[Mimedefang] base64-encoded vbscript .hta file withself-extra cting embeddedvirus
Matthew.van.Eerde at hbinc.com
Matthew.van.Eerde at hbinc.com
Thu Jan 22 20:09:14 EST 2004
> I don't have any real expectation that Clam would be able to
> recognize this in its JS-hta-wrapped form, now that I understand
> it -- but I am interested in the idea that anyone can repackage an
> existing Trojan in this way and slip by most scanners.
>
> -royce
I have to disagree with "most" here - MimeDefang's default filter includes
hta in its list of bad extensions.
But it is a scary thought that viruses can encode themselves. hta-encoded
viruses are not particularly scary, but what about uber-common extensions
like .doc or .zip? If a virus spreads by .doc files, extension blocking is
useless. That's where virus definitions come in handy.
But what if a virus spreads in a .zip file? No problem, you might say.
Just have Clam unzip the file and scan the contents. This works most of the
time - provided the .zip in question is not encrypted!
Ah, you say - but if the .zip is encrypted, the user cannot open it either!
Well, maybe they can and maybe they can't. The message body could include
something like "Here's the pictures you wanted - the password to open the
attachment is SJKZUDJ" which would allow the user to open it.
Ah, you say - but the encrypted zip file would still have a constant binary
pattern, which could be added to the virus list and scanned for!
Would it? What if the virus, when it ran, picked a random password? And
encrypted itself with the new random password, rather than the one it
originally was opened with?
About the only thing I can think of is to allow an option to quarantine any
encrypted contents of an attached archive.
Matthew van Eerde
Software Engineer
Hispanic Business Inc.
HireDiversity.com
805.964.4554 x902
Matthew.van.Eerde at hbinc.com
http://www.hispanicbusiness.com
http://www.hirediversity.com
More information about the MIMEDefang
mailing list