There is a free version of the Windows-based BareGrep at
http://www.baremetalsoft.com/baregrep/.  Runs through the logs pretty fast.

John C 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 9:24 AM
To: Markus Gufler
Subject: Re: [Declude.Virus] Encoded viruses...worried

Off list - what grep do you use or which is the best for a W32 box?


Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler <[EMAIL PROTECTED]>
wrote:
MG> I've grep'ed through the logfiles for the last 7 days on my servers
MG>
MG> 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME"
MG> (ignoring double counts for the second av scanner)
MG>
MG> After filtering out all lines containing "Kapser" and "Mywife"
MG> there remain the following 4 lines
MG>
MG> 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with
MG> mismatched extensions [Attachments001.BHX-Removed Attachment.txt];
MG> assuming .exe
MG> 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with
MG> mismatched extensions [Attachments00.HQX-Removed Attachment.txt];
MG> assuming .exe
MG> 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with
MG> mismatched extensions [Attachments001.BHX-Removed Attachment.txt];
MG> assuming .exe
MG> 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle
MG> of MIME segment [] [------=_NextPart_001_0008_01C6238B.B6472520]
MG>
MG> This looks very promising that declude is already handling it in
MG> order to catch malicious code inside such attachments.
MG>
MG> Note: the 4th line is listed due to the "MIME"
MG>
MG> Markus
MG>

MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
MG> Sent: Wednesday, February 01, 2006 3:19 PM
MG> To: Declude.Virus@declude.com
MG> Subject: Re: [Declude.Virus] Encoded viruses...worried

MG> You know, I was going to ask if you would do a search, but I
MG> figured you might do it anyway :)  You did leave out the ".uue"
MG> extension, but I doubt that would have changed your results.
MG>
MG> I suppose that if these extensions are hardly ever used
MG> anymore, it might be prudent enough to just watch for the
MG> possibility of the tactic to become widespread and then take action.
MG>
MG> I do have a fair number of Mac users and probably more
MG> overseas traffic than you do, so I think that I am going to have
MG> to search a little on my own.  Unfortunately I zip all of my
MG> logs nightly, so it isn't practical to search through all of them.
MG>
MG> Matt



MG> Colbeck, Andrew wrote:
MG>
MG> On the plus side, there are mitigating circumstances...
MG>
MG> First, let me point out that although the antivirus
MG> companies will lag behind the virus authors, the antivirus guys aren't
MG> sleeping.
MG>
MG> For many years, the bad guys have been using encoding
MG> methods and 3rd party applications to obfuscate their software
MG> as a cheaper alternative on their time than writing
MG> polymorphic code whose very technique gave them away.
MG>
MG> PKLite was probably the first 3rd party tool used.  I've
MG> recently seen PAK, UPX and FSG... all three of which were
MG> caught by F-Prot because the antivirus guys simply make signatures
MG> for the binary itself, and don't bother including unpacking
MG> methods for all possible compression/encryption methods.
MG> This explains why we have relatively few upgrades on the engines
MG> themselves.
MG>
MG> The F-Prot documentation mentions (I think) only zip
MG> decoding, but we know that it certainly does UPX and RAR decoding
MG> based on issues that have been raised with each (for the
MG> former, pathetic speed and the former, a buffer overflow).
MG>
MG> If you want to see what your virMMDD.log might reveal
MG> about this latest malware this month and what attachments you're seeing
MG> anyway, try this:
MG>
MG> egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log
MG>
MG> (if you don't want the filename, stick a -h parameter and
MG> a space before that first quotation mark)
MG>
MG> By doing this, against my virMMDD.log I just discovered
MG> that F-Prot decodes BHX and HQX attachments too.
MG>
MG> By doing something similar against my nightly
MG> virus-scan-the-spam-folder logs I also discovered that I have zero
MG> non-viral messages using the unconventional attachment
MG> formats in the last two months.  You can take that as an
MG> indication that it's okay to ban those formats if you wish,
MG> but I'll warn that I have a pretty homogeneous Windows user base.
MG>
MG> .... and that's a wrap for tonight.
MG>
MG> Andrew 8)
MG>

MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
MG> Sent: Tuesday, January 31, 2006 6:04 PM
MG> To: Declude.Virus@declude.com
MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
MG>
MG> John, the other formats are common (or, were common) on
MG> Macintosh and Unix based systems for binary attachments and for
MG> attached messages.  Eudora for Windows used to expose several of
MG> these formats for message construction.
MG>
MG> They've fallen into disuse in favour of MIME attachments, but
MG> they are still extant.
MG>
MG> Blocking messages containing those attachment formats may
MG> be reasonable for you if you're doing postmaster alerts and
MG> can check whether you've found false positives.
MG>
MG> Like Matt, I'm somewhat worried that this technique will
MG> become as common a nuisance as encrypted zips.  Until recently,
MG> I've put my faith in the combination of Declude unpacking the
MG> attachments (I've assumed MIME encoding only) and F-Prot's
MG> packed and server options to otherwise do message decoding before
MG> virus scanning.
MG>
MG> I've been watching for copies of Blackworm that might be
MG> caught on my system so that I check if Declude+F-Prot would catch
MG> these other packing formats, but no luck so far (or rather,
MG> I've had the good luck to receive so few copies in so few
MG> formats).
MG>
MG> Andrew 8)
MG>

MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
MG> Sent: Tuesday, January 31, 2006 5:44 PM
MG> To: Declude.Virus@declude.com
MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
MG>
MG> Actually, I am already blocking hqz and uue so I went
MG> and added the others and will see what happens.
MG>
MG> John T
MG> eServices For You
MG>
MG> "Seek, and ye shall find!"
MG>
MG> -----Original Message-----
MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
MG> Sent: Tuesday, January 31, 2006 5:37 PM
MG> To: Declude.Virus@declude.com
MG> Subject: RE: [Declude.Virus] Encoded viruses...worried
MG>
MG> Matt, are you saying the attachment as Declude would see
MG> it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so,
MG> what harm would be in blocking those for now?
MG>
MG> John T
MG> eServices For You
MG>
MG> "Seek, and ye shall find!"
MG>
MG> -----Original Message-----
MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED] On Behalf Of Matt
MG> Sent: Tuesday, January 31, 2006 4:50 PM
MG> To: Declude.Virus@declude.com
MG> Subject: [Declude.Virus] Encoded viruses...worried
MG>
MG> Someone just reported to me that MyWife.d
MG> (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd
MG> of the month payload that will overwrite a bunch of
MG> files.  It's really nasty.  More can be found at these links:

MG>     http://isc.sans.org/diary.php?storyid=1067
MG>     http://vil.nai.com/vil/content/v_138027.htm

MG> This started hitting my system on the 17th, possibly
MG> seeded through Yahoo! Groups.  The problem is that it
MG> often sent encoded attachments in BinHex (BHX, HQX),
MG> Base64 (B64), Uuencode (UU, UUE), and MIME (MIM, MME),
MG> and I'm not sure that Declude is decoding all of these to see what
MG> is inside.  For instance, I found that some BHX files that clearly
MG> contained an executable payload, showed up in my Virus logs like so:
MG>
MG> 01/16/2006 05:36:49 Q7741EFB6011C4F95 MIME file:
MG> [text/html][7bit; Length=1953 Checksum=154023]
MG> 01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file:
MG> Attachments001.BHX [base64; Length=134042 Checksum=8624521]
MG>
MG> There was no mention about the payload inside of it, and
MG> there almost definitely was.  The same attachment name with
MG> the same length was repeatedly detected as a virus later on that
MG> day.  This likely was a PIF file inside, though it could also have
MG> been a JPG according to the notes on this virus.  I, like most of us
MG> here, don't allow PIFs to be sent through our system, but when
MG> the PIF is encoded in at least BinHex format, it gets
MG> past this type of protection.
MG>
MG> Here's the conundrum.  This mechanism could be exploited
MG> just like the Zip files were by the Sober writers and
MG> continually seeded, but instead of requiring some of us to at
MG> least temporarily block Zips with executables inside, an
MG> outbreak of continually seeded variants with executables
MG> within one of these standard encoding mechanisms would
MG> cause us to have to block all such encodings.  I
MG> therefore think it would be prudent for Declude to
MG> support banned extensions within any of these encoding mechanisms
MG> if it doesn't already.  I readily admit that this could
MG> be a lot of work, but it could be very bad if this
MG> mechanism becomes more common.  This particular virus is
MG> so destructive that a single copy could cause severe
MG> damage to one's enterprise.  I cross my fingers hoping that
MG> none of this would be necessary, but that's not enough to be safe.
MG>
MG> Matt

----
Don Brown - Dallas, Texas USA     Internet Concepts, Inc.
[EMAIL PROTECTED]       http://www.inetconcepts.net
(972) 788-2364                    Fax: (972) 788-5049
----

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
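As an added example (not code from the thread, from Declude or from any of the posters), here is the log search Markus and Andrew describe, in Python rather than egrep: it counts hits per encoding extension, drops lines already attributed to the worm, and separately collects the lines that show Declude decoded the attachment before scanning. The sample log mixes lines quoted in the thread with constructed ones, and the Declude virMMDD.log line layout is assumed from those quoted lines.

```python
import re
from collections import Counter

# The legacy encodings discussed in the thread: Andrew's egrep alternation plus
# the ".uue" Matt notes was left out. The trailing \b keeps a MIME boundary
# such as "...01C6238B.B6472520" from matching as ".B64", which a bare
# "\.B64" does; that is how an unrelated warning line creeps into the count.
ENCODED_EXT = re.compile(r"\.(BHX|HQX|B64|UUE?|MIM|MME)\b", re.IGNORECASE)

# Detections already attributed to the worm are dropped, as in Markus's
# search, so only lines nobody has explained are left for a human to read.
KNOWN_NAMES = re.compile(r"Kapser|Mywife", re.IGNORECASE)

# Log text showing Declude looked inside the encoded blob before scanning.
DECODE_EVIDENCE = re.compile(r"mismatched extensions|EOF in middle of MIME segment")


def scan_vir_log(lines):
    """Summarise virMMDD.log lines that involve the encoded attachment formats:
    count per extension, the unexplained hits, and decode evidence."""
    summary = {"encoded_total": 0, "by_ext": Counter(),
               "unexplained": [], "decoded": []}
    for raw in lines:
        line = raw.rstrip()
        m = ENCODED_EXT.search(line)
        if m:
            summary["encoded_total"] += 1
            summary["by_ext"][m.group(1).upper()] += 1
            if not KNOWN_NAMES.search(line):
                summary["unexplained"].append(line)
        if DECODE_EVIDENCE.search(line):
            summary["decoded"].append(line)
    return summary


# Sample log: lines 1, 3, 4 and 5 are copied from the thread; lines 2 and 6 are
# constructed here to show a known-virus hit and a harmless attachment.
SAMPLE_LOG = [
    "01/16/2006 05:36:50 Q7741EFB6011C4F95 MIME file: Attachments001.BHX [base64; Length=134042 Checksum=8624521]",
    "01/17/2006 09:12:01.125 qconstructed000001.smd Virus found: W32/Kapser.A in Attachments001.BHX",
    "01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe",
    "01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe",
    "01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [------=_NextPart_001_0008_01C6238B.B6472520]",
    "01/28/2006 10:00:00.000 qconstructed000002.smd MIME file: report.pdf [base64; Length=5120 Checksum=42]",
]

if __name__ == "__main__":
    result = scan_vir_log(SAMPLE_LOG)
    print(result["encoded_total"], dict(result["by_ext"]))
    print("\n".join(result["unexplained"]))
```

Run it over real logs with `scan_vir_log(open("vir0125.log"))`; the "unexplained" list is what is left for manual review after the known worm is filtered out.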

