McAfee PROBLEM !!! (solved)

Rabellino Sergio rabellino at DI.UNITO.IT
Fri Mar 5 11:09:14 GMT 2004


MailScanner wrote:
> MS could check the body of the message and try all words within ten words of 'password' to unlock the encrypted zip file, plus all phrases in the filename of the attachment. E.g. phrases like 'The password for this zip file is abracadabra' or 'use abracadabra when prompted for a password' will allow it to crack the zip.
> 
I didn't know this, obviously the heuristics used in the password search can be override by a quoting of the password 
(as an example...)

> This would expose the cleartext virus code which may still change, but AV software has been able to deal with morphing viruses for a while now.
> 
Or simply return an error if the zip could not be scanned inside ?

> Even if the contents of the zip were benign, we could still block/quarantine the message as 'uselessly encrypted zip file' since the only point in sending a encrypted file and its key in the same message is to bypass automated scanning.
> 
> Bart...
Sure. you're right!
> 
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Rabellino Sergio
> Posted At: 04 March 2004 09:05
> Posted To: MailScanner
> Conversation: McAfee PROBLEM !!! (solved)
> Subject: Re: McAfee PROBLEM !!! (solved)
> 
> 
> Denis Beauchemin wrote:
> 
>>Le mer 03/03/2004 à 12:51, Rabellino Sergio a écrit :
>>
>>
>>>Denis Beauchemin wrote:
>>>
>>>
>>>>Le mer 03/03/2004 à 12:14, Denis Beauchemin a écrit :
>>>>
>>>>
>>>>
>>>>>Many infected password-protected zip files passed through our McAfee 
>>>>>AV (using 4332).  Nonetheless we detected 341 W32/Bagle.j at MM since 
>>>>>midnight.
>>>>>Le mer 03/03/2004 à 11:34, Michael Baird a écrit :
>>>>>
>>>>>
>>>>>
>>>>>>Good Question, Does DAT 4332 fix it, my understanding was that it 
>>>>>>handled the unzipping and so forth, and MailScanner interpreted the 
>>>>>>response, I'm looking for confirmation, I'm running an older 
>>>>>>version of MailScanner (4.25-14 I believe), I hate to upgrade 
>>>>>>unless it's necessary.
>>>>
>>>>
>>>>I've taken a look at the Bagle.j detected so far and none were in a 
>>>>zip file (all were plain pif files).
>>>>
>>>>So I'd say 4332 is definitely not catching any password-protected Bagle!
>>>>
>>>>Denis
>>>
>>>As Bagle encrypt the virus itself in the zip with a random password, 
>>>how can McAfee (or any other antivirus) catch a virus encrypted in 
>>>999999 different forms ? (the password is 6 integer digits)
>>
>>
>>Sergio,
>>
>>They can't unzip the file but they can compare its size and some 
>>checksum they computed on infected zip files.
>>
> 
> But if the file is encrypted, the checksums and lengths changes as the key used change, also the filename used inside the zip could be changed randomly (if Bagle does not do this now, the next variant will....) so the complexity remains unchanged, a different zip file for every key used....
> 
> The only solution is to ban the zip encrypted files .
> --
> Dott. Sergio Rabellino
> 
>   Technical Staff
>   Department of Computer Science
>   University of Torino (Italy)
> 
> http://www.di.unito.it/~rabser
> Tel. +39-0116706701
> Fax. +39-011751603
> 


-- 
Dott. Sergio Rabellino

  Technical Staff
  Department of Computer Science
  University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603




More information about the MailScanner mailing list