RE: [Declude.Virus] Encoded viruses...worried
Andrew, the output ended up being 255 characters long and then wrapping. How do I do this so each find is on a separate line for reading? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, January 31, 2006 6:35 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried On the plus side, there are mitigating circumstances... First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfusticate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow). If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this: egrep \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME vir01??.log (if you don't want the filename, stick a -h parameter and a space before that first quotation mark) By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base. and that'sa wrapfor tonight. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, January 31, 2006 6:04 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blockingmessages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning. I've been watching for copies of Blackworm that might be caught on my system so that I check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats). Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, January 31, 2006 5:44 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried Actually, I am already blocking hqz and uue so I went and added the others and will see what happens. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, January 31, 2006 5:37 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, January 31, 2006 4:50 PM To: Declude.Virus@declude.com Subject: [Declude.Virus] Encoded viruses...worried Someone just reported to me that MyWife.d (McAfee)/Kapser.A (F-Prot)/Blackmal.E (Symantec)/etc., has a 3rd of the month payload that will overwrite a bunch of files. It's really nasty. More can be found at these links: http://isc.sans.org/diary.php?storyid=1067 http://vil.nai.com/vil/content/v_138027.htm This started hitting my
RE: [Declude.Virus] Encoded viruses...worried
for grep and epreg on windows machines use the switch -U to have correct line wraps Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)Sent: Wednesday, February 01, 2006 10:35 AMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] Encoded viruses...worried Andrew, the output ended up being 255 characters long and then wrapping. How do I do this so each find is on a separate line for reading? John T eServices For You "Seek, and ye shall find!" -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Tuesday, January 31, 2006 6:35 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] Encoded viruses...worried On the plus side, there are mitigating circumstances... First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfusticate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow). If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this: egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log (if you don't want the filename, stick a -h parameter and a space before that first quotation mark) By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base. and that'sa wrapfor tonight. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, AndrewSent: Tuesday, January 31, 2006 6:04 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] Encoded viruses...worried John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blockingmessages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning. I've been watching for copies of Blackworm that might be caught on my system so that I check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats). Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)Sent: Tuesday, January 31, 2006 5:44 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] Encoded viruses...worried Actually, I am already blocking hqz and uue so I went and added the others and will see what happens. John T eServices For You "Seek, and ye shall find!" -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)Sent: Tuesday, January 31, 2006 5:37 PMTo:
Re: [Declude.Virus] Encoded viruses...worried
You know, I was going to ask if you would do a search, but I figured you might do it anyway :) You did leave out the ".uue" extension, but I doubt that would have changed your results. I suppose that if these extensions aren't hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic to become widespread and then take action. I do have a fair number of Mac users and probably more overseas traffic that you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them. Matt Colbeck, Andrew wrote: On the plus side, there are mitigating circumstances... First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfusticate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow). If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this: egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log (if you don't want the filename, stick a -h parameter and a space before that first quotation mark) By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base. and that'sa wrapfor tonight. