RE: [Full-Disclosure] A worm...

From: ATD (simon_at_snosoft.com)
Date: 06/26/03

    To: "Richard M. Smith" <rms@computerbytesman.com>
    Date: 26 Jun 2003 11:17:30 -0400

    Yes,
            But we all know that IE caters to the lazy people in each of us. =]

    On Thu, 2003-06-26 at 09:43, Richard M. Smith wrote:
    > Hi Peter,
    >
    > Thanks for the background info. Because of the password issue, any
    > security protections for .ZIP files need to be built into an unzipper
    > program. As a minimum, Microsoft needs to put a warning dialog in the
    > Windows unzipper when double-clicking on an executable file in a .ZIP
    > file that comes attached to an email message. Better yet, don't allow
    > .ZIP files to be opened from an email message. Force people to save
    > them first. Netscape had this second basic protection scheme in
    > Communicator years ago.
    >
    > Richard
    >
    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Peter Kruse
    > Sent: Thursday, June 26, 2003 8:57 AM
    > To: full-disclosure@lists.netsys.com
    > Subject: SV: [Full-Disclosure] A worm...
    >
    >
    > Hi Richard,
    >
    > Well, it might be the first widespread one of its kind but it's certainly
    > not the first to use zip to hide itself. Also it's trendy to put
    > malicious code inside the new rar format and spread it. I suppose it's
    > fairly easy to write a worm that packs itself with a random password and
    > inserts this into an e-mail sent to the victim. This way it will pass
    > most AV-gateway scanners since they won't have access to scan inside the
    > zip archive.
    >
    > Also XP is quite vulnerable to this type of trick. If you attach a zip
    > file and open it on Windows XP, the built-in zip feature will open
    > the zipped file in a new window from where the user can activate the
    > malicious code directly without unzipping the files :-(
    >
    > Another that has used the zip trick is bogusbear. A search on google
    > will give you plenty of hits.
    >
    > I did write an article about this back in October 2002. Unfortunately
    > it's in Danish so many of you guys won't understand a word. Anyways, I
    > pointed out that this would be used in future malicious code and so it
    > happened - I guess I got "lucky".
    > http://www.comon.dk/index.php?page=news:show,id=12315
    >
    > Med venlig hilsen // Kind regards
    >
    > Peter Kruse
    > Kruse Security
    > http://www.krusesecurity.dk
    >
    >
    >
    > > -----Original Message-----
    > > From: full-disclosure-admin@lists.netsys.com
    > > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    > > Richard M. Smith
    > > Sent: 26 June 2003 13:55
    > > To: full-disclosure@lists.netsys.com
    > > Subject: RE: [Full-Disclosure] A worm...
    > >
    > >
    > > This is the first worm that I am aware of that hides itself
    > > inside of a .ZIP file. This trick prevents the worm
    > > executable from being deleted by the Outlook Security Update.
    > > Looks like Microsoft will need to now think about how to
    > > deal with malicious code inside of attached .ZIP files.
    > > Outlook 2002 does provide a security warning when opening the
    > > .ZIP file. But everyone knows that .ZIP files are safe,
    > > right? I don't believe there is any security warning when
    > > running the .PIF file inside of the .ZIP, but I didn't try
    > > this particular experiment. ;-)
    > >
    > > Richard
    > >
    > > -----Original Message-----
    > > From: full-disclosure-admin@lists.netsys.com
    > > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of KF
    > > Sent: Wednesday, June 25, 2003 9:11 PM
    > > To: full-disclosure@lists.netsys.com
    > > Subject: Re: [Full-Disclosure] A worm...
    > >
    > >
    > > I believe Simon is well aware of what virus this is... the
    > > question was in relation to the zipping of the payload. I believe
    > > he was wondering if this (zipping of payload) was some new Antivirus
    > > evasion trick or if there was something more to it (like simply
    > > hoping a retarded user would unzip and run the .pif).
    > >
    > > >>I know what it is, but since when did the pif worm start zipping
    > > itself?
    > > >>did I miss something?
    > > >>
    > > -KF
    > >
    > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > >

    
    

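A gateway-side check for the two points raised in the thread: an encrypted archive cannot be content-scanned, and a directly runnable member such as a .pif can be launched from the Windows XP archive window without extraction. This is an added example, not code from the thread or from any of the posters; the sample archives are constructed in memory, and the helper that sets the encryption flag is an assumed test stand-in because Python's zipfile cannot write password-protected archives.

```python
import io
import os
import zipfile

# Directly runnable Windows member types; .pif is the one the thread discusses,
# the rest are the usual companions a gateway policy treats the same way.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

def inspect_zip(data: bytes) -> dict:
    """Classify a ZIP attachment held in memory without extracting it.
    Encrypted members (general-purpose flag bit 0) cannot be scanned, so they
    are reported instead of silently passed; runnable members are reported
    even in a plain archive, since Explorer lets a user launch them directly.
    """
    result = {"encrypted": [], "executable": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "quarantine"  # unparseable: never pass what you cannot read
        return result
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                result["encrypted"].append(info.filename)
            if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                result["executable"].append(info.filename)
    if result["encrypted"] or result["executable"]:
        result["verdict"] = "quarantine"
    return result

def _flag_encrypted(data: bytes) -> bytes:
    """Test stand-in (assumption): set the 'encrypted' flag bit in every local
    and central-directory header so a parser sees a password-protected archive.
    The stored bytes are left untouched; nothing is really encrypted."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)

def build_sample(member: str, encrypted: bool = False) -> bytes:
    """Constructed sample attachment: one stored member holding dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"sample bytes, not a program")
    return _flag_encrypted(buf.getvalue()) if encrypted else buf.getvalue()
```

Calling `inspect_zip(build_sample("photos.pif"))` returns a quarantine verdict naming the runnable member, while an encrypted archive is quarantined even when its member name looks harmless.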