
Full Disclosure mailing list archives

Re: Backdoor not recognized by Kaspersky
From: Cael Abal <lists2 () onryou com>
Date: Wed, 03 Mar 2004 13:11:28 -0500


> McAfee now detects the password protected zip files.  (There are other
> things you can look for besides trying to decrypt the contents of the
> zip file.  Also, zip passwords are weak and easily broken anyway.)

Zip files may be /relatively/ easy to brute force, sure, but there's no
way I'm turning my mail gateway into a dedicated .zip cracking box.
That's insane.

As I mentioned, passworded .zip handling is an arms-race I hope
anti-virus folks decide not to get embroiled in.

It would be trivial to generate a file_id.diz (or readme.txt, or add zip
comments, etc.) in order to skirt checksum / file size checks.  It would
be trivial to harvest plausible file names from a victim's computer to
avoid filename matching checks.

The only reasonable check would be what Bart suggests, but I'm not
comfortable blocking all passworded .zip files containing an executable.
Who knows, I might have to change my mind.
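The check Bart suggests, as the post describes it, can be done without decrypting or cracking anything: a ZIP central directory stores every entry's name and its general-purpose bit flag in the clear, and bit 0 of that flag marks an encrypted entry. The following is an added example, not code from the poster or from the Full Disclosure thread. It builds constructed sample archives in memory with a hypothetical build_zip helper and scans them the way a mail gateway might, blocking only passworded archives that carry an entry with an executable suffix (the suffix list is an assumption) and leaving other passworded archives alone.

```python
import io
import pathlib
import struct
import zipfile
import zlib

# Added example (not from the Full Disclosure post): a gateway-style check for
# password-protected zips that carry an executable, done purely from the
# central directory, without any attempt to decrypt or crack the archive.

# Extensions treated as executable content; an assumption for this example.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose bit flag marks an encrypted entry


def build_zip(entries, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP archive in memory.

    Constructed test data only. When `encrypted` is True the encryption bit is set
    on every entry, as a password-protected archive would have it; the payload
    itself is a plaintext stand-in because the scanner never reads entry data.
    """
    flag = ENCRYPTED_FLAG if encrypted else 0
    local, central = b"", b""
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)  # where this entry's local header starts
        # Local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                             crc, len(data), len(data), len(name_b), 0)
        local += name_b + data
        # Central directory header: adds version-made-by, comment len, disk, attrs, local offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                               crc, len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    # End of central directory record: entry counts, directory size and its offset
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def scan_zip(blob):
    """Return [(entry name, reason)] for encrypted entries with an executable suffix.

    Only the central directory is parsed; no entry is opened, so no password is needed.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
                # Normalise separators so names written by Windows tools still split cleanly
                suffix = pathlib.PurePosixPath(info.filename.replace("\\", "/")).suffix.lower()
                if encrypted and suffix in EXECUTABLE_SUFFIXES:
                    findings.append((info.filename, "encrypted executable"))
    except zipfile.BadZipFile:
        findings.append(("<archive>", "malformed zip"))
    return findings


def gateway_verdict(blob):
    """The narrow policy from the thread: block only passworded zips that contain an executable."""
    return "block" if scan_zip(blob) else "allow"


if __name__ == "__main__":
    # Constructed samples: a plain archive, a passworded archive holding only text,
    # and a passworded archive padded with a file_id.diz beside an executable.
    samples = {
        "plain": build_zip([("readme.txt", b"hello"), ("report.pdf", b"%PDF-1.4")]),
        "encrypted-text": build_zip([("notes.txt", b"private")], encrypted=True),
        "encrypted-exe": build_zip([("file_id.diz", b"padding"), ("invoice.pdf.exe", b"MZ")],
                                   encrypted=True),
    }
    for label, blob in samples.items():
        print(f"{label:15} -> {gateway_verdict(blob)} {scan_zip(blob)}")
```

Because the decision rests on header fields rather than on the payload, extra padding files, altered zip comments or harvested plausible file names do not change the verdict; only an encrypted entry whose name ends in an executable suffix does. A malformed archive is reported as a finding rather than silently allowed, which is the conservative choice for a gateway.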




Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