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Tuesday, January 31, 2006 6:04 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blockingmessages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude unpacking the attachments (I've assumed MIME encoding only) and F-Prot's packed and server options to otherwise do message decoding before virus scanning. I've been watching for copies of Blackworm that might be caught on my system so that I check if Declude+F-Prot would catch these other packing formats, but no luck so far (or rather, I've had the good luck to receive so few copies in so few formats). Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: Tuesday, January 31, 2006 5:44 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried Actually, I am already blocking hqz and uue so I went and added the others and will see what happens. John T eServices For You "Seek, and ye shall find!" -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: Tuesday, January 31, 2006 5:37 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried Matt, are you saying the attachment as Declude would see it is B64, UU, UUE, MIM, MME, BHX and HQX? If that is so, what harm would be in blocking those for now? John T eServices For You "Seek, and ye shall find!" -Original Message- From: [EMAIL
RE: [Declude.Virus] Encoded viruses...worried
I've grep'ed trough the logfiles for the last 7 days on my servers 2981 lines has sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" (ignoring double counts for the second av scanner) After filtering out all lines containing "Kapser" and "Mywife" there remains the following 4 lines 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520] This looks very promising that declude is already handling it in order to catch malicious code inside such attachments. Note: the 4.th line is listed due the "MIME" Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Wednesday, February 01, 2006 3:19 PMTo: Declude.Virus@declude.comSubject: Re: [Declude.Virus] Encoded viruses...worried You know, I was going to ask if you would do a search, but I figured you might do it anyway :) You did leave out the ".uue" extension, but I doubt that would have changed your results.I suppose that if these extensions aren't hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic to become widespread and then take action.I do have a fair number of Mac users and probably more overseas traffic that you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them.MattColbeck, Andrew wrote: On the plus side, there are mitigating circumstances... First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfusticate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow). If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this: egrep "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" vir01??.log (if you don't want the filename, stick a -h parameter and a space before that first quotation mark) By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base. and that'sa wrapfor tonight. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, AndrewSent: Tuesday, January 31, 2006 6:04 PMTo: Declude.Virus@declude.comSubject: RE: [Declude.Virus] Encoded viruses...worried John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blockingmessages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like Matt, I'm somewhat worried that this technique will become as common a nuisance as encrypted zips. Until recently, I've put my faith in the combination of Declude
Re: [Declude.Virus] Encoded viruses...worried
Off list - what grep do you use or which is the best for a W32 box? Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler [EMAIL PROTECTED] wrote: MG MG MG I've grep'ed trough the logfiles for the last 7 days on my servers MG MG MG MG 2981 lines has sources of \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME MG (ignoring double counts for the second av scanner) MG MG MG MG After filtering out all lines containing Kapser and Mywife MG there remains the following 4 lines MG MG MG MG 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe MG 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with MG mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe MG 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe MG 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in MG middle of MIME segment [] MG [--=_NextPart_001_0008_01C6238B.B6472520] MG MG MG MG This looks very promising that declude is already handling it in MG order to catch malicious code inside such attachments. MG MG Note: the 4.th line is listed due the MIME MG MG MG MG Markus MG MG MG MG MG MG MG MG MG From: [EMAIL PROTECTED] MG [mailto:[EMAIL PROTECTED] On Behalf Of Matt MG Sent: Wednesday, February 01, 2006 3:19 PM MG To: Declude.Virus@declude.com MG Subject: Re: [Declude.Virus] Encodedviruses...worried MG MG You know, I was going to ask if you would do a search, but I MG figured you might do it anyway :) You did leave out the .uue MG extension, but I doubt that would have changed your results. MG I supposethat if these extensions aren't hardly ever used MG anymore, it might be prudentenough to just watch for the MG possibility of the tactic to become widespreadand then take action. MG I do have a fair number of Mac users and probablymore MG