Tracking Down a Worm's Source

The MyDoom worm has had me in a defensive crouch all week long. Not because I'm worried about it infecting any computers I use (my Mac is not vulnerable to it, my Windows computers run non-Microsoft mail clients, and I don't open unexpected attachments anyway). Nor am I that worried about all the copies of the worm that have "borrowed" my work e-mail address from their victims' address books and browser caches (it's an unavoidable fact of having a published e-mail address).

No, what I'm concerned about is whether my private, home address will get "outed" by MyDoom as it was by SoBig. This is the one I have under a domain name I've registered, which I don't give out to companies and only use in correspondence with friends and family. Having gone to the trouble of registering a personal domain, I don't plan on giving it up, which means I don't want to see this address wind up on any spammers' mailing lists.

So far, so good. But SoBig exposed a big flaw in that strategy: While I can control what software runs on my computers, I can't do the same for the machines that my friends and family use -- not just their own computers, but also any PCs they might borrow at work or in a random cybercafe. A virus like SoBig will scour any such machine, from its address book to its Web cache to its mailbox files, not just for addresses it can relay copies of itself to, but also for source material for fake return addresses.

A game of e-mail ping-pong comes next: Many copies of the virus will get bounced back to the fake return address by mail servers at schools, offices and Internet providers.

In my own case, the result last August was a stuffed in-box at my home account, full of bounce messages -- I got more of them than I did "original" copies of SoBig itself -- followed by the unsettling realization that my "private" address was being silently transmitted to a widening circle of machines, some of which could turn out to be run by spammers.

I was mad enough to play detective to find out who had left their computer open to this virus. This took a while, but I think I did find a culprit.

My first step was to read each SoBig message to learn its intended recipient. Then I back-tracked, going through my own address book to look for people who might also know this intended recipient.

In other words, if Stranger A got a copy of the virus that appeared to come from me -- even though no machine of mine was ever infected -- the real source would have to be a Friend B, somebody with both Stranger A and myself in his address book when the virus hit.

This turned out to be easier than I'd thought. Most of the SoBig messages had been sent to work addresses, and most of them belonged to either law firms, government offices or, curiously enough, the U.S. Army. Many of my friends are lawyers (can you guess how long I've lived around D.C.?), but only a few also have experience in government, let alone the Army. Only one, in fact.

This guy -- I'll leave his name out of this -- said he was positive that he didn't have the virus on his machine at home or work. But after examining the headers of these messages, I found another clue -- the same Internet Protocol address kept showing up.

I ran that address through some standard diagnostic utilities and traced it back to a company that runs a chain of copy shops across the country -- and in particular, one such shop a few blocks from my office.
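The header work described above, as an added example that is not part of the original column: it pulls the earliest publicly routable IP out of each message's Received: chain and tallies it across the copies that forged the same return address. Every hostname, address and message here is constructed for the example.

```python
import email
import ipaddress
import re
from collections import Counter

# Constructed sample mail, not real captured traffic: two worm copies that
# forge the same return address but entered the mail system from one public
# IP, and one genuine message from that address sent through its ISP.
SAMPLES = [
    "Received: from mx.lawfirm.test (mx.lawfirm.test [203.0.113.9])\n"
    "\tby mail.home.test with ESMTP; Tue, 19 Aug 2003 10:02:11 -0400\n"
    "Received: from pc-12 (unknown [198.51.100.77]) by mx.lawfirm.test\n"
    "\twith SMTP; Tue, 19 Aug 2003 10:01:58 -0400\n"
    "From: <rob@home.test>\nTo: <counsel@lawfirm.test>\n\nSee attached.\n",
    "Received: from gw.army.test (gw.army.test [192.0.2.77])\n"
    "\tby mail.home.test with ESMTP; Tue, 19 Aug 2003 12:30:45 -0400\n"
    "Received: from shop-gw ([198.51.100.77]) by gw.army.test with SMTP\n"
    "Received: from pc-12 ([10.0.0.12]) by shop-gw with SMTP\n"
    "From: <rob@home.test>\nTo: <major@army.test>\n\nSee attached.\n",
    "Received: from mail.isp.test (mail.isp.test [192.0.2.8])\n"
    "\tby mail.home.test with ESMTP; Tue, 19 Aug 2003 13:00:00 -0400\n"
    "Received: from laptop ([192.168.0.5]) by mail.isp.test with ESMTP\n"
    "From: <rob@home.test>\nTo: <sister@family.test>\n\nSaturday still good?\n",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 and loopback ranges: relays inside the sender's own network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def origin_ip(raw: str) -> "str | None":
    """First publicly routable IP that handed the message into the mail system.
    Relays prepend Received: lines, so the last one is the earliest hop."""
    msg = email.message_from_string(raw)
    for hop in reversed(msg.get_all("Received", [])):
        for match in BRACKETED_IP.finditer(hop):
            ip = ipaddress.ip_address(match.group(1))
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def origins_for_sender(raw_messages, claimed_from: str) -> Counter:
    """Tally origin IPs over messages whose From: claims to be claimed_from."""
    counts: Counter = Counter()
    for raw in raw_messages:
        if claimed_from in email.message_from_string(raw).get("From", ""):
            if ip := origin_ip(raw):
                counts[ip] += 1
    return counts
```

The address that dominates the tally is the one worth looking up with whois; the legitimate message's ISP relay shows up once and drops out as noise.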

This research took a couple of days (look, it was August and I had some free time), and meanwhile the deluge of SoBig messages did not stop. Fed up, I called this copy shop, asked to talk to the manager and said he had a virus problem, and that I'd be happy to walk over to help him fix it. He said he was pretty sure that his computers were fine, but that he'd check anyway -- and the next day, the flow of SoBig traffic stopped.

I don't know if my call actually encouraged this manager to break out a copy of Norton Anti-Virus, or even if the virus had ever taken up residence in that shop.

Whatever the cause, I was immensely relieved to not have my in-box under siege, just as I'm glad to find myself relatively unscathed from MyDoom (I've had fewer than 10 copies show up at that home address).

On the other hand, to feel relieved when bad things pass you by means admitting you have no control over them. That's not so great.

-- Rob Pegoraro

