Just an interesting note here and maybe a request for feedback. I first
found the virus yesterday after I got back from lunch and had something like
10-15 e-mails from the users here in my office... all the virus. Four users
here had opened the attachment before I could stop them. Since I had just,
minutes before, received those e-mails, I ran to the server and yanked the
connection between the firewall and the mail server.... deleted all outbound
e-mails from the exchange server queue (users will at least get a
non-delivery if it was genuine business).... cleaned off the PC's and then
re-connected the server. Now, I work in a small office (~25 users) so I can
do this sort of thing with impunity where some of you guys in bigger
installations probably can't, but my real question here is: are there any
good Exchange virus/content scan agents out there? I took a look at a few a
short while back and again yesterday and was discouraged to note that not a
single one would identify the Kournikova virus unless you had updated the
software with a patch released sometime yesterday.... probably a little too
late. I suppose I could purchase one of these and simply quarantine any
.vbs/.js/any executable that came through until I looked at it, but I was
hoping for something a little more automated. Just a pipe dream? Any
products of note out there you guys have experience with?
Thanks,
Matt Rogghe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 13, 2001 10:53 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Matt Rogghe;
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE:
I only meant that I use debug.
> ----------
> From: Gibson, Brian
> Sent: 13 February 2001 15:42
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE:
>
> Just curious but what exactly is the inherent risk in opening
> attachments in a text only editor? I often use a text editor to
> quickly review attachments for malicious intent. If they are binary
> files then I go with an analyzer but for script attacks why is a text
> editor a poor choice?
>
> If that wasn't your implications I apologize for misreading your
> statement.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [
> mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 13, 2001 8:31 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE:
>
>
> Que?
>
> I was not complaining about the e-mail informing us that is was a
> 'nasty
> little script'. I was highlighting the point that a mailing list whose
>
> focus is IT Security was used to prolifferate malware.
>
> Let me see if I have you straight here. OK its nice to see the A.V.
> and
> content analysis tools you have spent much resource on working as
> intended (Cheers for the the sample guys). But you can't seriously be
> telling me that the fact that this script was (Apparently/allegedly)
> sent to every e-mail address in Mr Rollie's Address Book, and that it
> was forwarded on to all of us is a usefull service?
>
> As one security professional to another. Even if it had no effect on
> any
> recipient. What would your response be when one of your company's
> customers calls up to complain about being sent a virus via e-mail
> from
> one of your users. Let me see if I can guess....
>
> To give you some comfort ( as you are obviosuly concerned for my well
> being ) Of course I don't trust attachments. I do examine suspicious
> attachments with something a little more sophisticated than Notepad
> (or
> is that vi).
>
> My appologies to all on the list. My mail was supposed to address what
> I
> considered to be a serious issue. My intention was not to flame the
> guys
> who run this list or to start a flame war on the list. However, I fear
>
> that may be the result.
>
> Liam.
>
> > ----------
> > From: Bill Royds
> > Sent: 13 February 2001 13:00
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED];
> > [EMAIL PROTECTED]
> > Subject: RE:
> >
> > Actually that message was very useful to me. It gave me early
> warning
> > about the virus by showing that it leaked through our email
> anti-virus
> > and the code gave me some strings to scan for on our IDS.
> > As a security professional, I never execute anything I get in
> email,
> > but I do examine it with text only tools to look for problems. Don't
>
> > you
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [ mailto:[EMAIL PROTECTED]]On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, February 13, 2001 06:03
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE:
> > Importance: High
> >
> >
> > I have to say that it is a pretty sad state of affairs when a
> mailing
> > list that is dedicated to IT security issues falls foul of this type
>
> > of
> > problem.
> >
> > Is there any need to allow attachments on this forum?
> >
> > I assume that there is some form of content analysis performed on
> the
> > traffic through this list.....?
> >
> > I would assume that most people on this list have some form of
> content
> > analyser implemented on their mail gateway. I would further assume
> > that
> > if you were not covered when the first VBS was distributed then you
> > were
> > pretty soon afterwards ( weren't you? ). This is the responsible
> thing
> > to do. I am sure that the guys who run this list would think so too.
>
> >
> > I know that this list is run (pretty smoothly) as a free service to
> us
> > and the relevant T&Cs are in place, but people have been put on RBL
> > for
> > less. Is there a cheep and simple method you guys could implement by
>
> > which attachments could be prohibited on this list?
> >
> > Cheers,Liam.
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > > ----------
> > > From: Matt Rogghe
> > > Sent: 12 February 2001 20:55
> > > To: 'Gary Rollie'; [EMAIL PROTECTED]
> > >
> > > That last post to here was a nasty little replicator script.
> Looks
> > > like
> > > it's just hitting the global address list so far on the exchange
> > > server.
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
