With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him.
  
Well, I am grateful and frustrated at times, because it can do so much and I have such a hard time getting the results I want!

Bill,

As I recall, you were putting together a group of neat scripts to run against our logs. Did that ever happen and I missed it?  It sure would be helpful!

Thanks

-Nick
I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows.

John T:

Sorry, you were probably viewing the output with NotePad.  I use a different editor that accommodates CR or CR/LF as the end-of-line sequence.  Good old edit and WordPad will do the trick.  So will using "less.exe" instead of piping to "more".

Markus:

Great tip, I just might make that part of my standard commands anyway.


Matt:

No problem, the .UU part of the search will also find all the lines that mention the .UUE format.


Andrew 8)
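The log triage that Markus and Andrew describe in the quoted messages below (egrep the vir logs for the encoded-attachment extensions, then drop lines that already name a detection such as Kapser or Mywife), written out as an added Python example. This is not code from the thread or from Declude. The sample log lines are constructed to mirror the formats quoted below; the "F-Prot: Kapser.A ..." line is invented to stand in for a detection record; the tightened STRICT_RE pattern and the grouping of lines by queue id are assumptions of this example rather than anything the thread proposes; and triage is a hypothetical helper name.

```python
import re
from collections import Counter

# Extension alternation exactly as posted in the thread (case-sensitive; \.UU also matches .UUE).
THREAD_RE = re.compile(r"\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME")

# Tightened variant (assumption, not from the thread): case-insensitive, .UUE spelled
# out, and a word boundary after the extension so a substring such as ".B6472520"
# inside a MIME boundary string is no longer counted as a .B64 attachment.
STRICT_RE = re.compile(r"\.(BHX|HQX|B64|UUE|UU|MIM|MME)\b", re.IGNORECASE)

# Detection names Markus filtered out: a line naming them was already caught by an AV engine.
KNOWN_DETECTIONS = ("Kapser", "Mywife")

# Declude vir log shape seen in the thread: date, time (optionally with milliseconds),
# queue id, free text.
LOG_LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<qid>\S+) (?P<msg>.*)$"
)

# Constructed sample input modelled on the lines quoted in the thread.  The
# "F-Prot: Kapser.A ..." line is invented to stand in for a detection record and is
# not real Declude output.
SAMPLE_LOG = """\
01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 11:02:10 Q7741EFB6011C4FA2 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
01/16/2006 11:02:11 Q7741EFB6011C4FA2 F-Prot: Kapser.A detected, message quarantined
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [------=_NextPart_001_0008_01C6238B.B6472520]
01/28/2006 08:00:00 Q7741EFB6011C4FB0 MIME file: report.uue [7bit; Length=2048 Checksum=4321]
01/28/2006 08:00:01 Q7741EFB6011C4FB0 MIME file: invoice.pdf [base64; Length=9000 Checksum=8765]
"""


def parse_lines(log_text):
    """Yield (qid, msg) for every line that matches the Declude log shape."""
    for raw in log_text.splitlines():
        m = LOG_LINE_RE.match(raw)
        if m:
            yield m["qid"], m["msg"]


def triage(log_text, pattern=STRICT_RE):
    """Split encoded-attachment hits into already-detected vs needs-review.

    Markus filtered per line; this groups by queue id instead (an assumption),
    so an attachment line counts as covered when any other line for the same
    message names a known detection.
    """
    records = list(parse_lines(log_text))
    detected_qids = {
        qid for qid, msg in records if any(name in msg for name in KNOWN_DETECTIONS)
    }
    hits = []
    for qid, msg in records:
        m = pattern.search(msg)
        if m:
            hits.append({"qid": qid, "ext": m.group(0).upper(), "msg": msg})
    return {
        "already_detected": [h for h in hits if h["qid"] in detected_qids],
        "needs_review": [h for h in hits if h["qid"] not in detected_qids],
        "by_ext": dict(Counter(h["ext"] for h in hits)),
    }


if __name__ == "__main__":
    for label, pat in (("thread regex", THREAD_RE), ("strict regex", STRICT_RE)):
        result = triage(SAMPLE_LOG, pat)
        print(f"== {label}: {result['by_ext']}")
        for h in result["needs_review"]:
            print(f"REVIEW   {h['qid']} {h['ext']} :: {h['msg']}")
        for h in result["already_detected"]:
            print(f"DETECTED {h['qid']} {h['ext']}")
```

Running it with the thread's own alternation shows two things worth knowing before trusting the counts: the pattern is case-sensitive, so a lowercase "report.uue" is missed, and it is unanchored, so the ".B6472520" inside the MIME boundary of the quoted "EOF in middle of MIME segment" warning is counted as a .B64 attachment. STRICT_RE handles both, and the function returns both the covered and the uncovered hits so the remaining "needs review" lines are the ones to read by hand.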




  
-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 7:24 AM
To: Markus Gufler
Subject: Re: [Declude.Virus] Encoded viruses...worried

Off list - what grep do you use or which is the best for a W32 box?


Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler
<[EMAIL PROTECTED]> wrote:
MG> I've grep'ed through the logfiles for the last 7 days on my servers
MG>
MG> 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME"
MG> (ignoring double counts for the second av scanner)
MG>
MG> After filtering out all lines containing "Kapser" and "Mywife"
MG> there remain the following 4 lines:
MG>
MG> 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG> 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
MG> 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG> 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [------=_NextPart_001_0008_01C6238B.B6472520]
MG>
MG> This looks very promising: Declude is already handling it in
MG> order to catch malicious code inside such attachments.
MG>
MG> Note: the 4th line is listed due to the "MIME"
MG>
MG> Markus


MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
MG> Sent: Wednesday, February 01, 2006 3:19 PM
MG> To: [email protected]
MG> Subject: Re: [Declude.Virus] Encoded viruses...worried
MG>
MG> You know, I was going to ask if you would do a search, but I
MG> figured you might do it anyway :)  You did leave out the ".uue"
MG> extension, but I doubt that would have changed your results.
MG>
MG> I suppose that if these extensions are hardly ever used
MG> anymore, it might be prudent enough to just watch for the
MG> possibility of the tactic becoming widespread and then take action.
MG>
MG> I do have a fair number of Mac users and probably more
MG> overseas traffic than you do, so I think that I am going to have
MG> to search a little on my own.  Unfortunately I zip all of my
MG> logs nightly, so it isn't practical to search through all of them.
MG>
MG> Matt



MG> Colbeck, Andrew wrote:
MG>
MG> On the plus side, there are mitigating circumstances...
MG>
MG> First, let me point out that although the antivirus
MG> companies will lag behind the virus authors, the
MG> antivirus guys aren't sleeping.
MG>
MG> For many years, the bad guys have been using encoding
MG> methods and 3rd party applications to obfuscate their software
MG> as a cheaper alternative on their time than writing
MG> polymorphic code whose very technique gave them away.
MG>
MG> PKLite was probably the first 3rd party tool used.  I've
MG> recently seen PAK, UPX and FSG... all three of which were
MG> caught by F-Prot because the antivirus guys simply make signatures
MG> for the binary itself, and don't bother including unpacking
MG> methods for all possible compression/encryption methods.
MG> This explains why we have relatively few upgrades on
MG> the engines themselves.
MG>
MG> The F-Prot documentation mentions (I think) only zip
MG> decoding, but we know that it certainly does UPX and RAR decoding
MG> based on issues that have been raised with each (for the
MG> former, pathetic speed and the former, a buffer overflow).
MG>
MG> If you want to see what your virMMDD.log might reveal
MG> about this latest malware this month and what attachments
MG> you're seeing anyway, try this:
MG>
MG> egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log
MG>
MG> (if you don't want the filename, stick a -h parameter and
MG> a space before that first quotation mark)
MG>
MG> By doing this, against my virMMDD.log I just discovered
MG> that F-Prot decodes BHX and HQX attachments too.
MG>
MG> By doing something similar against my nightly
MG> virus-scan-the-spam-folder logs I also discovered that I have zero
MG> non-viral messages using the unconventional attachment
MG> formats in the last two months.  You can take that as an
MG> indication that it's okay to ban those formats if you wish,
MG> but I'll warn that I have a pretty homogeneous Windows
MG> user base.
MG>
MG> .... and that's a wrap for tonight.
MG>
MG> Andrew 8)

MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
MG> Sent: Tuesday, January 31, 2006 6:04 PM
MG> To: [email protected]
MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
MG>
MG> John, the other formats are common (or, were common) on
MG> Macintosh and Unix based systems for binary attachments and for
MG> attached messages.  Eudora for Windows used to expose several of
MG> these formats for message construction.
MG>
MG> They've fallen into disuse in favour of MIME attachments,
MG> but they are still extant.
MG>
MG> Blocking messages containing those attachment formats may
MG> be reasonable for you if you're doing postmaster alerts and
MG> can check whether you've found false positives.
MG>
MG> Like Matt, I'm somewhat worried that this technique will
MG> become as common a nuisance as encrypted zips.  Until recently,
MG> I've put my faith in the combination of Declude unpacking the
MG> attachments (I've assumed MIME encoding only) and F-Prot's
MG> packed and server options to otherwise do message
MG> decoding before virus scanning.
MG>
MG> I've been watching for copies of Blackworm that might be
MG> caught on my system so that I can check if Declude+F-Prot would catch
MG> these other packing formats, but no luck so far (or rather,
MG> I've had the good luck to receive so few copies in so few formats).
MG>
MG> Andrew 8)

MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
MG> Sent: Tuesday, January 31, 2006 5:44 PM
MG> To: [email protected]
MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
MG>
MG> Actually, I am already blocking hqz and uue so I went
MG> and added the others and will see what happens.
MG>
MG> John T
MG> eServices For You
MG>
MG> "Seek, and ye shall find!"
MG>
MG> -----Original Message-----
MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
MG> Sent: Tuesday, January 31, 2006 5:37 PM
MG> To: [email protected]
MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
MG>
MG> Matt, are you saying the attachment as Declude would see
MG> it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
MG> what harm would be in blocking those for now?
MG>
MG> John T
MG> eServices For You
MG>
MG> "Seek, and ye shall find!"
MG>
MG> -----Original Message-----
MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
MG> Sent: Tuesday, January 31, 2006 4:50 PM
MG> To: [email protected]
MG> Subject: [Declude.Virus] Encoded viruses...worried
MG>
MG> Someone just reported to me that MyWife.d
MG> (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd
MG> of the month payload that will overwrite a bunch of
MG> files.  It's really nasty.  More can be found at these links:
MG>
MG>     http://isc.sans.org/diary.php?storyid=1067
MG>     http://vil.nai.com/vil/content/v_138027.htm
MG>
MG> This started hitting my system on the 17th, possibly
MG> seeded through Yahoo! Groups.  The problem is that it
MG> often sent encoded attachments in BinHex (BHX, HQX),
MG> Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME),
MG> and I'm not sure that Declude is decoding all of these to see what
MG> is inside.  For instance, I found that some BHX files that clearly
MG> contained an executable payload showed up in my Virus logs like so:
MG>
MG> 01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file: [text/html][7bit; Length=1953 Checksum=154023]
MG> 01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]
MG>
MG> There was no mention about the payload inside of it, and
MG> there almost definitely was.  The same attachment name with
MG> the same length was repeatedly detected as a virus later on that
MG> day.  This likely was a PIF file inside, though it could also have
MG> been a JPG according to the notes on this virus.  I, like most of us
MG> here, don't allow PIFs to be sent through our system, but when
MG> the PIF is encoded in at least BinHex format, it gets
MG> past this type of protection.
MG>
MG> Here's the conundrum.  This mechanism could be exploited
MG> just like the Zip files were by the Sober writers and
MG> continually seeded, but instead of requiring some of us to at
MG> least temporarily block Zips with executables inside, an
MG> outbreak of continually seeded variants with executables
MG> within one of these standard encoding mechanisms would
MG> cause us to have to block all such encodings.  I
MG> therefore think it would be prudent for Declude to
MG> support banned extensions within any of these encoding mechanisms
MG> if it doesn't already.  I readily admit that this could
MG> be a lot of work, but it could be very bad if this
MG> mechanism becomes more common.  This particular virus is
MG> so destructive that a single copy could cause severe
MG> damage to one's enterprise.  I cross my fingers hoping that
MG> none of this would be necessary, but that's not enough to be safe.
MG>
MG> Matt


----
Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
[EMAIL PROTECTED]       http://www.inetconcepts.net
(972) 788-2364                    Fax: (972) 788-5049
----

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

    