News about BadtransII!


#1
petman

    Senior Member

  • Group: Senior Members
  • Posts: 4,872
  • Joined: 28.11.2001
To those who have been affected by the BadtransII Internet worm—the password-stealing program that has infiltrated thousands of users’ computers worldwide—the e-mails transferring the worm seem to have ostensibly originated from America Online (AOL). This would appear to be supported by the Yahoo.com “from” line address found in the header message, which when looked at closely, more likely than not contains "AOL.COM".

On the contrary, AOL is not to blame. All of this results from a traditionally deceptive procedure utilized by senders of junk e-mail (known colloquially as “spammers”), in which the BadtransII perpetrator has designed the worm’s built-in e-mail program to forge an AOL.COM address in a message’s “received from” section in order to mask its true identity. In this case, security experts have come to the conclusion that the worm’s writer went this route due to simple laziness, not wanting to write any involved code.

As explained by the operator of Network Abuse Clearinghouse, John Levine, typically, a computer sends an e-mail to another computer using SMTP protocol, and greets the receiving server with a “HELO” command. However, this command can be forged. In the BadtransII case, the virus starts mail sessions with “HELO aol.com” in spite of the actual e-mail sender’s identity.

Messages that truly originate from AOL users via the company's e-mail servers contain a more detailed "received from" address such as imo-d09.mx.aol.com. So, in order to avoid similar future worm deceptions, e-mail-server administrators used by ISPs and corporations could create procedures filtering any message with the phony HELO command. E-mail administrators could also remove message attachments in the two file formats, .pif and .scr, used by BadtransII.

Source: www.viruslist.com
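
The filtering suggested in the post's last paragraph, as an added example that is not part of the original post: it flags a message whose HELO name claims aol.com while the connecting host is not an AOL host, and lists .pif/.scr attachments to strip. The Postfix-style Received layout, the host mx.example.net, the IP addresses and the attachment name are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: our MTA writes Postfix-style trace headers,
#   Received: from <HELO name> (<verified rDNS name or "unknown"> [<ip>]) by ...
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")
BLOCKED_EXT = (".pif", ".scr")  # the two attachment types named in the post

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def helo_mismatch(received, domain="aol.com"):
    """True if HELO claims `domain` but the connecting host is not in it."""
    m = RECEIVED_RE.search(" ".join(received.split()))
    return bool(m) and in_domain(m.group(1), domain) and not in_domain(m.group(2), domain)

def blocked_attachments(msg):
    """File names of attachments ending in .pif or .scr."""
    return [name for part in msg.walk()
            if (name := part.get_filename()) and name.lower().endswith(BLOCKED_EXT)]

def screen(raw):
    msg = message_from_string(raw)
    # Only the topmost Received header is written by our own server;
    # the ones below it come from the sender and prove nothing.
    top = (msg.get_all("Received") or [""])[0]
    return {"forged_helo": helo_mismatch(top), "strip": blocked_attachments(msg)}

# Constructed sample (documentation address ranges, made-up file name).
FORGED = (
    "Received: from aol.com (unknown [203.0.113.7])\n"
    "\tby mx.example.net with SMTP; Mon, 3 Dec 2001 10:00:00 +0000\n"
    "From: someone@example.org\nSubject: Re:\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="notes.doc.pif"\n\nAAAA\n--b1--\n'
)
# Constructed trace line using the genuine AOL relay name quoted in the post.
GENUINE = "from imo-d09.mx.aol.com (imo-d09.mx.aol.com [192.0.2.10]) by mx.example.net"

if __name__ == "__main__":
    print(screen(FORGED))
    print(helo_mismatch(GENUINE))
```

The check relies on the receiving server recording a forward-confirmed reverse-DNS name; a HELO name is whatever the client chose to send, so it is only ever compared against something the server observed itself.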
