Message-ID: <1056640649.32765.46.camel@localhost.localdomain>
From: simon at snosoft.com (ATD)
Subject: A worm...

Yes, 
	But we all know that IE caters to the lazy people in each of us. =]


On Thu, 2003-06-26 at 09:43, Richard M. Smith wrote:
> Hi Peter,
> 
> Thanks for the background info.  Because of the password issue, any
> security protections for .ZIP files need to be built into a unzipper
> program.  As a minimum, Microsoft needs to put a warning dialog in the
> Windows unzipper when double-clicking on an executable file in a .ZIP
> file that comes attached to an email message.  Better yet, don't allow
> .ZIP files to be opened from an email message.  Force people to save
> them first.  Netscape had this second basic protection scheme in
> Communicator years ago.
> 
> Richard
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Peter Kruse
> Sent: Thursday, June 26, 2003 8:57 AM
> To: full-disclosure@...ts.netsys.com
> Subject: SV: [Full-Disclosure] A worm...
> 
> 
> Hi Richard,
> 
> Well, it might be the first widespread of its kind but it's certainly
> not the first to use zip to hide itself. Also it's trendy to put
> malicious code inside the new rar format and spread it. I suppose it's
> fairly easy to write a worm that packs itself with a random password and
> inserts this into an e-mail sent to the victim. This way it will pass
> most AV-gateway scanners since they won't have access to scan inside the
> zip archive.
> 
> Also XP is quite vulnerable to this type of trick. If you attach a zip
> file and open it on Windows XP, the built-in zip feature will open
> the zipped file in a new window from where the user can activate the
> malicious code directly without unzipping the files :-(
> 
> Others that have used the zip trick include bogusbear. A search on Google
> will give you plenty of hits.
> 
> I did write an article about this back in October 2002. Unfortunately
> it's in Danish so many of you guys won't understand a word. Anyways, I
> pointed out that this would be used in future malicious code and so it
> happened - I guess I got "lucky".
> http://www.comon.dk/index.php?page=news:show,id=12315
> 
> Med venlig hilsen // Kind regards
> 
> Peter Kruse
> Kruse Security
> http://www.krusesecurity.dk
> 
> 
> 
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com 
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> > Richard M. Smith
> > Sent: 26 June 2003 13:55
> > To: full-disclosure@...ts.netsys.com
> > Subject: RE: [Full-Disclosure] A worm...
> > 
> > 
> > This is the first worm that I am aware of that hides itself 
> > inside of a .ZIP file.  This trick prevents the worm 
> > executable from being deleted by the Outlook Security Update. 
> >  Looks like Microsoft will need to now think about how to 
> > deal with malicious code inside of attached .ZIP files.  
> > Outlook 2002 does provide a security warning when opening the 
> > .ZIP file.  But everyone knows that .ZIP files are safe, 
> > right?  I don't believe there is any security warning when 
> > running the .PIF file inside of the .ZIP, but I didn't try 
> > this particular experiment. ;-)
> > 
> > Richard
> > 
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of KF
> > Sent: Wednesday, June 25, 2003 9:11 PM
> > To: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] A worm...
> > 
> > 
> > I believe Simon is well aware of what virus this is... the question was
> > in relation to the zipping of the payload. I believe he was wondering if
> > this (zipping of payload) was some new Antivirus evasion trick or if
> > there was something more to it (like simply hoping a retarded user would
> > unzip and run the .pif).
> > 
> > >>I know what it is, but since when did the pif worm start zipping itself?
> > >>did I miss something?
> > >>
> > -KF
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
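Added example, not part of the original messages: a gateway-side check in Python for the two cases discussed in this thread, an executable such as a .pif inside a .ZIP attachment and a password-protected archive whose contents a scanner cannot read. The extension list, function names and verdict labels are assumptions made for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Assumed, non-exhaustive policy list of types Windows runs on double-click.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a gateway verdict for a ZIP attachment without extracting it."""
    findings = {"executables": [], "encrypted": [], "verdict": "pass"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "quarantine"  # unparseable, so it cannot be scanned
        return findings
    with archive:
        for info in archive.infolist():
            # Windows drops trailing dots and spaces from file names.
            name = info.filename.lower().rstrip(". ")
            # Entry names stay readable even when the entry data is encrypted.
            if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
                findings["executables"].append(info.filename)
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            if info.flag_bits & 0x1:
                findings["encrypted"].append(info.filename)
    if findings["executables"]:
        findings["verdict"] = "block"
    elif findings["encrypted"]:
        findings["verdict"] = "quarantine"  # content is opaque to the scanner
    return findings


def _sample_zip(filename: str, encrypted: bool = False) -> bytes:
    """Build a constructed sample archive with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(filename, b"placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted entries, so the flag bit in the
        # central directory header is set by hand to simulate one.
        cd = raw.find(b"PK\x01\x02")
        raw[cd + 8] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    for sample in (_sample_zip("details.pif"), _sample_zip("notes.txt", True)):
        print(inspect_zip_attachment(sample))
```
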
