Welcome to SecurityForumz.com!

W32Bagle and password protected zip files?

 
Peter Sutter
(Msg. 1) Posted: Wed Mar 17, 2004 9:40 pm
Archived from groups: alt.comp.virus

I just got an e-mail containing the W32Bagle virus. What appears to be new
is that the actual virus is in a password protected zip file; the password
is attached as a separate .bmp file.

It was not detected by any of the antivirus software running here.

Question: Is it possible to actually detect the virus in a password
protected zip file? What if the password is changed? Two password protected
zip files have no resemblance to each other when one changes only a single
character of the password. And the anti virus program does not know the
password, so how can it uncompress the zip file and inspect its content?

Peter

Will Dormann
(Msg. 2) Posted: Wed Mar 17, 2004 9:40 pm

Peter Sutter wrote:
> Question: Is it possible to actually detect the virus in a password
> protected zip file? What if the password is changed? Two password protected
> zip files have no resemblance to each other when one changes only a single
> character of the password. And the anti virus program does not know the
> password, so how can it uncompress the zip file and inspect its content?


Using password protection is one way viruses such as Bagle can get by
virus protection at the MTA level. But once you attempt to open the
zip file and extract the contents, the AV software on your own machine
will pick it up. If you leave the zip file untouched, your AV
software won't pick it up (and the virus won't do any harm if it's left
alone in its zip "prison").


-WD

FromTheRafters
(Msg. 3) Posted: Wed Mar 17, 2004 9:40 pm

"Peter Sutter" <sutter_peter.RemoveThis@hotmail.com> wrote in message news:40585569$0$22528$5a62ac22@freenews.iinet.net.au...

> And the anti virus program does not know the
> password, so how can it uncompress the zip file and inspect its content?

If the AVs want to continue down this road, they will need
to add (bloat) some OCR (Optical Character Recognition)
capabilities to their software and feed the graphic file to it
to get a password to gain access to the malware itself. As
it stands now the passwords are easily brute forceable, but
who knows what is coming next.

...all this for e-mail scanning of malware several steps away
from even becoming a threat.

kurt wismer
(Msg. 4) Posted: Wed Mar 17, 2004 9:40 pm

Peter Sutter wrote:

> I just got an e-mail containing the W32Bagle virus. What appears to be new
> is that the actual virus is in a password protected zip file; the password
> is attached as a separate .bmp file.

saw that one coming... an email worm that uses captcha to prevent
automated extraction...

> It was not detected by any of the antivirus software running here.

wouldn't expect it to...

> Question: Is it possible to actually detect the virus in a password
> protected zip file?

without the password the anti-virus product can't extract the file in
order to scan it...

> What if the password is changed? Two password protected
> zip files have no resemblance to each other when one changes only a single
> character of the password. And the anti virus program does not know the
> password, so how can it uncompress the zip file and inspect its content?

generally speaking it can't... if the password is simple enough the
scanner might be able to brute force it, but that's about as good as it
gets...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

James Love
(Msg. 5) Posted: Wed Mar 17, 2004 9:40 pm

Hi Peter,

Did your AV prog detect it when you unzipped the file? If not, or if you
are not keen on unzipping the file, why not send the attachments to
your AV vendor's virus labs and ask them to check the file?

Cheers

James

Tech Zero
(Msg. 6) Posted: Wed Mar 17, 2004 9:40 pm

The voice of "Peter Sutter" drifted in on the cyber-winds,
from the sea of virtual chaos...

> I just got an e-mail containing the W32Bagle virus. What appears
> to be new is that the actual virus is in a password protected
> zip file; the password is attached as a separate .bmp file.

That's sort-of nasty...

> Question: Is it possible to actually detect the virus in a
> password protected zip file?
>
> What if the password is changed? Two password protected zip
> files have no resemblance to each other when one changes only
> a single character of the password. And the anti virus program
> does not know the password, so how can it uncompress the zip
> file and inspect its content?


Some AV software already has ways of dealing with this...
It's a simple matter to scan the email for the presence of a password to
use. In a worst case scenario, it could try every word in the email
within a few seconds on most PCs.

Ironically though, hiding the password in a graphic makes it easier to
detect the viral, not the reverse...

Detecting that variant would no longer mean unzipping the attachment,
but factoring in the high probability of a virus (i.e. having both ZIP
& BMP attachments) and then examining the graphic. There's a good
chance this variant uses a few canned graphics, so decompiling the
viral (maybe a simple res-edit) will reveal the limited # of graphics
used. Once that's found you can then find the viral by the fingerprint
of the attached graphic.

Send your find in... There's a good chance your vdata files will be
updated within a day to detect the trivial variant.

--
The Tech Zero, Maxwell C.G. Pollare
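The three positions taken so far in the thread can be tried out side by side: Will Dormann's (a gateway scanner cannot see inside an encrypted archive), kurt wismer's (a simple enough password can be brute-forced) and Tech Zero's (flag the ZIP-plus-BMP combination and try every word of the message as the password). The Python script below is an added example written for this page; it is not code from the thread or from any product named in it. Everything in it is constructed: the mail, the `price.zip` and `password.bmp` attachments, the harmless filler bytes standing in for the executable, and the password `47239`. Because the standard library can read but not write traditional ZipCrypto archives, the script carries its own small writer to build the sample. The triage side then shows what is readable without the password (entry names, sizes and the encryption bit sit unencrypted in the zip headers) and attempts recovery from the body text.

```python
import io
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage

# ZipCrypto (traditional PKWARE) writer, used only to build the constructed sample:
# the stdlib zipfile module can read such archives but cannot write them.
def _crc_entry(c):
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    return c

_CRC_TABLE = [_crc_entry(i) for i in range(256)]

def zipcrypto_encrypt(password, plaintext):
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(ch):  # key schedule advances on the password bytes, then on each plaintext byte
        keys[0] = (keys[0] >> 8) ^ _CRC_TABLE[(keys[0] ^ ch) & 0xFF]
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ _CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]
    for p in password:
        update(p)
    out = bytearray()
    for c in plaintext:
        k = keys[2] | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))  # keystream byte, then advance on plaintext
        update(c)
    return bytes(out)

def build_encrypted_zip(name, data, password):
    """One stored entry; name, sizes and the encryption flag (bit 0) stay in the clear."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte prefix: 11 filler bytes (random in real archives) + check byte (CRC high byte)
    body = zipcrypto_encrypt(password, bytes(11) + bytes([crc >> 24]) + data)
    t, d = (21 << 11) | (40 << 5), ((2004 - 1980) << 9) | (3 << 5) | 17  # DOS time/date
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, t, d,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, t, d,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

EXEC_NAME = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)

def inspect_zip(blob):
    """What a gateway can read without the password: entry names and the encryption bit."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = [(zi.filename, bool(zi.flag_bits & 1)) for zi in zf.infolist()]
    return {"entries": entries, "encrypted": any(e for _, e in entries),
            "executable_inside": any(EXEC_NAME.search(n) for n, _ in entries)}

def try_passwords(blob, candidates):
    """First candidate that decrypts the first entry (check byte and CRC both pass)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        first = zf.infolist()[0]
        for cand in candidates:
            try:
                with zf.open(first, pwd=cand.encode()) as fh:
                    fh.read()
                return cand
            except (RuntimeError, zipfile.BadZipFile):  # wrong password or CRC mismatch
                continue
    return None

def triage(msg):
    """Flag the zip-plus-bmp pattern; for an encrypted zip try every body word as password."""
    parts = {p.get_filename(): p.get_content() for p in msg.iter_attachments()}
    zips = {n: b for n, b in parts.items() if n.lower().endswith(".zip")}
    body = msg.get_body(preferencelist=("plain",)).get_content()
    words = list(dict.fromkeys(re.findall(r"[A-Za-z0-9]{3,32}", body)))
    report = {"zip_plus_bmp": bool(zips) and any(n.lower().endswith(".bmp") for n in parts),
              "zips": {}}
    for name, blob in zips.items():
        info = inspect_zip(blob)
        info["recovered_password"] = try_passwords(blob, words) if info["encrypted"] else None
        report["zips"][name] = info
    report["suspicious"] = report["zip_plus_bmp"] or any(
        z["encrypted"] and z["executable_inside"] for z in report["zips"].values())
    return report

def build_sample_message(password_in_body):
    """Constructed stand-in for the mail the thread describes; not a real Bagle sample."""
    zip_blob = build_encrypted_zip(b"price.exe", b"MZ harmless filler, not a program\n", b"47239")
    msg = EmailMessage()
    msg["Subject"] = "Re: Document"
    msg.set_content("See the attached archive. Password: "
                    + ("47239" if password_in_body else "shown in the picture"))
    msg.add_attachment(zip_blob, maintype="application", subtype="zip", filename="price.zip")
    msg.add_attachment(b"BM" + bytes(60), maintype="image", subtype="bmp",
                       filename="password.bmp")  # placeholder bytes, not a real bitmap
    return msg
```

`triage(build_sample_message(True))` recovers `47239` from the body and the payload could be handed to a scanner; `triage(build_sample_message(False))` models the variant in this thread, where the password is only in the picture: `recovered_password` stays `None`, yet the report is still marked suspicious on the zip-plus-bmp heuristic and on the `.exe` name visible in the unencrypted headers, which is the fallback Tech Zero describes.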

Peter Sutter
(Msg. 7) Posted: Wed Mar 17, 2004 11:03 pm

Thanks a lot,

null.DeleteThis@zilch.com wrote:


> So what av did alert, and which variant was identified? There are
> variants now being detected up in the n and p range at least. This
> sounds like one of these later variants.

No alerts at all.
>
> Check out the thread I started on 3-4 with subject Bagle and KAV.
> KAV reads the password in the email message body. It also makes a

The password is in a .bmp file stored as a bitmap. I can't see how this can
be 'decoded' easily unless one uses OCR software.

> As I said, there are different methods being used to alert on the zips
> themselves without unzipping. And there are methods of reading the
> passwords.

That would be some way to solve the problem, as no public/foreign keys are
exchanged, the password must somehow be in the zip file.
>
Thanks

Peter

Axel Pettinger
(Msg. 8) Posted: Wed Mar 17, 2004 11:03 pm

null.TakeThisOut@zilch.com wrote:
>
> It's encrypted, but I don't know of any av using brute force
> decryption to find the password.

About a week ago - at least the DOS version of - BitDefender
obviously tried brute force when it found a password protected zip
archive. I just checked it again, the scan of one password protected zip
archive ate memory, cpu and of course time. In the end - after 87
seconds - memory was too low, the scanner flooded my DOS box with
numbers and then terminated itself.

It seems they've dropped that "feature" now, because with the latest
update the same scan is finished after 1 second ...

Regards,
Axel Pettinger

Peter Sutter
(Msg. 9) Posted: Wed Mar 17, 2004 11:12 pm

Thanks for your reply, Will

Will Dormann wrote:

> Using password protection is one way viruses such as Bagle can get by
> virus protection at the MTA level. But once you attempt to open the
> zip file and extract the contents, the AV software on your own machine
> will pick it up. If you leave the zip file untouched, your AV
> software won't pick it up (and the virus won't do any harm if it's left
> alone in its zip "prison").
>
Yes, I manually unzipped the file and then the antivirus software detected
it easily.

I run in a homogeneous Linux environment here, so I am not really much
concerned about this.

However, I have some fears for some of my customers who run in a
heterogeneous Linux Server/Windows Clients environment. Under Linux, I had
to manually extract the zip file, but am uncertain of how Windows clients
will behave. I have no Windows box here to actually try it out but am
curious to know if clicking on either of the attachments will actually
activate the virus or if the same manual steps of unzipping and providing
the password are required in Windows. If this is so, it requires quite a
bit of stupidity of the user to do this, but in this world everything is
possible.

Thanks

Peter

Jack the Bear
(Msg. 10) Posted: Wed Mar 17, 2004 11:12 pm

"Peter Sutter" <sutter_peter RemoveThis @hotmail.com> wrote in message
news:40586b02$0$22511$5a62ac22@freenews.iinet.net.au...

[snip]

> However, I have some fears for some of my customers who run in a
> heterogeneous Linux Server/Windows Clients environment. Under Linux,
> I had to manually extract the zip file, but am uncertain of how Windows
> clients will behave.....

[snip]

Yes......

> the password are required in Windows. If this is so, it requires quite a
> bit of stupidity of the user to do this,

..... and that's exactly why these spread so well.


- Jack the Bear.

Will Dormann
(Msg. 11) Posted: Wed Mar 17, 2004 11:12 pm

Peter Sutter wrote:

> I have no Windows box here to actually try it out but am
> curious to know if clicking on either of the attachments will actually
> activate the virus or if the same manual steps of unzipping and providing
> the password are required in Windows. If this is so, it requires quite a
> bit of stupidity of the user to do this, but in this world everything is
> possible.


And that is why realtime AV protection is necessary. So what if they
open the zip, enter the password, and attempt to run the contents? The
AV software won't let the code execute.

-WD

FromTheRafters
(Msg. 12) Posted: Wed Mar 17, 2004 11:12 pm

"Peter Sutter" <sutter_peter.RemoveThis@hotmail.com> wrote in message news:40586b02$0$22511$5a62ac22@freenews.iinet.net.au...

> Under Linux, I had
> to manually extract the zip file, but am uncertain of how Windows clients
> will behave. I have no Windows box here to actually try it out but am
> curious to know if clicking on either of the attachments will actually
> activate the virus or if the same manual steps of unzipping and providing
> the password are required in Windows. If this is so, it requires quite a
> bit of stupidity of the user to do this, but in this world everything is
> possible.

If the social engineering aspect is sufficiently persuasive, then
there is no limit to what the user is willing to do to access the
file. To me, the more persuasive the SE seems to be, the more
suspect the attachment is. From what I've heard, XP makes it
easier to unzip archives - but they haven't subverted the archive
password protection - - yet.

Will Dormann
(Msg. 13) Posted: Wed Mar 17, 2004 11:12 pm

null.DeleteThis@zilch.com wrote:

> On Wed, 17 Mar 2004 15:36:57 GMT, Will Dormann
> <wdormann.DeleteThis@yahoo.com.invalid> wrote:
>
>
>>Peter Sutter wrote:
>>
>>
>>>I have no Windows box here to actually try it out but am
>>>curious to know if clicking on either of the attachments will actually
>>>activate the virus or if the same manual steps of unzipping and providing
>>>the password are required in Windows. If this is so, it requires quite a
>>>bit of stupidity of the user to do this, but in this world everything is
>>>possible.
>>
>>
>>And that is why realtime AV protection is necessary. So what if they
>>open the zip, enter the password, and attempt to run the contents? The
>>AV software won't let the code execute.
>
>
> Realtime av is unnecessary. Just unzip and scan on-demand.


And you think this is an appropriate policy for the end-user, who as
previously mentioned may be of questionable skill level?


-WD

Will Dormann
(Msg. 15) Posted: Wed Mar 17, 2004 11:12 pm

null DeleteThis @zilch.com wrote:

> On Wed, 17 Mar 2004 16:25:17 GMT, Will Dormann
> <wdormann DeleteThis @yahoo.com.invalid> wrote:
>
>
>>null@zilch.com wrote:
>>
>>
>>>On Wed, 17 Mar 2004 15:36:57 GMT, Will Dormann
>>><wdormann DeleteThis @yahoo.com.invalid> wrote:
>>>
>>>
>>>
>>>>Peter Sutter wrote:
>>>>
>>>>
>>>>
>>>>>I have no Windows box here to actually try it out but am
>>>>>curious to know if clicking on either of the attachments will actually
>>>>>activate the virus or if the same manual steps of unzipping and providing
>>>>>the password are required in Windows. If this is so, it requires quite a
>>>>>bit of stupidity of the user to do this, but in this world everything is
>>>>>possible.
>>>>
>>>>
>>>>And that is why realtime AV protection is necessary. So what if they
>>>>open the zip, enter the password, and attempt to run the contents? The
>>>>AV software won't let the code execute.
>>>
>>>
>>>Realtime av is unnecessary. Just unzip and scan on-demand.
>>
>>
>>And you think this is an appropriate policy for the end-user, who as
>>previously mentioned may be of questionable skill level?
>
>
> I took exception to your absolute statement that realtime av is
> necessary. In fact, users should be encouraged to delete all
> unsolicited attackments.


Not an absolute statement, but a recommendation for the OP's particular
situation, where he is talking about "customers" with "heterogeneous
Linux Server / Windows Clients environment". (I made the assumption
that he is a consultant for a company, or some similar situation)

Yes, user education is important. But let's be pragmatic here. There
will always be users that click whatever attachments come their way.
And thus the need for realtime AV protection.


-WD