mailing list archives
Re: Backdoor not recognized by Kaspersky
From: Cael Abal <lists2 () onryou com>
Date: Wed, 03 Mar 2004 09:56:34 -0500
Another variant against the Netsky virus. It's is packed with
UPX. It spreads with the password protected zip file, which
gets bypassed through all most all the AV scanners with
latest signature updates because No AV can decrypt it
without the password. (though password is in the message
content), we humans tend to open it after reading the message.
Kaspersky, NAI and possibly some other AV-vendors now parse the password
from the body of the email to extract the zip and then scan it.
Obviously this only helps if it can scan the complete email i.e. on the
mailserver. They might need to adapt to new varitions of how the
password is included in the body, which will take some analysis when new
Does anyone else find this new development a bad idea?
I'm of the mindset that anti-virus companies should stick with what
they're good at -- namely, detecting and handling infected files. It
seems a bad idea to start down the natural language processing road.
Are they scanning just for Bagle/Beagle style e-mail, or are their
methods more general? What about messages of the form:
'Password is a long yellow fruit enjoyed by monkeys.'
What about messages in languages other than English? I can easily see
this becoming an arms-race, and one the anti-virus folks have no chance
Leave passworded .zips alone -- take the sensible approach and catch an
infected file once it's been extracted.
Full-Disclosure - We believe in it.
RE: Backdoor not recognized by Kaspersky Full-Disclosure (Mar 03)
Re: Backdoor not recognized by Kaspersky Suresh Ponnusami (Mar 03)
RE: Backdoor not recognized by Kaspersky Aditya, ALD [Aditya Lalit Deshmukh] (Mar 03)
RE: Backdoor not recognized by Kaspersky Ron DuFresne (Mar 04)
Re: Backdoor not recognized by Kaspersky Rodrigo Barbosa (Mar 04)
Re: Backdoor not recognized by Kaspersky Michael Gale (Mar 04)
Re: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 04)
SMTP open relays and RFC (was: Backdoor not recognized by Kaspersky) Martin Mačok (Mar 04)
- RE: Backdoor not recognized by Kaspersky, (continued)