Re: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 08/03/04

    To: fd <full-disclosure@lists.netsys.com>
    Date: Wed, 04 Aug 2004 01:30:28 +1200

    Denis McMahon wrote:

    > I've had a couple of suspicious emails this week with headers, blank
    > line, a line of text, mime headers.

    And that is _all_ ???

    If so, what are you worrying about?

    If not, why didn't you describe all the sections in the message
    structure?

    > Thunderbird doesn't see the mime attachment due to the broken headers,

    _Which_ headers are broken?

    Do you mean there is something "bad" (cf. the relevant RFCs) in the
    Email headers, or in the MIME headers???

    > which is good, but nor does the grisoft email proxy scanner, which is
    > bad, especially as I guess that certain broken applications (no I don't
    > have outlook [express] on my system) might try and be smart and find the
    > attachment.

    But your description of the structure of these messages above says
    nothing about any "attachments"...

    > This might be broken malware sending unusable stuff out, but my worry is
    > that someone may have found a technique that will sneak an attachment
    > past some a-v scanners in a "broken" format that certain popular email
    > apps will try and fix, possibly putting active malware on the hard disk.

    Are these "attachments" in the ~1.5KB - 2KB size range?

    If so, I'd say there is a reasonable chance they are the "IPs I've
    already hit" log-only (aka "corrupted") Mydoom.O messages. These
    _should_ appear in any of the forms of message Mydoom.O can produce
    which includes attachment-only (blank message part) through various
    "clever" SE message forms to "binary gibberish" messages. Further, the
    base64 encoded attachment can also be "normal" or "corrupted" (spaces,
    odd line-breaks inserted where they are not allowed by the spec --
    Outlook and OE (and several other MUAs) happily ignore these "encoding
    errors" and "correctly" decode the intended attachment.

    > I tried to talk to grisoft about this, but all I get back is "you have
    > to pay to talk to us cheapskate" ... whilst I can agree that they might
    > not want to provide tech support to users of their free scanner, does
    > anyone have an email address at grisoft for submitting suspicious items
    > that have got past their proxy scanner?

    Yes but you'll have to contact me off-list as I won't publish the
    details here.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
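The decoding mismatch Nick describes (a scanner that rejects base64 containing stray spaces and line breaks, while Outlook/OE quietly ignore them and decode the attachment anyway) is easy to reproduce. The following is an added example, not code from the post or from any vendor's scanner; the payload and the corruption pattern are constructed, and the scanner-side policy of "decode leniently and flag the part as malformed" is an assumption about how a defender would want to handle such parts.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed sample standing in for an attachment body (not a real sample).
PAYLOAD = b"Example attachment body used to demonstrate lenient base64 decoding."
VALID = base64.b64encode(PAYLOAD).decode("ascii")

_B64_JUNK = re.compile(r"[^A-Za-z0-9+/]")


def corrupt(encoded: str) -> str:
    """Mangle valid base64 as the message describes: spaces and line breaks
    dropped in at positions the encoding does not allow (pattern is arbitrary)."""
    out = []
    for i, ch in enumerate(encoded, 1):
        out.append(ch)
        if i % 7 == 0:
            out.append(" ")
        if i % 11 == 0:
            out.append("\n")
    return "".join(out)


def strict_decode(data: str) -> Optional[bytes]:
    """A validating decoder: tolerates only line breaks and rejects any other
    character outside the base64 alphabet. Returns None on a malformed part."""
    try:
        return base64.b64decode(data.replace("\r", "").replace("\n", ""), validate=True)
    except binascii.Error:
        return None


def lenient_decode(data: str) -> bytes:
    """The forgiving behaviour of a mail client: discard everything that is
    not a base64 symbol, then re-pad and decode what is left."""
    symbols = _B64_JUNK.sub("", data)
    symbols += "=" * (-len(symbols) % 4)
    return base64.b64decode(symbols)


def decode_for_scanning(data: str) -> Tuple[Optional[bytes], bool]:
    """Scanner-side policy (assumed): decode strictly if possible; otherwise
    decode the way a lenient client would and flag the part as malformed so it
    gets scanned and logged instead of ignored. Returns (bytes, was_malformed)."""
    decoded = strict_decode(data)
    if decoded is not None:
        return decoded, False
    try:
        return lenient_decode(data), True
    except binascii.Error:
        return None, True
```

A gateway scanner that stops at `strict_decode` never sees the bytes the user's mail client will happily reconstruct; `decode_for_scanning` closes that gap and keeps the "malformed" flag as a detection signal in its own right.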
