Re: [Declude.Virus] Encoded viruses...worried

[Scott Fisher]

Am I the only one that is wondering why there wouldn't have been an official response to this from Declude?   While I have added the extension listed to block attachments, (and FProt did detect on all of my instances), when a potential flaw is pointed out, it would be nice to have an official response to the message. ----- Original Message ----- From: Matt To: Declude.Virus@declude.com Sent: Tuesday, January 31, 2006 6:49 PM Subject: [Declude.Virus] Encoded viruses...worried Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files.  It's really nasty.  More can be found at these links:     http://isc.sans.org/diary.php?storyid=1067     http://vil.nai.com/vil/content/v_138027.htm This started hitting my system on the 17th, possibly seeded through Yahoo! Groups.  The problem is that it often sent encoded attachments in BinHex (BHX, HQX), Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME), and I'm not sure that Declude is decoding all of these to see what is inside.  For instance, I found that some BHX files that clearly contained an executable payload, showed up in my Virus logs like so: 01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023] 01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521] There was no mention about the payload inside of it, and there almost definitely was.  The same attachment name with the same length was repeatedly detected as a virus later on that day.  This likely was a PIF file inside, though it could also have been a JPG according the notes on this virus.  I, like most of us here, don't allow PIF's to be sent through our system, but when the PIF is encoded in at least BinHex format, it gets past this type of protection. Here's the conundrum.  This mechanism could be exploited just like the Zip files were by the Sober writers and continually seeded, but instead of requiring some of us to at least temporarily block Zips with executables inside, an outbreak of continually seeded variants with executables within one of these standard encoding mechanisms would cause us to have to block all such encodings.  I therefore think it would be prudent for Declude to support banned extensions within any of these encoding mechanisms if it doesn't already.  I readily admit that this could be a lot of work, but it could be very bad if this mechanism becomes more common.  This particular virus is so destructive that a single copy could cause severe damage to one's enterprise.  I cross my fingers hoping that none of this would be necessary, but that's not enough to be safe. Matt