Security Incidents mailing list archives

Re: (Fwd) how to filter the Novarg virus


From: Damian Menscher <menscher () uiuc edu>
Date: Wed, 28 Jan 2004 17:31:45 -0600 (CST)

On Wed, 28 Jan 2004, lsi wrote:

> The following regular expressions trap this virus dead, no matter
> what subject line, message body, or filename it uses:
>
> If expression body matches "UEsDBAoAAA*" Move [virus folder]
>
> If expression body matches "TVqQAAMAAA*" Move [virus folder]
>
> So to find it we merely filter on the MIME strings above, which are
> the first 10 bytes of the MIME content section.

And what makes you think those 10 bytes are sufficiently unique to avoid
filtering a legitimate email?  What if someone sends a legitimate .zip
file?  How do those begin, when MIME encoded?  I'd be very cautious
about only filtering on 10 bytes of base64 text, especially when
considering that most filetypes begin with some "magic".

Look what happens when I create a random zip file:

menscher@lx2:~> echo blah > blah
menscher@lx2:~> zip blah.zip blah
updating: blah (stored 0%)
menscher@lx2:~> uuencode -m blah.zip.uu < blah.zip
begin-base64 644 blah.zip.uu
UEsDBAoAAAAAAM2LPDAtMsRQBQAAAAUAAAAEABUAYmxhaFVUCQADEkYYQLJF
GEBVeAQAMQy4C2JsYWgKUEsBAhcDCgAAAAAAzYs8MC0yxFAFAAAABQAAAAQA
DQAAAAAAAQAAAKSBAAAAAGJsYWhVVAUAAxJGGEBVeAAAUEsFBgAAAAABAAEA
PwAAADwAAAAAAA==
====

Now notice the first few bytes:  "UEsDBAoAAA".

Congratulations!  Your filter just stopped me from saying "blah" to my
friends!

That said, here's what I'm doing:

# W32/Mydoom@MM
:0 BD
* > 30037
* < 40000
* and has been sent as a binary attachment\.$|^Mail transaction failed\. Partial message is available\.$
/root/mydoom.string

# W32/Mydoom@MM
:0 BD
* > 30037
* < 40000
* 3NreW2Fmc9UACmhsoy12gVd8LmRsbLPdUXUmbsnK9nlfQQtkGTB0TrDQatwCd28P8Oht5dYcztFr
/root/mydoom

The first is based on the text strings that are usually part of the
virus.  It catches many of them, but runs the slight risk of catching a
legitimate email.  I considered those chances to be sufficiently small.

The second is because not all copies contain those text strings.
Sometimes they contain no message text, or it's in some other language
(big8 or something).  So I filter on a line that matches the .scr/.pif
version of the virus.

My filter is only about 90% effective, since a .zip with no identifiable
text can still get through.  Unfortunately I don't see a way to improve
on that, since the filenames in the zip are random, so the entire zip
body gets randomized.  If anyone has suggestions, I'd be interested to
hear them.

> (That two different sigs are required suggests there are two versions
> of the virus in circulation.)

No, the first gets the .scr/.pif version, and the second gets the .zip
version.  Not two viruses, just two forms of spreading.

> No silver bullet for auto-notification messages, unfortunately :(

Kill the admin of the machine that sent them.  You may use silver or
lead, as you deem economical.

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| UIUC CITES Security Group || Beckman Imaging Technology Group |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
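
The base64 argument made above, as an added example that is not part of the original mail or of anyone's filter: it decodes the two proposed "signatures" back into bytes, names the file-format magic they contain, and builds a constructed ZIP local-file header for a harmless stored entry to show it yields the same first ten MIME characters. The header builder, its placeholder CRC/size fields and the function names are my own assumptions, not anything from the thread.

```python
"""A 10-character base64 prefix is file-format magic, not a virus signature."""
import base64
import struct

# Prefixes proposed in the thread as virus signatures.
ZIP_SIG = "UEsDBAoAAA"
EXE_SIG = "TVqQAAMAAA"


def decode_prefix(b64_prefix: str) -> bytes:
    """Decode a base64 fragment whose length is not a multiple of 4.

    10 characters carry 60 bits: 7 whole bytes, the last 4 bits are dropped.
    """
    padded = b64_prefix + "=" * (-len(b64_prefix) % 4)
    return base64.b64decode(padded)


def mime_prefix(data: bytes, n: int = 10) -> str:
    """First n characters a base64 MIME body of `data` would begin with."""
    return base64.b64encode(data).decode("ascii")[:n]


def describe(b64_prefix: str) -> str:
    """Name the file-format magic hidden in a base64 prefix, or 'unknown'."""
    raw = decode_prefix(b64_prefix)
    if raw[:4] == b"PK\x03\x04" and len(raw) >= 6:
        # Bytes 4-5 of a ZIP local file header: "version needed to extract".
        ver = struct.unpack("<H", raw[4:6])[0]
        return f"zip local file header, version needed {ver // 10}.{ver % 10}"
    if raw[:2] == b"MZ":
        return "MZ (DOS/Windows executable) header"
    return "unknown"


def stored_zip_header(name: bytes) -> bytes:
    """Constructed 30-byte ZIP local-file header for a 'stored' entry, the form
    `zip` chose for the tiny file in the thread.  CRC and sizes are placeholders
    (assumption): they sit past byte 7 and do not influence the 10-char prefix."""
    return struct.pack("<4sHHHHHIIIHH",
                       b"PK\x03\x04",
                       10,      # version needed to extract: 1.0 (stored entry)
                       0,       # general purpose bit flags
                       0,       # compression method 0 = stored
                       0, 0,    # last mod time / date
                       0,       # CRC-32 (placeholder)
                       0, 0,    # compressed / uncompressed size (placeholders)
                       len(name), 0) + name


if __name__ == "__main__":
    for sig in (ZIP_SIG, EXE_SIG):
        print(sig, "->", decode_prefix(sig).hex(), "=", describe(sig))
    print("benign stored zip ->", mime_prefix(stored_zip_header(b"blah")))
```

Every zip whose first entry is stored with version 1.0 and no flags set, and every executable carrying the common MZ stub, starts with exactly these prefixes, which is why the false-positive rate of such a rule is the rate of legitimate attachments of that type.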
