Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Backdoor not recognized by Kaspersky
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 04 Mar 2004 14:08:19 +1300

"Schmehl, Paul L" <pauls () utdallas edu> wrote:

McAfee now detects the password protected zip files.  (There are other
things you can look for besides trying to decrypt the contents of the
zip filel  Also, zip passwords are weak and easily broken anyway.)

Though cracking is not, I believe, how it is done.  Knowing the limited 
character set and length of passwords used would make cracking 
relatively easy, but perhaps still in the order of an average of 
several to tens of minutes per Bagle-encrypted .ZIP.  I doubt many mail 
servers/content gateways could tolerate that level of additional CPU 

I'd be very surprised if the "detection" of Bagle encrypted .ZIPs 
implemented by NAI (and others) is not prone to false-positive (at 
least if they insist on labelling the things they find as "Bagle") but 
it is likely to remain as a useful heuristic.

BTW, there is a war going on right now between three virus groups, so
you will continue to see new variants of Bagle, Netsky and Mydoom for
the foreseeable future.  Should be a very interesting month.

Well, if everyone (especailly the media and the AV web pages) stopped 
paying these pathetic puppies' "war" the attention it has been getting, 
I suspect that they may quickly tire of the fight, as surely they gain 
little from it at the moment other than that attention...


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]