Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Backdoor not recognised
From: "Richard Hatch" <r.hatch () eris qinetiq com>
Date: Wed, 3 Mar 2004 17:08:31 -0000

Further to the emails about parsing archive passwords from email messages...

Regardless of how such parsing may take place, the stream of overflows in
archive tools means that an attacker could craft malicious archive files
that infect/backdoor the mail scanning system.  Multiple emails could be
sent, with each attached malicious archive targetting different archive
technologies (e.g. rar, zip, gzip, ...).

You might as well just execute any attached .exe file and see if it opens
any ports.

Kaspersky, NAI and possibly some other AV-vendors now parse the password 
from the body of the email to extract the zip and then scan it. 
Obviously this only helps if it can scan the complete email i.e. on the 
mailserver. They might need to adapt to new varitions of how the 
password is included in the body, which will take some analysis when new 
variants emerge.

'The mirrors have grown vast and beautiful and very very *hungry*' 

The views and comments expressed in this email are the personal views and
opinions of the author and should in no way be considered an official
statement/release of QinetiQ.

Neither the author or QinetiQ can be held liable for actions taken based on
the information contained within this email.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Re: Backdoor not recognised Richard Hatch (Mar 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]