Educause Security Discussion mailing list archives

Filtering Password Protected .ZIPs [Bagle.J]


From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Tue, 2 Mar 2004 23:56:34 -0600

It is possible to filter ONLY
password protected .zip files
(including the Bagle.I-J variants)
by using the following base64 string
in a procmail rule (or IDS, IPS)
so that further analysis can be
conducted:

        UEsDBAoAAQAAA

Note that this primitive method
of filtering could result in
unanticipated collateral damage
(e.g. undelivered e-mail).

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------
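As an added illustration (not part of Cam's post): the string above is the base64 of a ZIP local file header whose fields are version-needed 10, general-purpose flag bit 0 (encryption) set, and method 0 (stored). The Python below, with constructed sample entries and no real encryption, reads those header fields directly and compares that with the 13-character prefix match a procmail or IDS rule would perform, which shows which password-protected archives the prefix does and does not catch.

```python
import base64
import struct
import zlib

LOCAL_HDR = b"PK\x03\x04"          # local file header signature
ENCRYPTED = 0x0001                  # general-purpose flag bit 0: entry is encrypted
LIST_SIGNATURE = "UEsDBAoAAQAAA"    # the base64 prefix given in the post


def make_entry(name: bytes, payload: bytes, version: int, flags: int, method: int) -> bytes:
    """Constructed sample: one local file header plus body. Nothing is really
    encrypted or deflated; only the header fields matter to the checks below."""
    body = (b"\x00" * 12 + payload) if flags & ENCRYPTED else payload  # 12-byte crypt header slot
    hdr = struct.pack("<4sHHHHHIIIHH", LOCAL_HDR, version, flags, method, 0, 0,
                      zlib.crc32(payload), len(body), len(payload), len(name), 0)
    return hdr + name + body


def local_headers(blob: bytes):
    """Walk the local file headers and yield (name, version, flags, method)."""
    off = 0
    while blob.startswith(LOCAL_HDR, off):
        (ver, flags, method, _mt, _md, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", blob, off + 4)
        yield blob[off + 30:off + 30 + nlen].decode("cp437", "replace"), ver, flags, method
        if flags & 0x0008:   # data descriptor in use: csize unknown here, stop walking
            break
        off += 30 + nlen + xlen + csize


def has_encrypted_entry(blob: bytes) -> bool:
    """Header-based check: any entry with the encryption bit set."""
    return any(flags & ENCRYPTED for _n, _v, flags, _m in local_headers(blob))


def matches_list_signature(blob: bytes) -> bool:
    """What the procmail rule sees: the base64 text of the attachment starts with the string."""
    return base64.b64encode(blob).decode().startswith(LIST_SIGNATURE)


def base64_prefix(version: int, flags: int, method: int) -> str:
    """The 13-char base64 prefix a header with these fields produces (compare with the post)."""
    return base64.b64encode(struct.pack("<4sHHH", LOCAL_HDR, version, flags, method)).decode()[:13]


# Constructed samples (hypothetical names, not real attachments)
BAGLE_LIKE = make_entry(b"price.txt", b"hello", 10, ENCRYPTED, 0)   # stored + encrypted
DEFLATED_ENC = make_entry(b"doc.zip", b"hello", 20, ENCRYPTED, 8)   # deflated + encrypted
PLAIN = make_entry(b"readme.txt", b"hello", 10, 0, 0)               # no password
```

The prefix match fires only when the first entry is stored, encrypted and carries version 10, so an encrypted archive written with deflate (or with any other flag bit set) slips past it while the header walk still flags it.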

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
Sent: Tuesday, March 02, 2004 22:48
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Bagle.j out


We have just re-enabled zips and exe's due to 'popular 
demand' despite elaborating on the potential risk of doing 
so.  It would appear that the ease of email based file 
distribution overrides any virus damage that might occur.

Tim



At 11:31 PM 2/03/2004 -0500, you wrote:
Jason Richardson wrote:
Question: has anyone resorted to dropping ZIPs and/or other
attachments at your gateways until/unless this storm passes?  I
mentioned in a meeting that I would be proposing it to my management
and received the predictable reaction, i.e., "you can't block ZIPs, we
won't be able to do business."  Of course I was not deterred but I
also haven't been given clearance to block the attachments.

We've been stripping zips on and off for the past several weeks as
activity dictates. When the server strips the attachment, it forwards
the message intact with information about what was blocked and how to
get it if they really want it (notify sender to rename).

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE 
Discussion 
Group discussion list can be found at http://www.educause.edu/cg/.

Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

Ph:  61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane () scu edu au
http://www.scu.edu.au
