On Wed, 2004-03-03 at 14:21, Courchesne, Andre wrote:
> Hi,
>
> Just discussed a bit here and usually this virus will send the zip
> password in clear text inside the e-mail. Wouldn't there be a way to try every word
> in the e-mail to try to crack the zip, then unzip it and virus-scan the
> content ?

Another solution mentioned is that each of these viruses is in a ZIP 1.0 file, whereas all normal zip files are almost always 2.0. The problem with using text in the message body to decrypt is that this is an arms race. As soon as AV programs do that, then spammers will find other ways of obscuring the password from mechanical scanners, or even using an image file. They could use social engineering to claim to the user that having an image that they read is a security precaution in and of itself. Therefore, while this technique is worth exploring, ultimately spammers will work around it. Stopping zip 1.0 files is also worthwhile, but spammers will soon ship 2.0 zip files. Thus I've come to the conclusion that ultimately nothing short of quarantining all password zip files will work for very long.

This brings up another interesting point. That is that spammers and virus gangs have now successfully destroyed e-mail as we know it as a useful tool. The good that may come of it is that we'll have to redefine mail to be resistant to this kind of abuse much sooner than anyone really wanted to.

Michael

>
> Just my 2 cents...
>
> Andre Courchesne - Consultant
> http://www.net-forces.com
>
> -----Original Message-----
> From: Michael L Torrie [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 03, 2004 3:38 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Simple patch for dealing with password zip files
>
>
> Like many clamav users, I have found clamav to not be effective against
> the latest crop of password zip viruses.
>
> I have made a rudimentary patch (clean patch) against clamav 0.67 to
> mark all zip files containing password-protected (and hence unscannable)
> files as a virus type "SuspectEncrypted.Zip." This way I can simply
> quarantine all such passworded zip files, along with normal viruses. I
> know of no other way for clamav to catch this virus currently. (In fact
> it didn't even catch one of them using fingerprinters.)
>
> I see this patch as a stop-gap measure until ClamAV has a workable
> mechanism for dealing with viruses passing themselves around as
> passworded zip files. Anyone who is interested can apply this patch.
> Hopefully clamav will have an official method of dealing with this new
> pest.
>
> The patch is very short and simple. It merely patches zzlib to pass the
> header flags field out, and then scanners.c then looks at bits 0 and 6
> to check the encrypted file status (per file) and if they are set, then
> the zip file is marked as "SuspectedEncrypted.Zip" and you can deal with
> it accordingly. I hope it is useful to some people. Apply it to the
> base of the clamav source code tree:
>
> cat /path/to/clamav-pwdzip-0.67.patch | patch -p1
>
>
> Michael

--
Michael L Torrie <[EMAIL PROTECTED]>
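As an added example (not part of this thread, and not the patch Michael describes), the following Python walks the local file headers of a zip and applies the two checks the thread discusses: the "version needed to extract" field (10 for ZIP 1.0, 20 for ZIP 2.0) and general-purpose flag bits 0 and 6 for encryption, returning the same quarantine verdict the patch uses. The sample archives are constructed inline; the function names (scan_local_headers, classify, build_*_sample) are my own.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"     # local file header signature
FLAG_ENCRYPTED = 0x0001       # bit 0: traditional PKWARE (ZipCrypto) encryption
FLAG_DATA_DESC = 0x0008       # bit 3: sizes/CRC follow the data in a descriptor
FLAG_STRONG_ENC = 0x0040      # bit 6: strong encryption
HEADER_FMT = "<HHHHHIIIHH"    # fields after the 4-byte signature (26 bytes)

def scan_local_headers(data):
    """Walk local file headers; report version needed and encryption per entry."""
    entries = []
    pos = 0
    while data.startswith(LOCAL_SIG, pos):
        (version, flags, _method, _mtime, _mdate, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(HEADER_FMT, data, pos + 4)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "version": version,  # 10 == "ZIP 1.0", 20 == "ZIP 2.0"
            "encrypted": bool(flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENC)),
        })
        if flags & FLAG_DATA_DESC and csize == 0:
            break  # size lives in a trailing data descriptor; stop walking
        pos += 30 + name_len + extra_len + csize
    return entries

def classify(data):
    """Verdict in the spirit of the patch: any encrypted entry taints the archive."""
    if any(e["encrypted"] for e in scan_local_headers(data)):
        return "SuspectEncrypted.Zip"
    return "OK"

def build_plain_sample():
    """Constructed sample: an ordinary archive written by Python's zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()

def build_encrypted_sample():
    """Constructed sample: one stored entry, version 10 ('ZIP 1.0'), bit 0 set.
    The payload is filler, not real ZipCrypto output."""
    name = b"attachment.dat"
    payload = b"\x00" * 12 + b"filler"  # 12-byte crypt header + 'ciphertext'
    header = struct.pack("<4s" + HEADER_FMT[1:], LOCAL_SIG, 10, FLAG_ENCRYPTED, 0, 0,
                         0, 0, len(payload), len(payload) - 12, len(name), 0)
    return header + name + payload
```

An entry written with bit 3 set and zero sizes in the local header ends the walk early, so a production scanner should read the central directory, which always carries the sizes, rather than only the local headers.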