mailing list archives
RE: Backdoor not recognized by Kaspersky
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 04 Mar 2004 14:08:19 +1300
"Schmehl, Paul L" <pauls () utdallas edu> wrote:
McAfee now detects the password protected zip files. (There are other
things you can look for besides trying to decrypt the contents of the
zip filel Also, zip passwords are weak and easily broken anyway.)
Though cracking is not, I believe, how it is done. Knowing the limited
character set and length of passwords used would make cracking
relatively easy, but perhaps still in the order of an average of
several to tens of minutes per Bagle-encrypted .ZIP. I doubt many mail
servers/content gateways could tolerate that level of additional CPU
I'd be very surprised if the "detection" of Bagle encrypted .ZIPs
implemented by NAI (and others) is not prone to false-positive (at
least if they insist on labelling the things they find as "Bagle") but
it is likely to remain as a useful heuristic.
BTW, there is a war going on right now between three virus groups, so
you will continue to see new variants of Bagle, Netsky and Mydoom for
the foreseeable future. Should be a very interesting month.
Well, if everyone (especailly the media and the AV web pages) stopped
paying these pathetic puppies' "war" the attention it has been getting,
I suspect that they may quickly tire of the fight, as surely they gain
little from it at the moment other than that attention...
Full-Disclosure - We believe in it.
- Re: Backdoor not recognized by Kaspersky, (continued)