mailing list archives
Re: [inbox] Re: Re: E-Mail viruses
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 06 Mar 2004 17:54:55 +1300
Valdis.Kletnieks () vt edu to Curt Purdy:
Ah, I wish... An alternative is to allow only a proprietary extension
through, like .inc Legitimate senders would rename the file, be it .exe
.doc .jpg, indicate in the body of the message what the true extension is,
and the receiver merely renames it. A little trouble yes, but it virtually
eliminates email propagated viruses from the corporation.
So let's see.. the same bozos who read the text part of the virus, get
the password, and use that to unzip the rest of the virus won't read
the text part, get the rename to do, and.....
Yes, but to get through to Kurt's users, the malware (or its sender)
has to guess (or know if it is a directed or insider attack, in which
case "protection" is fundamentally harder anyway) the "right"
extension. Limiting ourselves to three-character-only, non-case
sensitive ASCII alphanumerics, that is a one in 3^36 chance. Anything
else will be stopped as "unwanted", so a virus trying to "fake out"
this approach still won't get to the users behind a perimeter
filtering mechanism enforcing this kind of policy...
I think the kind of approach Kurt has suggested can only realistically
work in corporate and institutional environments (and with the
occasional well-disciplned individual), where it would also be
realtively easy to further restrict the odds of sustaining damage via
this entry route by only allowing designated users to receive such
content. Further restrictions, such as "it must have the '.ABC'
extension and internally be a RAR archive" could easily be added for
the even more paranoid, but with today's content scanner options such
an approach will seriously limit the range of choice as very few such
products have really been desgned from an intelligently outward looking
policy enforcement perspective... (they tend to be far too heavily
focussed on the "we _don't want_ files matching this profile" approach,
rather than having genuinely inventive "let this kind of content in and
block the rest" options).
Color me dubious....
Or a poor reader?? 8-)
Full-Disclosure - We believe in it.
Re: Re: E-Mail viruses Jorge Daza (Mar 08)
Re: E-Mail viruses Incident List Account (Mar 05)
Re: Re: E-Mail viruses Paul Szabo (Mar 06)