Security Incidents mailing list archives

Re: how to filter the Novarg virus


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 29 Jan 2004 15:52:18 +1300

"lsi" <stuart () cyberdelix net> wrote:

Note:  CC'ed to incidents () securityfocus com because the original was 
forwarded there.

> I have devised a near-bulletproof Novarg filter.

Whilst true, it is somewhat more than just a Mydoom (aka Novarg -- look 
for Symantec to rename this yet...) filter...

> The following regular expressions trap this virus dead, no matter 
> what subject line, message body, or filename it uses:

> If expression body matches "UEsDBAoAAA*" Move [virus folder]

This is the first seven bytes of a typical zip archive Base64 encoded 
(if you properly encode just seven bytes the result is "UEsDBAoAAA==" 
because of the three-bytes-to-four encoding and padding requirements of 
Base64).  It decodes to:

   0x50 0x4B 0x03 0x04 0x0A 0x00 0x00

> If expression body matches "TVqQAAMAAA*" Move [virus folder]

Ditto for the first seven bytes of a typical Windows executable and it 
decodes to:

   0x4D 0x5A 0x90 0x00 0x03 0x00 0x00

> This is because the worm is in fact the same program with many 
> disguises.  ...

No, the worm is just one program, though it can have variable 
physical forms for a raft of reasons I will not bother explaining 
again -- you can read some of the details in this archived copy of a 
message I posted to the Full-Disclosure list yesterday (sorry, URL will 
wrap):

http://lists.netsys.com/pipermail/full-disclosure/2004-
January/016218.html

It is, however, sent in quite variable Email messages, which are 
further modified by all manner of system rejection mechanisms (mailbox 
full, user unknown, "we don't want your steenking attachment|virus", 
etc, etc, etc).

> ...  However the program looks the same when encoded with 
> MIME.  ...

So long as a modified but working version does not have a change in 
those first seven bytes...

> ...  Therefore, the above are basically 'MIME sigs' which work just 
> like a virus signature in a regular virusscanner.

You are welcome to believe that, but most contemporary virus scanning 
is not simple string scanning.  However, this is not really the place 
to discuss the last fifteen years of virus scanner technology 
evolution, so I'll leave it at that...

> So to find it we merely filter on the MIME strings above, which are 
> the first 10 bytes of the MIME content section.

> For users without enterprise-class content filters (such as me), 
> these two regexp's work like a silver bullet.

A silver bullet that will "detect" virtually all executable and zip 
format files, rather than just Mydoom.  That is not necessarily a bad 
thing, but as described your "Mydoom detector" will have a horrendous 
false positive rate which potential users should be aware of.

> (That two different sigs are required suggests there are two versions 
> of the virus in circulation.)

Well, since a few hours ago there have been two variants around, but 
that you required two "signatures" of this kind simply reflects the 
fact that by design the virus sometimes sends itself as a straight 
executable attachment and sometimes as an executable in a zip archive.

Your regexp's will detect both versions in both forms (plus almost all 
other executable and zip format files).

> No silver bullet for auto-notification messages, unfortunately :(

Darn...   8-)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
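
An added illustration of the points argued above (this script is not part of the original exchange and is not code from either poster). It Base64-encodes the two seven-byte prefixes Nick decodes, runs the two filter expressions over MIME-style bodies of constructed samples, and shows the false-positive side (any ordinary executable or zip archive matches) together with the caveat behind "so long as ... those first seven bytes" do not change: the "UEsDBAoA" prefix pins the zip header's "version needed" field to 1.0 (0x0A), so an archive whose writer records 2.0 (0x14), as Python's zipfile module does even for stored entries, is not matched. The sample headers, file names and helper names are constructed for the example; the `^` anchoring is an assumption of mine about how a MIME body part is laid out, not something the post specifies.

```python
import base64
import io
import re
import struct
import zipfile
import zlib

# The two filter expressions from the post, used as Python regexes. The
# trailing "*" is kept exactly as written (it makes the final "A" optional or
# repeatable). The "^" with MULTILINE is my addition: a MIME body part's
# Base64 always starts on a fresh line, so anchoring there avoids chance hits
# on the same letters buried inside some other encoded attachment.
ZIP_SIG = re.compile(r"^UEsDBAoAAA*", re.MULTILINE)
EXE_SIG = re.compile(r"^TVqQAAMAAA*", re.MULTILINE)

# The seven-byte prefixes decoded in the reply above.
SEVEN_ZIP = bytes([0x50, 0x4B, 0x03, 0x04, 0x0A, 0x00, 0x00])
SEVEN_EXE = bytes([0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00])


def b64(data: bytes) -> str:
    """Plain Base64 of a byte string, with "=" padding."""
    return base64.b64encode(data).decode("ascii")


def mime_encode(data: bytes) -> str:
    """Encode an attachment the way a MIME agent does: Base64 in 76-column lines."""
    return base64.encodebytes(data).decode("ascii")


def scan_body(body: str) -> set:
    """Report which of the two 'MIME sigs' fire on an encoded body part."""
    hits = set()
    if ZIP_SIG.search(body):
        hits.add("zip")
    if EXE_SIG.search(body):
        hits.add("exe")
    return hits


# Constructed sample: the DOS stub header any ordinary Win32 .exe starts with
# (first 32 bytes of a typical MZ header, zero-filled to 64; not a loadable PE,
# just enough to show that a benign executable trips the filter).
BENIGN_EXE = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"
    "B8000000000000004000000000000000"
) + bytes(32)


def stored_zip_v10_header(name: bytes, data: bytes) -> bytes:
    """Constructed local file header for a stored entry with 'version needed'
    1.0 (0x000A), no flags, method 0, as some zip writers record for stored
    entries. Header plus data only; the central directory is omitted because
    only the leading bytes matter for the prefix check."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    hdr = struct.pack("<IHHHHHIIIHH",
                      0x04034B50, 10, 0, 0, 0, 0,
                      crc, len(data), len(data), len(name), 0)
    return hdr + name + data


def python_zip(data: bytes) -> bytes:
    """A complete, valid archive from the standard library. zipfile writes
    'version needed' 2.0 (0x0014) even for stored entries, so its Base64 starts
    "UEsDBBQA" rather than "UEsDBAoA" and the posted filter does not match it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", data)
    return buf.getvalue()


if __name__ == "__main__":
    print(b64(SEVEN_ZIP), b64(SEVEN_EXE))  # UEsDBAoAAA== TVqQAAMAAA==
    print(scan_body(mime_encode(BENIGN_EXE)))                             # {'exe'}
    print(scan_body(mime_encode(stored_zip_v10_header(b"a.txt", b"hi"))))  # {'zip'}
    print(b64(python_zip(b"hi"))[:8], scan_body(mime_encode(python_zip(b"hi"))))  # UEsDBBQA set()
```

Run it as a script to see both outcomes side by side: every sample that is an executable or a version-1.0 zip is flagged whatever its contents, which is the false-positive rate the reply warns about, while a zip whose header records version 2.0 is missed entirely, which is why the filter is only as stable as those first seven bytes.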

