Administrivia #29414 - Virus/Exploit detected in NTBugtraq messages

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/13/05

    Date: Wed, 12 Jan 2005 18:12:53 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Time for a reminder regarding your AV products and messages from
    NTBugtraq.

    From time to time, NTBugtraq messages contain code snippets of exploits.
    Usually these are snippets of some sort of HTML scripting. Occasionally,
    these messages come out after other lists have published them, or, they
    are variations on previously published code snippets.

    As such, AV Vendors may have already created a definition which finds
    the snippet to be a virus. Typically it is identified as being some sort
    of generic virus type. Depending on your AV settings, it may be blocked
    completely and a report generated.

    Here is some information that will hopefully help you understand what
    has happened and what you can do about it:

    1. NTBugtraq messages are always "plain/text", never HTML. As such, code
    snippets shouldn't run. That said, some email clients might render HTML
    code snippets in plain text messages. Which client will do what is
    unknown to me, and any that do render HTML code in plain text messages
    are brain-dead IMO. Outlook will render anything that looks like a URL
    as a clickable URL; it will not, however, render a code snippet.

    2. Your AV products detect code snippets regardless of what the message
    type is. They don't concern themselves with whether or not the message
    format could produce an exploit, they simply look at the plain text and
    see if it looks like known code snippets. If there's a sufficient match,
    it detects and blocks the message. This sucks IMO, but they are probably
    equally unsure of what email client will do what. Better safe than
    sorry.

    So you may very well get an alert about an NTBugtraq message when, in
    fact, there is, IMO, no good reason for the alert.

    3. Links contained in NTBugtraq messages may lead you to a page which
    describes how to run a Proof of Concept, or, they may take you directly
    to a Proof of Concept. I make every effort to test all links prior to
    sending the messages through, and I try to verify that the PoC is
    benign. I make no guarantees, however, just my best efforts.

    Nobody should be following a link to any site mentioned in an NTBugtraq
    message without first seriously considering the potential for exploit as
    a result of doing so. The very nature of the list lends itself well to
    alleged security information being offered from a site that may, for
    example, exploit you quietly while you retrieve the security info
    contained there.

    You've been warned!

    4. The NTBugtraq email address, as well as my own, are in use in a
    variety of viruses. Nothing I can do about that, unfortunately, but it
    means that you may very well receive a valid virus alert pertaining to a
    message that seems to have been sent by me or the list. Of course proper
    inspection of the headers will show you that such messages aren't coming
    from me or the list.

    5. AV programs often are configured to send an alert notification to a
    variety of addresses. So if any AV product is detecting any part of an
    NTBugtraq message as alert-able, I get hundreds of such alerts
    automatically. This means it's unnecessary for anyone on the list to send
    me a message telling me a message was detected. Trust me, I know.

    I have said for years that such notifications should be turned off. I've
    long believed that they cause more harm than good. I get hundreds of
    notifications every day due to messages that contain one of my
    addresses, where in fact the message never originated from my systems.
    No doubt many people are in the same situation. As such, these messages
    are more likely to be ignored today than heeded. You waste your
    bandwidth responding to people who have no idea what you're talking
    about.

    So, what should you do when you receive such a notification about an
    NTBugtraq message or a site referenced in an NTBugtraq message?

    Well, if your AV blocks a message, the first thing is to go to the
    NTBugtraq online web archives:

    http://www.ntbugtraq.com

    and then click on the Archives link at the top of the page. You can then
    view all of the messages for the current month, including the message
    that caused your alert.

    Depending on what security software you are using, you may in fact end
    up getting another alert when you attempt to view the message. If it
    cannot tell whether the code snippet can execute, or doesn't try to
    determine this, some proxies and such may block viewing the web version
    too. Again, since the message in the NTBugtraq archive is plain text it
    will not be executable code there either, but your security products may
    err on the side of caution again.

    If you cannot view the web archive version either, you probably need to
    reconsider a couple of things:

    a) Maybe NTBugtraq isn't a good list for you to be subscribed to. I'm
    not going to dumb down such messages in order to try and get them past
    security products, so you're likely going to encounter this problem
    repeatedly. I doubt you'd be able to see the information on any list or
    site anyway.

    b) Use a tool that allows you to retrieve the contents of the page as
    plain text and view it in Notepad.

    If you get an alert from a site linked in an NTBugtraq message, feel
    free to let me know what you got. I'm not interested in hearing about
    PoC sites, I've looked at those myself already. If, however, you get a
    silent delivery from a site linked, say a Spyware installation or
    something similar, then definitely let me know.

    I hope this explains things a bit better regarding messages you received
    today.

    Cheers,
    Russ - NTBugtraq Editor

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
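The header inspection point 4 refers to can be automated. The Python below is an added example, not code from Russ or the list: it flags mail that names the list address but was handed to your own MTA by a host other than the list server. The list host being the sole legitimate relay is an assumption, and both sample messages, their hostnames, IPs and timestamps are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LIST_ADDR = "ntbugtraq@listserv.ntbugtraq.com"
LIST_HOST = "listserv.ntbugtraq.com"   # assumed sole legitimate relay

# Constructed sample: a real list copy, handed to our MTA by the list host.
GENUINE = """\
Received: from LISTSERV.NTBUGTRAQ.COM (listserv.ntbugtraq.com [192.0.2.10])
  by mail.example.org with ESMTP; Wed, 12 Jan 2005 18:13:02 -0500
From: Russ <editor@example.invalid>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Administrivia

plain text body
"""

# Constructed sample: a worm forging the list address; our MTA received it
# straight from an unrelated host, so the list server never handled it.
SPOOFED = """\
Received: from dsl-customer.example.net (unknown [198.51.100.7])
  by mail.example.org with SMTP; Thu, 13 Jan 2005 03:41:17 -0500
From: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
To: victim@example.org
Subject: Re: your document

body
"""

def mentions_list(msg):
    """True if the list address appears as sender or recipient."""
    return any(parseaddr(msg.get(h, ""))[1].lower() == LIST_ADDR
               for h in ("From", "Sender", "To"))

def last_hop_host(msg):
    """Host in the 'from' clause of the topmost Received header. Only that
    line was written by our own MTA; lower ones could be forged by a worm."""
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[0], re.I) if received else None
    return m.group(1).lower() if m else None

def is_forged_list_mail(raw):
    """A message that names the list but did not arrive via the list host."""
    msg = message_from_string(raw)
    return mentions_list(msg) and last_hop_host(msg) != LIST_HOST

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, "forged" if is_forged_list_mail(raw) else "ok")
```

Only the topmost Received line is trusted because it is the one your own server wrote; everything below it arrived inside the message and can say whatever the sender wants.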
    
