[Full-Disclosure] Backdoor not recognized by Kaspersky
lists2 at onryou.com
Wed Mar 3 14:56:34 GMT 2004
>> Another variant against the Netsky virus. It is packed with
>> UPX. It spreads with a password-protected zip file, which
>> bypasses almost all the AV scanners with the latest
>> signature updates because no AV can decrypt it without the
>> password (though the password is in the message content);
>> we humans tend to open it after reading the message.
> Kaspersky, NAI and possibly some other AV-vendors now parse the password
> from the body of the email to extract the zip and then scan it.
> Obviously this only helps if it can scan the complete email i.e. on the
> mailserver. They might need to adapt to new variations of how the
> password is included in the body, which will take some analysis when new
> variants emerge.
Does anyone else find this new development a bad idea?
I'm of the mindset that anti-virus companies should stick with what
they're good at -- namely, detecting and handling infected files. It
seems a bad idea to start down the natural language processing road.
Are they scanning just for Bagle/Beagle style e-mail, or are their
methods more general? What about messages of the form:
'Password is a long yellow fruit enjoyed by monkeys.'
What about messages in languages other than English? I can easily see
this becoming an arms-race, and one the anti-virus folks have no chance
Leave passworded .zips alone -- take the sensible approach and catch an
infected file once it's been extracted.
Full-Disclosure is hosted and sponsored by Secunia.
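The technique the quoted reply describes, pulling a password out of the message body and using it to open the protected zip before scanning, as an added worked example; this is not code from the original post or from any AV vendor. Python's zipfile module can read ZipCrypto (traditional PKWARE) entries but cannot write them, so the example carries its own small encryptor and zip builder to make a test archive offline. The sample mail bodies, file name, passwords and payload are constructed, and the candidate-password patterns are an assumption about how such mails are phrased. The second sample is the "long yellow fruit" message from the post, run through the same logic to show exactly where body parsing gives out.

```python
import io
import re
import struct
import zipfile
import zlib

# Standard reflected CRC-32 table; ZipCrypto's key schedule is built on it.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)

class ZipCryptoKeys:
    """Traditional PKWARE ("ZipCrypto") key schedule, encryptor half only:
    the stdlib zipfile module can decrypt such entries but not create them."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self.update(c)

    def update(self, c: int) -> None:
        k = self.k
        k[0] = _CRC_TABLE[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self.update(p)  # the keys advance on the plaintext byte
        return bytes(out)

def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Build a one-entry, uncompressed, ZipCrypto-protected zip file."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (random in real archivers, fixed
    # here for reproducibility) plus the CRC high byte readers use as a password check.
    body = ZipCryptoKeys(password).encrypt(bytes(range(11)) + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    flag, method, mtime, mdate = 0x0001, 0, 0, 0x0021  # bit 0: encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, method, mtime, mdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, method,
                          mtime, mdate, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd

# The patterns are an assumption about how such mails phrase the password.
_EXPLICIT = re.compile(
    r"pass\s*word\s*(?:is\b|[:=\-])\s*[:=\-]*\s*[\"'<(]?([A-Za-z0-9]{3,20})", re.I)
_TOKEN = re.compile(r"[A-Za-z0-9]{3,20}")

def harvest_candidates(body: str) -> list:
    """Candidate passwords from a mail body: explicit statements first, then
    every token on any line that mentions "password", de-duplicated in order."""
    cands = [m.group(1) for m in _EXPLICIT.finditer(body)]
    for line in body.splitlines():
        if re.search(r"pass\s*word", line, re.I):
            cands += [t for t in _TOKEN.findall(line)
                      if t.lower() not in ("password", "pass", "word")]
    return list(dict.fromkeys(cands))

def open_protected_zip(zip_bytes: bytes, password: str):
    """Return (member name, plaintext) if the password fits, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            name = zf.namelist()[0]
            return name, zf.read(name, pwd=password.encode())
    except (RuntimeError, zipfile.BadZipFile):  # wrong check byte, or bad CRC
        return None

def scan_protected_attachment(zip_bytes: bytes, body: str):
    """What a body-parsing mail gateway does: try each harvested candidate and
    hand the plaintext to the scanner. Returns (password, name, data) or None."""
    for cand in harvest_candidates(body):
        hit = open_protected_zip(zip_bytes, cand)
        if hit is not None:
            return cand, hit[0], hit[1]
    return None

# Constructed sample mails and attachment, not captured worm text.
PAYLOAD = b"constructed sample attachment, not malware\n"
MSG_EXPLICIT = "For security reasons the attached file is password protected.\nPassword: 53281\n"
MSG_DESCRIPTIVE = "Password is a long yellow fruit enjoyed by monkeys.\n"

if __name__ == "__main__":
    print(scan_protected_attachment(make_encrypted_zip("f.txt", PAYLOAD, b"53281"), MSG_EXPLICIT))
    print(harvest_candidates(MSG_DESCRIPTIVE))
    print(scan_protected_attachment(make_encrypted_zip("f.txt", PAYLOAD, b"banana"), MSG_DESCRIPTIVE))
```

The first mail states the password outright and the gateway recovers the plaintext on its first candidate. The second mail, the one from the post, gives the parser only "long", "yellow", "fruit", "enjoyed" and "monkeys" to try; the real password never appears in the body, so no amount of pattern work on the text opens the archive, which is the arms-race the post is pointing at. Note also that a wrong candidate is rejected by the 1-byte check in the encryption header about 255 times in 256 and by the CRC otherwise, so the loop costs one cheap decryption attempt per candidate.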