| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: broken virus / worm email has attachment not found by grisoft proxy scanner Denis McMahon wrote: > I've had a couple of suspicious emails this week with headers, blank > line, a line of text, mime headers. And that is _all_ ??? If so, what are you worrying about? If not, why didn't you describe all the sections in the message structure? > Thunderbird doesn't see the mime attachment due to the broken headers, _Which_ headers are broken? Do you mean there is something "bad" (c.f. the relevant RFCs) in the Email headers, or in the MIME headers??? > which is good, but nor does the grisoft email proxy scanner, which is > bad, especially as I guess that certain broken applications (no I don't > have outlook [express] on my system) might try and be snart and find the > attachment. But your description of the structure of these messages above says nothing about any "attachments"... > This might be broken malware sending unusable stuff out, but my worry is > that somene may have found a technique that will sneak an attachment > past some a-v scanners in a "broken" format that certain popular email > apps will try and fix, possibly putting active malware on the hard disk. Are these "attachments" in the ~1.5KB - 2KB size range? If so, I'd say there is a reasonable chance they are the "IPs I've already hit" log-only (aka "corrupted") Mydoom.O messages. These _should_ appear in any of the forms of message Mydoom.O can produce which includes attachment-only (blank message part) through various "clever" SE message forms to "binary gibberish" messages. Further, the base64 encoded attachment can also be "normal" or "corrupted" (spaces, odd line-breaks inserted where they are not allowed by the spec -- Outlook and OE (and several other MUAs) happily ignore these "encoding errors" and "correctly" decode the intended attachment. > I tried to talk to grisoft about this, but all I get back is "you have > to pay to talk to us cheapskate" ... whilst I can agree that they might > not want to provide tech support to users of their free scanner, does > anyone have an email address at grisoft for submitting suspicious items > that have got past their proxy scanner? Yes but you'll have to contact me off-list as I won't publish the details here. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists