Possibly yet another MS mail worm

Rubens Kuhl Jr. rubens at email.com
Mon Mar 1 02:32:17 UTC 2004



I'm not aware of any mail scanner that does this without running an external
anti-virus or something alike, although it is not that intensive to follow the
zip headers (as they already do with the MIME headers in order to drop
external attachments). Most scanners can accept an anti-virus plugin and
then scan inside zip files, but that requires more processing power, more
queue disk space, more RAM, more administration to update virus patterns,
and so on. The cost/benefit usually pays off, but more complexity means fewer
people will adopt the solution, thus making worm spreading easier.


Rubens
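To show how little work "following the zip headers" actually is, here is an added example (not code from the original post or from any of the scanners discussed): it reads only the archive's central directory, never decompressing anything, and reports member names whose extension a gateway would already refuse as a bare attachment. The extension list and the sample archive are constructed for the illustration.

```python
import io
import os
import struct
import zipfile

# Extensions a gateway would refuse as a bare attachment (illustrative list,
# not taken from the original post).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
EOCD = struct.Struct("<4sHHHHIIH")           # 22-byte end-of-central-directory record
CDIR = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte central directory file header


def zip_entry_names(data: bytes) -> list:
    """Return the member names of a zip blob by walking its central directory.

    Only fixed header fields are read, so the cost is a handful of struct
    unpacks per member rather than a decompression pass.
    """
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("not a zip archive (no end-of-central-directory record)")
    _, _disk, _cd_disk, _n_disk, n_total, _cd_size, cd_offset, _clen = EOCD.unpack_from(data, eocd_pos)
    names, pos = [], cd_offset
    for _ in range(n_total):
        fields = CDIR.unpack_from(data, pos)
        if fields[0] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        nlen, xlen, clen = fields[10], fields[11], fields[12]  # name, extra, comment lengths
        names.append(data[pos + 46:pos + 46 + nlen].decode("cp437", "replace"))
        pos += 46 + nlen + xlen + clen
    return names


def executables_in_zip(data: bytes) -> list:
    """Member names whose extension (case-insensitive) is on the block list."""
    return [n for n in zip_entry_names(data)
            if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless text file plus a randomly named .exe stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("dygfwefuih.exe", b"MZ" + b"\x00" * 64)  # just a name, not a program
    return buf.getvalue()


if __name__ == "__main__":
    print(executables_in_zip(build_sample_zip()))  # ['dygfwefuih.exe']
```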


----- Original Message ----- 
From: "Michael Wiacek" <lists at iroot.net>
To: "Rubens Kuhl Jr." <rubens at email.com>
Cc: "Todd Vierling" <tv at duh.org>; <nanog at merit.edu>
Sent: Sunday, February 29, 2004 11:16 PM
Subject: Re: Possibly yet another MS mail worm


> I believe the point is, your mail scanner should be able to
> scan something as simple as zip compressed attachments. If
> it can't, you may want to rethink which program you use.
> Most open source and commercial scanners can scan inside zip
> files.
>
> mike
>
> On Sat, 28 Feb 2004, Rubens Kuhl Jr. wrote:
>
> >
> > > It's annoying how easily these things spread even though they don't rely on
> > > a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so
> > > it requires opening the zipfile and then running the program inside it. Of
> > > course everyone will run it, even though it's named dygfwefuih.exe (random
> > > characters before .exe).  <grumble>
> >
> > Being in a zipfile is exactly why these things work: most mail systems
> > nowadays drop executable attachments without mercy, but a zipfile may be a
> > compressed document. Not every mail system screens incoming messages with
> > anti-virus.
> >
> > People writing these worms don't know just a bit about human behaviour; they
> > seem to keep up with trends in mail systems administration as well.
> >
> >
> > Rubens
> >