Full Disclosure mailing list archives
Re: Backdoor not recognized by Kaspersky
From: Bart.Lansing () kohls com
Date: Wed, 3 Mar 2004 09:58:20 -0600
Cael...take a more sensible approach...no password parsing to scan needed...have the AV/mail gateways stop any zip with any executable inside. You don't need to use the password to see that there is an .exe/.scr/.com/.whatever inside a zip. You see it, you nuke the zip. If your policies allow zipped executables to meander through your mail system as long as they pass a virues scan, you must have damned busy 0 days. This ain't complicated...at all. Bart Lansing Manager, Desktop Services Kohl's IT
Leave passworded .zips alone -- take the sensible approach and catch an infected file once it's been extracted. Cael
full-disclosure-admin () lists netsys com wrote on 03/03/2004 08:56:34 AM:
Another variant against the Netsky virus. It's is packed with UPX. It spreads with the password protected zip file, which gets bypassed through all most all the AV scanners with latest signature updates because No AV can decrypt it without the password. (though password is in the message content), we humans tend to open it after reading the message.Kaspersky, NAI and possibly some other AV-vendors now parse the
password
from the body of the email to extract the zip and then scan it. Obviously this only helps if it can scan the complete email i.e. on the
mailserver. They might need to adapt to new varitions of how the password is included in the body, which will take some analysis when
new
variants emerge.Does anyone else find this new development a bad idea? I'm of the mindset that anti-virus companies should stick with what they're good at -- namely, detecting and handling infected files. It seems a bad idea to start down the natural language processing road. Are they scanning just for Bagle/Beagle style e-mail, or are their methods more general? What about messages of the form: 'Password is a long yellow fruit enjoyed by monkeys.' What about messages in languages other than English? I can easily see this becoming an arms-race, and one the anti-virus folks have no chance of winning.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
CONFIDENTIALITY NOTICE: This is a transmission from Kohl's Department Stores, Inc. and may contain information which is confidential and proprietary. If you are not the addressee, any disclosure, copying or distribution or use of the contents of this message is expressly prohibited. If you have received this transmission in error, please destroy it and notify us immediately at 262-703-7000. CAUTION: Internet and e-mail communications are Kohl's property and Kohl's reserves the right to retrieve and read any message created, sent and received. Kohl's reserves the right to monitor messages by authorized Kohl's Associates at any time without any further consent. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Backdoor not recognized by Kaspersky, (continued)
- Re: Backdoor not recognized by Kaspersky maarten (Mar 03)
- Re: Backdoor not recognized by Kaspersky Martin Mačok (Mar 03)
- Re: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- Re: Backdoor not recognized by Kaspersky Bart . Lansing (Mar 03)
- RE: Backdoor not recognized by Kaspersky Aditya, ALD [Aditya Lalit Deshmukh] (Mar 03)
- Re: Backdoor not recognized by Kaspersky KUIJPERS Jimmy (Mar 04)
- Re: Backdoor not recognized by Kaspersky maarten (Mar 03)
- Re: Backdoor not recognized by Kaspersky Gregor Lawatscheck (Mar 03)
- Re: Backdoor not recognized by Kaspersky Cael Abal (Mar 03)
- Re: Backdoor not recognized by Kaspersky Bart . Lansing (Mar 03)
- Re: Backdoor not recognized by Kaspersky Cael Abal (Mar 03)
- Re: Backdoor not recognized by Kaspersky Gregor Lawatscheck (Mar 03)
- Re: Backdoor not recognized by Kaspersky Valdis . Kletnieks (Mar 04)