Re: Filtering Password Protected .ZIPs [Bagle.J]

["Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>]

A more accurate procmail rule for the password
protected .ZIP files generated by the Bagle.J
worm might be:

:0B
* ^UEsDBAoAAQAAA
* > 17000
* < 36000
* password
some/folder

Dramatically reduces false positives.

Hope this helps,

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cam Beasley, ISO
> Sent: Tuesday, March 02, 2004 23:57
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]
>
>
> It is possible to filter ONLY
> password protected .zip files
> (including the Bagle.I-J variants)
> by using the following base64 string
> in a procmail rule (or IDS, IPS)
> so that further analysis can be
> conducted:
>
>         UEsDBAoAAQAAA
>
> Note that this primitive method
> of filtering could result in
> unanticipated collateral damage
> (e.g. undelivered e-mail).
>
> ~cam.
>
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> cam () mail utexas edu
> ---------------------------
> Report Abuse To:
> - abuse () utexas edu
> - 512.475.9242
> ---------------------------
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
> > Sent: Tuesday, March 02, 2004 22:48
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Bagle.j out
> >
> >
> > We have just re enabled zips and exe's due to 'popular
> > demand' despite elaborating on the potential risk of doing 
> > so.  It would appear that the ease of email based file 
> > distribution overrides any virus damage that might occur.
> >
> > Tim
> >
> >
> >
> > At 11:31 PM 2/03/2004 -0500, you wrote:
> > > Jason Richardson wrote:
> > > > Question: has anyone resorted to dropping ZIPs and/or other
> > > > attachments at your gateways until/unless this storm passes?  I 
> > > > mentioned in a meeting that I would be proposing it to my 
> > management
> > > > and received the predictable reaction, i.e., "you can't
> > block ZIPs, we
> > > > won't be able to do business."  Of course I was not deterred but I
> > > > also haven't been given clearance to block the attachments.
> > >
> > > We've been stripping zips on and off for the past several weeks as
> > > activity dictates. When the server strips the attachment, it 
> > forwards
> > > the message intact with information about what was blocked
> > and how to
> > > get it if they really want it (notify sender to rename).
> > >
> > > --
> > > Gary Flynn
> > > Security Engineer - Technical Services
> > > James Madison University
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE
> > Discussion
> > > Group discussion list can be found at http://www.educause.edu/cg/.
> >
> > Tim Lane
> > Information Security Program Manager
> >
> > Information Technology and Telecommunication Services 
> Southern Cross 
> > University PO Box 157 Lismore NSW 2480
> >
> > Ph:  61 2 6620 3290
> > Fax: 61 2 6620 3033
> > Email: tlane () scu edu au
> > http://www.scu.edu.au
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.