



EXE/ZIP e-mail viruses (editorial)

Published: 2007-04-12
Last Updated: 2007-04-13 03:29:38 UTC
by Johannes Ullrich (Version: 2)
A quick (technical) update to this otherwise more "philosophical" diary: it's not that hard to figure out whether the content of an encrypted ZIP file is a .exe. The file names are not encrypted! So just run:
$ unzip -l patch-58214.zip
Archive:  patch-58214.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    40649  04-12-07 18:21   patch-58214.exe
 --------                   -------
    40649                   1 file

Or, a quick one-line shell script using 'zipinfo' to figure out if the zip file
contains an encrypted .exe (zipinfo marks an encrypted binary entry with an uppercase 'B'):

if zipinfo patch-58214.zip | grep -q 'BX.*\.exe' ; then echo 'encrypted executable'; fi

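The same check done programmatically, as an added example that is not part of the original diary: a mail-gateway-style filter that reads only the ZIP central directory (file names and flag bits are stored in clear there, whatever the entry's encryption) and flags executable entries. The build_zip helper and its sample archive are constructed here for illustration; the extra extensions beyond .exe are an assumption.

```python
import io
import struct
import zipfile
import zlib

# Extensions treated as executable. The diary talks about .exe; the
# others are an assumption added here for common Windows executables.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

def build_zip(entries):
    # Minimal ZIP writer for constructed samples: [(name, payload, encrypted)].
    # An 'encrypted' entry only sets general purpose flag bit 0 and carries an
    # opaque payload standing in for ciphertext; its name is still in clear.
    mtime = (18 << 11) | (21 << 5)                    # 18:21
    mdate = ((2007 - 1980) << 9) | (4 << 5) | 12      # 2007-04-12
    local, central = b"", b""
    for name, payload, encrypted in entries:
        flags = 0x0001 if encrypted else 0
        crc = 0 if encrypted else zlib.crc32(payload)
        nm = name.encode("ascii")
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, mtime,
                             mdate, crc, len(payload), len(payload),
                             len(nm), 0) + nm + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, mtime, mdate, crc, len(payload), len(payload),
                               len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd

def find_executables(zip_bytes):
    # Return [(name, encrypted)] for every executable-looking entry. Only the
    # central directory is parsed, so no password is needed: ZIP encryption
    # covers file contents, never file names.
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(EXEC_EXTENSIONS):
                findings.append((info.filename, bool(info.flag_bits & 0x1)))
    return findings

# Constructed sample: an encrypted .exe next to a plain text file.
SAMPLE = build_zip([("patch-58214.exe", b"\x00" * 52, True),
                    ("readme.txt", b"hello", False)])
```

Running find_executables(SAMPLE) reports the .exe as encrypted without ever touching its contents, which is all a mail filter needs in order to reject the message.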

Anyway, back to the editorial ;-)...
--------------------------------------------------------------------------------------


I label this diary "Editorial", as I would like to go beyond the plain facts of the recent set of "Storm"/"nuwar"/"zhelatin" viruses.

Remember Bagel? It was just a couple of years ago that a very similar set of viruses was making the rounds. Bagel arrived as a plain .exe, waiting for a gullible user to double-click and execute it. Later, very much like the new "Storm" virus, it used an encrypted ZIP file.

Back with Bagel, we managed to get a hold of some of the web logs from sites Bagel used to "call home". In analyzing these logs we found a large overlap in users infected by various Bagel variants. In short: The same users are getting infected over and over again by the "malware of the day".

I think these viruses offer a sad glimpse into the current state of Internet security. Not only have users still not learned to "never click on an executable"; network administrators have not learned to filter executables either. When was the last time you received a legitimate executable as an attachment? (NO! IE7.exe was not one of them!)

Lastly, "Storm" is yet another hint that current AV software is no longer an adequate means of protecting yourself from current and relevant threats. Subscription-based business models steer mainstream consumer anti-virus systems into a dead end of signature updates, an approach that hasn't worked at least since Zotob showed up.

As a reader of this post, you are unlikely to be able to do anything about the current sad state of anti-virus. But you may be able to block .exe files on your mail server. Don't ask me for subject or file names. Block executables!