overseas traffic that you do, so I think that I am going to have MG tosearch a little on my own. Unfortunately I zip all of my MG logs nightly,so it isn't practical to search through all ofthem. MG Matt MG Colbeck, Andrew wrote: MG MG On the plus side, there are mitigating circumstances... MG MG First, let me point out that although the antivirus MG companies will lag behind the virus authors, the antivirus guys aren't sleeping. MG MG For many years, the bad guys have been using encoding MG methods and 3rd party applications to obfusticate their software MG as a cheaper alternative on their time than writing MG polymorphic code whose very technique gave them away. MG MG PKLite was probably the first 3rd party tool used. I've MG recently seen PAK, UPX and FSG... all three of which were MG caught by F-Prot because the antivirus guys simply make signatures MG for the binary itself, and don't bother including unpacking MG methods for all possible compression/encryption methods. MG This explains why we have relatively few upgrades on the engines themselves. MG MG The F-Prot documentation mentions (I think) only zip MG decoding, but we know that it certainly does UPX and RAR decoding MG based on issues that have been raised with each (for the MG former, pathetic speed and the former, a buffer overflow). MG MG If you want to see what your virMMDD.log might reveal MG about this latest malware this month and what attachments you're seeing anyway, try this: MG MG egrep \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME vir01??.log MG MG (if you don't want the filename, stick a -h parameter and MG a space before that first quotation mark) MG MG By doing this, against my virMMDD.log I just discovered MG that F-Prot decodes BHX and HQX attachments too. MG MG By doing something similar against my nightly MG virus-scan-the-spam-folder logs I also discovered that I have zero MG non-viral messages using the unconventional attachment MG formats in the last two months. You can take that as an MG indication that it's okay to ban those formats if you wish, MG but I'll warn that I have a pretty homogeneous Windows user base. MG MG and that's a wrap for tonight. MG MG Andrew 8) MG MG MG MG MG From: [EMAIL PROTECTED] MG [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew MG Sent: Tuesday, January 31,2006 6:04 PM MG To: Declude.Virus@declude.com MG Subject: RE: [Declude.Virus] Encoded viruses...worried MG MG John, the other formats are common (or, were common)on MG Macintosh and Unix based systems for binary attachments and for MG attached messages. Eudora for Windows used to expose several of MG these formats for message construction. MG MG MG
RE: [Declude.Virus] Encoded viruses...worried
There is a free version of Windows based Baregrep at http://www.baremetalsoft.com/baregrep/. Runs through the logs pretty fast. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown Sent: Wednesday, February 01, 2006 9:24 AM To: Markus Gufler Subject: Re: [Declude.Virus] Encoded viruses...worried Off list - what grep do you use or which is the best for a W32 box? Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler [EMAIL PROTECTED] wrote: MG MG MG I've grep'ed trough the logfiles for the last 7 days on my servers MG MG MG MG 2981 lines has sources of \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME MG (ignoring double counts for the second av scanner) MG MG MG MG After filtering out all lines containing Kapser and Mywife MG there remains the following 4 lines MG MG MG MG 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; MG assuming .exe MG 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with MG mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; MG assuming .exe MG 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; MG assuming .exe MG 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle MG of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520] MG MG MG MG This looks very promising that declude is already handling it in MG order to catch malicious code inside such attachments. MG MG Note: the 4.th line is listed due the MIME MG MG MG MG Markus MG MG MG MG MG MG MG MG MG From: [EMAIL PROTECTED] MG [mailto:[EMAIL PROTECTED] On Behalf Of Matt MG Sent: Wednesday, February 01, 2006 3:19 PM MG To: Declude.Virus@declude.com MG Subject: Re: [Declude.Virus] Encodedviruses...worried MG MG You know, I was going to ask if you would do a search, but I MG figured you might do it anyway :) You did leave out the .uue MG extension, but I doubt that would have changed your results. MG I supposethat if these extensions aren't hardly ever used MG anymore, it might be prudentenough to just watch for the MG possibility of the tactic to become widespreadand then take action. MG I do have a fair number of Mac users and probablymore MG overseas traffic that you do, so I think that I am going to have MG tosearch a little on my own. Unfortunately I zip all of my MG logs nightly,so it isn't practical to search through all ofthem. MG Matt MG Colbeck, Andrew wrote: MG MG On the plus side, there are mitigating circumstances... MG MG First, let me point out that although the antivirus MG companies