Full Disclosure mailing list archives

RE: A worm...


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 27 Jun 2003 14:24:42 +1300

"M. Osten" <lists () bleepyou com> to ATD:

> And this was my point. Are the crafty "worm gods" creating worms that
> evade detection by using compression and other methods?  If they are
> doing this, and if they are creating the "stealth worms" what's next. Zip
> files would be just one of hundreds of ways to hide worms. Maybe the
> virus scanning technology needs to be kicked up a notch or two.
>
> Do most virus scanners *not* scan compressed files?  We scan all
> incoming mail using Amavis (on linux) with the NAI engine which does
> scanning of all the common compression schemes.

Most virus scanners do, by default, scan inside archive files (at 
least in their "on demand" forms and when in Email gateway and/or 
content inspection type roles).

The main point is not whether scanners look inside archive files 
or not.  The point is, if you are a new and thus "unknown to the 
scanners" malware, how do you get past the "security controls" in 
Outlook and Outlook Express and/or past the "block arbitrary files of 
this type regardless of what the virus scanner says" policies of many 
corporate Email gateway content scanners.

Sobig.E's "ZIP trick" allows it to get past the attachment "security" 
restrictions of Outlook and the recent OE 6.0 service pack and, so 
long as a virus scanner's heuristics did not fire on the executable 
inside the ZIP, would also allow it to pass through many corporate Email 
attachment scanning policies too.

That may only buy it a few more hours "freedom" but that can be more 
than enough to "get lucky" at some large corporate and thereby get 
sent to half the planet.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
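The gateway policy Nick describes, one that blocks attachments by file type "regardless of what the virus scanner says", only holds up against a ZIP wrapper if the same check is applied to the archive's members. Below is an added example of such a check, not code from the thread or any product; the blocklist, the nesting limit and the sample archive it builds are all assumptions constructed for the example.

```python
import io
import os
import zipfile

BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}  # assumed list
MAX_NESTING = 3  # refuse deeper nesting instead of recursing indefinitely

def is_blocked_name(name: str) -> bool:
    """True if the final extension is on the blocklist (case-insensitive)."""
    return os.path.splitext(name.lower().rstrip())[1] in BLOCKED_EXTENSIONS

def blocked_members(data: bytes, depth: int = 0) -> list:
    """Paths of ZIP members a file-type policy would block had they arrived
    unzipped; nested ZIPs are opened recursively, uninspectable ones flagged."""
    if depth > MAX_NESTING:
        return ["<nesting too deep>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:  # encrypted member: cannot inspect, so flag
                findings.append(info.filename + " <encrypted>")
            elif is_blocked_name(info.filename):
                findings.append(info.filename)
            elif info.filename.lower().endswith(".zip"):
                inner = blocked_members(archive.read(info), depth + 1)
                findings += [info.filename + "/" + f for f in inner]
    return findings

def gateway_verdict(filename: str, data: bytes) -> str:
    """'block' if the attachment, or any member of a ZIP attachment, is a blocked type."""
    if is_blocked_name(filename):
        return "block"
    if filename.lower().endswith(".zip") and blocked_members(data):
        return "block"
    return "allow"

def build_sample_zip() -> bytes:
    """Constructed sample: a text file, a .pif member and a nested ZIP holding a .scr."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo.scr", b"constructed placeholder, not a program")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("details.pif", b"constructed placeholder, not a program")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

An archive the gateway cannot open or cannot decrypt is reported as a finding rather than passed on, since a policy that waves through whatever it cannot inspect is exactly what the ZIP trick relies on.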

