ICANN/DNSO
DNSO Mailing lists archives

[ga-full]



Re: [ga] Reliability of the Internet - the silent battle - part 2


On 2001-11-08 13:02:56 -0800, Roeland Meyer wrote:

>That was a secondary side-issue that only came up because Peter 
>was using NAV, which only checks the email wrapper and not the 
>actual payload. I now have three trusted sources which confirmed 
>that the payload was, in fact, absent.

I suppose you should check your sources, since what you spread was 
quite clearly an infectious Sircam binary...  (Bad enough, it's no 
longer available in the public list archive.)

Let's look at your message with ID 
      <EA9368A5B1010140ADBF534E4D32C728069FFD@condor.mhsc.com> 
in more detail.

It contained a 268288-byte attachment named "Flight crews rely on 
passengers to stop trouble.doc.com" (note the extension).  As I said 
before, this attachment did, in turn, contain a word document at 
offset 137216 (0x21800).  So the question is whether the first 
100+kB of that attachment is Sircam code or not.

For comparison, I'll take a different Sircam message I received from 
a person unknown to me, quite some time ago, named Deloitte.doc.lnk. 
I assume that this is a genuine instance of Sircam.

As a first test, I extract the tail of the document, skipping the 
first 137216 bytes, using dd:

	$ dd if=Deloitte.doc.lnk bs=1 skip=137216 of=d.doc

d.doc turns out to be a valid word document.

Next, I extract the first 137216 bytes from both files:

	$ dd if=Flight<...>.doc.com bs=137216 count=1 of=sircam-flight
	$ dd if=Deloitte.doc.lnk bs=137216 count=1 of=sircam-deloitte

Then, let's produce some hex dumps...

	$ od -xa sircam-deloitte > sircam-deloitte.hx
	$ od -xa sircam-flight > sircam-flight.hx

... and compare these:

	$ diff -u sircam-deloitte.hx sircam-flight.hx

The difference (diff output is available upon request) consists of 
e-mail address and host name strings.  For the sake of comparison, 
I've then done the same to yet another Sircam copy which arrived 
here quite some time ago, and, indeed, the same areas of the binary 
(plus some more toggled bits) differ between these.

Concluding, I'm quite sure that you did indeed spread the sircam 
binary you received, bit by bit.  Whatever you mean by NAV detecting 
an "e-mail wrapper" instead of the actual payload - you're on the 
wrong track in this case.

-- 
Thomas Roessler                        http://log.does-not-exist.org/
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
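The comparison the post performs by hand with dd, od and diff (split the attachment at the offset where the real document starts, then compare the leading bytes against a known sample) is shown below as an added Python example. It is not code from the post or from any of the people quoted; the sample attachments, the split offset of 64 and the field layout are constructed stand-ins, not Sircam data. Beyond the post, it also locates the split offset itself from the OLE2 magic that legacy .doc files start with, and it reports the differing byte ranges directly instead of leaving the reader to read a diff of hex dumps, which is the form an incident responder wants when confirming that a forwarded attachment still carries the carrier code with only per-victim strings changed.

```python
"""Compare the leading 'carrier' bytes of a suspect attachment with a known
sample, the way the post does with dd/od/diff, and report where they differ.

Added example (not from the original post). Everything below is constructed:
the split offset 64 stands in for the post's 137216, and the payloads are
toy stand-ins for the real binary and the embedded Word document."""

from typing import Dict, List, Optional, Tuple

# Real magic number of an OLE2 compound file (legacy .doc); used to find
# where the embedded document begins inside the attachment.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def find_doc_offset(data: bytes) -> int:
    """Offset of the first embedded OLE2 document, or -1 if none is present."""
    return data.find(OLE_MAGIC)


def split_attachment(data: bytes, offset: int) -> Tuple[bytes, bytes]:
    """Equivalent of the two dd invocations: head = first `offset` bytes,
    tail = everything after (the part that should be the document)."""
    if offset < 0 or offset > len(data):
        raise ValueError(f"offset {offset} outside attachment of {len(data)} bytes")
    return data[:offset], data[offset:]


def looks_like_doc(payload: bytes) -> bool:
    """Cheap stand-in for 'd.doc turns out to be a valid word document'."""
    return payload.startswith(OLE_MAGIC)


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) offsets where a and b differ, comparing up to the
    shorter length.  Contiguous differences are merged into one range, which
    makes embedded strings (addresses, host names) show up as single spans."""
    ranges: List[Tuple[int, int]] = []
    start: Optional[int] = None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def compare_heads(suspect: bytes, known: bytes, offset: Optional[int] = None) -> Dict[str, object]:
    """Split both attachments at `offset` (auto-detected from the suspect if
    None), confirm the tails are documents, and summarise how the heads differ."""
    if offset is None:
        offset = find_doc_offset(suspect)
        if offset < 0:
            raise ValueError("no embedded OLE2 document found in suspect attachment")
    head_s, tail_s = split_attachment(suspect, offset)
    head_k, tail_k = split_attachment(known, offset)
    ranges = diff_ranges(head_s, head_k)
    differing = sum(end - start for start, end in ranges)
    return {
        "split_offset": offset,
        "suspect_tail_is_doc": looks_like_doc(tail_s),
        "known_tail_is_doc": looks_like_doc(tail_k),
        "head_lengths_match": len(head_s) == len(head_k),
        "diff_ranges": ranges,
        "differing_bytes": differing,
        # Fraction of the head that is byte-identical to the known sample.
        "identical_fraction": (len(head_s) - differing) / len(head_s) if head_s else 1.0,
    }


# --- constructed samples (hypothetical layout, not the real carrier format) ---
# head: 16 fixed bytes | 24-byte sender field | 8 fixed bytes | 16-byte host field
def build_sample(sender: bytes, host: bytes) -> bytes:
    sender_field = sender.ljust(24, b"\x00")[:24]
    host_field = host.ljust(16, b"\x00")[:16]
    head = b"CARRIER-STUB-AAA" + sender_field + b"STUB-BBB" + host_field  # 64 bytes
    return head + OLE_MAGIC + b"constructed document body"


SPLIT_OFFSET = 64
SUSPECT = build_sample(b"aaaa@mail.example", b"hostA")
KNOWN = build_sample(b"bbbb@mail.example", b"hostB")

if __name__ == "__main__":
    report = compare_heads(SUSPECT, KNOWN)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed samples the only differing spans are the sender and host fields, which mirrors the post's finding that the heads differ solely in e-mail address and host name strings; a head that differs everywhere, or a tail that does not start with the document magic, would instead point to a different file rather than a re-sent copy of the same carrier.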