RE: Backdoor not recognized by Kaspersky

[Nick FitzGerald <nick () virus-l demon co uk>]

"Schmehl, Paul L" <pauls () utdallas edu> wrote:

> McAfee now detects the password protected zip files.  (There are other
> things you can look for besides trying to decrypt the contents of the
> zip filel  Also, zip passwords are weak and easily broken anyway.)

Though cracking is not, I believe, how it is done.  Knowing the limited 
character set and length of passwords used would make cracking 
relatively easy, but perhaps still in the order of an average of 
several to tens of minutes per Bagle-encrypted .ZIP.  I doubt many mail 
servers/content gateways could tolerate that level of additional CPU 
load...

I'd be very surprised if the "detection" of Bagle encrypted .ZIPs 
implemented by NAI (and others) is not prone to false-positive (at 
least if they insist on labelling the things they find as "Bagle") but 
it is likely to remain as a useful heuristic.

> BTW, there is a war going on right now between three virus groups, so
> you will continue to see new variants of Bagle, Netsky and Mydoom for
> the foreseeable future.  Should be a very interesting month.

Well, if everyone (especailly the media and the AV web pages) stopped 
paying these pathetic puppies' "war" the attention it has been getting, 
I suspect that they may quickly tire of the fight, as surely they gain 
little from it at the moment other than that attention...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html