
Are you the Klez monster?

  • From: alerts@xxxxxxxxxxx
  • To: cybercrime-alerts@xxxxxxxxxxxxx
  • Date: Fri, 17 May 2002 17:47:36 -0400

Are you the Klez monster?
By Robert Lemos
Staff Writer, CNET News.com
May 17, 2002, 1:05 PM PT
http://news.com.com/2100-1001-916945.html

It may only be a matter of time before you're accused of spreading the Klez 
virus.
A month after it started spreading, the Klez.h worm isn't slowing down, said 
antivirus experts on Friday. Moreover, the worm's technique of forging the 
address of the sender on each infected e-mail message is creating a flood of 
warnings from gateway antivirus software informing the wrong people that they 
are infected.

"A lot of traffic is being multiplied by the response mechanisms and refusal 
mechanisms," said Fred Cohen, security practitioner in residence at the 
University of New Haven.

In many cases, antivirus software protecting a company's e-mail gateways is 
sending out a response to each infected e-mail inadvertently sent out by a 
victim--but that warning is going to the wrong person. "So, in effect, you're 
getting twice the fun you would normally get," Cohen said.

Apart from magnifying the amount of spam produced by the virus, the incorrect 
identification of those who are infected is also responsible for hindering 
efforts to fight the spread of the worm, said Cohen.

Faked addresses
The Klez.h variant, which appeared in mid-April, infects PCs whose users open 
the attachment to an infected e-mail. Confusing matters, the e-mail will have a 
random "from" address, selected from various sources on the original victim's 
hard drive. And it pairs this bogus sender's address with one of more than 120 
different subject lines.

When a user opens the attachment, the virus starts up its own e-mail engine and 
mass mails itself to e-mail addresses found in various files on the PC, using a 
source address culled from those addresses. Klez.h can also send out a random 
file from the PC as an attachment, along with the e-mail that carries the worm, 
potentially passing confidential information.

In some instances, the worm also drops one of several other viruses, including 
the destructive CIH, and tries to remove any active antivirus software from the 
system.

Overall, the Klez.h variant has been extremely successful.

"The spread has been really steady," said John Harrington, director of U.S. 
marketing for e-mail service provider MessageLabs. "We've seen 20,000 again 
today (Friday), and there's no indication that this is dying down."

While the worm has not spread as quickly as, say, the LoveLetter virus, of which 
MessageLabs received one copy for every 23 legitimate e-mails during the virus' 
peak in May 2000, it does make up one out of nearly every 170 e-mails, 
Harrington said.

In fact, the steady spread, rather than a firestorm of e-mails, may actually be 
part of the reason for the worm's success, said Harrington. The Klez.h variant 
did manage to top the charts of computer viruses in April.

"It kind of cruises below the radar screen," Harrington said. "Everyone had 
heard of LoveLetter. But if you go into a computer shop and ask people if 
they've heard of Klez, they'll shake their heads."

Hard to track
The Klez variant's ability to spoof the source of infected e-mail makes it 
nearly impossible to track down the infected users who sent the virus.

"The whole spoofing thing adds a dimension to it that is a little different," 
said Vincent Gullotto, vice president of Network Associates' antivirus 
emergency response team. "It's definitely possible that the false addresses are 
slowing response."

Network Associates still receives more than 50 reports a day of the worm from 
customers, and some corporate clients are seeing more than 20,000 messages 
carrying the virus at their e-mail gateways.

The response to Klez--that uninfected users are being told they sent a 
virus--shows the holes in the system, added Gullotto.

In addition, some out-of-the-office auto-reply mechanisms may be going haywire 
when the worm sends a message whose forged sender address and chosen recipient 
both belong to people who are away, so each auto-reply provokes another.

"I am sure there are some auto-reply wars that have been going on," Gullotto 
said. "There has been a lot of mail that is going around that is caused by 
this."

Until system administrators disable antivirus notification on the e-mail 
gateway servers, the confusion will only continue.
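The gateway behaviour the article describes, as an added example that is not 
part of the CNET article or of any vendor's product: a small Python model of a 
mail gateway's decision logic. The naive path trusts the From: header of an 
infected message and warns whoever it names, which is exactly how a bystander 
gets told they are spreading Klez. The hardened path treats From: as 
attacker-controlled, quarantines the message so no out-of-office rule ever 
fires on it, notifies only the local postmaster, and keeps the connecting IP 
from the Received: line the gateway itself stamped, the one origin clue the 
worm did not choose. The executable-attachment check stands in for a real virus 
scanner; all addresses, hostnames, IPs and both sample messages are constructed.

```python
# Added example: gateway decision logic for worm mail with a forged From:
# header. Scanner, addresses, hosts and messages are all stand-ins.
import email
import re
from email import policy
from email.message import EmailMessage

EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".bat", ".com")
LOCAL_POSTMASTER = "postmaster@example.org"  # assumed local admin mailbox

# Constructed infected message. From: names a bystander harvested from the
# real victim's disk; only the top Received: line (written by our own MX,
# mx.example.org) records the host that actually connected.
SAMPLE_INFECTED = """\
Received: from friends-pc (dsl-7.isp.example [203.0.113.7])
\tby mx.example.org with SMTP id 1; Fri, 17 May 2002 17:47:36 -0400
From: innocent.bystander@example.com
To: someone@example.org
Subject: a document for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

please see the attachment
--b1
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"

MZ...
--b1--
"""

# Constructed clean message for comparison.
SAMPLE_CLEAN = """\
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby mx.example.org with SMTP id 2; Fri, 17 May 2002 18:00:00 -0400
From: colleague@example.com
To: someone@example.org
Subject: lunch

noon?
"""

def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)

def looks_infected(msg: EmailMessage) -> bool:
    """Stand-in for the gateway's virus scanner: flag any executable
    attachment. A real scanner matches signatures; the decisions below
    are the point."""
    return any((part.get_filename() or "").lower().endswith(EXEC_SUFFIXES)
               for part in msg.iter_attachments())

def connecting_ip(msg: EmailMessage):
    """IP in the topmost Received: line, the one our MX added on arrival.
    Every other header, lower Received: lines included, came from the
    sender and can be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return m.group(1) if m else None

def naive_gateway(msg: EmailMessage) -> dict:
    """The behaviour the article criticises: trust From: and warn that
    person, so the bystander whose address the worm borrowed gets blamed."""
    if not looks_infected(msg):
        return {"action": "deliver", "notify": [], "origin_ip": None}
    return {"action": "reject", "notify": [str(msg["From"])], "origin_ip": None}

def hardened_gateway(msg: EmailMessage, postmaster=LOCAL_POSTMASTER) -> dict:
    """Quarantine instead of deliver (a message that never reaches a mailbox
    cannot trigger an out-of-office reply), never write to the unauthenticated
    From: address, and keep the connecting IP so the real infected host can be
    traced through its ISP."""
    if not looks_infected(msg):
        return {"action": "deliver", "notify": [], "origin_ip": None}
    return {"action": "quarantine", "notify": [postmaster],
            "origin_ip": connecting_ip(msg)}

def should_autoreply(msg: EmailMessage) -> bool:
    """Loop guard for an out-of-office responder: stay silent on infected
    mail and on mail that is itself automatic (Auto-Submitted other than
    "no", or Precedence: bulk/junk/list), so two absent mailboxes cannot
    ping-pong replies to a worm's forged message."""
    if looks_infected(msg):
        return False
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return False
    if str(msg.get("Precedence", "")).lower() in ("bulk", "junk", "list"):
        return False
    return True
```

Run on the constructed infected sample, naive_gateway would write to 
innocent.bystander@example.com, while hardened_gateway tells only the 
postmaster and records 203.0.113.7, the address an administrator can take to 
the ISP to find the machine that is really infected. The From: header is of no 
use for that job, which is the article's point.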
