Re: Filtering Password Protected .ZIPs [Bagle.J]

[Steve Worona <sworona () EDUCAUSE EDU>]

Here's MIT's solution, from another list.  It's a slight variation on Cam's.
Steve

At 12:39 AM -0500 3/3/04, Jeffrey I. Schiller wrote:
> Actually, you don't have to go that far. Turns out that all of these
> worm variants are shipped in ZIP files whose first (and only
> component) is "stored" (as opposed to "deflated"). They are also
> marked as Version 1.0 zip files while most tools these days label
> their ZIP files as version 2.0 (or more).
>
> All you need to block are ZIP files which begin with:
>
> UEsDBAoAAAAAA or UEsDBAoAAQAAA.
>
> The first variant blocks all ZIP files of version 1.0 with the first
> component stored. The second variant is different in only one bit
> (under the base 64 encoding). Specifically this variant has the
> "encrypted" bit set to catch the latest Bagle variant that arrives
> password protected.
>
> We are currently using these two strings quite successfully.
>
>                      -Jeff

-----
At 9:52 AM -0600 3/3/04, Cam Beasley, ISO wrote:
> A more accurate procmail rule for the password
> protected .ZIP files generated by the Bagle.J
> worm might be:
>
> :0B
> * ^UEsDBAoAAQAAA
> * > 17000
> * < 36000
> * password
> some/folder
>
> Dramatically reduces false positives.
>
> Hope this helps,
>
> ~cam.
>
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> cam () austin utexas edu
> ---------------------------
> Report Abuse To:
> - abuse () utexas edu
> - 512.475.9242
> ---------------------------
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cam Beasley, ISO
> > Sent: Tuesday, March 02, 2004 23:57
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]
> >
> >
> > It is possible to filter ONLY
> > password protected .zip files
> > (including the Bagle.I-J variants)
> > by using the following base64 string
> > in a procmail rule (or IDS, IPS)
> > so that further analysis can be
> > conducted:
> >
> >         UEsDBAoAAQAAA
> >
> > Note that this primitive method
> > of filtering could result in
> > unanticipated collateral damage
> > (e.g. undelivered e-mail).
> >
> > ~cam.
> >
> > Cam Beasley
> > ITS/Information Security Office
> > The University of Texas at Austin
> > cam () mail utexas edu
> > ---------------------------
> > Report Abuse To:
> > - abuse () utexas edu
> > - 512.475.9242
> > ---------------------------
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Discussion Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
> > > Sent: Tuesday, March 02, 2004 22:48
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Bagle.j out
> > >
> > >
> > > We have just re enabled zips and exe's due to 'popular
> > > demand' despite elaborating on the potential risk of doing
> > > so.  It would appear that the ease of email based file
> > > distribution overrides any virus damage that might occur.
> > >
> > > Tim
> > >
> > >
> > >
> > > At 11:31 PM 2/03/2004 -0500, you wrote:
> > > > Jason Richardson wrote:
> > > > > Question: has anyone resorted to dropping ZIPs and/or other
> > > > > attachments at your gateways until/unless this storm passes?  I
> > > > > mentioned in a meeting that I would be proposing it to my
> > > management
> > > > > and received the predictable reaction, i.e., "you can't
> > > block ZIPs, we
> > > > > won't be able to do business."  Of course I was not deterred but I
> > > > > also haven't been given clearance to block the attachments.
> > > >
> > > > We've been stripping zips on and off for the past several weeks as
> > > > activity dictates. When the server strips the attachment, it
> > > forwards
> > > > the message intact with information about what was blocked
> > > and how to
> > > > get it if they really want it (notify sender to rename).
> > > >
> > > > --
> > > > Gary Flynn
> > > > Security Engineer - Technical Services
> > > > James Madison University
> > > >
> > > > **********
> > > > Participation and subscription information for this EDUCAUSE
> > > Discussion
> > > > Group discussion list can be found at http://www.educause.edu/cg/.
> > >
> > > Tim Lane
> > > Information Security Program Manager
> > >
> > > Information Technology and Telecommunication Services
> > Southern Cross
> > > University PO Box 157 Lismore NSW 2480
> > >
> > > Ph:  61 2 6620 3290
> > > Fax: 61 2 6620 3033
> > > Email: tlane () scu edu au
> > > http://www.scu.edu.au
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE
> > > Discussion Group discussion list can be found at
> > http://www.educause.edu/cg/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.