Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: New Virus?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 10 Mar 2004 23:54:45 +1300

Brian Eckman <eckman () umn edu> to me:

First off, Nick, thanks a bunch for sharing that info with the list.

You're welcome...

FYI, I sent in a sample to NAI using the above address. I got an 
autoreply that it was received, then another autoreply that it was not a 
known threat and that it was being forwarded to an AVERT researcher. So, 
I deleted the backdoor trojan, as I had already submitted it to the 
company we have a site license with. (I sent it into NAI as the computer 
that was infected with it had McAfee on it.)

Later, I got an E-mail that they had a virus gateway strip the sample 
out of my message as "potentially unsafe", and gave me further 
instructions. They suggested using http://www.webimmune.net and/or 
zipping it and password protecting it, using the password "infected".

Yes -- that is a tad more clue than seems reasonable to assume on the 
part of a "typical infected uswer"...

I imagine I'm not the only one amused by the fact that they want you to 
send malware to them in a password protected Zip file, (in light of 
recent Bagle variants :).  ...

Actually, that has historically been a defensive measure to get samples 
_out_ from the sender's machine.  AV researchers started to receive too 
many messages that should have had suspicious attachments sent by 
helpful customers and the like but that had obviously had the 
attachments removed (or otherwise munged) by intermediary virus-
scanning gateways...

...  I also find it oddly amusing (being that I am 
not a paying customer of theirs, and that only a few hundred or so 
people on my campus likely are) that they would filter potentially 
harmful attachments that were sent to a virus submission E-mail address.

Yes -- that is prize gormlessness...

I'll have to tell the user to use our site licensed AV software instead 
if they want to detect this threat in the future. (Actually, it is 
probably still in my sent items, so I probably can comply with their 
request. I'm just a bit perturbed that they acknowledged receipt of it, 
then they deleted it. (Paying customers might want to take note that 
they had their hands on something that a competitor identified as a 
backdoor trojan, but NAI still cannot detect it because they filtered 
E-mail sent via a virus submission address.)

Just thought I'd share my experience. Perhaps it will save someone else 
the frustration that I had.

Indeed -- this is one of those near-comical things that you hope only 
happens to "the other guy".

I can imagine several "normal" administrative decision-making processes 
inside NAI (paralleling those of many other companies!) that make 
complete sense in light of recent developments regarding straight and 
password-protected .ZIP files, but which are quite ludicrous if you 
step back and realize that part of the business model underlying this 
company's moment-to-moment operation _requires_ that it be able to 
easily and efficiently receive (possibly) "undesirable" files from 
anyone, anywhere on the planet...

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]