Don:

I don't know about "the best" but the de facto standard works great.  Get a 
bunch of *nix tools that have been ported to W32 here:

http://unxutils.sourceforge.net/

And get the up-to-date version of wget here:

http://xoomer.virgilio.it/hherold/#Files

With these, you don't need to run CygWin ports or the Microsoft Windows 
Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list 
users on to these a long time ago, and I'm still grateful to him.

I did some speed tests a long time ago, and found that the grep tool mentioned 
above was an order of magnitude faster than the find.exe that comes with 
Windows.

John T:

Sorry, you were probably viewing the output with NotePad.  I use a different 
editor that accommodates CR or CR/LF as the end-of-line sequence.  Good old edit 
and WordPad will do the trick.  So will using "less.exe" instead of piping to 
"more".

Markus:

Great tip, I just might make that part of my standard commands anyway.


Matt:

No problem, the .UU part of the search will also find all the lines that 
mention the .UUE format.


Andrew 8)




> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
> Sent: Wednesday, February 01, 2006 7:24 AM
> To: Markus Gufler
> Subject: Re: [Declude.Virus] Encoded viruses...worried
> 
> Off list - what grep do you use or which is the best for a W32 box?
> 
> 
> Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler 
> <[EMAIL PROTECTED]> wrote:
> 
> MG> I've grep'ed through the logfiles for the last 7 days on my servers
> 
> MG> 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME"
> MG> (ignoring double counts for the second av scanner)
> 
> MG> After filtering out all lines containing "Kapser" and "Mywife"
> MG> there remain the following 4 lines
> 
> MG> 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with
> MG> mismatched extensions [Attachments001.BHX-Removed Attachment.txt];
> MG> assuming .exe
> MG> 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with
> MG> mismatched extensions [Attachments00.HQX-Removed Attachment.txt];
> MG> assuming .exe
> MG> 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with
> MG> mismatched extensions [Attachments001.BHX-Removed Attachment.txt];
> MG> assuming .exe
> MG> 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle
> MG> of MIME segment [] [------=_NextPart_001_0008_01C6238B.B6472520]
> 
> MG> This looks very promising that declude is already handling it in
> MG> order to catch malicious code inside such attachments.
> 
> MG> Note: the 4th line is listed due to the "MIME"
> 
> MG> Markus
> 
> MG> From: [EMAIL PROTECTED] 
> MG> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> MG> Sent: Wednesday, February 01, 2006 3:19 PM
> MG> To: [email protected]
> MG> Subject: Re: [Declude.Virus] Encoded viruses...worried
> 
> MG> You know, I was going to ask if you would do a search, but I
> MG> figured you might do it anyway :)  You did leave out the ".uue"
> MG> extension, but I doubt that would have changed your results.
> 
> MG> I suppose that if these extensions are hardly ever used
> MG> anymore, it might be prudent enough to just watch for the
> MG> possibility of the tactic to become widespread and
> MG> then take action.
> 
> MG> I do have a fair number of Mac users and probably more
> MG> overseas traffic than you do, so I think that I am going to have
> MG> to search a little on my own.  Unfortunately I zip all of my
> MG> logs nightly, so it isn't practical to search through
> MG> all of them.
> 
> MG> Matt
> 
> MG> Colbeck, Andrew wrote: 
> 
> MG> On the plus side, there are mitigating circumstances...
> 
> MG> First, let me point out that although the antivirus
> MG> companies will lag behind the virus authors, the
> MG> antivirus guys aren't sleeping.
> 
> MG> For many years, the bad guys have been using encoding
> MG> methods and 3rd party applications to obfuscate their software
> MG> as a cheaper alternative on their time than writing
> MG> polymorphic code whose very technique gave them away.
> 
> MG> PKLite was probably the first 3rd party tool used.  I've
> MG> recently seen PAK, UPX and FSG... all three of which were
> MG> caught by F-Prot because the antivirus guys simply make signatures
> MG> for the binary itself, and don't bother including unpacking
> MG> methods for all possible compression/encryption methods.
> MG> This explains why we have relatively few upgrades on
> MG> the engines themselves.
> 
> MG> The F-Prot documentation mentions (I think) only zip
> MG> decoding, but we know that it certainly does UPX and RAR decoding
> MG> based on issues that have been raised with each (for the
> MG> former, pathetic speed and the former, a buffer overflow).
> 
> MG> If you want to see what your virMMDD.log might reveal
> MG> about this latest malware this month and what attachments
> MG> you're seeing anyway, try this:
> 
> MG> egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log
> 
> MG> (if you don't want the filename, stick a -h parameter and
> MG> a space before that first quotation mark)
> 
> MG> By doing this, against my virMMDD.log I just discovered
> MG> that F-Prot decodes BHX and HQX attachments too.
> 
> MG> By doing something similar against my nightly
> MG> virus-scan-the-spam-folder logs I also discovered that I have zero
> MG> non-viral messages using the unconventional attachment
> MG> formats in the last two months.  You can take that as an
> MG> indication that it's okay to ban those formats if you wish,
> MG> but I'll warn that I have a pretty homogeneous Windows
> MG> user base.
> 
> MG> .... and that's a wrap for tonight.
> 
> MG> Andrew 8)
> 
> MG> From: [EMAIL PROTECTED] 
> MG> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> MG> Sent: Tuesday, January 31, 2006 6:04 PM
> MG> To: [email protected]
> MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
> 
> MG> John, the other formats are common (or, were common) on
> MG> Macintosh and Unix based systems for binary attachments and for
> MG> attached messages.  Eudora for Windows used to expose several of
> MG> these formats for message construction.
> 
> MG> They've fallen into disuse in favour of MIME
> MG> attachments, but they are still extant.
> 
> MG> Blocking messages containing those attachment formats may
> MG> be reasonable for you if you're doing postmaster alerts and
> MG> can check whether you've found false positives.
> 
> MG> Like Matt, I'm somewhat worried that this technique will
> MG> become as common a nuisance as encrypted zips.  Until recently,
> MG> I've put my faith in the combination of Declude unpacking the
> MG> attachments (I've assumed MIME encoding only) and F-Prot's
> MG> packed and server options to otherwise do message
> MG> decoding before virus scanning.
> 
> MG> I've been watching for copies of Blackworm that might be
> MG> caught on my system so that I check if Declude+F-Prot would catch
> MG> these other packing formats, but no luck so far (or rather,
> MG> I've had the good luck to receive so few copies in
> MG> so few formats).
> 
> MG> Andrew 8)
> 
> MG> From: [EMAIL PROTECTED] 
> MG> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> MG> Sent: Tuesday, January 31, 2006 5:44 PM
> MG> To: [email protected]
> MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
> 
> MG> Actually, I am already blocking hqz and uue so I went
> MG> and added the others and will see what happens.
> 
> MG> John T
> MG> eServices For You
> 
> MG> "Seek, and ye shall find!"
> 
> MG> -----Original Message-----
> MG> From: [EMAIL PROTECTED]
> MG> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> MG> Sent: Tuesday, January 31, 2006 5:37 PM
> MG> To: [email protected]
> MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
> 
> MG> Matt, are you saying the attachment as Declude would see
> MG> it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
> MG> what harm would be in blocking those for now?
> 
> MG> John T
> MG> eServices For You
> 
> MG> "Seek, and ye shall find!"
> 
> MG> -----Original Message-----
> MG> From: [EMAIL PROTECTED] 
> MG> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> MG> Sent: Tuesday, January 31, 2006 4:50 PM
> MG> To: [email protected]
> MG> Subject: [Declude.Virus] Encoded viruses...worried
> 
> MG> Someone just reported to me that MyWife.d
> MG> (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd
> MG> of the month payload that will overwrite a bunch of
> MG> files.  It's really nasty.  More can be found at
> MG> these links:
> 
> MG> http://isc.sans.org/diary.php?storyid=1067
> MG> http://vil.nai.com/vil/content/v_138027.htm
> 
> MG> This started hitting my system on the 17th, possibly
> MG> seeded through Yahoo! Groups.  The problem is that it
> MG> often sent encoded attachments in BinHex (BHX, HQX),
> MG> Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME),
> MG> and I'm not sure that Declude is decoding all of these to
> MG> see what is inside.  For instance, I found that some BHX files
> MG> that clearly contained an executable payload showed up in my
> MG> Virus logs like so:
> 
> MG> 01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file:
> MG> [text/html][7bit; Length=1953 Checksum=154023]
> MG> 01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file:
> MG> Attachments001.BHX [base64; Length=134042 Checksum=8624521]
> 
> MG> There was no mention about the payload inside of it, and
> MG> there almost definitely was.  The same attachment name with
> MG> the same length was repeatedly detected as a virus later on that
> MG> day.  This likely was a PIF file inside, though it could
> MG> also have been a JPG according to the notes on this virus.  I, like
> MG> most of us here, don't allow PIFs to be sent through our system,
> MG> but when the PIF is encoded in at least BinHex format, it gets
> MG> past this type of protection.
> 
> MG> Here's the conundrum.  This mechanism could be exploited
> MG> just like the Zip files were by the Sober writers and
> MG> continually seeded, but instead of requiring some of us to at
> MG> least temporarily block Zips with executables inside, an
> MG> outbreak of continually seeded variants with executables
> MG> within one of these standard encoding mechanisms would
> MG> cause us to have to block all such encodings.  I
> MG> therefore think it would be prudent for Declude to
> MG> support banned extensions within any of these encoding mechanisms
> MG> if it doesn't already.  I readily admit that this could
> MG> be a lot of work, but it could be very bad if this
> MG> mechanism becomes more common.  This particular virus is
> MG> so destructive that a single copy could cause severe
> MG> damage to one's enterprise.  I cross my fingers hoping that
> MG> none of this would be necessary, but that's not enough to
> MG> be safe.
> 
> MG> Matt
> 
> 
> 
> ----
> Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
> [EMAIL PROTECTED]       http://www.inetconcepts.net
> (972) 788-2364                    Fax: (972) 788-5049
> ----
> 
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
> 
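As an added example (not code from this thread, from Declude or from F-Prot), here is the log triage Andrew and Markus describe, scripted in Python over constructed lines modelled on the virMMDD.log entries quoted above: Andrew's egrep pattern, Markus's filter for lines already naming a known detection, and a split between encoded attachments Declude decoded and typed ("mismatched extensions ... assuming .exe") versus ones it only logged as an opaque MIME part, which is the blind spot Matt worried about. It also shows why Markus's fourth hit appeared: the MIME boundary string ends in ".B6472520", which the unanchored pattern matches on ".B64", and a word-boundary version drops it; the "Virus found" line and report.pdf line are my own constructed shapes, not Declude's log formats.

```python
import re

# Constructed sample modelled on the virMMDD.log lines quoted in this thread.
# The "Virus found" and report.pdf lines are made-up shapes, not Declude formats.
SAMPLE_LOG = """\
01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 09:12:03 Q7741EFB6011C4F96 MIME file: report.pdf [base64; Length=22110 Checksum=9911]
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:09:00.000 q7553030601aaaaaa.smd Virus found in Attachments003.BHX: W32/Kapser.A
01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [------=_NextPart_001_0008_01C6238B.B6472520]
"""

LOOSE = re.compile(r"\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME")  # the egrep pattern from the thread
# Same extensions (plus .UUE), but the extension must end at a word boundary, so a
# MIME boundary such as "...01C6238B.B6472520" no longer matches on ".B64".
STRICT = re.compile(r"\.(BHX|HQX|B64|UUE?|MIM|MME)\b", re.IGNORECASE)
KNOWN = ("Kapser", "Mywife")  # detection names already explained, as in Markus's filter

MIME_FILE = re.compile(r"^\S+ \S+ (?P<qid>\S+) MIME file: (?P<name>\S+) \[(?P<enc>[^;]+);")
MISMATCH = re.compile(r"^\S+ \S+ (?P<qid>\S+) Found file with mismatched extensions "
                      r"\[(?P<name>[^\]]+)\]; assuming (?P<assumed>\S+)")

def matching_lines(log, pattern=LOOSE):
    """Lines naming one of the encoded attachment formats (what the egrep prints)."""
    return [ln for ln in log.splitlines() if pattern.search(ln)]

def unexplained(lines, known=KNOWN):
    """Drop lines that already carry a known detection name (case-insensitive here)."""
    return [ln for ln in lines if not any(k.lower() in ln.lower() for k in known)]

def triage(log):
    """One record per remaining hit: was the encoded attachment decoded and typed by
    the scanner ("decoded"), or only logged as an opaque MIME part ("opaque")?"""
    records = []
    for ln in unexplained(matching_lines(log, STRICT)):
        m = MISMATCH.match(ln)
        if m:
            records.append({"qid": m["qid"], "name": m["name"], "status": "decoded", "type": m["assumed"]})
            continue
        m = MIME_FILE.match(ln)
        if m:
            records.append({"qid": m["qid"], "name": m["name"], "status": "opaque", "type": m["enc"]})
            continue
        records.append({"qid": ln.split()[2], "name": None, "status": "unparsed", "type": None})
    return records

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

The "opaque" records are the ones worth a second look: an encoded attachment the scanner logged but did not decode and type.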