[Mimedefang] patch to add blocking of encrypted email via uvscan

Michael Sofka sofkam at rpi.edu
Tue Dec 9 13:26:08 EST 2003


> > 	I understand, and the points you (and others) have raised are
> > valid. The breakdown I see is at the UI -- it's no longer a
> > point-n-click activation. Now it's point-n-click, re-read message,
> > type. (possibly lather/repeat steps 2 and 3, particularly for random
> > strings.) Moreover, even braindead unpatched lookOut clients won't be
> > able to auto-launch the content; there will be a requirement for user
> > interaction that goes well beyond the reflexive index finger on the
> > mousebutton. I think that's enough of a stumbling block that this
> > paradigm won't achieve critical mass.

Maybe, maybe not.  The Mimail-M virus only used the encryption for the
initial mass-mailing.  Once decrypted and run, it would spread via
an embedded SMTP engine with an unencrypted zip file attachment.  The
idea, apparently, being to get past the SMTP gateway, and spread more
rapidly once inside.

> I must note that Windows XP has a built-in un-zipper.  Drop a .zip archive
> to your hard drive on XP, and you can navigate it as you would a directory,
> in Windows Explorer.
>
> I'm not sure how this interacts with encryption though.  But it's food for
> thought - unzipping is becoming much easier for Joe User.

I do not know enough about windows to know if this is possible, but could
the attachment name include metadata (the stuff between the {}'s) which
provides the password?

If the virus provided its own encryption engine, it could seed it with
random passwords stored in a known offset, for example.  There have been
numerous viruses that try tricks like this, but the decryption engine
then becomes the signature.  Mimail-M was new in that the decryption
engine was provided by a third-party product, not sent as part of the
virus.

Mike
-- 
Michael D. Sofka              sofkam at rpi.edu
C&CT Sr. Systems Programmer    Email, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
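As an added example (not code from this thread, and not MIMEDefang's own Perl filter), a Python check that flags ZIP attachments whose members carry the PKZIP encryption flag, which is the condition a gateway would test for when blocking encrypted archives of the kind Mimail-M used. The MIME message and the archive are constructed inline; all function names are hypothetical.

```python
import io
import email
import zipfile
from email import policy
from email.message import EmailMessage

def zip_has_encrypted_member(data: bytes) -> bool:
    """True if any member has general-purpose flag bit 0 (PKZIP encryption) set.
    Only the central directory is read, so no password is needed to tell."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def encrypted_zip_attachments(raw: bytes) -> list:
    """Return filenames of attachments that are ZIPs with an encrypted member."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload[:2] == b"PK" and zip_has_encrypted_member(payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits

# --- constructed samples (hypothetical, for demonstration only) ---
def make_zip(name: str, content: bytes, encrypted_flag: bool) -> bytes:
    """Build a one-member stored ZIP; optionally set the encryption flag bit in
    the local header and central directory, as a password-protected archive has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        lh = data.find(b"PK\x03\x04")  # local file header: flags at offset 6
        cd = data.find(b"PK\x01\x02")  # central directory entry: flags at offset 8
        data[lh + 6] |= 0x01
        data[cd + 8] |= 0x01
    return bytes(data)

def make_message(zip_bytes: bytes, filename: str) -> bytes:
    """Wrap the archive in a minimal MIME message as a base64 attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

The flag check says nothing about the contents, so a gateway using it trades false positives on legitimate password-protected archives for not having to guess the password.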
