Message-ID: <BB702670-6D46-11D8-A6A1-000A95A9E360@comcast.net>
From: stefmit at comcast.net (Stef)
Subject: Backdoor not recognized by Kaspersky

On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:

>> -----Original Message-----
>> From: full-disclosure-admin@...ts.netsys.com
>>
>> Another variant against the Netsky virus. It is packed with
>> UPX. It spreads with the password protected zip file, which
>> gets bypassed through almost all the AV scanners with
>> latest signature updates because no AV can decrypt it without
>> the password. (Though the password is in the message content, we
>> humans tend to open it after reading the message.)
>>
> McAfee now detects the password protected zip files. (There are other
> things you can look for besides trying to decrypt the contents of the
> zip file. Also, zip passwords are weak and easily broken anyway.)
>
> BTW, there is a war going on right now between three virus groups, so
> you will continue to see new variants of Bagle, Netsky and Mydoom for
> the foreseeable future. Should be a very interesting month.
>
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/

Someone on the ntbugtraq list mentioned earlier another possible solution
for A/V gateways: checking for the extension of known-to-be-infected files,
and appending the "+" sign at the end (e.g. .exe+). I have tried this on my
first layer Norton Gateway, as well as my second tier email A/V - the
TrendMicro one (and variations of such - e.g. *.exe+, *.exe*, *exe+, etc.),
and have not been successful ... has anybody else attempted something
similar (the reason for the "+" is the obvious extension name change inside
the ZIP, if there is a password protected file)?

Stef
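The kind of check Paul alludes to ("other things you can look for besides trying to decrypt the contents"), as an added example that is not part of the original thread: a ZIP's central directory is stored in clear even when the entries are password-protected, so a gateway can read the encryption flag and the inner file names without the password. The risky-extension list, the gateway verdicts and the constructed sample archives are assumptions of the example, not anything the posters described.

```python
import io
import os
import struct
import zipfile

# Extensions the thread treats as executable payloads (assumed list).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ENCRYPTED = 0x0001  # general-purpose bit 0: entry contents are encrypted


def inspect_zip(data: bytes) -> list:
    """One record per entry, read from the (never encrypted) central directory."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            records.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & ENCRYPTED),
                "risky": ext in RISKY_EXT,
            })
    return records


def verdict(data: bytes) -> str:
    """Assumed gateway policy: 'block' an encrypted archive naming an
    executable, 'hold' any other encrypted archive (the engine cannot
    scan it), 'scan' a plain archive (hand it to the AV engine as usual)."""
    recs = inspect_zip(data)
    if any(r["encrypted"] and r["risky"] for r in recs):
        return "block"
    if any(r["encrypted"] for r in recs):
        return "hold"
    return "scan"


def make_sample(name: str, encrypted: bool) -> bytes:
    """Constructed sample: a one-entry STORED archive holding dummy bytes.
    zipfile cannot write encrypted archives, so the encryption flag is
    patched into the local header (flags at offset 6) and the central
    directory entry (flags at offset 8) of a plain archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"dummy payload, not a program")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            (flags,) = struct.unpack_from("<H", raw, pos + off)
            struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED)
    return bytes(raw)
```

The same central-directory read is where a name-based rule such as the ".exe+" pattern Stef describes would have to match, since only the entry contents, not the entry names, are protected by the password.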