From: lists2 at onryou.com (Cael Abal)
Subject: Backdoor not recognized by Kaspersky
>> Another variant against the Netsky virus. It is packed with
>> UPX. It spreads with the password protected zip file, which
>> gets bypassed through almost all the AV scanners with
>> latest signature updates because no AV can decrypt it
>> without the password. (though password is in the message
>> content), we humans tend to open it after reading the message.
>
> Kaspersky, NAI and possibly some other AV-vendors now parse the password
> from the body of the email to extract the zip and then scan it.
> Obviously this only helps if it can scan the complete email i.e. on the
> mailserver. They might need to adapt to new variations of how the
> password is included in the body, which will take some analysis when new
> variants emerge.
Does anyone else find this new development a bad idea?
I'm of the mindset that anti-virus companies should stick with what
they're good at -- namely, detecting and handling infected files. It
seems a bad idea to start down the natural language processing road.
Are they scanning just for Bagle/Beagle style e-mail, or are their
methods more general? What about messages of the form:
'Password is a long yellow fruit enjoyed by monkeys.'
What about messages in languages other than English? I can easily see
this becoming an arms-race, and one the anti-virus folks have no chance
of winning.
Leave passworded .zips alone -- take the sensible approach and catch an
infected file once it's been extracted.
Cael