Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004 04:14:52 -0800 (PST) [EMAIL PROTECTED] exclaimed:

> Worm.Bagle.H found in unzipped file. It's impossible to create a signature
> of an encrypted zip file. This new infection method is likely to drive us
> nuts. This is the password-less workaround I've come up with and your input
> is appreciated. The unix unzip output looks like so:
>
>     $ uvscan -lv virus.zip
>     Archive:  TextDocument.zip
>      Length   Method    Size  Ratio   Date   Time   CRC-32    Name
>     --------  ------  ------- -----   ----   ----   ------    ----
>        21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
>     --------          -------  ---                            -------
>        21150            21150   0%                            1 file
>
> Fortunately we can get the file crc w/o actually extracting the file. Can
> zip file crc's count as sigs?
>
> A quick/crude perl hack to test for this at the MTA seems to work pretty
> well:
>
>     # Fork a child that runs "unzip -lv" on the archive; the parent reads
>     # the listing through the UNZIP handle.
>     if (!open(UNZIP, "-|")) {
>         exec("/usr/bin/unzip", '-lv', $file);
>     }
>     while (<UNZIP>) {
>         # CRC-32 of the known sample, taken from the listing above.
>         if (/7ac0095f/) {
>             close(UNZIP);
>             print "Found the w32nsc/Bagle.H-zip virus !!!\n";
>             found_virus();
>         }
>     }
>     close(UNZIP);
>
> Suggestions? There are really easy ways for the virus writer to circumvent
> this type of check but until they start utilizing such strategies, is it
> possible to include the zip's crc into ClamAV's sigs?

Except that I have 3 files, all ID'd the same when unzipped. But they have
different CRC's. They all show as stored though:

     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       21816  Stored    21816   0%  03-03-04 18:03  b036a836  xooas.exe
    --------          -------  ---                            -------
       21816            21816   0%                            1 file

    ~/virus/encrypted$ clamscan xooas.exe
    xooas.exe: Worm.Bagle.Gen-2 FOUND

     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       21512  Stored    21512   0%  03-02-04 15:40  5399d9c7  ruqxq.scr
    --------          -------  ---                            -------
       21512            21512   0%                            1 file

    ~/virus/encrypted$ clamscan ruqxq.scr
    ruqxq.scr: Worm.Bagle.Gen-2 FOUND

     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       21378  Stored    21378   0%  03-03-04 16:31  331840c6  ludkesb.exe
    --------          -------  ---                            -------
       21378            21378   0%                            1 file

    ~/virus/encrypted$ clamscan ludkesb.exe
    ludkesb.exe: Worm.Bagle.Gen-2 FOUND

Shawn

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, Mar 02, 2004 at 09:38:11PM -0800, Shawn Tayler wrote:
> On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry [EMAIL PROTECTED] exclaimed:
> > The question is how much of a problem it really is. Are users really
> > that dumb?
> >
> > What I'm wondering is whether the encrypted version of the virus can be
> > created by the unencrypted version, or whether the encrypted versions of
> > the virus we have seen have all been produced by actual encrypted-zip
> > infections. Anyone know?
>
> Well, given the level of replication I'm seeing on this bug, I'd say the
> answer is yes.

You didn't read my second paragraph! You getting encrypted zip files doesn't
prove that anyone was infected with an encrypted file. The mail could have
been produced by a machine infected with the unencrypted version!

-- 
Erik Corry          I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED]   bunch of tax-dodging professional whiners. - B. Breathed.

---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] password-protected Worm.Bagle.H
That's got my vote - can the core team give some indication of options being
considered and what general direction we'll go here?

Thanks.

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Dills
Sent: Tuesday, March 02, 2004 11:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] password-protected Worm.Bagle.H

> I think clamav should return a certain value if the zip file is deemed
> clean because it's encrypted, so that glue programs like amavisd-new can
> allow people to control when encrypted zips are allowed through.
>
> This is a reasonable thing for clamav to do regardless, if you think about
> it; isn't that essentially an error condition (can't scan zipfile)?
>
> It would seem a simple fix for somebody familiar with the code.
>
> Developers, any comments?
>
> Thanks,
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
Re: [Clamav-users] password-protected Worm.Bagle.H
Worm.Bagle.H found in unzipped file. It's impossible to create a signature of
an encrypted zip file. This new infection method is likely to drive us nuts.
This is the password-less workaround I've come up with and your input is
appreciated. The unix unzip output looks like so:

    $ uvscan -lv virus.zip
    Archive:  TextDocument.zip
     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
    --------          -------  ---                            -------
       21150            21150   0%                            1 file

Fortunately we can get the file crc w/o actually extracting the file. Can zip
file crc's count as sigs?

A quick/crude perl hack to test for this at the MTA seems to work pretty
well:

    # Fork a child that runs "unzip -lv" on the archive; the parent reads
    # the listing through the UNZIP handle.
    if (!open(UNZIP, "-|")) {
        exec("/usr/bin/unzip", '-lv', $file);
    }
    while (<UNZIP>) {
        # CRC-32 of the known sample, taken from the listing above.
        if (/7ac0095f/) {
            close(UNZIP);
            print "Found the w32nsc/Bagle.H-zip virus !!!\n";
            found_virus();
        }
    }
    close(UNZIP);

Suggestions? There are really easy ways for the virus writer to circumvent
this type of check but until they start utilizing such strategies, is it
possible to include the zip's crc into ClamAV's sigs?

Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/

Voice: (503) 293-7656
Fax:   (503) 885-0770
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 02 Mar 2004 at 4:14:52 -0800, [EMAIL PROTECTED] wrote:
> Worm.Bagle.H found in unzipped file. It's impossible to create a signature
> of an encrypted zip file. This new infection method is likely to drive us
> nuts. This is the password-less workaround I've come up with and your input
> is appreciated. The unix unzip output looks like so:
> [...]
>        21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
> [...]
> Fortunately we can get the file crc w/o actually extracting the file.
> [...]

It gives nothing as copies of Worm.Bagle.H (and previous variants also) vary
in their contents and even sizes. So checksums are different.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
RE: [Clamav-users] password-protected Worm.Bagle.H
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
>
> This new infection method is likely to drive us nuts. This is the
> password-less workaround I've come up with and your input is appreciated.
> The unix unzip output looks like so:
>
>     $ uvscan -lv virus.zip
>     Archive:  TextDocument.zip
>      Length   Method    Size  Ratio   Date   Time   CRC-32    Name
>     --------  ------  ------- -----   ----   ----   ------    ----
>        21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
>     --------          -------  ---                            -------
>        21150            21150   0%                            1 file
>
> Fortunately we can get the file crc w/o actually extracting the file. Can
> zip file crc's count as sigs?
>
> A quick/crude perl hack to test for this at the MTA seems to work pretty
> well:
>
> ---SNIP---
>
> Suggestions? There are really easy ways for the virus writer to circumvent
> this type of check but until they start utilizing such strategies, is it
> possible to include the zip's crc into ClamAV's sigs?

I'd say that if you're doing that you want to include the other key
information, namely the size and the compression ratio. That way the chances
of a collision are minimal (the odds are reasonable that there is another zip
file with a single file that has the same CRC; the odds decrease however if
you also use the size and compression ratio).

-- 
PLEASE - keep list traffic on the list. Don't CC or send me mail directly.

Rob MacGregor (BOFH)
RE: [Clamav-users] password-protected Worm.Bagle.H
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED]] On Behalf
> Of [EMAIL PROTECTED]
> Sent: 2 March 2004 13:15
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
>
> Suggestions? There are really easy ways for the virus writer to circumvent
> this type of check but until they start utilizing such strategies, is it
> possible to include the zip's crc into ClamAV's sigs?

From the (unzipped) samples I've access to they differ in size, so MD5 or
other checksums are useless.

Best regards,
Diego d'Ambra
RE: [Clamav-users] password-protected Worm.Bagle.H
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Diego
> d'Ambra
> Sent: Tuesday, March 02, 2004 4:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] password-protected Worm.Bagle.H
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED]] On
> > Behalf Of [EMAIL PROTECTED]
> > Sent: 2 March 2004 13:15
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
> >
> > Suggestions? There are really easy ways for the virus writer to
> > circumvent this type of check but until they start utilizing such
> > strategies, is it possible to include the zip's crc into ClamAV's sigs?
>
> From the (unzipped) samples I've access to they differ in size, so MD5 or
> other checksums are useless.
>
> Best regards,
> Diego d'Ambra

Seeing how quickly this could get out of hand, and how hard it would be to
write code to read the password from the mail - how about a simple option
that allows full rejection of password encrypted archives - or optional
(based on db lookup) but I'm probably hoping too much there...

I run virtual users out of a mysql database - the user emails are in one
field - options controlling mail handling are in others ('Y' / 'N' enums).
Being able to control this would be ideal, but being able to outright reject
them would be an improvement.

Another tack on this might be accomplished through procmail / maildrop if
unzip will report if archived files are in fact password protected... does
anyone know if there is a way to list passworded files besides trying to
extract them?

Just a few thoughts - as always thank you for the excellent tool

m/
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, Mar 02, 2004 at 07:38:59AM -0800, Mitch (WebCob) wrote:
> Seeing how quickly this could get out of hand, and how hard it would be to
> write code to read the password from the mail - how about a simple option
> that allows full rejection of password encrypted archives - or optional
> (based on db lookup) but I'm probably hoping too much there...

The question is how much of a problem it really is. Are users really that
dumb?

What I'm wondering is whether the encrypted version of the virus can be
created by the unencrypted version, or whether the encrypted versions of the
virus we have seen have all been produced by actual encrypted-zip infections.
Anyone know?

-- 
Erik Corry          I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED]   bunch of tax-dodging professional whiners. - B. Breathed.
RE: [Clamav-users] password-protected Worm.Bagle.H
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erik Corry
>
> The question is how much of a problem it really is. Are users really that
> dumb?
>
> What I'm wondering is whether the encrypted version of the virus can be
> created by the unencrypted version, or whether the encrypted versions of
> the virus we have seen have all been produced by actual encrypted-zip
> infections. Anyone know?

Yes, people really are that dumb. Heck, I talked with somebody earlier today
who infected himself with Netsky-D, and this is somebody normally pretty
smart...

PLEASE - keep list traffic on the list. Email sent directly to me may be
ignored utterly.

-- 
Rob | What part of "no" was it you didn't understand?
Re: [Clamav-users] password-protected Worm.Bagle.H
> The question is how much of a problem it really is. Are users really that
> dumb?
>
> What I'm wondering is whether the encrypted version of the virus can be
> created by the unencrypted version, or whether the encrypted versions of
> the virus we have seen have all been produced by actual encrypted-zip
> infections. Anyone know?

Yes, they are. I've gotten about 10 of those in the last 3 days.
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:
> > The question is how much of a problem it really is. Are users really
> > that dumb?
>
> Yes, they are. I've gotten about 10 of those in the last 3 days.

That doesn't actually prove that anyone typed in the password and got
infected. The version with unencrypted zip file can send the version with
encrypted zip file to others.

The best defence against it (if it really is a problem) might be blocking
encrypted zip files with suspicious filenames in them. You can see that the
file contains a .exe, .pif, etc. ending without the password. That's probably
not a task for clamav though, more like MIMEDefang:

http://www.mimedefang.org/

Someone seems to have been giving this some thought:

http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

-- 
Erik Corry          I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED]   bunch of tax-dodging professional whiners. - B. Breathed.
Re: [Clamav-users] password-protected Worm.Bagle.H
On my qmail server qmail-scanner does this job for me. Google for
qmail-scanner.

----- Original Message -----
From: Erik Corry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 9:11 PM
Subject: Re: [Clamav-users] password-protected Worm.Bagle.H

> On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:
> > > The question is how much of a problem it really is. Are users really
> > > that dumb?
> >
> > Yes, they are. I've gotten about 10 of those in the last 3 days.
>
> That doesn't actually prove that anyone typed in the password and got
> infected. The version with unencrypted zip file can send the version with
> encrypted zip file to others.
>
> The best defence against it (if it really is a problem) might be blocking
> encrypted zip files with suspicious filenames in them. You can see that
> the file contains a .exe, .pif, etc. ending without the password. That's
> probably not a task for clamav though, more like MIMEDefang:
>
> http://www.mimedefang.org/
>
> Someone seems to have been giving this some thought:
>
> http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html
>
> -- 
> Erik Corry          I'd be a Libertarian, if they weren't all a
> [EMAIL PROTECTED]   bunch of tax-dodging professional whiners. - B. Breathed.
Re: [Clamav-users] password-protected Worm.Bagle.H
> It gives nothing as copies of Worm.Bagle.H (and previous variants also)
> vary in their contents and even sizes. So checksums are different.

We have started to see this as well -- we only caught a few w/ the hard-coded
crc hack. This is not perfect either and it falls in line with one
gentleman's procmail filter. Still, this may help some users. We have updated
our virus filter to look something like this:

    # Only bother with small archives; the comparison operator and the rest
    # of the size literal were lost in the list archive, "< 100k" per the
    # text below.
    if ((stat($file))[7] < 100000)    # filesize
    {
        if (!open(UNZIP, "-|")) {
            # Child: merge stderr into stdout so the parent sees unzip's
            # messages, then test the archive with an empty password.
            close(STDERR);
            open(STDERR, ">&STDOUT");
            exec("/usr/bin/unzip", '-t', '-P', '', $file);
        }
        while (<UNZIP>) {
            # unzip reports "incorrect password" for an encrypted entry.
            if (/incorrect password/) {
                close(UNZIP);
                print "Found the w32nsc/crypt-zip.gen virus !!!\n";
                found_virus();
            }
        }
        close(UNZIP);
    }

We are /hoping/ that virus .zip's are < 100k. If anyone sends a legitimate
message which is an encrypted zip that is < 100k we still quarantine it if
the user needs to have a copy, and they are notified of the quarantine.

After a few tests, it does not appear that it will mark unpassworded zips
falsely since a zip w/o password and a zip w/ a password of '' appear to be
equivalent.

Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/

Voice: (503) 293-7656
Fax:   (503) 885-0770
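The posts in this thread lean on four facts about a ZIP that are readable without the password: the per-entry CRC-32 that Eric's listing-based check keys on, the size that Rob suggested pairing with it, the inner filename that Erik pointed out is visible in the clear, and the encryption state that the empty-password `unzip -t -P ''` test above detects by grepping for "incorrect password". The following Python is an added illustration, not code from the thread or from ClamAV: it parses the central directory directly and reads the general-purpose bit 0 (the encryption flag) instead of driving unzip. The hand-built sample archives, the known-bad CRC/size list, the 100k threshold and every name in it are constructed for the example; the "encrypted" samples only carry the flag, their payload is not really encrypted, which is all that header parsing needs.

```python
import struct
import zlib

# Extensions the thread calls suspicious inside an encrypted archive.
SUSPICIOUS_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed stand-in for a known sample; its (CRC-32, size) pair plays the
# role of Eric's hard-coded CRC plus Rob's size, so the value is made up.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 100
KNOWN_BAD = {(zlib.crc32(SAMPLE_PAYLOAD) & 0xFFFFFFFF, len(SAMPLE_PAYLOAD))}


def build_zip(entries):
    """Build a stored (method 0) ZIP by hand from [(name, payload, encrypted)].

    Constructed test fixture: local headers, central directory and EOCD are
    packed to the ZIP spec, so the parser below sees a real layout.
    """
    locals_, central, offset = [], [], 0
    for name, payload, encrypted in entries:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        flags = 0x0001 if encrypted else 0          # bit 0 = entry is encrypted
        nb = name.encode("cp437")
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(payload), len(payload), len(nb), 0) + nb + payload
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                                   0, 0, crc, len(payload), len(payload), len(nb),
                                   0, 0, 0, 0, 0, offset) + nb)
        locals_.append(local)
        offset += len(local)
    body, cd = b"".join(locals_), b"".join(central)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(cd), len(body), 0)
    return body + cd + eocd


def list_entries(data):
    """Walk the central directory and return header facts for every entry.

    Nothing here touches the (possibly encrypted) payload: name, CRC-32,
    sizes, method and the encryption flag all live in the clear in headers.
    """
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _cd_size, cd_offset, _ = struct.unpack_from(
        "<IHHHHIIH", data, eocd_at)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != 0x02014B50:
            raise ValueError("bad central directory signature")
        flags, method, crc, csize, usize = f[3], f[4], f[7], f[8], f[9]
        fnlen, extralen, commentlen = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + fnlen].decode("cp437")
        entries.append({"name": name, "crc": crc, "size": usize, "csize": csize,
                        "method": method, "encrypted": bool(flags & 0x0001)})
        pos += 46 + fnlen + extralen + commentlen
    return entries


def classify(data, max_size=100 * 1024):
    """Return (verdict, reason) using the thread's three checks in order:
    CRC+size match, encrypted executable name, small encrypted entry."""
    for e in list_entries(data):
        if (e["crc"], e["size"]) in KNOWN_BAD:
            return "virus", f"{e['name']}: CRC/size matches a known sample"
        if e["encrypted"]:
            if e["name"].lower().endswith(SUSPICIOUS_EXT):
                return "quarantine", f"{e['name']}: encrypted executable"
            if e["size"] < max_size:
                return "quarantine", f"{e['name']}: small encrypted entry"
    return "clean", "no encrypted or known-bad entries"


if __name__ == "__main__":
    samples = {
        "plain":   build_zip([("readme.txt", b"hello", False)]),
        "enc-scr": build_zip([("photo.scr", b"x" * 40, True)]),
        "known":   build_zip([("setup.exe", SAMPLE_PAYLOAD, False)]),
    }
    for label, blob in samples.items():
        print(label, classify(blob))
```

Reading the flag bit gives the same answer as Eric's `-P ''` probe without spawning unzip per message, and the size threshold carries the same trade-off he describes: a legitimate small encrypted archive is quarantined, a large malicious one passes. The CRC/size pair is checked before the encryption test because it is the only one of the three that identifies a specific sample rather than a class of archive.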
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004 18:08:15 -0800 (PST) [EMAIL PROTECTED] wrote:
> > It gives nothing as copies of Worm.Bagle.H (and previous variants also)
> > vary in their contents and even sizes. So checksums are different.
>
> We have started to see this as well -- we only caught a few w/ the
> hard-coded crc hack. This is not perfect either and it falls in line with
> one gentleman's procmail filter. Still, this may help some users. We have
> updated our virus filter to look something like this:
>
>     # Only bother with small archives; the comparison operator and the
>     # rest of the size literal were lost in the list archive, "< 100k"
>     # per the text below.
>     if ((stat($file))[7] < 100000)    # filesize
>     {
>         if (!open(UNZIP, "-|")) {
>             # Child: merge stderr into stdout so the parent sees unzip's
>             # messages, then test the archive with an empty password.
>             close(STDERR);
>             open(STDERR, ">&STDOUT");
>             exec("/usr/bin/unzip", '-t', '-P', '', $file);
>         }
>         while (<UNZIP>) {
>             # unzip reports "incorrect password" for an encrypted entry.
>             if (/incorrect password/) {
>                 close(UNZIP);
>                 print "Found the w32nsc/crypt-zip.gen virus !!!\n";
>                 found_virus();
>             }
>         }
>         close(UNZIP);
>     }
>
> We are /hoping/ that virus .zip's are < 100k. If anyone sends a legitimate
> message which is an encrypted zip that is < 100k we still quarantine it if
> the user needs to have a copy, and they are notified of the quarantine.
>
> After a few tests, it does not appear that it will mark unpassworded zips
> falsely since a zip w/o password and a zip w/ a password of '' appear to
> be equivalent.

I also received such a mail today from an OpenBSD mailing list (sorry, but:
damn Windows kiddies who are not able to hold their fingers far away from the
left mouse button).

I saw 2 things:
1. An encrypted ZIP
2. A password in the mail

Now I asked myself:
- Does the worm use the same password every time, or does the worm generate
  new passwords?
- Maybe a skilled user could write a script which looks for a PW in the mail.
  If a PW is detected the user should get a warning. The archive shouldn't
  be decrypted.

Rembrandt
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry [EMAIL PROTECTED] exclaimed:
> The question is how much of a problem it really is. Are users really that
> dumb?
>
> What I'm wondering is whether the encrypted version of the virus can be
> created by the unencrypted version, or whether the encrypted versions of
> the virus we have seen have all been produced by actual encrypted-zip
> infections. Anyone know?

Well, given the level of replication I'm seeing on this bug, I'd say the
answer is yes.

Shawn
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004, Erik Corry wrote:
> On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:
> > > The question is how much of a problem it really is. Are users really
> > > that dumb?
> >
> > Yes, they are. I've gotten about 10 of those in the last 3 days.
>
> That doesn't actually prove that anyone typed in the password and got
> infected. The version with unencrypted zip file can send the version with
> encrypted zip file to others.
>
> The best defence against it (if it really is a problem) might be blocking
> encrypted zip files with suspicious filenames in them. You can see that
> the file contains a .exe, .pif, etc. ending without the password. That's
> probably not a task for clamav though, more like MIMEDefang:
>
> http://www.mimedefang.org/
>
> Someone seems to have been giving this some thought:
>
> http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

I think clamav should return a certain value if the zip file is deemed clean
because it's encrypted, so that glue programs like amavisd-new can allow
people to control when encrypted zips are allowed through.

This is a reasonable thing for clamav to do regardless, if you think about
it; isn't that essentially an error condition (can't scan zipfile)?

It would seem a simple fix for somebody familiar with the code.

Developers, any comments?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---