Somewhat to my surprise, classical viruses by email are still a thing

December 30, 2014

Normally, my sinkhole spam-capturing SMTP server is set up so that it rejects as much as possible of what I consider boring spam. The other day I decided to run it completely unfiltered for a while, accepting everything no matter how obviously bad it was or whether it was going to an address that had ever existed. Already something interesting to me has turned up in the results.

In statistics drawn from our production mail system, I've previously noticed that viruses in email are way, way down. Much to my surprise, the first day of operating my sinkhole server completely unfiltered got me no less than five classical virus-laden email messages (out of 60 messages received so far). And when I say they're classical, they're really classical:

  • all are Windows executables, one straight as a .pif file and four inside files (the one that I extracted was a .jpg.exe file).

  • all appear to have come directly from end-user machines, not relayed through anyone's mail systems (based partly on DNS PTRs associated with them, network areas, etc). Three out of the four IPs involved are listed in the PBL.

  • all four IPs involved are currently listed in the CBL.

Four of the five arrived in one burst and are all the same zipfile and executable; although they came from three different IPs and had different MAIL FROMs, they only went to two different destination addresses. The one IP address that sent two messages sent them to different addresses (and in different SMTP sessions, although it was one right after the other).

(In an interesting little detail the most recent message was forged as a bounce message from my own system, although it also had a X-Mailer claiming it had been produced by Outlook Express.)

In contrast to a bunch of copies of the same Chinese spam message that have been sent to message-ids here, all of the destination addresses are at least plausible and two out of the three actually existed at one point.

All of this is what I think of as classical old-fashioned virus behavior that I thought had died out some time ago, partly because so many places had made it hard to get such email through when it was sent directly from end-user machines. After all, any anti-spam system that scored highly based on being on the CBL would have rejected these emails even before running them past virus checking. I guess the old ways are not dead after all, especially if I got five messages within 24 hours of opening my sinkhole server up.

At this point I'll admit I haven't checked our main system's stats recently to see if we're seeing more virus emails there than we used to a year or so ago. If we aren't, I'm not entirely sure what might be causing the difference. While the addresses that these viruses are being spammed to are old addresses, our main system has plenty of equally old addresses (and I believe any number of them get regular spam). Oh well, that's an analysis for another day.

Comments on this page:

I would conjecture that the machines sending this malware mail are relics (infected long ago and still operational in the same state of OS and software installed), and that your getting this much signal simply means that non-trivial numbers of such relics remain extant and connected.

By cks at 2014-12-31 17:29:28:

That's possible, but I ran both viruses through some online 'test your sample with many virus engines' places. One was recognized by basically everything, but another one was only recognized by a few engines; to me this suggests that it's relatively recent. It could be that the old relics keep getting re-infected by newer viruses over time because they're still vulnerable.

Interesting. Then even if the machines are relics the malwares aren’t, which was the main point of my conjecture. So someone out there is still creating new worms based on old methods, it’s not just remnants of the past. Hmm.

Actually, the "new viruses" might well not be traditional viruses at all - that is, they might not try to propagate by themselves. Instead, they may well just be malware RATs that will cause the recipient's machine to join a botnet and send out other spam on command.

(Or be ransacked for personal info/credit cards, or used to mine bitcoins in the background)

The RSS feeds' typeset are not quite right, when there are more contents after some unordered list.

Written on 30 December 2014.
« How I have partitioning et al set up for ZFS On Linux
A retrospective on my one Django web application »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Dec 30 00:48:58 2014
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.