Re: [Clamav-users] Password-protected .zip file viruses

2004-03-05 Thread clamav

uvscan is detecting zipped/passworded Bagle zips as
Worm.Bagle.Gen-zippwd.  Any ideas as to how they might be doing this?

-Eric

On Wed, 3 Mar 2004, Lucas Albers wrote:

> Tomasz Papszun said:
> > WE ASK USERS TO NOT SUBMIT naked zip files IF their contents is DETECTED
> > as infected by ClamAV AFTER UNZIPPING. It's an utter waste of our time,
> > which results in delays in processing really significant samples!
>
> Why not add this on the web submittal nag screen?
>
>
> Luke Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
>
>
>
> ---
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> ___
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users
>

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770





Re: [Clamav-users] Password-protected .zip file viruses

2004-03-05 Thread Tomasz Kojm
On Fri, 5 Mar 2004 13:31:35 -0800 (PST)
[EMAIL PROTECTED] wrote:

 
> uvscan is detecting zipped/passworded Bagle zips as
> Worm.Bagle.Gen-zippwd.  Any ideas as to how they might be doing this?

Please don't top post.

That's not your uvscan but ClamAV detecting the worm.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 23:10:04 CET 2004




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Chris Meadors
Paul Boven wrote:

> How about only trying every word in the mail-body as a key to try,
> instead of brute-forcing? The virus(-writer) cannot afford to fudge the
> password in the mail-body: One would hope that the subset of users that
> is clever enough to reconstruct the password, yet stupid enough to use
> that to open it, is small enough to make the virus unviable.

Good point.  That should take less than a second.  My 700 MHz machine
can try every word in an unabridged English dictionary in about 15 seconds.

Though there could be HTML bodies with the pass<!-- obscured -->word.

--
Chris


RE: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Mitch \(WebCob\)
But...

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Chris
> Meadors
> Sent: Tuesday, March 02, 2004 11:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Password-protected .zip file viruses
>
>
> Paul Boven wrote:
>
> > How about only trying every word in the mail-body as a key to try,
> > instead of brute-forcing? The virus(-writer) cannot afford to fudge the
> > password in the mail-body: One would hope that the subset of users that
> > is clever enough to reconstruct the password, yet stupid enough to use
> > that to open it, is small enough to make the virus unviable.

The problem is that the virus could send an HTML message... in an HTML
message, character encodings, fonts with small spaces between, etc. could be
enough to fool software but not a human:

For example (don't take this too literally):

the password is
d<small>&nbsp;</small>o<small>&nbsp;</small>gg<small>&nbsp;</small>y

will look like doggy

m/





Re: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Daniel Wiberg
Jesper Juhl wrote:

> What I'm thinking is; Would it be feasible to add an option to attempt to
> brute-force-crack the passwords on zip files when scanning them?
> Yes, it would slow down scanning immensely, and there's *no* way it should
> ever be a default option, but zip file passwords are /reasonably/ simple to
> crack, so it is doable (although it takes time)...
> I could whip some code together for this if it has any interest at all...
>

I don't believe this is possible, or the right way to do it. My best idea
at the time is to add text to the email explaining that the
virus scanner can't handle password protected .zip-files, so the
attachment is unchecked for viruses.

But this should not be done by the virus scanner but rather by the
integration software. ClamAV could use a special return code for
unscannable attachments, like passwd protected zips and pgp encrypted stuff.

//daniel wiberg





RE: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Diego d'Ambra
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED]] On Behalf Of Jesper Juhl
> Sent: 3 March 2004 02:55
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Password-protected .zip file viruses
>
> What I'm thinking is; Would it be feasible to add an option to attempt to
> brute-force-crack the passwords on zip files when scanning them?
> Yes, it would slow down scanning immensely, and there's *no* way it should
> ever be a default option, but zip file passwords are /reasonably/ simple to
> crack, so it is doable (although it takes time)...
>

Since you know what the extracted content would be, you should be able
to cut some BIG corners instead of a full brute-force-crack.

Best regards,
Diego d'Ambra




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Shawn Tayler

There used to be a utility, way back in my OS/2 days, I think it was called
Stripper or something like that.  It removed the HTML crap from files
leaving only the plain text...

Shawn

On Wed, 03 Mar 2004 07:43:35 + Chris Meadors [EMAIL PROTECTED]
exclaimed:

> Good point.  That should take less than a second.  My 700 MHz machine
> can try every word in an unabridged English dictionary in about 15
> seconds.
>
> Though there could be HTML bodies with the pass<!-- obscured -->word.
>
> --
> Chris




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-03 Thread Lucas Albers
Tomasz Papszun said:
> WE ASK USERS TO NOT SUBMIT naked zip files IF their contents is DETECTED
> as infected by ClamAV AFTER UNZIPPING. It's an utter waste of our time,
> which results in delays in processing really significant samples!

Why not add this on the web submittal nag screen?


Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana





[Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Charlie Watts
Clearly the virus DB maintainers are inundated with password-protected
.zip files with viruses inside.

I think I understand the technical impossibility of making a signature for
these - the .zip header is the same, and then the filenames inside are
randomized, as is the password, and thus the encrypted body has nothing
recognizable - so there isn't anything available to make a signature off
of.

We don't want to waste your time submitting these - would it be useful to
put a comment on the virus submission page that you just don't want these?


I see that there have been a few rejected, stating that you'd need the
*complete* E-mail - are you looking for other characteristics of the
complete E-mail message, something not specifically tied to the
attachment?

-- 
Charlie Watts
Brainstorm Internet
970 247-1442 x113
[EMAIL PROTECTED]
http://www.brainstorminternet.net/




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Jesper Juhl
On Tue, 2 Mar 2004, Charlie Watts wrote:

> Clearly the virus DB maintainers are inundated with password-protected
> .zip files with viruses inside.
>
> I think I understand the technical impossibility of making a signature for
> these - the .zip header is the same, and then the filenames inside are
> randomized, as is the password, and thus the encrypted body has nothing
> recognizable - so there isn't anything available to make a signature off
> of.


What I'm thinking is; Would it be feasible to add an option to attempt to
brute-force-crack the passwords on zip files when scanning them?
Yes, it would slow down scanning immensely, and there's *no* way it should
ever be a default option, but zip file passwords are /reasonably/ simple to
crack, so it is doable (although it takes time)...

I could whip some code together for this if it has any interest at all...


-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post               http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Rembrandt
On Wed, 3 Mar 2004 02:54:35 +0100 (CET)
[EMAIL PROTECTED] (Jesper Juhl) wrote:

> On Tue, 2 Mar 2004, Charlie Watts wrote:
>
> > Clearly the virus DB maintainers are inundated with
> > password-protected .zip files with viruses inside.
> >
> > I think I understand the technical impossibility of making a
> > signature for
> > these - the .zip header is the same, and then the filenames inside
> > are randomized, as is the password, and thus the encrypted body has
> > nothing recognizable - so there isn't anything available to make a
> > signature off of.
> >
>
> What I'm thinking is; Would it be feasible to add an option to attempt
> to brute-force-crack the passwords on zip files when scanning them?
> Yes, it would slow down scanning immensely, and there's *no* way it
> should ever be a default option, but zip file passwords are
> /reasonably/ simple to crack, so it is doable (although it takes
> time)...
>
> I could whip some code together for this if it has any interest at
> all...

There are 2 ways to see this fact:

1. The AV is able to clean/scan EACH file correctly, well! But on the
other hand what's with ACE, RAR and many others?

2. On the other hand there's my point of view and (sure.. :) ) it's the
right point of view:

NO!
I don't agree!
I will stop all work for clamAV and other things!
I won't ask old contacts anymore if this feature will be included.

Why?
a) Huge Mailservers CAN'T crack each file... there's not enough CPU-Power
b) That's the way the damn GOV-GUYS work, it's not my way... and so I
say hard NO because if you break an encryption enabled by a user you could
spy his personal data and so on.

And you're wrong!
ZIP-PWs aren't easy to crack. The old PW, well..
But GZ use blowfish and I read somewhere that WinZIP will use AES soon.


Rembrandt




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Jesper Juhl
On Wed, 3 Mar 2004, Rembrandt wrote:

> On Wed, 3 Mar 2004 02:54:35 +0100 (CET)
> [EMAIL PROTECTED] (Jesper Juhl) wrote:
>
> > On Tue, 2 Mar 2004, Charlie Watts wrote:
> >
> > > Clearly the virus DB maintainers are inundated with
> > > password-protected .zip files with viruses inside.
> > >
> > > I think I understand the technical impossibility of making a
> > > signature for
> > > these - the .zip header is the same, and then the filenames inside
> > > are randomized, as is the password, and thus the encrypted body has
> > > nothing recognizable - so there isn't anything available to make a
> > > signature off of.
> > >
> >
> > What I'm thinking is; Would it be feasible to add an option to attempt
> > to brute-force-crack the passwords on zip files when scanning them?
> > Yes, it would slow down scanning immensely, and there's *no* way it
> > should ever be a default option, but zip file passwords are
> > /reasonably/ simple to crack, so it is doable (although it takes
> > time)...
> >
> > I could whip some code together for this if it has any interest at
> > all...
>
> There are 2 ways to see this fact:
>
> 1. The AV is able to clean/scan EACH file correctly, well! But on the
> other hand what's with ACE, RAR and many others?
>
> 2. On the other hand there's my point of view and (sure.. :) ) it's the
> right point of view:
>
> NO!
> I don't agree!
> I will stop all work for clamAV and other things!
> I won't ask old contacts anymore if this feature will be included.

Calm down. I just suggested it as something to optionally do. I know it's
not something that is actually reasonable to do on every file, but I
thought that it might be useful for some people. It was/is just a
suggestion.


> Why?
> a) Huge Mailservers CAN'T crack each file... there's not enough CPU-Power

agreed.

> b) That's the way the damn GOV-GUYS work, it's not my way... and so I
> say hard NO because if you break an encryption enabled by a user you could
> spy his personal data and so on.


Well, mails pass through your mailserver - plenty of ways to spy on
personal data if that's what you want to do. I suggested this as a way to
scan inside protected archives, not as a way of spying on anyone. Besides,
if the data is so sensible, the person who sent it should use encryption
strong enough that it can't be broken before the sun goes out... But,
that's just my personal opinion...


> And you're wrong!
> ZIP-PWs aren't easy to crack. The old PW, well..

Well, I was thinking of the old password protection - all I have actual
experience with.

> But GZ use blowfish and I read somewhere that WinZIP will use AES soon.

In that case it would take ages ;)


-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post               http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




RE: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Mitch \(WebCob\)
My understanding of reliable zip password checking was that you needed two
or more files encoded with the same password in the archive to allow a good
check...

Maybe I'm wrong on that, but still I'd rather a setting that allows me to
reject unscannable attachments. Preferably, as mentioned before, somehow by
user - if this was a command line argument: ignore unscannable archives vs.
reject unscannable archives.

m/

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Jesper
> Juhl
> Sent: Tuesday, March 02, 2004 5:55 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Password-protected .zip file viruses
>
>
> On Tue, 2 Mar 2004, Charlie Watts wrote:
>
> > Clearly the virus DB maintainers are inundated with password-protected
> > .zip files with viruses inside.
> >
> > I think I understand the technical impossibility of making a
> > signature for
> > these - the .zip header is the same, and then the filenames inside are
> > randomized, as is the password, and thus the encrypted body has nothing
> > recognizable - so there isn't anything available to make a signature off
> > of.
> >
>
> What I'm thinking is; Would it be feasible to add an option to attempt to
> brute-force-crack the passwords on zip files when scanning them?
> Yes, it would slow down scanning immensely, and there's *no* way it should
> ever be a default option, but zip file passwords are /reasonably/ simple to
> crack, so it is doable (although it takes time)...
>
> I could whip some code together for this if it has any interest at all...
>
>
> --
> Jesper Juhl [EMAIL PROTECTED]
> Systems Administrator, Danmarks Idræts-Forbund / The Danish
> Sports Federation
> Please don't top-post
> http://www.catb.org/~esr/jargon/html/T/top-post.html
> Please send plain text emails only
> http://www.expita.com/nomime.html
>
>
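The thread above sketches, in pieces, one gateway-side approach: treat an entry whose ZIP encryption flag is set as unscannable and report that distinctly to the integration software (Daniel Wiberg), first try the words of the mail body as the password rather than brute-forcing (Paul Boven, Chris Meadors), cope with HTML bodies that split the word with comments or `<small>&nbsp;</small>` glue (Chris Meadors, Mitch), and keep in mind that a single-file ZipCrypto password check is weak (Mitch). The Python below is an added example that is not code from the thread or from the ClamAV project; the function names, the constructed sample body and attachment, and the ZipCrypto encrypter (included only because Python's `zipfile` reads traditionally encrypted entries but cannot write them, so a fixture has to be built by hand) are all this example's own assumptions.

```python
import html
import io
import os
import re
import struct
import zipfile
import zlib

# Traditional PKWARE ("ZipCrypto") encryption. Python's zipfile reads such entries
# but cannot write them, so this writer exists only to build a labelled fixture.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoEncrypter:
    """Three-key ZipCrypto stream cipher; the keys advance on every plaintext byte."""

    def __init__(self, pwd):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b):
        k = self.keys
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.keys[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)
        return bytes(out)


def build_zip(name, payload, pwd=None):
    """One-entry ZIP, stored (no compression). With pwd, the entry is ZipCrypto
    encrypted and general-purpose flag bit 0 is set, like the worm attachments."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    flags, body = 0, payload
    if pwd is not None:
        flags = 0x1
        # 12-byte prefix: 11 random bytes, then the high byte of the CRC as check byte
        prefix = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
        body = ZipCryptoEncrypter(pwd).encrypt(prefix + payload)
    fname = name.encode()
    local = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(body), len(payload), len(fname), 0) + fname
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags, 0, 0,
                          0x21, crc, len(body), len(payload), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


# Gateway-side logic (hypothetical names, not a ClamAV interface).
def candidate_passwords(body, is_html=False):
    """Words of the mail body that might be the archive password. For HTML, comments,
    tags and &nbsp; glue between letters are removed first, so pass<!-- x -->word and
    d<small>&nbsp;</small>oggy yield what a human reads (both readings of &nbsp; kept)."""
    texts = [body]
    if is_html:
        t = re.sub(r'<!--.*?-->', '', body, flags=re.S)                      # comments
        t = re.sub(r'</?(?:p|div|br|tr|td|li|h[1-6])\b[^>]*>', ' ', t, flags=re.I)  # block tags
        t = html.unescape(re.sub(r'<[^>]+>', '', t))                         # inline tags
        texts = [t.replace('\xa0', ' '), t.replace('\xa0', '')]
    words = set()
    for t in texts:
        words.update(re.findall(r'[A-Za-z0-9_]{3,}', t))
    return words


def encrypted_entries(zip_bytes):
    """Names of entries whose general-purpose flag bit 0 (encryption) is set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def scan_attachment(zip_bytes, mail_body, is_html=False):
    """Return ('plain', None), ('opened', password) or ('unscannable', None).
    A wrong password normally fails the single check byte (RuntimeError); about one
    wrong guess in 256 passes it and is only caught by the CRC mismatch (BadZipFile)."""
    names = encrypted_entries(zip_bytes)
    if not names:
        return ('plain', None)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for word in sorted(candidate_passwords(mail_body, is_html)):
            try:
                zf.read(names[0], pwd=word.encode())
                return ('opened', word)      # content can now go to the scanner
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return ('unscannable', None)             # distinct result for the MTA glue


# Constructed sample: an HTML body in the style Mitch described, plus a stand-in
# attachment (the payload is a harmless marker string, not malware).
SAMPLE_BODY = ('<p>the password is d<small>&nbsp;</small>o<small>&nbsp;</small>gg'
               '<small>&nbsp;</small>y</p><p>see the attach<!-- obscured -->ment</p>')
SAMPLE_ZIP = build_zip('readme.exe', b'X-SAMPLE-PAYLOAD-NOT-MALWARE', pwd=b'doggy')
SAMPLE_PLAIN_ZIP = build_zip('readme.txt', b'hello')
```

`scan_attachment(SAMPLE_ZIP, SAMPLE_BODY, is_html=True)` returns `('opened', 'doggy')`, the plain archive returns `('plain', None)`, and a body with no usable word returns `('unscannable', None)`; that third value is the separate return code Daniel asked for, which the integration software rather than the scanner would turn into a warning or a rejection. The check byte in the 12-byte prefix is only one byte, so one wrong guess in 256 slips past it and is rejected only by the CRC over the decrypted data; that single-byte check is the weakness behind Mitch's remark that one file in the archive does not give a reliable password check.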