will lag behind the virus authors, the antivirus guys aren't sleeping. MG MG For many years, the bad guys have been using encoding MG methods and 3rd party applications to obfusticate their software MG as a cheaper alternative on their time than writing MG polymorphic code whose very technique gave them away. MG MG PKLite was probably the first 3rd party tool used. I've MG recently seen PAK, UPX and FSG... all three of which were MG caught by F-Prot because the antivirus guys simply make signatures MG for the binary itself, and don't bother including unpacking MG methods for all possible compression/encryption methods. MG This explains why we have relatively few upgrades on the engines themselves. MG MG The F-Prot documentation mentions (I think) only zip MG decoding, but we know that it certainly does UPX and RAR decoding MG based on issues that have been raised with each (for the MG former, pathetic speed and the former, a buffer overflow). MG MG If you want to see what your virMMDD.log might reveal MG about this latest malware this month and what attachments you're seeing anyway, try this: MG MG egrep \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME vir01??.log MG MG (if you don't want the filename, stick a -h parameter and MG a space before that first quotation mark) MG MG By doing this, against my virMMDD.log I just discovered MG that F-Prot decodes BHX and HQX attachments too. MG MG By doing something similar against my nightly MG virus-scan-the-spam-folder logs I also discovered that I have zero MG non-viral messages using the unconventional attachment MG formats in the last two months. You can take that as an MG indication that it's okay to ban those formats if you wish, MG but I'll warn that I have a pretty homogeneous Windows user base. MG MG and that's a wrap for tonight. MG MG Andrew 8) MG MG MG MG MG From: [EMAIL PROTECTED] MG [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew MG Sent: Tuesday, January 31,2006 6:04 PM MG To:
RE: [Declude.Virus] Encoded viruses...worried
Don: I don't know about the best but the de facto standard works great. Get a bunch of *nix tools that have been ported to W32 here: http://unxutils.sourceforge.net/ And get the up-to-date version of wget here: http://xoomer.virgilio.it/hherold/#Files With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him. I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows. John T: Sorry, you were probably viewing the output with NotePad. I use a different editor that accomodates CR or CR/LF as the end-of-line sequence. Good old edit and WordPad will do the trick. So will using less.exe instead of piping to more. Markus: Great tip, I just might make that part of my standard commands anyway. Matt: No problem, the .UU part of the search will also find all the lines that mention the .UUE format. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown Sent: Wednesday, February 01, 2006 7:24 AM To: Markus Gufler Subject: Re: [Declude.Virus] Encoded viruses...worried Off list - what grep do you use or which is the best for a W32 box? Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler [EMAIL PROTECTED] wrote: MG MG MG I've grep'ed trough the logfiles for the last 7 days on my servers MG MG MG MG 2981 lines has sources of \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME MG (ignoring double counts for the second av scanner) MG MG MG MG After filtering out all lines containing Kapser and Mywife MG there remains the following 4 lines MG MG MG MG 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; MG assuming .exe MG 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with MG mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; MG assuming .exe MG 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; MG assuming .exe MG 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle MG of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520] MG MG MG MG This looks very promising that declude is already handling it in MG order to catch malicious code inside such attachments. MG MG Note: the 4.th line is listed due the MIME MG MG MG MG Markus MG MG MG MG MG MG MG MG MG From: [EMAIL PROTECTED] MG [mailto:[EMAIL PROTECTED] On Behalf Of Matt MG Sent: Wednesday, February 01, 2006 3:19 PM MG To: Declude.Virus@declude.com MG Subject: Re: [Declude.Virus] Encodedviruses...worried MG MG You know, I was going to ask if you would do a search, but I MG figured you might do it anyway :) You did leave out the .uue MG extension, but I doubt that would have changed your results. MG I supposethat if these extensions aren't hardly ever used MG anymore, it might be prudentenough to just watch for the MG possibility of the tactic to become widespreadand then take action. MG I do have a fair number of Mac users and probablymore MG overseas traffic that you do, so I think that I am going to have MG tosearch a little on my own. Unfortunately I zip all of my MG logs nightly,so it isn't practical to search through all ofthem. MG Matt MG Colbeck, Andrew wrote: MG MG On the plus side, there are mitigating circumstances... MG MG First, let me point out that although the antivirus MG companies will lag behind the