Security Incidents mailing list archives
Re: how to filter the Novarg virus
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 29 Jan 2004 15:52:18 +1300
"lsi" <stuart () cyberdelix net> wrote:

Note: CC'ed to incidents () securityfocus com because the original was forwarded there.

> I have devised a near-bulletproof Novarg filter.
Whilst true, it is somewhat more than just a Mydoom (aka Novarg -- look for Symantec to rename this yet...) filter...
> The following regular expressions trap this virus dead, no matter what subject line, message body, or filename it uses:
>
> If expression body matches "UEsDBAoAAA*" Move [virus folder]
This is the first seven bytes of a typical zip archive Base64 encoded (if you properly encode just seven bytes the result is "UEsDBAoAAA==" because of the three-bytes-to-four encoding and padding requirements of Base64). It decodes to: 0x50 0x4B 0x03 0x04 0x0A 0x00 0x00
> If expression body matches "TVqQAAMAAA*" Move [virus folder]
Ditto for the first seven bytes of a typical Windows executable and it decodes to: 0x4D 0x5A 0x90 0x00 0x03 0x00 0x00
> This is because the worm is in fact the same program with many disguises. ...
No, the worm is just one program, though it can have variable physical forms for a raft of reasons I will not bother explaining again -- you can read some of the details in this archived copy of a message I posted to the Full-Disclosure list yesterday (sorry, URL will wrap): http://lists.netsys.com/pipermail/full-disclosure/2004-January/016218.html

It is, however, sent in quite variable Email messages, which are further modified by all manner of system rejection mechanisms (mailbox full, user unknown, "we don't want your steenking attachment|virus", etc, etc, etc).
> ... However the program looks the same when encoded with MIME. ...
So long as a modified but working version does not have a change in those first seven bytes...
> ... Therefore, the above are basically 'MIME sigs' which work just like a virus signature in a regular virusscanner.
You are welcome to believe that, but most contemporary virus scanning is not simple string scanning. However, this is not really the place to discuss the last fifteen years of virus scanner technology evolution, so I'll leave it at that...
> So to find it we merely filter on the MIME strings above, which are the first 10 bytes of the MIME content section. For users without enterprise-class content filters (such as me), these two regexp's work like a silver bullet.
A silver bullet that will "detect" virtually all executable and zip format files, rather than just Mydoom. That is not necessarily a bad thing, but as described your "Mydoom detector" will have a horrendous false positive rate which potential users should be aware of.
> (That two different sigs are required suggests there are two versions of the virus in circulation.)
Well, since a few hours ago there have been two variants around, but that you required two "signatures" of this kind simply reflects the fact that by design the virus sometimes sends itself as a straight executable attachment and sometimes as an executable in a zip archive. Your regexp's will detect both versions in both forms (plus almost all other executable and zip format files).
> No silver bullet for auto-notification messages, unfortunately :(
Darn... 8-)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
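The point of the exchange above, shown in working code (an added example, not part of the original thread and not lsi's or Nick's own tooling): the two regexps are nothing more than the Base64 spelling of the zip and MZ header bytes quoted in the reply, so they fire on every zip or executable attachment, not just Mydoom, and they only fire when the attachment's first seven bytes are exactly the "typical" ones. The constructed message below carries three benign, made-up attachments; the second is a zip whose "version needed to extract" field is 2.0 (0x14) rather than 1.0 (0x0A), which the string rule misses but a decode-then-inspect check still sees. Filenames, attachment contents and the Subject line are all constructed for the example.

```python
import base64
import email
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Header bytes quoted in the thread: a "typical" zip local file header
# (PK\x03\x04, version needed 1.0, flags 0) and a typical PE/MZ stub.
ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04, 0x0A, 0x00, 0x00])
PE_MAGIC = bytes([0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00])

# The two body regexps from the thread, applied to raw message lines.
STRING_RULES = {
    "zip": re.compile(r"^UEsDBAoAAA"),
    "exe": re.compile(r"^TVqQAAMAAA"),
}


def encode_prefix(data: bytes) -> str:
    """Base64 of the raw header bytes, showing why the rules read as they do."""
    return base64.b64encode(data).decode("ascii")


def apply_string_rules(raw_message: bytes) -> set:
    """lsi's approach: match the Base64 text of the message without decoding."""
    hits = set()
    for line in raw_message.decode("ascii", errors="replace").splitlines():
        for name, rx in STRING_RULES.items():
            if rx.match(line):
                hits.add(name)
    return hits


def classify_attachments(raw_message: bytes) -> list:
    """Decode each base64 part and check the real leading bytes instead."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if cte != "base64":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04"):
            kind = "zip"
        elif payload.startswith(b"MZ"):
            kind = "exe"
        else:
            kind = "other"
        results.append((part.get_filename(), kind))
    return results


# Constructed attachments (not real files): two zip headers that differ only
# in the "version needed to extract" field, and one PE header.
SAMPLE_ATTACHMENTS = [
    ("report.zip", ZIP_MAGIC + b"\x00" * 23),                    # version 1.0
    ("tool.zip", b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 22),  # version 2.0
    ("setup.exe", PE_MAGIC + b"\x00" * 23),
]


def build_sample_message(attachments) -> bytes:
    """Assemble a multipart message with base64-encoded attachments."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("see attached"))
    for name, data in attachments:
        part = MIMEApplication(data, Name=name)  # base64 transfer encoding
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message(SAMPLE_ATTACHMENTS)
    print("regexp hits:", apply_string_rules(raw))
    print("decoded view:", classify_attachments(raw))
```

Running it shows the string rules reporting both "zip" and "exe" for a message that contains no malware at all (the false-positive point), while the decoded view lists all three attachments by their true format, including the 2.0 zip the regexp skipped. Either check only works because a MIME part's Base64 stream starts at the attachment's first byte on a fresh line; a filter that matches anywhere in the body, or on an attachment wrapped in a different encoding, would behave differently.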