Greg,

Plain text E-mail will not link in Outlook unless it appears as a URL that begins with "www", and that means that it is very unlikely that a successful exploit could be constructed in plain text as the infected computers won't have A records pointing at them that begin with "www".

As far as links go of this variety, they would need to be embedded in text/html segments, and they would almost definitely come by way of a linked IP instead of using the FQDN of the exploited machine since many reverse DNS entries won't resolve to A records, and many computers don't have reverse DNS entries (primarily in other areas of the world). It is unfortunately possible that someone might get creative and use some reverse DNS entries, but that would be unnecessary if they are successful at this form of exploit by using just an IP. It seems like it would therefore be safe and prudent to simply expand PRESCAN to include messages that are linked with IPs, regardless of also having a port since that isn't necessary. This would only add a modicum of overhead related to the additional messages that might be sent to the virus scanner, and it would enable many of the phish attempts to be scanned as well without needing to scan everything since most phishing attempts make use of IPs in links these days (domains are generally quickly killed when used for phishing, but the IP will live as long as the host allows it).

This is actually the second virus to have tried linking to the exploit that I am aware of. The first one was a Bagel variant if I recall correctly, but it used a known universe of about 500 hosts that were 99% removed by the various ISPs within 12 hours of the virus being detected, so this method was ineffective. It also was making use of an exploit that had been patched for almost a year, so it went nowhere.

This virus was easy for me to block, though I might cause some false positives on discussions of the virus. If it came as an IP link, but without the fixed ports, I would have had to spend a lot more time coding something up to protect from this based on content, and as things stand, this will probably have to remain on my system for more than a year, and with other variants likely to come still. My second scanner is McAfee though, and turning PRESCAN OFF might soon become my only realistic choice. I'm going to guess that this might remove more than 25% of my system's capacity however, and that gets costly.

Matt
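The qualifying rule Matt proposes above (send a message on to the full AV engine whenever one of its body parts links to a bare IP, with or without a port) is simple enough to show as a small pre-filter. The following is an added example written for this thread; it is not Declude's PRESCAN code and makes no claim about how PRESCAN is implemented. It walks the MIME parts of a raw message with Python's standard `email` module and flags any http(s) URL whose host is a dotted-quad IP literal. It goes slightly beyond the HTML-only case in the mail by also checking text/plain parts. The sample messages and the 192.0.2.x addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Hypothetical heuristic for this example: an http(s) URL whose host is a
# dotted-quad IP literal, optionally followed by a port and a path.
# Only non-capturing groups are used so findall() returns whole URLs.
IP_LINK_RE = re.compile(
    r"""https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?:/[^\s"'<>]*)?""",
    re.IGNORECASE,
)

# Body parts worth inspecting; text/html is the case discussed in the thread,
# text/plain is included here as a generalization.
TEXT_TYPES = ("text/html", "text/plain")


def ip_links_in_message(raw: str) -> list[str]:
    """Return every IP-literal URL found in the text parts of a raw RFC 822 message."""
    msg: Message = message_from_string(raw)
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_type() not in TEXT_TYPES:
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True)  # bytes, with transfer encoding undone
        if payload is None:
            continue
        charset = part.get_content_charset() or "us-ascii"
        body = payload.decode(charset, errors="replace")
        found.extend(IP_LINK_RE.findall(body))
    return found


def needs_full_av_scan(raw: str) -> bool:
    """Pre-scan decision: route to the CPU-heavy AV engine if any IP link is present."""
    return bool(ip_links_in_message(raw))


# Constructed sample: multipart/alternative with an IP:port link in the HTML part.
SAMPLE_WITH_IP_LINK = """\
From: sender@example.com
To: user@example.net
Subject: constructed sample (IP link with port)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

See the attached notice.
--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://192.0.2.10:8080/notice">notice</a></body></html>
--XYZ--
"""

# Constructed sample: single-part HTML with an IP link and no port.
SAMPLE_NO_PORT = """\
From: sender@example.com
To: user@example.net
Subject: constructed sample (IP link, no port)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>Click <a href="http://192.0.2.20/">here</a></p>
"""

# Constructed sample: only a hostname link, so the pre-filter lets it through.
SAMPLE_WITH_DOMAIN_LINK = """\
From: sender@example.com
To: user@example.net
Subject: constructed sample (domain link)
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>Visit <a href="http://www.example.com/">our site</a></p>
"""


if __name__ == "__main__":
    for name, raw in (
        ("ip:port", SAMPLE_WITH_IP_LINK),
        ("ip only", SAMPLE_NO_PORT),
        ("domain", SAMPLE_WITH_DOMAIN_LINK),
    ):
        print(name, needs_full_av_scan(raw), ip_links_in_message(raw))
```

Run as a script it prints the decision for each constructed message. The port is deliberately optional in the pattern, which is the change Matt argues for; note that a filter like this only decides which messages get the expensive scan, it does not itself judge the link's content.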



Greg Little wrote:

We are on exactly the same track.
If this kind of attack catches on, the e-mail can look like almost anything, and passing everything to the more CPU-consuming AV engine may be needed.
This attack will work just fine in a plain text (non-HTML) e-mail. (Will the link work easily?)


Greg


Matt wrote:

Maybe the new MyDoom virus suggests a change in the way that PRESCAN qualifies messages?



---
[This E-mail scanned for viruses by Findlay Internet]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================