Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-14 Thread dizzy
Update your f-prot version to 4.1.2, then it works (amavisd-new too).

And sorry for this late answer.

On Sat, 02 Aug 2003 14:33:35 -0400
Mike Tancsa <[EMAIL PROTECTED]> wrote:

> 
> I have a few copies of the mimail virus from yesterday that f-prot even 
> with its latest updates does not catch.  Both the Windows and FreeBSD versions 
> fail to identify the two main variants I have got sent my way.
> 
> e.g.
> avscan1% md5 *.DEF
> MD5 (MACRO.DEF) = fc09bc864e62639bc3424e3425083421
> MD5 (SIGN.DEF) = a5d8c14285b2c866e3261421f7f3a0d2
> MD5 (SIGN2.DEF) = 12c403a108c398aeaca01a2a4da68de4
> avscan1% f-prot -verno
> F-PROT ANTIVIRUS
> Program version: 4.1.0
> Engine version: 3.13.3
> 
> VIRUS SIGNATURE FILES
> SIGN.DEF created 1 August 2003
> SIGN2.DEF created 1 August 2003
> MACRO.DEF created 28 July 2003
> avscan1%
> 
> 
> avscan1% f-prot message*.html
> Virus scanning report  -  2 August 2003 @ 14:29
> 
> F-PROT ANTIVIRUS
> Program version: 4.1.0
> Engine version: 3.13.3
> 
> VIRUS SIGNATURE FILES
> SIGN.DEF created 1 August 2003
> SIGN2.DEF created 1 August 2003
> MACRO.DEF created 28 July 2003
> 
> Search: message.html message2.html
> Action: Report only
> Files: Attempt to identify files
> Switches: 
> 
> 
> Results of virus scanning:
> 
> Files: 2
> MBRs: 0
> Boot sectors: 0
> Objects scanned: 0
> 
> Time: 0:00
> 
> No viruses or suspicious files/boot sectors were found.
> avscan1% md5 message*.html
> MD5 (message.html) = d1f0f5dd1f4ebbeebbd61e884ed1669c
> MD5 (message2.html) = d7b72f9b8370aa3b132069a878b5b5c8
> avscan1%
> 
> These are both caught by other scanners but passed by f-prot.  Anyone with 
> f-prot successfully identify this virus ?
> 
> avscan1% f-prot -virlist | grep -i mimail
> [EMAIL PROTECTED]
> JS/Mimail.dropper
> avscan1%
> 
> I sent email yesterday about this to frisk, but just got a "we will submit 
> to the lab."  That was before their update so I wonder if they figure they 
> are covered.
> 
>   ---Mike
> 
> Mike Tancsa,                          tel +1 519 651 3400
> Sentex Communications,                [EMAIL PROTECTED]
> Providing Internet since 1994         www.sentex.net
> Cambridge, Ontario Canada             www.sentex.net/mike
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


-- 

Martin "dizzy" Kujawski
Müller und Kujawski GbR
event-media
Invalidenstr. 50-51
10557 Berlin
Germany

Tel.: +49 30 390 318 12
Fax: +49 30 390 318 13
mail: [EMAIL PROTECTED]
web: http://www.event-media.de
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-14 Thread Paul Szabo
Nick FitzGerald <[EMAIL PROTECTED]> wrote:

>>>> I cannot see anything "special" in the MIME structure of Mimail that would
>>>> cause f-prot to miss the ZIP attachment (or maybe it is the structure of
>>>> the ZIP that f-prot cannot unpack?).
>>> 
>>> I was told it's the encoding scheme in the .html file that's the problem. 
>>> Currently the scanner does not support that type of encoding.
>> 
>> It seems to me that the HTML contains the binary EXE without any encoding:
>> 
>> $ cat -v message.html | fold | head -5
>> MIME-Version: 1.0
>> Content-Location:File://foo.exe
> 
> What's that then?
> Moon dust

Yes :-)
Does not f-prot understand MIME? (Maybe it does MIME but not within MHTML,
that is not without some other headers?)

>>> Regardless, f-prot should list the ZIP attachment, and the files contained
>>> within the ZIP ...
> 
> I'm not sure I understand the comment or its relevance.  If F-PROT is 
> not listing the ZIP file nor the HTML file it contains, that may be the 
> result of some configuration option.  By default, F-PROT only lists 
> "infected" files ...

But ... I did use the -LIST option, and normally (for innocent ZIP
archives) I get the files listed, see below (and in my earlier post).

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

# In the example below, mimail is a copy of that virus; caraoke is a trojan
# that I trapped a week before mimail started, and has essentially the same
# structure; silly is an innocent(?) message.

$ f-prot silly virus/caraoke virus/mimail
Do: ~/nb/m/f-prot/f-prot/f-prot silly virus/caraoke virus/mimail -ai -archive -packed -list
Virus scanning report  -  5 August 2003 @ 14:25

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: silly virus/caraoke virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/silly->qs.zip->ip.gif
/usr/users/amstaff/psz/silly->qs.zip->qs.chm
/usr/users/amstaff/psz/virus/caraoke->readme.zip->readme.htm  is a security risk or a "backdoor" program
/usr/users/amstaff/psz/virus/caraoke
/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 6
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
$


Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-14 Thread Nick FitzGerald
[EMAIL PROTECTED] (Paul Szabo) wrote:

> >>I cannot see anything "special" in the MIME structure of Mimail that would
> >>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
> >>the ZIP that f-prot cannot unpack?).
> > 
> > I was told it's the encoding scheme in the .html file that's the problem. 
> > Currently the scanner does not support that type of encoding.
> 
> It seems to me that the HTML contains the binary EXE without any encoding:
> 
> $ cat -v message.html | fold | head -5
> MIME-Version: 1.0
> Content-Location:File://foo.exe

What's that then?

Moon dust

> Content-Transfer-Encoding: binary

Hm -- moon dust that thinks it's "binary encoded" even...

> [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
> PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@@[EMAIL 
> PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
> PROTECTED]@[EMAIL PROTECTED]@^@

Of course it is encoded.  The file you are looking at is an MHTML 
format file that just happens to include a copy of the viral EXE as a 
MIME component that is "binary encoded".  Sure there exists a "string" 
within the MHTML file that is a bit for bit copy of one instantiation 
of this virus, but it is not correct to say that the EXE is not 
encoded.

Of course, the simple-minded view of how virus scanners work ("grep on 
steroids") would suggest that even so, the scanner should find this 
virus in this file because whatever "signature" or "scan string" the 
scanner is looking for must, by definition, be present in this MHTML 
file form.  Of course, that ignores the horrendous performance penalty
-- not to mention the impossibility of reliably detecting polymorphic 
and metamorphic viruses and many types of malware that exist in 
complex, multi-component file formats that mean the same code can have 
different representations -- of such a scanner and that no useful 
product has worked like that for a decade or so.  The MIME "encoding" 
(the presence of the MIME headers at the top of the file) stops the 
scanner from seeing this as an EXE file, and quite rightly as it is not 
an EXE file.  In turn, that prevents the file being processed and 
scanned as if it were an EXE -- a huge performance improvement you 
silently thank your AV vendors for every time you click a link in your 
web browser...).

> Regardless, f-prot should list the ZIP attachment, and the files contained
> within the ZIP ...

I'm not sure I understand the comment or its relevance.  If F-PROT is 
not listing the ZIP file nor the HTML file it contains, that may be the 
result of some configuration option.  By default, F-PROT only lists 
"infected" files and as it is not "seeing" the EXE inside the MHTML 
(inside the ZIP attached to the Email message) I'm not sure I'd 
normally expect it to report the ZIP's presence unless some non-default 
logging options were enabled.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-10 Thread Nik Reiman
As previously noted, the problem here seems to be with the f-prot
binary, not the actual virus signatures/definitions.  Try upgrading
the f-prot package, and it'll probably work fine.

-Nik

[EMAIL PROTECTED] quoth:
> >>I cannot see anything "special" in the MIME structure of Mimail that would
> >>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
> >>the ZIP that f-prot cannot unpack?).
> > 
> > I was told it's the encoding scheme in the .html file that's the problem. 
> > Currently the scanner does not support that type of encoding.
> 
> It seems to me that the HTML contains the binary EXE without any encoding:
> 
> $ cat -v message.html | fold | head -5
> MIME-Version: 1.0
> Content-Location:File://foo.exe
> Content-Transfer-Encoding: binary
> 
> [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
> PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@@[EMAIL 
> PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
> PROTECTED]@[EMAIL PROTECTED]@^@
> 
> Regardless, f-prot should list the ZIP attachment, and the files contained
> within the ZIP ...
> 
> Cheers,
> 
> Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia

-- 
Nik Reiman // [EMAIL PROTECTED] \\ http://www.aboleo.net


Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-06 Thread Paul Szabo
Nik,

> As previously noted, the problem here seems to be with the f-prot
> binary, not the actual virus signatures/definitions. 

Yes, that is what I was saying.

> Try upgrading the f-prot package, and it'll probably work fine.

Done: there was a message yesterday on full-disclosure saying this has been
fixed.

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


Re: [Full-Disclosure] f-prot not catching mimail ? (now fixed)

2003-08-05 Thread Mike Tancsa
This is now fixed with an updated engine. I verified both with my Windows 
Desktop version as well with my FreeBSD version. This gets both versions of 
the virus I have found.

avscan1# f-prot *.zip
Virus scanning report  -  5 August 2003 @ 13:50
F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.4
VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 4 August 2003
MACRO.DEF created 4 August 2003
Search: message1.zip message4.zip new.zip
Action: Report only
Files: Attempt to identify files
Switches: 
/tmp/tmp2/message1.zip->message.html  Infection: W32/[EMAIL PROTECTED]
/tmp/tmp2/message4.zip->message.html  Infection: W32/[EMAIL PROTECTED]
/tmp/tmp2/new.zip->message1.zip  Not scanned (encrypted)
/tmp/tmp2/new.zip->message4.zip  Not scanned (encrypted)
Results of virus scanning:

Files: 3
MBRs: 0
Boot sectors: 0
Objects scanned: 4
Infected: 2
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00

At 07:35 AM 05/08/2003 +1000, Paul Szabo wrote:
>>>I cannot see anything "special" in the MIME structure of Mimail that would
>>>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
>>>the ZIP that f-prot cannot unpack?).
>>
>> I was told it's the encoding scheme in the .html file that's the problem.
>> Currently the scanner does not support that type of encoding.
>
> It seems to me that the HTML contains the binary EXE without any encoding:
>
> $ cat -v message.html | fold | head -5
> MIME-Version: 1.0
> Content-Location:File://foo.exe
> Content-Transfer-Encoding: binary
> [EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@^@
>
> Regardless, f-prot should list the ZIP attachment, and the files contained
> within the ZIP ...
>
> Cheers,
>
> Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
> School of Mathematics and Statistics  University of Sydney   2006  Australia


RE: [Full-Disclosure] f-prot not catching mimail ?

2003-08-05 Thread Aditya
hi all,

fprot is catching the virus all right, but only the exe file; then the virus signatures 
are only for the exe file and not for the zip or the htm - the only logical conclusion 
I could come to.

if you have f-prot on your desktop then you will catch the virus just before executing, 
and on the mailserver just add this address to the blocked senders list -

- hope that helped 

Aditya 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Szabo
Sent: Monday, August 04, 2003 3:07 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] f-prot not catching mimail ?


Mike Tancsa <[EMAIL PROTECTED]> wrote:

> I have a few copies of the mimail virus from yesterday that f-prot even 
> with its latest updates does not catch.  Both the Windows and FreeBSD versions 
> fail to identify the two main variants I have got sent my way.

I found the same lack of detection, on Linux.

Normally I save the suspect email message as a "UNIX mbox" file and feed
that to f-prot; it then finds the attached ZIP within, and the files
contained within the ZIP. However with Mimail, it does not detect the ZIP
within the message. If I unpack the ZIP from the message, then the HTM from
the ZIP, and finally the EXE from the HTM, then f-prot seems to skip all
those except for the EXE, which it detects correctly.

I cannot see anything "special" in the MIME structure of Mimail that would
cause f-prot to miss the ZIP attachment (or maybe it is the structure of
the ZIP that f-prot cannot unpack?).

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report  -  4 August 2003 @ 7:26

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.


Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-04 Thread Paul Szabo
>>I cannot see anything "special" in the MIME structure of Mimail that would
>>cause f-prot to miss the ZIP attachment (or maybe it is the structure of
>>the ZIP that f-prot cannot unpack?).
> 
> I was told it's the encoding scheme in the .html file that's the problem. 
> Currently the scanner does not support that type of encoding.

It seems to me that the HTML contains the binary EXE without any encoding:

$ cat -v message.html | fold | head -5
MIME-Version: 1.0
Content-Location:File://foo.exe
Content-Transfer-Encoding: binary

[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@^@

Regardless, f-prot should list the ZIP attachment, and the files contained
within the ZIP ...

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-04 Thread Mike Tancsa
At 07:37 AM 8/4/2003 +1000, Paul Szabo wrote:

> I cannot see anything "special" in the MIME structure of Mimail that would
> cause f-prot to miss the ZIP attachment (or maybe it is the structure of
> the ZIP that f-prot cannot unpack?).

I was told it's the encoding scheme in the .html file that's the problem. 
Currently the scanner does not support that type of encoding.

---Mike


Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                [EMAIL PROTECTED]
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike


Re: [Full-Disclosure] f-prot not catching mimail ?

2003-08-03 Thread Paul Szabo
Mike Tancsa <[EMAIL PROTECTED]> wrote:

> I have a few copies of the mimail virus from yesterday that f-prot even 
> with its latest updates does not catch.  Both the Windows and FreeBSD versions 
> fail to identify the two main variants I have got sent my way.

I found the same lack of detection, on Linux.

Normally I save the suspect email message as a "UNIX mbox" file and feed
that to f-prot; it then finds the attached ZIP within, and the files
contained within the ZIP. However with Mimail, it does not detect the ZIP
within the message. If I unpack the ZIP from the message, then the HTM from
the ZIP, and finally the EXE from the HTM, then f-prot seems to skip all
those except for the EXE, which it detects correctly.

I cannot see anything "special" in the MIME structure of Mimail that would
cause f-prot to miss the ZIP attachment (or maybe it is the structure of
the ZIP that f-prot cannot unpack?).

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


---

$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report  -  4 August 2003 @ 7:26

F-PROT ANTIVIRUS
Program version: 4.1.1
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 2 August 2003
MACRO.DEF created 28 July 2003

Search: virus/mimail
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE -PACKED -LIST -AI

/usr/users/amstaff/psz/virus/mimail

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.
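
The nesting Paul Szabo unpacks by hand above (message, ZIP, HTM, EXE) and Nick FitzGerald's point that the MIME headers stop the file being typed as an EXE, as an added Python example that is not code from any poster or from F-PROT: each layer is identified by its leading bytes and handed to the matching unpacker, with a depth bound and explicit reporting of encrypted ZIP members. The sample input, the 64-byte stub and the names `identify`, `walk` and `build_sample` are constructed for illustration.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

MAX_DEPTH = 8  # bound nesting so a crafted archive cannot recurse forever
HEADER_RE = re.compile(rb"[A-Za-z][A-Za-z0-9-]*:")  # "Name:" at offset 0

def identify(data):
    """Classify a byte string by its leading bytes only."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"From ") or HEADER_RE.match(data):
        return "mime"  # mbox separator or an RFC 822 style header block
    return "data"

def walk(name, data, depth=0):
    """Yield (path, kind) for an object and everything nested inside it."""
    kind = identify(data)
    yield name, kind
    if depth >= MAX_DEPTH:
        return
    if kind == "zip":
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return
        for info in zf.infolist():
            child = f"{name}->{info.filename}"
            if info.flag_bits & 0x1:  # encrypted member: report, do not guess
                yield child, "encrypted"
            else:
                yield from walk(child, zf.read(info), depth + 1)
    elif kind == "mime":
        if data.startswith(b"From "):  # drop the mbox separator line
            data = data.split(b"\n", 1)[-1]
        msg = email.message_from_bytes(data)
        for i, part in enumerate(msg.walk()):
            if part.is_multipart():
                continue
            label = (part.get_filename() or part.get("Content-Location")
                     or f"part{i}").rsplit("/", 1)[-1]
            body = part.get_payload(decode=True) or b""
            yield from walk(f"{name}->{label}", body, depth + 1)

def build_sample():
    """Constructed input: mbox message -> ZIP -> MIME-wrapped file -> stub."""
    stub = b"MZ\x90\x00" + b"\x00" * 60  # placeholder bytes, not a program
    mhtml = (b"MIME-Version: 1.0\n"
             b"Content-Location:File://foo.exe\n"
             b"Content-Transfer-Encoding: binary\n\n" + stub)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", mhtml)
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    sep = b"From sender@example.invalid Sat Aug  2 14:33:35 2003\n"
    return sep + msg.as_bytes(), mhtml

if __name__ == "__main__":
    mbox, mhtml = build_sample()
    print("leading bytes of message.html say:", identify(mhtml))
    for path, kind in walk("sample", mbox):
        print(path, kind)
```

The `->` paths mirror the notation in the F-PROT reports quoted in this thread; a walker without the MIME branch stops at `message.html` and never reaches the embedded object.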


RE: [Full-Disclosure] f-prot not catching mimail ?

2003-08-03 Thread Curt Purdy
As soon as I saw this email I terminaled into our SMTP server and saw
F-Secure grabbed the first mimail on July 27, a week ago.  The reason I was
so shocked by this email, is that in the 14 years I have been fighting
viruses, and have used everything, I saw multiple instances of Norton and
McAfee either not finding or not removing a virus.  But in all that time I
have never found one that got by F-Prot, then later F-Secure, which is why
it is the only AV we use from firewall to mail server to desktop.

If it sounds like I'm prejudiced, it's because I am.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mike Tancsa
Sent: Saturday, August 02, 2003 1:34 PM
To: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] f-prot not catching mimail ?



I have a few copies of the mimail virus from yesterday that f-prot even
with its latest updates does not catch.  Both the Windows and FreeBSD versions
fail to identify the two main variants I have got sent my way.

e.g.
avscan1% md5 *.DEF
MD5 (MACRO.DEF) = fc09bc864e62639bc3424e3425083421
MD5 (SIGN.DEF) = a5d8c14285b2c866e3261421f7f3a0d2
MD5 (SIGN2.DEF) = 12c403a108c398aeaca01a2a4da68de4
avscan1% f-prot -verno
F-PROT ANTIVIRUS
Program version: 4.1.0
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 1 August 2003
MACRO.DEF created 28 July 2003
avscan1%


avscan1% f-prot message*.html
Virus scanning report  -  2 August 2003 @ 14:29

F-PROT ANTIVIRUS
Program version: 4.1.0
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 1 August 2003
MACRO.DEF created 28 July 2003

Search: message.html message2.html
Action: Report only
Files: Attempt to identify files
Switches: 


Results of virus scanning:

Files: 2
MBRs: 0
Boot sectors: 0
Objects scanned: 0

Time: 0:00

No viruses or suspicious files/boot sectors were found.
avscan1% md5 message*.html
MD5 (message.html) = d1f0f5dd1f4ebbeebbd61e884ed1669c
MD5 (message2.html) = d7b72f9b8370aa3b132069a878b5b5c8
avscan1%

These are both caught by other scanners but passed by f-prot.  Anyone with
f-prot successfully identify this virus ?

avscan1% f-prot -virlist | grep -i mimail
[EMAIL PROTECTED]
JS/Mimail.dropper
avscan1%

I sent email yesterday about this to frisk, but just got a "we will submit
to the lab."  That was before their update so I wonder if they figure they
are covered.

---Mike

Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                [EMAIL PROTECTED]
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike
