Full Disclosure mailing list archives

Re: broken virus / worm email has attachment not found by grisoft proxy scanner


From: Justin Lundy <jbl () tegatai com>
Date: Tue, 3 Aug 2004 09:21:11 -0700

On Tue, Aug 03, 2004 at 10:56:09AM -0400, Andrew R. Reiter wrote:

I've seen binaries that resemble this situation lately as well.  If you
`strings` the binary, it has some strings that would lead you to believe
it's a PE file, ie. it contains UPX0 & UPX1 strings which are commonly
used as the section labels for PE files that are UPX packed.  However, if
you try to analyze the binary as a PE, even if you took the new executable
offset found in the DOS header as being valid, the values one would read
at the offset are bogus... just completely bogus.

I haven't done any more investigation than this and apologize if this is
old info.

If you want to send over the binary attachments I'll take a look. Nothing
a little IDA and SoftIce can't identify. Andrew is certainly right though,
the lion's share of email virii are written with win32 platforms in mind as
the target. Even if the binary is UPX packed, often times the binaries can
be run through an unpacker. UPX doesn't have encryption routines, but other
binary compression utilities do. Maybe the one you have is unencrypted, in
which case it should be easy to figure out exactly what it is doing with
some minor disassembly. 
 
On Tue, 3 Aug 2004, Denis McMahon wrote:

:Hmm
:
:I've had a couple of suspicious emails this week with headers, blank
:line, a line of text, mime headers.
:
:Thunderbird doesn't see the mime attachment due to the broken headers,
:which is good, but nor does the grisoft email proxy scanner, which is
:bad, especially as I guess that certain broken applications (no I don't
:have outlook [express] on my system) might try and be smart and find the
:attachment.
:
:This might be broken malware sending unusable stuff out, but my worry is
:that someone may have found a technique that will sneak an attachment
:past some a-v scanners in a "broken" format that certain popular email
:apps will try and fix, possibly putting active malware on the hard disk.

That's a reasonable concern. Spammers find ways around anti-spam filters.
Blackhats find ways to evade intrusion detection systems. Likewise, virus
writers find ways to escape AV detection as well. Maybe you are right.

:I tried to talk to grisoft about this, but all I get back is "you have
:to pay to talk to us cheapskate" ... whilst I can agree that they might
:not want to provide tech support to users of their free scanner, does
:anyone have an email address at grisoft for submitting suspicious items
:that have got past their proxy scanner?
 
If you want to send the attachments my way I can see if it matches any
known signatures from ClamAV, Norton Antivirus or other AV scanners. Go
ahead and forward it to this email address, I'll reply with the output ;)

-JBL
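The header check Andrew describes above (follow e_lfanew from the DOS header, see whether a valid PE signature and section table actually live there, and separately note whether the UPX0/UPX1 strings are present) can be scripted for triage. The following is an added example written for this archive page, not code from anyone in the thread; the two sample files it inspects are constructed in the script itself (a minimal well-formed PE-style blob with UPX0/UPX1 sections, and a blob that carries the same strings but whose e_lfanew points at junk), so it runs offline and is only a structural sanity check, not a scanner.

```python
import struct

def check_pe(data: bytes) -> dict:
    """Structural sanity check of a suspected PE file.

    Returns a dict describing what was found: whether the DOS 'MZ' stub and
    the 'PE\\0\\0' signature at e_lfanew are present, the section names read
    from the section table, whether UPX0/UPX1 strings occur anywhere in the
    bytes, and a 'reason' string when parsing stops early.
    """
    result = {"mz": False, "pe_signature": False, "sections": [],
              "upx_strings": False, "reason": ""}
    # The strings check is independent of structure: a `strings` run would
    # show these even when the PE headers are bogus.
    result["upx_strings"] = b"UPX0" in data or b"UPX1" in data

    # DOS header is 0x40 bytes; e_lfanew (offset of the PE header) lives at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "too short or no MZ header"
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]

    # Signature (4 bytes) + COFF file header (20 bytes) must fit in the file.
    if e_lfanew + 24 > len(data):
        result["reason"] = "e_lfanew points outside the file"
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "bogus PE signature at e_lfanew"
        return result
    result["pe_signature"] = True

    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2). The section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        off = sec_table + i * 40          # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            result["reason"] = "section table truncated"
            break
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        result["sections"].append(name)
    return result

def build_sample(section_names, e_lfanew=0x40) -> bytes:
    """Construct a minimal PE-shaped blob for testing (not a real executable).

    No optional header is emitted (SizeOfOptionalHeader = 0), so the section
    table starts right after the COFF header.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + secs

# Constructed samples: a well-formed blob, and one whose e_lfanew points into
# the zeroed DOS header so the "PE" signature is missing even though the
# UPX0/UPX1 strings are still present in the bytes.
GOOD_SAMPLE = build_sample(["UPX0", "UPX1", ".rsrc"])
BOGUS_SAMPLE = build_sample(["UPX0", "UPX1"], e_lfanew=0x20)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_SAMPLE), ("bogus", BOGUS_SAMPLE)):
        print(label, check_pe(blob))
```

Run against a real attachment by reading the file bytes into `check_pe`; a result with `upx_strings` set but `pe_signature` false matches the pattern described in the thread, where the strings suggest a UPX-packed PE but the headers do not parse.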

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html