McAfee PROBLEM !!! (solved)
MailScanner
mailscanner at SMITS.CO.UK
Fri Mar 5 10:52:54 GMT 2004
MS could check the body of the message and try all words within ten words of 'password' to unlock the encrypted zip file, plus all phrases in the filename of the attachment. E.g. phrases like 'The password for this zip file is abracadabra' or 'use abracadabra when prompted for a password' will allow it to crack the zip.
This would expose the cleartext virus code which may still change, but AV software has been able to deal with morphing viruses for a while now.
Even if the contents of the zip were benign, we could still block/quarantine the message as 'uselessly encrypted zip file', since the only point in sending an encrypted file and its key in the same message is to bypass automated scanning.
Bart...
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Rabellino Sergio
Posted At: 04 March 2004 09:05
Posted To: MailScanner
Conversation: McAfee PROBLEM !!! (solved)
Subject: Re: McAfee PROBLEM !!! (solved)
Denis Beauchemin wrote:
> On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote:
>
>>Denis Beauchemin wrote:
>>
>>>On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote:
>>>
>>>
>>>>Many infected password-protected zip files passed through our McAfee
>>>>AV (using 4332). Nonetheless we detected 341 W32/Bagle.j@MM since
>>>>midnight.
>>>>On Wed 03/03/2004 at 11:34, Michael Baird wrote:
>>>>
>>>>
>>>>>Good Question, Does DAT 4332 fix it, my understanding was that it
>>>>>handled the unzipping and so forth, and MailScanner interpreted the
>>>>>response, I'm looking for confirmation, I'm running an older
>>>>>version of MailScanner (4.25-14 I believe), I hate to upgrade
>>>>>unless it's necessary.
>>>
>>>
>>>I've taken a look at the Bagle.j detected so far and none were in a
>>>zip file (all were plain pif files).
>>>
>>>So I'd say 4332 is definitely not catching any password-protected Bagle!
>>>
>>>Denis
>>
>>As Bagle encrypts the virus itself in the zip with a random password,
>>how can McAfee (or any other antivirus) catch a virus encrypted in
>>999999 different forms? (the password is 6 integer digits)
>
>
> Sergio,
>
> They can't unzip the file but they can compare its size and some
> checksum they computed on infected zip files.
>
But if the file is encrypted, the checksums and lengths change as the key used changes; also, the filename used inside the zip could be changed randomly (if Bagle does not do this now, the next variant will...), so the complexity remains unchanged: a different zip file for every key used....
The only solution is to ban encrypted zip files.
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
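Bart's heuristic at the top of this message (take every word within ten words of 'password' in the body plus the phrases in the attachment filename, try them as keys on the encrypted zip, and quarantine the message as a 'uselessly encrypted zip file' if one works), worked through as an added Python example. This is not code from the original post or from MailScanner. The message text, attachment names, member name and payload are constructed for the demonstration; because the stdlib zipfile module can read traditional ZipCrypto but cannot write it, the block carries a small ZipCrypto encryptor that is used only to build the sample archive.

```python
import io
import re
import struct
import zipfile
import zlib

# --- ZipCrypto (traditional PKWARE encryption), used only to build a sample attachment.
# The stdlib zipfile module decrypts ZipCrypto but cannot write it, so the constructed
# test archive is encrypted by hand (key schedule and stream per PKWARE APPNOTE).

def _crc32_step(crc, byte):
    # Advance the raw (non-inverted) CRC-32 register by one byte.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class _ZipCryptoEncryptor:
    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _crc32_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_step(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(member, payload, pwd):
    """One stored (method 0) member, ZipCrypto-encrypted: local header, data, central dir, EOCD."""
    crc = zlib.crc32(payload)
    # 12-byte encryption header: 11 filler bytes + check byte (high byte of the CRC), then the data.
    body = _ZipCryptoEncryptor(pwd).encrypt(bytes(range(1, 12)) + bytes([crc >> 24]) + payload)
    name = member.encode("ascii")
    flags, mdate = 0x0001, ((2004 - 1980) << 9) | (3 << 5) | 5  # bit 0 = encrypted; DOS date
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, mdate,
                        crc, len(body), len(payload), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, mdate,
                          crc, len(body), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


# --- Bart's heuristic: harvest candidate keys from the message body and the attachment name.

def candidates_from_body(body, window=10):
    """Every word within `window` words of a word containing 'password', punctuation stripped."""
    words = [w.strip(".,;:!?\"'()[]<>") for w in body.split()]
    out = []
    for i, w in enumerate(words):
        if "password" in w.lower():
            out.extend(c for c in words[max(0, i - window): i + window + 1] if c)
    return list(dict.fromkeys(out))


def candidates_from_filename(filename):
    """The attachment's stem plus each token of it: 'invoice_123456.zip' -> invoice_123456, invoice, 123456."""
    stem = filename.rsplit(".", 1)[0]
    return list(dict.fromkeys([stem] + [p for p in re.split(r"[\s._-]+", stem) if p]))


def try_unlock(zip_bytes, candidates):
    """Try each candidate on the first encrypted member; return (password, member, plaintext) or None."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [zi for zi in zf.infolist() if zi.flag_bits & 0x1]
        if not targets:
            return None
        for cand in candidates:
            try:
                # Wrong key: check-byte mismatch raises RuntimeError; the 1-in-256 false pass
                # yields garbage that fails the CRC-32 check and raises BadZipFile instead.
                return cand, targets[0].filename, zf.read(targets[0], pwd=cand.encode("utf-8"))
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None


def classify(body, attachment_name, zip_bytes, window=10):
    """If the zip opens with a key taken from the message itself, quarantine it as uselessly
    encrypted and hand the plaintext to the AV engine; otherwise report that no key was found."""
    hit = try_unlock(zip_bytes, candidates_from_body(body, window) + candidates_from_filename(attachment_name))
    if hit is None:
        return {"verdict": "encrypted zip, key not found in message", "password": None, "plaintext": None}
    pwd, member, plaintext = hit
    return {"verdict": "uselessly encrypted zip file", "password": pwd, "member": member, "plaintext": plaintext}


# Constructed sample (not a real message, archive or malware): the key sits in plain text near 'password'.
SAMPLE_PAYLOAD = b"CONSTRUCTED SAMPLE PAYLOAD - stands in for the executable, not malware"
SAMPLE_BODY = ("Hi, here are the holiday photos we talked about. The password for this zip "
               "file is abracadabra, open it with WinZip. Cheers")
SAMPLE_ZIP = make_encrypted_zip("photo.pif", SAMPLE_PAYLOAD, b"abracadabra")

if __name__ == "__main__":
    print(classify(SAMPLE_BODY, "photos.zip", SAMPLE_ZIP))
    # Key carried only in the attachment name, body gives no hint:
    print(classify("See attached.", "invoice_123456.zip", make_encrypted_zip("doc.pif", SAMPLE_PAYLOAD, b"123456")))
```

Trying a candidate is cheap: ZipCrypto's 12-byte header check rejects most wrong keys before any data is read, and the CRC-32 check catches the rare false pass, so a long candidate list costs little. The verdict is deliberately independent of what the decrypted member contains, matching the point made above that a key shipped alongside its ciphertext is itself the signal.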