Re: Password protected ZIP files and Email worms

From: Hughes, Bruce (bhughes_at_ICSALABS.COM)
Date: 03/02/04

    Date:         Tue, 2 Mar 2004 16:32:57 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I approved this submission because it included an interesting mitigation
    that someone could add to the list of file types they are already blocking.
    I do not believe, however, that it will be the same across the board for all
    AV products.

    Now I would like to ask the following:

    1. What are you doing to stop malcode that comes inside files with the *.zip
    file extension?
    2. What about malcode using password protected *.zip files?

    Send me what you are doing, email the list or me personally at
    bhughes@icsalabs.com. I will not post every message to the list but will
    put together a list of tips and tricks and post it back to NTBugTraq in
    a couple of days.

    Feel free to send me information on products that you use to do this or
    solutions that anyone has come up with.

    Thanks,

    Bruce Hughes
    NTBugTraq Editor - Until Russ returns from vacation.

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Michael_Maloney
    Sent: Tuesday, March 02, 2004 3:27 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Password protected ZIP files and Email worms

    With the release of Beagle.H and Beagle.I, virus writers started enclosing
    the infected files within password protected ZIP files. This negated the
    ability of A/V software to view the enclosed file within.

    I've found that the A/V software does see the file within the ZIP archive,
    but cannot process it because it does not recognize the extension. When the
    archive is password protected, the file enclosed receives a "+" character at
    the end of the extension (i.e. test.exe becomes test.exe+). Since the A/V
    software doesn't recognize that kind of extension, it lets it pass thru.

    I found that by adding the "+" character to file extensions that are blocked
    (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file
    extension and perform the necessary actions on it.

    I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
    should work on the other A/V software programs.

    ********************************************
    Mike Maloney
    Sr. System Engineer
    Middlesex County College
    2600 Woodbridge Avenue
    Edison, NJ 08818
    Phone: 732-906-7754
    Cell: 908-217-2086
    Fax: 732-906-4266
    Email: Michael_Maloney@middlesexcc.edu
    ********************************************

    -----
    NTBugtraq Editor's Note:

    Most viruses these days use spoofed email addresses. As such, using an
    Anti-Virus product which automatically notifies the perceived sender of a
    message it believes is infected may well cause more harm than good. Someone
    who did not actually send you a virus may receive the notification and
    scramble their support staff to find an infection which never existed in the
    first place. Suggest such notifications be disabled by whomever is
    responsible for your AV, or at least that the idea is considered.
    -----

    ***********************************************************************
    This message is intended only for the use of the intended recipient and
    may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you
    are not the intended recipient, you are hereby notified that any use,
    dissemination, disclosure or copying of this communication is strictly
    prohibited. If you have received this communication in error, please
    destroy all copies of this message and its attachments and notify us
    immediately.
    ***********************************************************************
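    The thread's point is that an encrypted ZIP still exposes every entry's name and
    an "encrypted" flag in its central directory, so a gateway can act on the name
    even though it cannot scan the content. The following example (added here, not
    code from either poster or from any A/V product) builds a small constructed
    archive with one encrypted entry, walks the central directory, appends "+" to
    encrypted names the way the post says Norton AV for Exchange reports them, and
    checks each name against an extension blocklist with and without the "+"
    variants.

```python
import os
import struct
import zlib

def build_zip(entries):
    """Constructed stored-method ZIP; entries = [(name, payload, encrypted)].
    Only the general-purpose flag bit 0 ("encrypted") is set for demo purposes;
    the payload bytes themselves are not actually encrypted."""
    local, central = b"", b""
    for name, payload, encrypted in entries:
        n, flags = name.encode(), (0x0001 if encrypted else 0)
        crc, off = zlib.crc32(payload) & 0xFFFFFFFF, len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(payload), len(payload), len(n), 0) + n + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0, crc, len(payload), len(payload), len(n),
                               0, 0, 0, 0, 0, off) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

def scan_zip(buf, blocked_exts):
    """Walk the central directory without decrypting anything.
    Returns [(name_as_reported, encrypted, blocked)] per entry."""
    eocd = buf.rfind(b"PK\x05\x06")            # end-of-central-directory record
    count, _cd_size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    findings = []
    for _ in range(count):
        assert buf[pos:pos + 4] == b"PK\x01\x02", "bad central directory entry"
        flags, = struct.unpack_from("<H", buf, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", buf, pos + 28)
        name = buf[pos + 46:pos + 46 + nlen].decode()
        encrypted = bool(flags & 0x0001)
        # Mimic the naming the post reports: encrypted entries get a trailing "+".
        reported = name + "+" if encrypted else name
        blocked = os.path.splitext(reported)[1].lower() in blocked_exts
        findings.append((reported, encrypted, blocked))
        pos += 46 + nlen + xlen + clen
    return findings

def with_plus_variants(exts):
    """The mitigation from the post: block .exe+, .cmd+, ... alongside .exe, .cmd, ..."""
    return set(exts) | {e + "+" for e in exts}

# Constructed sample: a harmless text file plus an encrypted entry named like an executable.
SAMPLE = build_zip([("readme.txt", b"hello", False), ("test.exe", b"not a real PE", True)])
BASE_BLOCKLIST = {".exe", ".cmd", ".vbs"}

if __name__ == "__main__":
    for row in scan_zip(SAMPLE, with_plus_variants(BASE_BLOCKLIST)):
        print(row)
```

    With only the base blocklist the encrypted test.exe entry is reported as
    test.exe+ and slips through; adding the "+" variants catches it.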


