Educause Security Discussion mailing list archives
Re: Filtering Password Protected .ZIPs [Bagle.J]
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Wed, 3 Mar 2004 09:52:52 -0600
A more accurate procmail rule for the password protected .ZIP files generated by the Bagle.J worm might be:

    :0B
    * ^UEsDBAoAAQAAA
    * > 17000
    * < 36000
    password some/folder

Dramatically reduces false positives.

Hope this helps,
~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cam Beasley, ISO
Sent: Tuesday, March 02, 2004 23:57
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]

It is possible to filter ONLY password protected .zip files (including the Bagle.I-J variants) by using the following base64 string in a procmail rule (or IDS, IPS) so that further analysis can be conducted:

    UEsDBAoAAQAAA

Note that this primitive method of filtering could result in unanticipated collateral damage (e.g. undelivered e-mail).

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
Sent: Tuesday, March 02, 2004 22:48
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Bagle.j out

We have just re-enabled zips and exe's due to 'popular demand' despite elaborating on the potential risk of doing so. It would appear that the ease of email based file distribution overrides any virus damage that might occur.

Tim

At 11:31 PM 2/03/2004 -0500, you wrote:

Jason Richardson wrote:

Question: has anyone resorted to dropping ZIPs and/or other attachments at your gateways until/unless this storm passes? I mentioned in a meeting that I would be proposing it to my management and received the predictable reaction, i.e., "you can't block ZIPs, we won't be able to do business." Of course I was not deterred but I also haven't been given clearance to block the attachments.

We've been stripping zips on and off for the past several weeks as activity dictates. When the server strips the attachment, it forwards the message intact with information about what was blocked and how to get it if they really want it (notify sender to rename).

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Ph: 61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane () scu edu au
http://www.scu.edu.au
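Added here as an illustration (not code from any list member): the base64 string in the posts decodes to the first bytes of a ZIP local file header, where bit 0 of the general-purpose flag word marks an encrypted entry, and the same conditions as the posted recipe can be checked against a constructed sample attachment. All function names and sample headers below are constructed for the demo; applying the size test to the base64 body text rather than the whole message is an assumption.

```python
import base64
import struct

# Base64 prefix from the posts. Decoded it is the start of a ZIP local file header:
# "PK\x03\x04", version needed 0x000a (1.0), general-purpose flag 0x0001 (bit 0 = encrypted).
SIGNATURE = "UEsDBAoAAQAAA"

def decode_signature(sig: str) -> bytes:
    """Decode the longest prefix of a base64 string that forms whole bytes (13 chars -> 9 bytes)."""
    usable = len(sig) - (len(sig) % 4)
    return base64.b64decode(sig[:usable])

def parse_local_header(data: bytes) -> dict:
    """Read the leading fields of a ZIP local file header; bit 0 of the flag word marks encryption."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    version, flags = struct.unpack("<HH", data[4:8])
    return {"version_needed": version, "encrypted": bool(flags & 0x0001)}

def local_header(version: int, flags: int, method: int, name: bytes = b"photo.exe") -> bytes:
    """Constructed sample: a 30-byte local file header (zeroed time, CRC and sizes) plus the name."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, flags, method,
                       0, 0, 0, 0, 0, len(name), 0) + name

def encode_attachment(payload: bytes) -> str:
    """Base64 as a MIME body carries it: 76-character lines, so the header bytes start a line."""
    text = base64.b64encode(payload).decode("ascii")
    return "\n".join(text[i:i + 76] for i in range(0, len(text), 76))

def rule_matches(body: str, lo: int = 17000, hi: int = 36000, sig: str = SIGNATURE) -> bool:
    """Mirror the posted recipe: '^SIG' on some body line plus the '> lo' and '< hi' size tests.
    Assumption for this demo: the size tests are applied to the base64 body text."""
    return any(line.startswith(sig) for line in body.splitlines()) and lo < len(body) < hi
```

An unencrypted header (flag word 0) or one with a different version/method field encodes to a different prefix, which is why the signature is narrower than "any .zip" and why the size bounds cut the remaining false positives further.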
Current thread:
- Filtering Password Protected .ZIPs [Bagle.J] Cam Beasley, ISO (Mar 02)
- <Possible follow-ups>
- Re: Filtering Password Protected .ZIPs [Bagle.J] Cam Beasley, ISO (Mar 03)
- Re: Filtering Password Protected .ZIPs [Bagle.J] Steve Worona (Mar 03)