Educause Security Discussion mailing list archives
Re: Filtering Password Protected .ZIPs [Bagle.J]
From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Wed, 3 Mar 2004 11:49:26 -0500
Here's MIT's solution, from another list. It's a slight variation on Cam's.

Steve

At 12:39 AM -0500 3/3/04, Jeffrey I. Schiller wrote:
Actually, you don't have to go that far. Turns out that all of these worm variants are shipped in ZIP files whose first (and only) component is "stored" (as opposed to "deflated"). They are also marked as Version 1.0 zip files while most tools these days label their ZIP files as version 2.0 (or more). All you need to block are ZIP files which begin with:

  UEsDBAoAAAAAA  or  UEsDBAoAAQAAA

The first variant blocks all ZIP files of version 1.0 with the first component stored. The second variant is different in only one bit (under the base 64 encoding). Specifically this variant has the "encrypted" bit set to catch the latest Bagle variant that arrives password protected. We are currently using these two strings quite successfully.

-Jeff
-----

At 9:52 AM -0600 3/3/04, Cam Beasley, ISO wrote:
A more accurate procmail rule for the password protected .ZIP files generated by the Bagle.J worm might be:

  :0B
  * ^UEsDBAoAAQAAA
  * > 17000
  * < 36000
  * password
  some/folder

Dramatically reduces false positives. Hope this helps,

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To: - abuse () utexas edu - 512.475.9242

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cam Beasley, ISO
Sent: Tuesday, March 02, 2004 23:57
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]

It is possible to filter ONLY password protected .zip files (including the Bagle.I-J variants) by using the following base64 string in a procmail rule (or IDS, IPS) so that further analysis can be conducted:

  UEsDBAoAAQAAA

Note that this primitive method of filtering could result in unanticipated collateral damage (e.g. undelivered e-mail).

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To: - abuse () utexas edu - 512.475.9242

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
Sent: Tuesday, March 02, 2004 22:48
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Bagle.j out

We have just re-enabled zips and exe's due to 'popular demand' despite elaborating on the potential risk of doing so. It would appear that the ease of email based file distribution overrides any virus damage that might occur.

Tim

At 11:31 PM 2/03/2004 -0500, you wrote:

Jason Richardson wrote:

Question: has anyone resorted to dropping ZIPs and/or other attachments at your gateways until/unless this storm passes?
I mentioned in a meeting that I would be proposing it to my management and received the predictable reaction, i.e., "you can't block ZIPs, we won't be able to do business." Of course I was not deterred but I also haven't been given clearance to block the attachments.

We've been stripping zips on and off for the past several weeks as activity dictates. When the server strips the attachment, it forwards the message intact with information about what was blocked and how to get it if they really want it (notify sender to rename).

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Ph: 61 2 6620 3290
Fax: 61 2 6620 3033
Email: tlane () scu edu au
http://www.scu.edu.au
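Added example, not from any message in this thread: it decodes the two base64 strings Jeff quotes back into ZIP local file header fields, confirms that they differ in a single bit, and checks constructed headers against them to show what the prefix does and does not catch. The header builder, the helper names and the placeholder file name are assumptions of this example.

```python
import base64
import struct

# The two signatures quoted by Jeff Schiller; everything else here is constructed.
STORED_V10 = "UEsDBAoAAAAAA"      # version 1.0, flags 0x0000, method 0 (stored)
STORED_V10_ENC = "UEsDBAoAAQAAA"  # same, with general-purpose flag bit 0 (encrypted) set

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def local_header(version=10, flags=0, method=0, name=b"readme.exe"):
    """Minimal ZIP local file header: signature, version needed, flags, method,
    zeroed time/date/CRC/sizes, name length, extra length, then the file name.
    Constructed test data; the file name is a placeholder."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, flags, method,
                       0, 0, 0, 0, 0, len(name), 0) + name


def decode_signature(b64):
    """Show what a base64 signature pins down. Only whole 4-character groups are
    decoded: 13 characters fix 9 bytes (signature, version, flags, low byte of
    the method) plus the top six bits of the tenth, which are not relied on here."""
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    sig, version, flags, method_lo = struct.unpack_from("<4sHHB", raw)
    return {"signature": sig, "version_needed": version / 10,
            "encrypted": bool(flags & 0x0001), "method": method_lo}


def differing_bits(sig_a, sig_b):
    """Count the bits that differ between two equal-length base64 strings
    (each character carries six bits)."""
    return sum(bin(B64_ALPHABET.index(x) ^ B64_ALPHABET.index(y)).count("1")
               for x, y in zip(sig_a, sig_b))


def attachment_matches(data, signature):
    """True when the base64 encoding of data begins with signature. The encoded
    attachment must start at column 0 of a body line for a prefix match to be
    meaningful, which is why the procmail recipe anchors the pattern with ^."""
    return base64.b64encode(data).decode("ascii").startswith(signature)
```

A stored, version 1.0 archive with the encrypted flag matches the second signature; a version 2.0 or deflated archive does not, which is why most tool-generated ZIPs pass the filter.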