virus authors, the antivirus guys aren't sleeping. MG MG For many years, the bad guys have been using encoding MG methods and 3rd party applications to obfusticate their software MG as a cheaper alternative on their time than writing MG polymorphic code whose very technique gave them away. MG MG PKLite was probably the first 3rd party tool used. I've MG recently seen PAK, UPX and FSG... all three of which were MG caught by F-Prot because the antivirus guys simply make signatures MG for the binary itself, and don't bother including unpacking MG methods for all possible compression/encryption methods. MG This explains why we have relatively few upgrades on the engines themselves. MG MG The F-Prot documentation mentions (I think) only zip MG decoding, but we know that it certainly does UPX and RAR decoding MG based on issues that have been raised with each (for the MG former, pathetic speed and the former, a buffer overflow). MG MG If you want to see what
Re: [Declude.Virus] Encoded viruses...worried topic change - to Bill Landry
With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him. Well I am grateful and frustrated at times- because it can do so much and I have such hard time getting the results I want! Bill, As I recall you were putting together a group of neat scripts to run against our logs - did that ever happen and I missed it? It sure would be helpful... ! Thanks -Nick I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows. John T: Sorry, you were probably viewing the output with NotePad. I use a different editor that accomodates CR or CR/LF as the end-of-line sequence. Good old edit and WordPad will do the trick. So will using "less.exe" instead of piping to "more". Markus: Great tip, I just might make that part of my standard commands anyway. Matt: No problem, the .UU part of the search will also find all the lines that mention the .UUE format. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown Sent: Wednesday, February 01, 2006 7:24 AM To: Markus Gufler Subject: Re: [Declude.Virus] Encoded viruses...worried Off list - what grep do you use or which is the best for a W32 box? Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler [EMAIL PROTECTED] wrote: MG MG MG I've grep'ed trough the logfiles for the last 7 days on my servers MG MG MG MG 2981 lines has sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME" MG (ignoring double counts for the second av scanner) MG MG MG MG After filtering out all lines containing "Kapser" and "Mywife" MG there remains the following 4 lines MG MG MG MG 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; MG assuming .exe MG 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with MG mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; MG assuming .exe MG 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with MG mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; MG assuming .exe MG 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle MG of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520] MG MG MG MG This looks very promising that declude is already handling it in MG order to catch malicious code inside such attachments. MG MG Note: the 4.th line is listed due the "MIME" MG MG MG MG Markus MG MG MG MG MG MG MG MG MG From: [EMAIL PROTECTED] MG [mailto:[EMAIL PROTECTED]] On Behalf Of Matt MG Sent: Wednesday, February 01, 2006 3:19 PM MG To: Declude.Virus@declude.com MG Subject: Re: [Declude.Virus] Encodedviruses...worried MG MG You know, I was going to ask if you would do a search, but I MG figured you might do it anyway :) You did leave out the ".uue" MG extension, but I doubt that would have changed your results. MG I supposethat if these extensions aren't hardly ever used MG anymore, it might be prudentenough to just watch for the MG possibility of the tactic to become widespreadand then take action. MG I do have a fair number of Mac users and probablymore MG overseas traffic that you do, so I think that I am going to have MG tosearch a little on my own. Unfortunately I zip all of my MG logs nightly,so it isn't practical to search through all ofthem. MG Matt MG Colbeck, Andrew wrote: MG MG On the plus side, there are mitigating circumstances... MG MG First, let me point out that although the antivirus MG companies will lag behind the virus authors, the antivirus guys aren't sleeping. MG MG For many years, the bad guys have been using encoding MG methods and 3rd party applications to obfusticate their software MG as a cheaper alternative on their time than writing MG polymorphic code whose very technique gave them away. MG MG PKLite was probably the first 3rd party tool used. I've MG recently seen PAK, UPX and FSG... all three of which were MG caught by F-Prot because the antivirus guys simply make signatures MG for the binary itself, and don't bother including unpacking MG methods for all possible compression/encryption methods. MG This explains why we have relatively few upgrades on the engines themselves. MG MG The F-Prot documentation mentions (I think) only zip MG decoding, but we know that it certainly does UPX and RAR decoding MG based on issues that have been raised with each (for the MG former, pathetic speed and the former, a buffer overflow). MG MG If you want to see what your virMMDD.log might reveal MG about this latest
