Full Disclosure mailing list archives
Re: broken virus / worm email has attachment not found by grisoft proxy scanner
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 04 Aug 2004 01:30:28 +1200
Denis McMahon wrote:
> I've had a couple of suspicious emails this week with headers, blank line, a line of text, mime headers.

And that is _all_ ??? If so, what are you worrying about? If not, why didn't you describe all the sections in the message structure?

> Thunderbird doesn't see the mime attachment due to the broken headers,

_Which_ headers are broken? Do you mean there is something "bad" (cf. the relevant RFCs) in the Email headers, or in the MIME headers???

> which is good, but nor does the grisoft email proxy scanner, which is bad, especially as I guess that certain broken applications (no I don't have outlook [express] on my system) might try and be smart and find the attachment.

But your description of the structure of these messages above says nothing about any "attachments"...

> This might be broken malware sending unusable stuff out, but my worry is that someone may have found a technique that will sneak an attachment past some a-v scanners in a "broken" format that certain popular email apps will try and fix, possibly putting active malware on the hard disk.

Are these "attachments" in the ~1.5KB - 2KB size range? If so, I'd say there is a reasonable chance they are the "IPs I've already hit" log-only (aka "corrupted") Mydoom.O messages. These _should_ appear in any of the forms of message Mydoom.O can produce, which includes attachment-only (blank message part) through various "clever" SE message forms to "binary gibberish" messages. Further, the base64 encoded attachment can also be "normal" or "corrupted" (spaces, odd line-breaks inserted where they are not allowed by the spec -- Outlook and OE (and several other MUAs) happily ignore these "encoding errors" and "correctly" decode the intended attachment).

> I tried to talk to grisoft about this, but all I get back is "you have to pay to talk to us cheapskate" ... whilst I can agree that they might not want to provide tech support to users of their free scanner, does anyone have an email address at grisoft for submitting suspicious items that have got past their proxy scanner?

Yes, but you'll have to contact me off-list as I won't publish the details here.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
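An added illustration, not part of the thread, of the "corrupted" base64 point above: a strict decoder, like a gateway scanner that gives up on the first encoding error, recovers nothing, while a forgiving decoder that simply discards stray bytes (approximating what the post says Outlook and OE do) recovers the attachment intact. The payload and the inserted errors are constructed samples; the gap between the two results is the indicator a mail gateway should alert on.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed sample: base64 of a harmless byte string, then the same text
# with a space and a bare line break inserted, as described for the
# "corrupted" Mydoom.O attachment form.
PAYLOAD = b"MZ constructed-sample-not-a-real-binary"
CLEAN = base64.b64encode(PAYLOAD).decode()
CORRUPTED = CLEAN[:6] + " " + CLEAN[6:20] + "\r\n" + CLEAN[20:27] + "\n" + CLEAN[27:]


def strict_decode(part):
    """Accept only CRLF line breaks (the MIME line convention) plus the
    base64 alphabet; any other byte aborts the decode, returning None."""
    try:
        return base64.b64decode(part.replace("\r\n", ""), validate=True)
    except binascii.Error:
        return None


def lenient_decode(part):
    """Drop every non-alphabet byte and tolerate missing padding before
    decoding: the forgiving behaviour the message attributes to Outlook/OE."""
    cleaned = "".join(c for c in part if c in B64_ALPHABET)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned)
    except binascii.Error:
        return None


def analyse_part(part):
    """Return (strict_ok, lenient_ok, error_count) for one base64 body part.
    strict_ok False with lenient_ok True is the case that matters: the
    scanner sees garbage, the user's MUA sees a working attachment."""
    illegal = sum(1 for c in part if c not in B64_ALPHABET and c not in "\r\n")
    over_long = [ln for ln in part.replace("\r\n", "\n").split("\n") if len(ln) > 76]
    strict = strict_decode(part)
    lenient = lenient_decode(part)
    return strict is not None, lenient is not None, illegal + len(over_long)


if __name__ == "__main__":
    for label, part in (("clean", CLEAN), ("corrupted", CORRUPTED)):
        print(label, analyse_part(part))
```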