Re: [Clamav-users] Password-protected .zip file viruses
uvscan is detecting zipped/passworded Bagle zips as Worm.Bagle.Gen-zippwd. Any ideas as to how they might be doing this?

-Eric

On Wed, 3 Mar 2004, Lucas Albers wrote:

> Tomasz Papszun said:
> > WE ASK USERS TO NOT SUBMIT naked zip files IF their contents are DETECTED as infected by ClamAV AFTER UNZIPPING. It's an utter waste of our time, which results in delays in processing really significant samples!
>
> Why not add this on the web submittal nag screen?
>
> Luke
> Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Password-protected .zip file viruses
On Fri, 5 Mar 2004 13:31:35 -0800 (PST) [EMAIL PROTECTED] wrote:

> uvscan is detecting zipped/passworded Bagle zips as Worm.Bagle.Gen-zippwd. Any ideas as to how they might be doing this?

Please don't top post.

That's not your uvscan but ClamAV detecting the worm.

--
   oo.                               Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.                             http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
       //\ /\                        Fri Mar 5 23:10:04 CET 2004
Re: [Clamav-users] Password-protected .zip file viruses
Paul Boven wrote:

> How about only trying every word in the mail-body as a key to try, instead of brute-forcing? The virus(-writer) cannot afford to fudge the password in the mail-body: One would hope that the subset of users that is clever enough to reconstruct the password, yet stupid enough to use that to open it, is small enough to make the virus unviable.

Good point. That should take less than a second. My 700 MHz machine can try every word in an unabridged English dictionary in about 15 seconds.

Though there could be HTML bodies with the pass<!-- obscured -->word.

--
Chris
RE: [Clamav-users] Password-protected .zip file viruses
But...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Meadors
Sent: Tuesday, March 02, 2004 11:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Password-protected .zip file viruses

> Paul Boven wrote:
> > How about only trying every word in the mail-body as a key to try, instead of brute-forcing? The virus(-writer) cannot afford to fudge the password in the mail-body: One would hope that the subset of users that is clever enough to reconstruct the password, yet stupid enough to use that to open it, is small enough to make the virus unviable.

The problem is that the virus could send an HTML message... in an HTML message, character encodings, fonts with small spaces between, etc. could be enough to fool software but not a human:

For example (don't take this too literally):

  the password is d<small>&nbsp;</small>o<small>&nbsp;</small>gg<small>&nbsp;</small>y

will look like doggy

m/
Re: [Clamav-users] Password-protected .zip file viruses
Jesper Juhl wrote:

> What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)... I could whip some code together for this if it has any interest at all...

I don't believe this is possible, or the right way to do it.

My best idea at the time is to add text to the email explaining that the virus-scanner can't handle password protected .zip-files, so the attachment is unchecked for viruses. But this should not be done by the virusscanner but rather by the integration software. ClamAV could use a special return code for unscannable attachments, like passwd protected zips and pgp encrypted stuff.

//daniel wiberg
RE: [Clamav-users] Password-protected .zip file viruses
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED]] On Behalf Of Jesper Juhl
Sent: 3 March 2004 02:55
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Password-protected .zip file viruses

> What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)...

Since you know what the extracted content would be, you should be able to cut some BIG corners instead of a full brute-force-crack.

Best regards,
Diego d'Ambra
Re: [Clamav-users] Password-protected .zip file viruses
There used to be a utility, way back in my OS/2 days, I think it was called Stripper or something like that. It removed the HTML crap from files leaving only the plain text...

Shawn

On Wed, 03 Mar 2004 07:43:35 + Chris Meadors [EMAIL PROTECTED] exclaimed:

> Good point. That should take less than a second. My 700 MHz machine can try every word in an unabridged English dictionary in about 15 seconds.
>
> Though there could be HTML bodies with the pass<!-- obscured -->word.
>
> --
> Chris
Re: [Clamav-users] Password-protected .zip file viruses
Tomasz Papszun said:

> WE ASK USERS TO NOT SUBMIT naked zip files IF their contents are DETECTED as infected by ClamAV AFTER UNZIPPING. It's an utter waste of our time, which results in delays in processing really significant samples!

Why not add this on the web submittal nag screen?

Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
[Clamav-users] Password-protected .zip file viruses
Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.

I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.

We don't want to waste your time submitting these - would it be useful to put a comment on the virus submission page that you just don't want these?

I see that there have been a few rejected, stating that you'd need the *complete* E-mail - are you looking for other characteristics of the complete E-mail message, something not specifically tied to the attachment?

--
Charlie Watts
Brainstorm Internet
970 247-1442 x113
[EMAIL PROTECTED]
http://www.brainstorminternet.net/
Re: [Clamav-users] Password-protected .zip file viruses
On Tue, 2 Mar 2004, Charlie Watts wrote:

> Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
>
> I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.

What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)... I could whip some code together for this if it has any interest at all...

--
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html
Re: [Clamav-users] Password-protected .zip file viruses
On Wed, 3 Mar 2004 02:54:35 +0100 (CET) [EMAIL PROTECTED] (Jesper Juhl) wrote:

> On Tue, 2 Mar 2004, Charlie Watts wrote:
>
> > Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
> >
> > I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.
>
> What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)... I could whip some code together for this if it has any interest at all...

There are 2 ways to see this fact:

1. The AV is able to clean/scan EACH file correctly, well! But on the other hand what's with ACE, RAR and many others?

2. On the other hand there's my point of view and (sure.. :) ) it's the right point of view: NO! I don't agree! I will stop all work for clamAV and other things! I won't ask old contacts anymore if this feature will be included.

Why?
a) Huge Mailservers CAN'T crack each file... there's not enough CPU-Power
b) That's the way the damn GOV-GUYS work, it's not my way... and so I say hard NO because if you break an encryption enabled by a user you could spy his personal data and so on.

And you're wrong! ZIP-PWs aren't easy to crack. The old PW, well.. But GZ use blowfish and I read somewhere that WinZIP will use AES soon.

Rembrandt
Re: [Clamav-users] Password-protected .zip file viruses
On Wed, 3 Mar 2004, Rembrandt wrote:

> On Wed, 3 Mar 2004 02:54:35 +0100 (CET) [EMAIL PROTECTED] (Jesper Juhl) wrote:
>
> > On Tue, 2 Mar 2004, Charlie Watts wrote:
> >
> > > Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
> > >
> > > I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.
> >
> > What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)... I could whip some code together for this if it has any interest at all...
>
> There are 2 ways to see this fact:
>
> 1. The AV is able to clean/scan EACH file correctly, well! But on the other hand what's with ACE, RAR and many others?
>
> 2. On the other hand there's my point of view and (sure.. :) ) it's the right point of view: NO! I don't agree! I will stop all work for clamAV and other things! I won't ask old contacts anymore if this feature will be included.

Calm down. I just suggested it as something to optionally do. I know it's not something that is actually reasonable to do on every file, but I thought that it might be useful for some people. It was/is just a suggestion.

> Why?
> a) Huge Mailservers CAN'T crack each file... there's not enough CPU-Power

agreed.

> b) That's the way the damn GOV-GUYS work, it's not my way... and so I say hard NO because if you break an encryption enabled by a user you could spy his personal data and so on.

Well, mails pass through your mailserver - plenty of ways to spy on personal data if that's what you want to do.

I suggested this as a way to scan inside protected archives, not as a way of spying on anyone. Besides, if the data is so sensitive, the person who sent it should use encryption strong enough that it can't be broken before the sun goes out... But, that's just my personal opinion...

> And you're wrong! ZIP-PWs aren't easy to crack. The old PW, well..

Well, I was thinking of the old password protection - all I have actual experience with.

> But GZ use blowfish and I read somewhere that WinZIP will use AES soon.

In that case it would take ages ;)

--
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html
RE: [Clamav-users] Password-protected .zip file viruses
My understanding of reliable zip password checking was that you needed two or more files encoded with the same password in the archive to allow a good check... Maybe I'm wrong on that, but still I'd rather have a setting that allows me to reject unscannable attachments. Preferably, as mentioned before, somehow selectable by the user - if this was a command line argument: "ignore unscannable archives" vs. "reject unscannable archives".

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jesper Juhl
Sent: Tuesday, March 02, 2004 5:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Password-protected .zip file viruses

> On Tue, 2 Mar 2004, Charlie Watts wrote:
>
> > Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
> >
> > I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.
>
> What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)... I could whip some code together for this if it has any interest at all...
>
> --
> Jesper Juhl [EMAIL PROTECTED]
> Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
> Please don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
> Please send plain text emails only  http://www.expita.com/nomime.html
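Two proposals in this thread point the same way: daniel wiberg's "special return code for unscannable attachments" and m/'s "ignore unscannable archives vs. reject unscannable archives" switch, and Tomasz Kojm notes that ClamAV already flags the passworded Bagle zip without opening it. What makes that possible is that a zip archive announces encryption in cleartext: bit 0 of the general-purpose flag in every local and central-directory header is set for an encrypted entry, and no password is needed to read it. The following added example (not ClamAV's code, nor anything from the thread participants) walks the central directory of an archive, reports the encryption indicators per entry, and maps the result onto an "ignore" or "reject" policy. The verdict names, the policy names and the `build_zip` helper that constructs test archives in memory are this example's own assumptions; the "encrypted" archive it builds only sets the flag bit and stores stand-in bytes, no real PKWARE or AES encryption is performed, because the scanner only looks at the header.

```python
import io
import struct
import zipfile
import zlib

# Record signatures from the PKWARE APPNOTE, written little-endian.
LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50

# General-purpose bit flag values and the WinZip AES compression-method id.
FLAG_ENCRYPTED = 0x0001    # bit 0: entry is encrypted (traditional or AES)
FLAG_STRONG_ENC = 0x0040   # bit 6: PKWARE "strong encryption"
METHOD_AES = 99            # WinZip AE-x; real method sits in the extra field

# Verdict and policy names are assumptions of this example, not ClamAV's.
SCANNABLE = "SCANNABLE"
UNSCANNABLE_ENCRYPTED = "UNSCANNABLE_ENCRYPTED"
NOT_ZIP = "NOT_ZIP"


def build_zip(entries, encrypted=False):
    """Constructed test data: a minimal STORED archive assembled by hand.

    With encrypted=True the encryption bit is set and the stored bytes are a
    stand-in for ciphertext (the plaintext reversed); nothing is actually
    encrypted, since only the header flag matters to the scanner."""
    body, central = bytearray(), bytearray()
    flags = FLAG_ENCRYPTED if encrypted else 0
    for name, payload in entries:
        name_b = name.encode("ascii")
        stored = payload[::-1] if encrypted else payload
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        # Local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len.
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                            crc, len(stored), len(payload), len(name_b), 0)
        body += name_b + stored
        # Central directory header for the same entry (46 bytes + name).
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20,
                               flags, 0, 0, 0, crc, len(stored),
                               len(payload), len(name_b), 0, 0, 0, 0, 0,
                               offset)
        central += name_b
    cd_offset = len(body)
    body += central
    # End of central directory: disk numbers, entry counts, size, offset.
    body += struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries),
                        len(entries), len(central), cd_offset, 0)
    return bytes(body)


def list_entries(data):
    """Walk the central directory and report what a scanner can learn about
    each entry without any password: its name and the encryption bits."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _size, cd_offset, _ = struct.unpack_from(
        "<IHHHHIIH", data, eocd)
    entries, pos = [], cd_offset
    for _ in range(count):
        rec = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if rec[0] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        flags, method = rec[3], rec[4]
        name_len, extra_len, comment_len = rec[10], rec[11], rec[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append({"name": name,
                        "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "strong": bool(flags & FLAG_STRONG_ENC),
                        "aes": method == METHOD_AES})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def scan_verdict(data):
    """Three-way result the mail integration can act on, instead of a
    silent 'clean' for an archive the scanner could not look inside."""
    try:
        entries = list_entries(data)
    except (ValueError, struct.error):
        return NOT_ZIP
    if any(e["encrypted"] for e in entries):
        return UNSCANNABLE_ENCRYPTED
    return SCANNABLE


def apply_policy(verdict, policy):
    """'ignore' delivers unscannable archives unchecked, 'reject' bounces
    them; anything scannable (or not an archive) goes to the normal scan."""
    if verdict in (SCANNABLE, NOT_ZIP):
        return "scan"
    if policy == "reject":
        return "reject"
    if policy == "ignore":
        return "deliver-unscanned"
    raise ValueError("unknown policy %r" % policy)


def stdlib_roundtrip(data, name):
    """Cross-check that the hand-built archive is a valid zip."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


if __name__ == "__main__":
    plain = build_zip([("readme.txt", b"hello")])
    locked = build_zip([("photo.scr", b"stand-in payload")], encrypted=True)
    for blob in (plain, locked, b"not a zip at all"):
        v = scan_verdict(blob)
        print(v, "->", apply_policy(v, "reject"))
```

The check deliberately reads the central directory rather than trusting the first local header, because an archive's entries can differ in flags and the central directory is what unzip tools consult first; a real integration would also treat the `strong` and `aes` fields as unscannable, since those are the WinZip AES and PKWARE strong-encryption cases Rembrandt mentions.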