Message-ID: <4045F222.8060901@onryou.com>
From: lists2 at onryou.com (Cael Abal)
Subject: Backdoor not recognized by Kaspersky

>> Another variant against the Netsky virus. It is packed with
>> UPX. It spreads with a password-protected zip file, which
>> gets past almost all the AV scanners with the
>> latest signature updates because no AV can decrypt it
>> without the password (though the password is in the message
>> content); we humans tend to open it after reading the message.
> 
> Kaspersky, NAI and possibly some other AV-vendors now parse the password 
> from the body of the email to extract the zip and then scan it. 
> Obviously this only helps if it can scan the complete email i.e. on the 
> mailserver. They might need to adapt to new variations of how the 
> password is included in the body, which will take some analysis when new 
> variants emerge.

Does anyone else find this new development a bad idea?

I'm of the mindset that anti-virus companies should stick with what 
they're good at -- namely, detecting and handling infected files.  It 
seems a bad idea to start down the natural language processing road. 
Are they scanning just for Bagle/Beagle style e-mail, or are their 
methods more general?  What about messages of the form:

'Password is a long yellow fruit enjoyed by monkeys.'

What about messages in languages other than English?  I can easily see 
this becoming an arms-race, and one the anti-virus folks have no chance 
of winning.

Leave passworded .zips alone -- take the sensible approach and catch an 
infected file once it's been extracted.

Cael
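The approach the quoted reply describes (a mail-server scanner parsing the zip password out of the message body, opening the archive, then scanning the payload) and the failure mode Cael raises (a password stated as a riddle), as an added example that is not code from this thread or from any AV vendor. The body-parsing patterns, the marker string used as the only "signature", the message bodies and the password-protected attachment are all constructed for the example; the attachment is built in memory with a minimal ZipCrypto writer because Python's zipfile can read but not write traditional PKWARE encryption.

```python
import io
import re
import struct
import zipfile
import zlib

# Toy "signature": the only thing this scanner knows how to detect.
# Constructed for the example, not a real AV signature.
SIGNATURE = b"CONSTRUCTED-WORM-MARKER"

# Body-parsing rule a mail-server scanner might use to pull the zip password
# out of the message: "password: 38217", "Password is 38217", ...
# An assumption for this example, not any vendor's actual rules.
PASSWORD_RE = re.compile(
    r"\bpass(?:word)?\b\s*(?:is|:|=)?\s*['\"]?([A-Za-z0-9]{3,16})", re.IGNORECASE
)


def extract_password_candidates(body):
    """Return unique candidate passwords from the body, in order of appearance."""
    seen = []
    for m in PASSWORD_RE.finditer(body):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def try_open(zip_bytes, pwd):
    """Return the decrypted first entry of the archive, or None if pwd is wrong."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(zf.infolist()[0], pwd=pwd.encode())
        except (RuntimeError, zipfile.BadZipFile):
            # RuntimeError: ZipCrypto check byte mismatch (wrong password).
            # BadZipFile: the 1-in-256 wrong password that passes the check
            # byte is caught by the CRC of the decrypted data instead.
            return None


def scan_message(body, zip_bytes):
    """Mail-server scan: parse password from body, open the zip, scan the payload.

    Returns (password_used, infected).  Both are None when no candidate opened
    the archive, i.e. the scanner had to give up on the encrypted attachment.
    """
    for pwd in extract_password_candidates(body):
        payload = try_open(zip_bytes, pwd)
        if payload is not None:
            return pwd, SIGNATURE in payload
    return None, None


# ---- Constructed test input: a ZipCrypto-protected attachment built in memory ----

def _crc_step(crc, byte):
    """One byte of CRC-32 without the usual pre/post inversion (ZipCrypto key schedule)."""
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


def _zipcrypto_encrypt(pwd, data):
    """Traditional PKWARE encryption: key stream from three rolling keys."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(b):
        nonlocal k0, k1, k2
        k0 = _crc_step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)

    for b in pwd:
        update(b)
    out = bytearray()
    for b in data:
        t = k2 | 2
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(b)  # keys advance on the plaintext byte, as the decrypter expects
    return bytes(out)


def build_encrypted_zip(name, payload, pwd):
    """Single stored, ZipCrypto-encrypted entry; just enough zip for zipfile to read."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte is the password check byte (CRC high byte).
    header = bytes(11) + bytes([crc >> 24])
    enc = _zipcrypto_encrypt(pwd.encode(), header + payload)
    n = name.encode()
    flags, method, dostime, dosdate = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime, dosdate,
                        crc, len(enc), len(payload), len(n), 0) + n
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dostime,
                          dosdate, crc, len(enc), len(payload), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(enc), 0)
    return local + enc + central + eocd


# "MZ..." is a stand-in for an executable; the payload carries our marker.
ATTACHMENT = build_encrypted_zip("photo.exe", b"MZ..." + SIGNATURE, "38217")

# Constructed message bodies: the first mimics the worms of the time, the
# second is the riddle from Cael's message.
BAGLE_STYLE_BODY = "For security reasons the attached file is password protected.\nPassword: 38217\n"
RIDDLE_BODY = "Password is a long yellow fruit enjoyed by monkeys."
```

On the first body the parser yields two candidates ("protected" from "password protected", then "38217"); the wrong one is rejected by the check byte and the right one opens the archive, so the marker is found. On the riddle body the pattern finds nothing, the archive is never opened, and the scanner can only pass the attachment along, which is exactly the gap a host-side scan of the extracted file closes.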