Re: [Declude.Virus] Encoded viruses...worried topic change - to Bill Landry
Excellent. Thanks Bill - -Nick Bill Landry wrote: Nick, I put this together quite some time ago and have sent it to people upon request. Hopefully posting it here will make it more widely accessible. At least it can point you to some tutorials and give you a sampling of how the tools can be used and maybe will inspire others to create some cool scripts that they would be willing to share with others on the list. Bill - Original Message - From: Nick Hayer Well I am grateful and frustrated at times- because it can do so much and I have such hard time getting the results I want! Bill, As I recall you were putting together a group of neat scripts to run against our logs - did that ever happen and I missed it? It sure would be helpful... ! Thanks -Nick
RE: [Declude.Virus] Encoded viruses...worried
Did a search on all logs for January. Found 337 hits, all HQX files. All but 2 were viruses, and those 2 had suspicious looking from addresses and I am assuming were unviable corrupt versions of viruses. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Wednesday, February 01, 2006 6:40 AM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried I've grep'ed trough the logfiles for the last 7 days on my servers 2981 lines has sources of \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME (ignoring double counts for the second av scanner) After filtering out all lines containing Kapser and Mywife there remains the following 4 lines 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520] This looks very promising that declude is already handling it in order to catch malicious code inside such attachments. Note: the 4.th line is listed due the MIME Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, February 01, 2006 3:19 PM To: Declude.Virus@declude.com Subject: Re: [Declude.Virus] Encoded viruses...worried You know, I was going to ask if you would do a search, but I figured you might do it anyway :) You did leave out the .uue extension, but I doubt that would have changed your results. I suppose that if these extensions aren't hardly ever used anymore, it might be prudent enough to just watch for the possibility of the tactic to become widespread and then take action. I do have a fair number of Mac users and probably more overseas traffic that you do, so I think that I am going to have to search a little on my own. Unfortunately I zip all of my logs nightly, so it isn't practical to search through all of them. Matt Colbeck, Andrew wrote: On the plus side, there are mitigating circumstances... First, let me point out that although the antivirus companies will lag behind the virus authors, the antivirus guys aren't sleeping. For many years, the bad guys have been using encoding methods and 3rd party applications to obfusticate their software as a cheaper alternative on their time than writing polymorphic code whose very technique gave them away. PKLite was probably the first 3rd party tool used. I've recently seen PAK, UPX and FSG... all three of which were caught by F-Prot because the antivirus guys simply make signatures for the binary itself, and don't bother including unpacking methods for all possible compression/encryption methods. This explains why we have relatively few upgrades on the engines themselves. The F-Prot documentation mentions (I think) only zip decoding, but we know that it certainly does UPX and RAR decoding based on issues that have been raised with each (for the former, pathetic speed and the former, a buffer overflow). If you want to see what your virMMDD.log might reveal about this latest malware this month and what attachments you're seeing anyway, try this: egrep \.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME vir01??.log (if you don't want the filename, stick a -h parameter and a space before that first quotation mark) By doing this, against my virMMDD.log I just discovered that F-Prot decodes BHX and HQX attachments too. By doing something similar against my nightly virus-scan-the-spam-folder logs I also discovered that I have zero non-viral messages using the unconventional attachment formats in the last two months. You can take that as an indication that it's okay to ban those formats if you wish, but I'll warn that I have a pretty homogeneous Windows user base. and that'sa wrapfor tonight. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Tuesday, January 31, 2006 6:04 PM To: Declude.Virus@declude.com Subject: RE: [Declude.Virus] Encoded viruses...worried John, the other formats are common (or, were common) on Macintosh and Unix based systems for binary attachments and for attached messages. Eudora for Windows used to expose several of these formats for message construction. They've fallen into disuse in favour of MIME attachments, but they are still extant. Blockingmessages containing those attachment formats may be reasonable for you if you're doing postmaster alerts and can check whether you've found false positives. Like
