSiphon to have a look at the mails before I
download them - and delete the ones which are definitely worm-mails. You
can see pretty well which ones they are from the combination of FROM, TO and
size...

> BTW as a test, I set up a dummy email address and used it to post one (that's
> o-n-e) post to one (that's o-n-e) usenet group. In less than 24 hours I
> received the first SWEN and within a day or so I was experiencing the same
> volume as everyone else as well as the usual Viagra crap. Pretty dramatic.

I've done a similar test on two highly frequented groups - and had my
first SWEN mail as little as 15 minutes later... they towered up to
about 10 an hour after about 4 - 5 hours!

> I think the lesson is that if you post to usenet with an open email address
> you _will_ be attacked and once attacked your only defense is filtering or
> giving up the address. BTW, one of my addresses that is under attack was only
> used in posts to alt.test!

I hope this thing won't go on forever - I have a feeling it's going
down already and maybe in 2-3 weeks you only get about 1 once in a while
and can live with it like with all the other ...-enlargement and viagra
mail...
Torge.
--
torge anders - diplombastler/tinkering with a diploma
braunschweig - germany
Torge Anders Guest
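An added example, not code from the thread nor from PopMonitor or MailSiphon, that puts two points raised in this thread into one header-level filter: Torge's triage of worm mail from From, To and size before downloading it, and Blackjack Joe's caveat that a filter which trashes everything not addressed to you also trashes mailing-list traffic. It uses Python's email package, keeps anything addressed to one of your own addresses or carrying list headers (List-Id, List-Post, List-Unsubscribe, Precedence), drops anything with an executable attachment, and treats large mail for somebody else as worm mail. Your addresses, the executable-extension set, the size threshold and the four messages are constructed for the example.

```python
from email import message_from_string
from email.policy import default

# Assumed values: your own addresses, the attachment types treated as worm
# payloads, and a size above which mail that is not for you is presumed to be
# a worm copy (the thread reports roughly 150 kB per copy).
MY_ADDRESSES = {"me@example.invalid", "me-usenet@example.invalid"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
SUSPICIOUS_SIZE = 100 * 1024

def recipients(msg):
    """Every address named in To: and Cc:, lower-cased (groups flattened)."""
    addrs = set()
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            addrs.update(a.addr_spec.lower() for a in hdr.addresses)
    return addrs

def is_list_mail(msg):
    """List traffic is addressed to the list, not to you; RFC 2919/2369
    headers identify it so the 'not addressed to me' rule spares it."""
    if any(h in msg for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return True
    return msg.get("Precedence", "").lower() in ("list", "bulk")

def executable_attachments(msg):
    """File names of attached parts whose extension is in EXECUTABLE_EXT."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXT):
            names.append(name)
    return names

def classify(raw):
    """'worm', 'keep' or 'review', decided from headers and MIME structure."""
    msg = message_from_string(raw, policy=default)
    if executable_attachments(msg):
        return "worm"                    # executable payload: drop it
    if recipients(msg) & MY_ADDRESSES or is_list_mail(msg):
        return "keep"                    # for me, or legitimate list traffic
    if len(raw.encode("utf-8", "replace")) > SUSPICIOUS_SIZE:
        return "worm"                    # worm-sized and not for me
    return "review"                      # Bcc'd/forwarded mail: look first

# Constructed messages for the example.
WORM_MAIL = """\
From: "MS Internet Security Center" <support@example.invalid>
To: other-victim@example.invalid
Subject: Latest Net Critical Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install this patch.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
LIST_MAIL = """\
From: someone@example.invalid
To: mac-net@lists.example.invalid
List-Id: <mac-net.lists.example.invalid>
Subject: [mac-net] Re: SWEN propagation

Discussion text.
"""
PERSONAL_MAIL = """\
From: friend@example.invalid
To: me@example.invalid
Subject: Lunch?

Plain personal mail.
"""
BCC_MAIL = """\
From: colleague@example.invalid
To: somebody-else@example.invalid
Subject: Forwarded note

Small, not addressed to me, no payload: worth a look before deleting.
"""
SAMPLES = {"worm": WORM_MAIL, "list": LIST_MAIL,
           "personal": PERSONAL_MAIL, "bcc": BCC_MAIL}

def triage(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: classify(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:9s} -> {verdict}")
```

Run it against headers fetched with POP3 TOP (no body download) and only the 'review' bucket needs a human; loosen the executable rule if you legitimately receive such attachments from known senders.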
-
Clark Martin #15
Re: return-path from original sender? [was: SWEN Worm Propagation Anomaly?]
In article <0001HW.BB9EC4B90015F12209E17780@text.giganews.com >,
Steve <nospam@nospam.com> wrote:
> On Mon, 29 Sep 2003 12:50:12 -0400, Devi Jankowicz wrote
> (in message <0001HW.BB9E21540008BED2F0101600@news.cache.cable.ntlworld.com>):
>
> > On Mon, 29 Sep 2003 11:54:10 +0100, Steve wrote
> > (in message <0001HW.BB9D879200335C0E0940F800@text.giganews.com>):
> >
> > > I think the lesson is that if you post to usenet with an open email
> > > address you _will_ be attacked and once attacked your only defense is
> > > filtering or giving up the address.
> >
> > A real newbie question: where can I find out how to do emails without
> > using what you've termed an 'open' address. How would using a 'closed?'
> > address allow me to receive e-mails without receiving the spam?
> >
> > (My own solution has been to change my address-- troublesome, as you
> > indicated-- but you seem to be talking about some other method.)
>
> Just change the address in your newsreader to:
>
> Devi Jankowicz <animusNOSPAM@ntlworld.com>
>
> for example. There are many ways to do the same thing. Just look at examples
> from other peoples' posts.

A better choice is to tweak the domain name. The above address will
still result in that e-mail going to your ISP's server (and choking it).
Altering the domain name will cause it to go nowhere if you pick the
right fix. i.e. <animus@ntlworld.NOSPAM.com> or
<animus@ntlworld.MICROSOFT.com> if you care to get back at the source of
the problem.
--
Clark Martin
Redwood City, CA, USA Macintosh / Internet Consulting
"I'm a designated driver on the Information Super Highway"
Clark Martin Guest


