Message-ID: <BB702670-6D46-11D8-A6A1-000A95A9E360@comcast.net>
From: stefmit at comcast.net (Stef)
Subject: Backdoor not recognized by Kaspersky

On Mar 3, 2004, at 10:22 AM, Schmehl, Paul L wrote:

>> -----Original Message-----
>> From: full-disclosure-admin@...ts.netsys.com
>>
>> Another variant against the Netsky virus. It is packed with
>> UPX. It spreads with a password-protected zip file, which
>> bypasses almost all the AV scanners with the
>> latest signature updates because no AV can decrypt it without
>> the password (though the password is in the message content); we
>> humans tend to open it after reading the message.
>>
> McAfee now detects the password-protected zip files.  (There are other
> things you can look for besides trying to decrypt the contents of the
> zip file.  Also, zip passwords are weak and easily broken anyway.)
>
> BTW, there is a war going on right now between three virus groups, so
> you will continue to see new variants of Bagle, Netsky and Mydoom for
> the foreseeable future.  Should be a very interesting month.
>
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/

Someone on the ntbugtrack list mentioned earlier another possible 
solution for A/V gateways: checking for the extension of 
known-to-be-infected files, and appending the "+" sign at the end (e.g. 
.exe+). I have tried this on my first-layer Norton Gateway, as well as 
my second-tier email A/V - the TrendMicro one (and variations of such, 
e.g. *.exe+, *.exe*, *exe+, etc.), and have not been successful ... 
Has anybody else attempted something similar? (The reason for the "+" 
is the obvious extension name change inside the ZIP if there is a 
password-protected file.)

Stef
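The two points raised in this thread, that a gateway can look at things other than the decrypted contents of a password-protected zip, and that the member name inside the ZIP is visible, both rest on one property of the format: traditional PKZIP ("ZipCrypto") encryption covers only member data, while the central directory (names, sizes, flags) is stored in clear. The script below is an added example, not code from this thread or from any of the products mentioned. It builds a small encrypted archive as constructed sample input (a real ZipCrypto stream so the standard library can also open it with the password), then inspects the central directory without the password and applies a hypothetical gateway policy. The extension list, the policy, the sample name and the password are this example's own assumptions.

```python
"""Added example: inspecting a password-protected ZIP without the password.

Traditional PKZIP encryption only covers member data. The central
directory, with every member's name, sizes and general-purpose flags, is
stored in clear, so a mail gateway can read it and apply policy without
decrypting anything. The archive built below is constructed sample input,
not a real worm; the extension list and policy are assumptions of this
example, not any product's configuration.
"""
import io
import os
import struct
import zipfile
import zlib

# Assumed gateway policy: member extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# CRC-32 table used by the PKZIP key schedule (same polynomial as zlib).
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def pkzip_encrypt(password: bytes, crc: int, plaintext: bytes) -> bytes:
    """Traditional PKZIP stream encryption of one stored member.

    Returns the 12-byte encryption header followed by the ciphertext,
    which is exactly what sits after the local file header in the archive.
    """
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update_keys(ch: int) -> None:
        keys[0] = (keys[0] >> 8) ^ _CRCTAB[(keys[0] ^ ch) & 0xFF]
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ _CRCTAB[(keys[2] ^ (keys[1] >> 24)) & 0xFF]

    def key_byte() -> int:
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    for ch in password:
        update_keys(ch)
    # 11 filler bytes plus a check byte (high byte of the CRC): this is how
    # a reader rejects a wrong password before decompressing anything.
    header = bytes(range(1, 12)) + bytes([(crc >> 24) & 0xFF])
    out = bytearray()
    for ch in header + plaintext:
        k = key_byte()      # keystream byte depends on keys *before* update
        update_keys(ch)     # keys are updated with the plaintext byte
        out.append(ch ^ k)
    return bytes(out)


def build_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Build a single-member ZIP (method 0, stored) with flag bit 0 set."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = pkzip_encrypt(password, crc, plaintext)
    fname = name.encode("cp437")
    flags, method = 0x0001, 0          # bit 0 = encrypted; stored
    dos_time, dos_date = 21184, 12387  # 2004-03-03 10:22:00, constructed
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(plaintext),
                        len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, dos_time, dos_date, crc, len(body),
                          len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def inspect_attachment(data: bytes) -> list:
    """Read only the central directory; this never needs the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x0001),
                "executable": ext in EXECUTABLE_EXTENSIONS,
                "compress_size": info.compress_size,
                "file_size": info.file_size,
            })
    return findings


def should_quarantine(data: bytes) -> bool:
    """Assumed policy: an encrypted member with an executable name is enough."""
    return any(f["encrypted"] and f["executable"] for f in inspect_attachment(data))


def requires_password(data: bytes, name: str) -> bool:
    """True when the member cannot be read without a password."""
    try:
        read_member(data, name)
    except RuntimeError:
        return True
    return False


def read_member(data: bytes, name: str, password: bytes = None) -> bytes:
    """Return the member's plaintext; raises RuntimeError without a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=password)


if __name__ == "__main__":
    sample = build_encrypted_zip("document.exe", b"MZ constructed sample", b"12345")
    print(inspect_attachment(sample))
    print("quarantine:", should_quarantine(sample))
    print("needs password:", requires_password(sample, "document.exe"))
    print("with password:", read_member(sample, "document.exe", b"12345"))
```

Because the member name is read from the central directory rather than from any scanner's rendering of it, a policy can match the real extension directly instead of guessing at how a given product annotates encrypted entries. The `compress_size` and `file_size` fields are also in clear and can feed further heuristics; the 12-byte difference between them for a stored member is the ZipCrypto header.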