MyDoom (was: Test)
Mark Komarinski
mkomarinski at wayga.org
Mon Feb 2 13:25:29 EST 2004
On Mon, Feb 02, 2004 at 12:34:37PM -0500, bscott at ntisys.com wrote:
> On Mon, 2 Feb 2004, at 10:52am, mkomarinski at wayga.org wrote:
> >> It is worth pointing out that, like most such malware, the MyDoom worm
> >> forges the "From" address.
> >
> > SPF would prevent a lot of this from happening, strangely enough.
>
> True, but then the malware will just switch back to using the "real" email
> address of the sender.
Which itself may not work. If I send direct from my machine, but my SPF
record has only comcast.net's SMTP server listed, the email would be caught.
This would mean that the malware would have to either configure itself to read
my MUA configuration (mutt, pine, etc.) OR run it through the local MTA,
which may or may not be configured properly. Either way, it increases the
chances of it being detected quickly and increases the complexity of
the malware.
> > This is one of the reasons that I prefer getting code prepackages from a
> > distribution than rolling my own.
>
> And you check all those pre-built packages using an independently verified
> digital signature, right? :-)
The RPMs I get from Red Hat and freshrpms are digitally signed with GPG, so
yes, I do check. I'm not aware of DEBs having this ability, or if it exists,
is being used by the Debian maintainers.
-Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20040202/53ff9471/attachment.bin
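The check Mark describes (a receiving MTA comparing the connecting client's IP against the SPF record published for the MAIL FROM domain, so that mail sent straight from a home machine fails while mail relayed through the ISP's listed servers passes) can be illustrated with a small evaluator. This is an added example and not code from the original post or from any SPF implementation; it handles only the ip4, ip6, include and all mechanisms, and the DNS TXT records, domain names and addresses in it are constructed (documentation ranges from RFC 5737) so the script runs offline.

```python
"""Minimal SPF (v=spf1) evaluator for the scenario discussed above.

Added example, not from the original post. Supports ip4, ip6, include and
all with the +, -, ~ and ? qualifiers; a, mx, ptr and exists are left out.
DNS lookups are answered from a constructed table so the script runs
offline. All domains and addresses below are assumptions, not real data.
"""
import ipaddress

# Constructed TXT records. Assumption: a home user whose domain (wayga.org)
# authorises only the ISP's outbound relays, pulled in via an include.
DNS_TXT = {
    "wayga.org": "v=spf1 include:mail.example-isp.net -all",
    "mail.example-isp.net": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, table=DNS_TXT):
    """Stand-in for a DNS TXT query; answers from the constructed table."""
    return table.get(domain.lower())


def check_spf(client_ip, sender_domain, table=DNS_TXT, depth=0):
    """Evaluate client_ip against sender_domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    client_ip is the address the SMTP client connected from; sender_domain
    is the domain part of the envelope MAIL FROM address.
    """
    if depth > 10:
        return "permerror"  # cap on nested include lookups (RFC 4408 style)
    record = lookup_txt(sender_domain, table)
    if record is None:
        return "none"  # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if "/" not in arg:
                arg += "/32" if mech == "ip4" else "/128"
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(client_ip, arg, table, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # included domain unusable: record broken
            # fail/softfail/neutral inside an include is simply "no match"
        else:
            return "permerror"  # mechanism this toy does not implement
    return "neutral"  # ran off the end with no match and no 'all'


if __name__ == "__main__":
    # Worm on the home box sending directly, forging an @wayga.org sender.
    print("direct from home box :", check_spf("203.0.113.7", "wayga.org"))
    # Same sender relayed through the ISP's authorised server.
    print("via ISP relay        :", check_spf("192.0.2.25", "wayga.org"))
    # Domain with a ~all record: unlisted hosts only soft-fail.
    print("softfail domain      :", check_spf("10.0.0.1", "softfail.example"))
```

The first case is the one in the thread: the envelope sender is the user's own address, but the connecting IP is not among the hosts the record lists, so the receiver gets "fail" and can reject at SMTP time. The second case shows why the worm would have to route through the ISP's (or local, correctly configured) MTA to get a "pass". Note that an include whose target has no record, or an include loop, yields "permerror" rather than silently passing.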