Matt, thanks for the analysis. I would very much like to know what the additional load is on your server by setting PRESCAN to OFF. Please do post your results if you test this. I have had PRESCAN OFF for a few weeks now, and have not noticed much of an increase on my servers, but I was not near capacity anyway.
Bill

----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 10, 2004 11:41 AM
Subject: Re: [Declude.Virus] PRESCAN

> Greg,
>
> Plain text E-mail will not link in Outlook unless it appears as a URL
> that begins with "www", and that means that it is very unlikely that a
> successful exploit could be constructed in plain text as the infected
> computers won't have A records pointing at them that begin with "www".
>
> As far as links go of this variety, they would need to be embedded in
> text/html segments, and they would almost definitely come by way of a
> linked IP instead of using the FQDN of the exploited machine since many
> reverse DNS entries won't resolve to A records, and many computers don't
> have reverse DNS entries (primarily in other areas of the world). It is
> unfortunately possible that someone might get creative and use some
> reverse DNS entries, but that would be unnecessary if they are
> successful at this form of exploit by using just an IP. It seems like
> it would therefore be safe and prudent to simply expand PRESCAN to
> include messages that are linked with IPs, regardless of also having a
> port since that isn't necessary. This would only add a modicum of
> overhead related to the additional messages that might be sent to the
> virus scanner, and it would enable many of the phish attempts to be
> scanned as well without needing to scan everything since most phishing
> attempts make use of IPs in links these days (domains are generally
> quickly killed when used for phishing, but the IP will live as long as
> the host allows it).
>
> This is actually the second virus to have tried linking to the exploit
> that I am aware of. The first one was a Bagel variant if I recall
> correctly, but it used a known universe of about 500 hosts that were 99%
> removed by the various ISPs within 12 hours of the virus being
> detected, so this method was ineffective. It also was making use of an
> exploit that had been patched for almost a year, so it went nowhere.
>
> This virus was easy for me to block, though I might cause some false
> positives on discussions of the virus. If it came as an IP link, but
> without the fixed ports, I would have had to spend a lot more time
> coding something up to protect from this based on content, and as things
> stand, this will probably have to remain on my system for more than a
> year, and with other variants likely to come still. My second scanner
> is McAfee though, and turning PRESCAN OFF might soon become my only
> realistic choice. I'm going to guess that this might remove more than
> 25% of my system's capacity however, and that gets costly.
>
> Matt
>
>
> Greg Little wrote:
>
> > We are on exactly the same track.
> > If this kind of attack catches on, and the e-mail can look like almost
> > anything. Passing everything to the more CPU consuming AV engine may
> > be needed.
> > This attack will work just fine in a plain text (non-HTML) e-mail.
> > (Will the link work easy?)
> >
> > Greg
> >
> >
> > Matt wrote:
> >
> >> Maybe the new MyDoom virus suggests a change in the way that PRESCAN
> >> qualifies messages?
> >>
> >
> >
> > ---
> > [This E-mail scanned for viruses by Findlay Internet]
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.Virus mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.Virus". The archives can be found
> > at http://www.mail-archive.com.
> >
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
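The PRESCAN qualification Matt proposes in the quoted message (route a message to the full AV engine when a text/html part links to a raw IP, with or without a port) as an added illustration; this is example code written for this page, not Declude's own PRESCAN logic, and the regex, function names and sample messages are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Matches href/src attribute values in an HTML body (constructed for this example).
LINK_ATTR = re.compile(r'(?:href|src)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def link_hosts(html: str):
    """Yield the host part of every href/src URL found in an HTML body."""
    for url in LINK_ATTR.findall(html):
        if "//" not in url:
            url = "http://" + url          # scheme-less links still resolve in mail clients
        host = urlsplit(url).hostname      # drops userinfo and any explicit :port
        if host:
            yield host

def is_ip_literal(host: str) -> bool:
    """True when the link target is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))   # brackets wrap IPv6 literals in URLs
        return True
    except ValueError:
        return False

def needs_full_scan(raw_message: bytes) -> bool:
    """PRESCAN-style qualifier: True if any text/html part links to an IP literal.
    Plain-text parts are deliberately ignored, following the argument in the thread."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if any(is_ip_literal(h) for h in link_hosts(part.get_content())):
            return True
    return False

# Constructed sample messages (documentation addresses), not mail from the thread.
IP_LINK_MSG = b"""From: a@example.test\r
To: b@example.test\r
Subject: hi\r
Content-Type: text/html\r
\r
<html><body>see <a href="http://192.0.2.10:8080/x">this</a></body></html>\r
"""
NAME_LINK_MSG = b"""From: a@example.test\r
To: b@example.test\r
Subject: hi\r
Content-Type: text/html\r
\r
<html><body><a href="http://www.example.test/">site</a></body></html>\r
"""
```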
