Message-ID: <0HH400K7HC2MIF@smtp2.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: A worm...
"M. Osten" <lists@...epyou.com> to ATD:
> > And this was my point. Are the crafty "worm gods" creating worms that
> > evade detection by using compression and other methods? If they are
> > doing this, and if they are creating the "stealth worms" what's next. Zip
> > files would be just one of hundreds of ways to hide worms. Maybe the
> > virus scanning technology needs to be kicked up a notch or two.
>
> Do most virus scanners *not* scan compressed files? We scan all
> incoming mail using Amavis (on linux) with the NAI engine which does
> scanning of all the common compression schemes.
Most virus scanners do, by default, scan inside archive files (at
least in their "on demand" forms and when in Email gateway and/or
content inspection type roles).
The main point is not whether scanners look inside archive files
or not. The point is, if you are a new and thus "unknown to the
scanners" malware, how do you get past the "security controls" in
Outlook and Outlook Express and/or past the "block arbitrary files of
this type regardless of what the virus scanner says" policies of many
corporate Email gateway content scanners.
Sobig.E's "ZIP trick" allows it to get past the attachment "security"
restrictions of Outlook and the recent OE 6.0 service pack and, so
long as a virus scanner's heuristics did not fire on the executable
inside the ZIP, would also allow it to pass through many corporate Email
attachment scanning policies too.
That may only buy it a few more hours "freedom" but that can be more
than enough to "get lucky" at some large corporate and thereby get
sent to half the planet.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
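One way a gateway can close the gap Nick describes (a "block this file type" policy that judges only the outer attachment name and so waves through a ZIP holding an executable) is to apply the same type rules to archive members, nested archives included. This is an added Python example, not code from this thread or from any product named in it; the blocked-extension list, the nesting limit and the sample archives are all constructed assumptions.

```python
import io
import zipfile

# Assumed policy: attachment types a gateway blocks regardless of scanner verdict.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased extension of a file name, '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def find_blocked_members(zip_bytes, depth=0, max_depth=3, prefix=""):
    """Return member names (as outer/inner paths) whose extension is blocked.
    Descends into nested ZIPs up to max_depth so a zip-in-zip still gets inspected;
    an unreadable or over-nested archive is reported rather than silently allowed."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    with zf:
        for info in zf.infolist():
            full = prefix + info.filename
            ext = _ext(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                hits.append(full)
            elif ext in ARCHIVE_EXTENSIONS:
                if depth >= max_depth:
                    hits.append(full + " (nesting limit)")
                else:
                    hits.extend(find_blocked_members(zf.read(info), depth + 1,
                                                     max_depth, full + "/"))
    return hits


def attachment_decision(filename, data):
    """Apply the type policy to the attachment and, for archives, to its members."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "blocked: " + filename
    if ext in ARCHIVE_EXTENSIONS:
        hits = find_blocked_members(data)
        if hits:
            return "blocked: " + filename + " contains " + ", ".join(hits)
    return "allowed: " + filename


def _make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware, just names and filler bytes).
SAMPLE_EXE_ZIP = _make_zip({"document.exe": b"MZ-filler"})
SAMPLE_NESTED = _make_zip({"inner.zip": SAMPLE_EXE_ZIP, "readme.txt": b"hi"})
SAMPLE_CLEAN = _make_zip({"report.txt": b"quarterly figures"})
```

Pairing this with a member-size limit before `zf.read(info)` keeps a deliberately oversized archive from exhausting the gateway.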