RE: [Full-Disclosure] A worm...

From: Richard M. Smith (rms_at_computerbytesman.com)
Date: 06/26/03

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 26 Jun 2003 09:43:41 -0400
    
    

    Hi Peter,

    Thanks for the background info. Because of the password issue, any
    security protections for .ZIP files need to be built into an unzipper
    program. At a minimum, Microsoft needs to put a warning dialog in the
    Windows unzipper when double-clicking on an executable file in a .ZIP
    file that comes attached to an email message. Better yet, don't allow
    .ZIP files to be opened from an email message. Force people to save
    them first. Netscape had this second basic protection scheme in
    Communicator years ago.

    Richard

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Peter Kruse
    Sent: Thursday, June 26, 2003 8:57 AM
    To: full-disclosure@lists.netsys.com
    Subject: SV: [Full-Disclosure] A worm...

    Hi Richard,

    Well, it might be the first widespread one of its kind but it's certainly
    not the first to use zip to hide itself. Also it's trendy to put
    malicious code inside the new rar format and spread it. I suppose it's
    fairly easy to write a worm that packs itself with a random password and
    inserts this into an e-mail sent to the victim. This way it will pass
    most AV-gateway scanners since they won't have access to scan inside the
    zip archive.

    Also XP is quite vulnerable to this type of trick. If you attach a zip
    file and open it on Windows XP, the built-in zip feature will open
    the zipped file in a new window from where the user can activate the
    malicious file directly without unzipping the files :-(

    Another one that has used the zip trick is bogusbear. A search on Google
    will give you plenty of hits.

    I did write an article about this back in October 2002. Unfortunately
    it's in Danish so many of you guys won't understand a word. Anyway, I
    pointed out that this would be used in future malicious code and so it
    happened - I guess I got "lucky".
    http://www.comon.dk/index.php?page=news:show,id=12315

    Med venlig hilsen // Kind regards

    Peter Kruse
    Kruse Security
    http://www.krusesecurity.dk

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    > Richard M. Smith
    > Sent: 26 June 2003 13:55
    > To: full-disclosure@lists.netsys.com
    > Subject: RE: [Full-Disclosure] A worm...
    >
    >
    > This is the first worm that I am aware of that hides itself
    > inside of a .ZIP file. This trick prevents the worm
    > executable from being deleted by the Outlook Security Update.
    > Looks like Microsoft will need to now think about how to
    > deal with malicious code inside of attached .ZIP files.
    > Outlook 2002 does provide a security warning when opening the
    > .ZIP file. But everyone knows that .ZIP files are safe,
    > right? I don't believe there is any security warning when
    > running the .PIF file inside of the .ZIP, but I didn't try
    > this particular experiment. ;-)
    >
    > Richard
    >
    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of KF
    > Sent: Wednesday, June 25, 2003 9:11 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] A worm...
    >
    >
    > I believe Simon is well aware of what virus this is... the
    > question was in relation to the zipping of the payload. I believe he
    > was wondering if this (zipping of payload) was some new Antivirus
    > evasion trick or if there was something more to it (like simply
    > hoping a retarded user would unzip and run the .pif).
    >
    > >>I know what it is, but since when did the pif worm start zipping
    > itself?
    > >>did I miss something?
    > >>
    > -KF
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

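The two gateway-side checks this thread argues for, as an added example that is not part of any message above: list the entries of a .ZIP attachment that are Windows executables (the .PIF inside the worm's archive), and flag entries whose "encrypted" bit is set, which is precisely Peter Kruse's random-password case where a scanner cannot look inside. Everything is Python standard library. The extension list is an assumed subset of Outlook's blocked types; `build_stored_zip` hand-writes ZIP headers so the encrypted flag can be set without a real cipher (zipfile cannot write encrypted archives); the "MZ" sniff of un-encrypted entries goes one step beyond the thread, catching an executable renamed to an innocuous extension. The sample archives and the fake "worm" bytes are constructed for the demo.

```python
"""Gateway-side triage of a ZIP e-mail attachment (added example, not from the thread).

Lists Windows-executable entries and flags entries whose encrypted bit is set,
which is the case an AV gateway cannot inspect. Samples are built in memory;
the "worm" is a fake MZ stub, not real malware.
"""
import io
import posixpath
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Assumed subset of the Outlook "Level 1" attachment types, for illustration only.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
ENCRYPTED_FLAG = 0x0001  # general purpose bit flag, bit 0 (PKWARE APPNOTE 4.4.4)


def build_stored_zip(entries, encrypted=False):
    """Hand-build a ZIP of STORED entries so the flag bits are under our control.
    With encrypted=True only bit 0 is set; the bytes are not really encrypted,
    but the flag alone is what makes a scanner give up."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central = io.BytesIO(), io.BytesIO()
    for name, data in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = local.tell()
        # Local header: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
        local.write(struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                                crc, len(data), len(data), len(name_b), 0))
        local.write(name_b + data)
        # Central header: adds version-made-by, comment/disk/attr fields, local offset
        central.write(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0,
                                  0x21, crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0,
                                  offset))
        central.write(name_b)
    cd = central.getvalue()
    # End of central directory: disk numbers, entry counts, cd size, cd offset, comment len
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(cd), local.tell(), 0)
    return local.getvalue() + cd + eocd


@dataclass
class Verdict:
    executables: list = field(default_factory=list)  # entries blocked by type
    encrypted: list = field(default_factory=list)    # entries we cannot inspect
    corrupt: bool = False                            # not parseable as a ZIP

    @property
    def should_quarantine(self):
        # Block what we recognise, and also what we cannot see into.
        return self.corrupt or bool(self.executables or self.encrypted)


def triage_zip_attachment(blob):
    """Classify one attachment. Un-encrypted entries are also sniffed for an
    MZ header, so an executable renamed to .jpg is still caught."""
    v = Verdict()
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        v.corrupt = True
        return v
    with zf:
        for info in zf.infolist():
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                v.executables.append(info.filename)
            if info.flag_bits & ENCRYPTED_FLAG:
                v.encrypted.append(info.filename)  # opaque to us: a scanner stops here
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and ext not in EXECUTABLE_EXTS:
                v.executables.append(info.filename)  # executable behind a harmless name
    return v


def can_inspect(blob, name):
    """True if zipfile hands us the bytes of `name` without a password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # "File ... is encrypted, password required for extraction"
            return False


def demo():
    worm = b"MZ" + b"\x90" * 30  # constructed stand-in for the .PIF payload
    clear = [("readme.txt", b"see attached"), ("photo.pif", worm)]
    locked = build_stored_zip(clear, encrypted=True)
    return {
        "plain": triage_zip_attachment(build_stored_zip(clear)),
        "locked": triage_zip_attachment(locked),
        "renamed": triage_zip_attachment(build_stored_zip([("photo.jpg", worm)])),
        "benign": triage_zip_attachment(build_stored_zip([("notes.txt", b"hello")])),
        "garbage": triage_zip_attachment(b"not a zip"),
        "locked_readable": can_inspect(locked, "photo.pif"),
    }
```

The policy choice is in `should_quarantine`: an archive the gateway cannot read is treated the same as one known to carry an executable, because "could not scan" is not "clean". That is the gateway-side counterpart of Richard's point that the remaining protection has to live in the unzipper on the desktop.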

