Possibly yet another MS mail worm

This one may be a variant of the recent worms. It's spreading by way of
zipfile attachments. I don't have more info yet, but my $orkplace has just
been hit by it and it's unknown to McAfee and Symantec at this time.

It's not W32.Netsky, as best I can tell, because of the attachment filename:
this one uses things like accabaacc.zip that are new to me. I don't have
more info on it at this time, but will try to snare a sample in transit if
it hits my home system.

Just a heads-up,

Yes, I got that one too. To my peering alias by coincidence. ClamAV
identifies it as "Worm.Bagle.A2". ClamAV added it to the database today,
and mentioned that it was not in most signature databases yet.

: Yes, I got that one too. To my peering alias by coincidence. ClamAV
: identifies it as "Worm.Bagle.A2". ClamAV added it to the database today,
: and mentioned that it was not in most signature databases yet.

Yah, "Bagle.C" is the notation used by F-Secure. This is indeed what it
was.

It's annoying how easily these things spread even though they don't rely on
a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so
it requires opening the zipfile and then running the program inside it. Of
course everyone will run it, even though it's named dygfwefuih.exe (random
characters before .exe). <grumble>


Being in a zipfile is exactly why these things work: most mail systems
nowadays drop executable attachments without mercy, but a zipfile may be a
compressed document. Not every mail system screens incoming messages with
anti-virus.

People writing these worms don't just know a bit about human behaviour; they
seem to keep up with trends in mail systems administration as well.

Rubens

I believe the point is, your mail scanner should be able to
scan something as simple as zip compressed attachments. If
it can't, you may want to rethink which program you use.
Most open source and commercial scanners can scan inside zip
files.

mike

I'm not aware of any mail scanner that does this without running an external
anti-virus or something similar, although it is not that intensive to follow the
zip headers (as they already do with the MIME headers in order to drop
external attachments). Most scanners can accept an anti-virus plugin and
then scan inside zip files, but that requires more processing power, more
queue disk space, more RAM, more administration to update virus patterns,
and so on. The cost/benefit usually pays off, but more complexity means fewer
people will adopt the solution, thus making worm spreading easier.

Rubens

> I'm not aware of any mail scanner that does this without running an external
> anti-virus or something similar, although it is not that intensive to follow the
> zip headers (as they already do with the MIME headers in order to drop
> external attachments). Most scanners can accept an anti-virus plugin and
> then scan inside zip files, but that requires more processing power, more
> queue disk space, more RAM, more administration to update virus patterns,
> and so on. The cost/benefit usually pays off, but more complexity means fewer
> people will adopt the solution, thus making worm spreading easier.

your description makes it all sound quite complicated, possibly because
you are passing all the processing down to the end-user's machine.

I was talking about central anti-virus processing... although it's easier on
administration than updating hundreds or thousands of machines, it
establishes a central bottleneck. Doing decompression and extensive pattern
matching on a high volume server is not an easy task.

we have anti-virus (clamav) and anti-spam (spamassassin) running at the
server level, and thus save the end-user a lot of cycles.

Even on low volume servers, this task is not something one would do without
some thinking; on high volume, this is achievable but would require a good
systems design to cope with the higher latency between mail receive and mail
delivery.

clamav will look inside zip files, and automatically updates its signature
database.

spamassassin uses both global rules and per-user rules to rate incoming email
and reduce the impact of spam.

Been there at many installations of MailScanner
(http://www.mailscanner.info).

we even run in-line scans of MIME headers during the SMTP process and reject
specific attachments (.exe, .pif, etc) without even bothering the end-user.

That kind of filtering is much easier to configure and administer, and is light
on resources. Extending this to verify filenames inside zip files would not
be difficult to do, and is simple and light enough for lots of people
to turn such filters on.

Rubens
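Added example, not code from the thread or from MailScanner: a Python attachment filter in the spirit of the zip-header check described above. It reads only the zip central directory (nothing is decompressed), rejects archives whose members carry executable extensions, and, going one step beyond the text, also rejects archives with encrypted members, since those cannot be scanned at all. The extension list, the verdict labels and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions the thread's in-line MIME filter already rejects, applied here to
# member names inside the archive (example list; extend per local policy).
BLOCKED_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")
ENCRYPTED_FLAG = 0x1  # bit 0 of the zip general-purpose flag: member is encrypted

def inspect_zip_attachment(data: bytes) -> dict:
    """Verdict for a zip attachment without extracting any member.
    Only the central directory is read (zipfile.infolist), so nothing is
    decompressed. 'reject' if a blocked filename appears or any member is
    encrypted (a password-protected zip cannot be scanned by a content
    scanner), 'invalid' if the bytes are not a zip at all, else 'accept'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return {"verdict": "invalid", "reasons": ["not a zip archive"]}
    reasons = []
    for info in members:
        base = info.filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
        if base.endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"executable member: {info.filename}")
        if info.flag_bits & ENCRYPTED_FLAG:
            reasons.append(f"encrypted member: {info.filename}")
    return {"verdict": "reject" if reasons else "accept", "reasons": reasons}

def build_sample_zip(member_name: str, encrypted: bool = False) -> bytes:
    """Constructed test data: a one-member zip, optionally marked encrypted.
    The stdlib cannot write encrypted zips, so the flag is set by patching the
    general-purpose flag field (offset 8) of the last central directory
    header, which is the field infolist() reports as flag_bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.rfind(b"PK\x01\x02")  # central directory header signature
        data[cd + 8] |= ENCRYPTED_FLAG
    return bytes(data)

if __name__ == "__main__":
    # Names modelled on the accabaacc.zip / dygfwefuih.exe example in the thread
    print(inspect_zip_attachment(build_sample_zip("dygfwefuih.exe")))
    print(inspect_zip_attachment(build_sample_zip("report.doc", encrypted=True)))
    print(inspect_zip_attachment(build_sample_zip("notes.txt")))
```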

so would a milter for sendmail that strips off attachments, queues
them for decompression and scanning at a later time be more useful?
Say such a milter could strip off attachments, replacing them with
a URL in the email that will allow the recipient to download them
if they prove clean. It's not an instant gratification, but it'll
let you distribute the scanning among several machines. if an
attachment gets denied, the url would inform the user why they can't
access the file. i had an idea to write this a while ago, but never
felt like writing the mime code to handle strange attachments.

mike

Say such a milter could strip off attachments, replacing them
with a URL in the email that will allow the recipient to
download them if they prove clean. It's not an instant
gratification, but it'll let you distribute the scanning

About 5-6 yrs ago I wrote a system for a customer that would look at
attachments, and for any attachment not of a whitelisted type (I might have
checked against /etc/magic to prevent bogus extensions), it would do just
that. The file got removed from the email and replaced with a note. The
attachment got dumped into a DB and the admins would validate it by hand via
a web-based interface (this was the customer spec). All zip files got
popped open and the contents checked. If the admins approved the
attachment, I think it got re-mailed to the end-user.

The system worked well. It had the high manual overhead, but that's what
they wanted. There's no reason to not do the same and just queue for virus
scanning if the mail server needs the load lightened.

  Steve

I just received 2 copies of Bagle.F, embedded inside a password-protected
zip file. Comes right through a full virus scan undetected.

Yup, got this one too .. according to nai.com there's a whole bunch of these
variants up to bagle.g .. there is also a netsky.d out today as well

pity nai.com aren't updating their dat files as fast as their website :frowning:

Steve

Yah, "Bagle.C" is the notation used by F-Secure. This is indeed what it
was.

It's annoying how easily these things spread even though they don't rely on
a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so
it requires opening the zipfile and then running the program inside it. Of
course everyone will run it, even though it's named dygfwefuih.exe (random
characters before .exe). <grumble>

Sure they do....it's called COM/DCOM/OLE/ActiveX or whatever they
want to call it this week. It's on every windows system.

: > It's annoying how easily these things spread even though they don't rely on
: > a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so
: > it requires opening the zipfile and then running the program inside it. Of
: > course everyone will run it, even though it's named dygfwefuih.exe (random
: > characters before .exe). <grumble>
:
: Sure they do....it's called COM/DCOM/OLE/ActiveX or whatever they
: want to call it this week. It's on every windows system.

No, my point was that the majority of newer trojan mail viruses don't depend
on ActiveX exploits -- they simply wait, dormant, for a n00b to click on
this mysterious-looking Zip Folder, and the mysterious-looking EXE inside.

It's as if the modern e-mail viruses are closer to human infections. Only
the clueful are immune. :sunglasses:

Todd Vierling wrote:

It's as if the modern e-mail viruses are closer to human infections. Only
the clueful are immune. :sunglasses:

I would agree if you had written "... At most the clueful are
immune. %^)

: Sure they do....it's called COM/DCOM/OLE/ActiveX or whatever they
: want to call it this week. It's on every windows system.

No, my point was that the majority of newer trojan mail viruses don't depend
on ActiveX exploits -- they simply wait, dormant, for a n00b to click on
this mysterious-looking Zip Folder, and the mysterious-looking EXE inside.

It's as if the modern e-mail viruses are closer to human infections. Only
the clueful are immune. :sunglasses:

The latter is very true.

My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in
an email message that gets executed to have access to the rest of the
system, rather than executing within a protected sandbox. Of course
scripts within email messages shouldn't execute at all. Once they do
execute, they have access to the OLE objects on the machine. It's a
security hole big enough to drive a tank through.

Curtis Maurand wrote:

Sure they do....it's called COM/DCOM/OLE/ActiveX or whatever they
want to call it this week. It's on every windows system.

No, my point was that the majority of newer trojan mail viruses
don't depend on ActiveX exploits -- they simply wait, dormant, for a
n00b to click on this mysterious-looking Zip Folder, and the
mysterious-looking EXE inside.

It's as if the modern e-mail viruses are closer to human infections.
Only the clueful are immune. :sunglasses:

The latter is very true.

My point is that the COM/DCOM/OLE/ActiveX is what allows for a script
in an email message that gets executed to have access to the rest of
the system, rather than executing within a protected sandbox. Of
course scripts within email messages shouldn't execute at all. Once
they do execute, they have access to the OLE objects on the machine.
It's a security hole big enough to drive a tank through.

I don't think that defines the problem very well. The current Bagle.C virus
does the following:

"W32/Bagle-C opens up a backdoor on port 2745 and listens for connections.
If it receives the appropriate command it attempts to download and execute a
file. W32/Bagle-C also makes a web connection to a remote URL, thus
reporting the location and open port of infected computers.

Adds the value:

gouday.exe = <SYSTEM>\readme.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-C runs every time you logon to your computer"

It also uses its own SMTP engine to replicate itself. So effectively it's
opening a connection to port 80 (from an unprivileged port), listening on
port 2745 (an unprivileged port), and opening connections to port 25 (from
an unprivileged port).

Maybe I'm missing something here, but where does access to OLE objects come
into play? Also this virus would appear to function just as well even if a
non-administrator user opened it.

Sam
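Added example, not part of the thread: a small Python checker for the host-level indicators Sam lists above (the Run-key value, the tcp/2745 listener, and direct port-25 sessions from the worm's own SMTP engine). The sample Run values and netstat lines are constructed, and the threshold of five distinct SMTP peers is an assumed policy, not something the thread states.

```python
# Host indicators from the W32/Bagle-C description quoted above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUE = "gouday.exe"   # value name the worm adds under RUN_KEY
SUSPECT_RUN_TARGET = "readme.exe"  # basename of the file that value points to
BACKDOOR_PORT = 2745               # where the backdoor listens
SMTP_PORT = 25
SMTP_PEER_THRESHOLD = 5  # assumed policy: a workstation talking directly to more MTAs is suspect

def check_run_values(run_values):
    """Flag Run-key entries matching Bagle.C persistence.
    run_values: (value_name, data) pairs, e.g. from winreg.EnumValue over
    RUN_KEY on Windows or from a .reg export. Matches on the value name or
    on the target's basename, so any expansion of <SYSTEM> is caught."""
    findings = []
    for name, data in run_values:
        base = str(data).strip('"').replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() == SUSPECT_RUN_VALUE or base.lower() == SUSPECT_RUN_TARGET:
            findings.append(f"Run value {name!r} -> {data!r}")
    return findings

def check_netstat(lines):
    """Flag a tcp/2745 listener and bulk direct SMTP sessions (own SMTP engine).
    lines: `netstat -an` output in the Windows IPv4 layout
    (Proto  Local Address  Foreign Address  State)."""
    findings, smtp_peers = [], set()
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # skips the header line and UDP rows
        local, remote, state = parts[1], parts[2], parts[3].upper()
        lport = int(local.rsplit(":", 1)[1])
        rhost, rport = remote.rsplit(":", 1)
        if state == "LISTENING" and lport == BACKDOOR_PORT:
            findings.append(f"listener on tcp/{BACKDOOR_PORT} ({local})")
        elif state == "ESTABLISHED" and int(rport) == SMTP_PORT:
            smtp_peers.add(rhost)
    if len(smtp_peers) > SMTP_PEER_THRESHOLD:
        findings.append(f"direct SMTP sessions to {len(smtp_peers)} hosts")
    return findings

# Constructed sample data, not a capture from a real infection.
SAMPLE_RUN = [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
              ("gouday.exe", r"C:\WINDOWS\system32\readme.exe")]
SAMPLE_NETSTAT = ["  Proto  Local Address          Foreign Address        State",
                  "  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING"]
SAMPLE_NETSTAT += [f"  TCP    192.168.1.5:{1040 + i}   203.0.113.{i}:25   ESTABLISHED"
                   for i in range(1, 8)]

if __name__ == "__main__":
    for finding in check_run_values(SAMPLE_RUN) + check_netstat(SAMPLE_NETSTAT):
        print("FINDING:", finding)
```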

** Reply to message from "Mike Nice" <niceman@att.net> on Mon, 1 Mar
2004 07:23:07 -0500

I just received 2 copies of Bagle.F, embedded inside a password-protected
zip file. Comes right through a full virus scan undetected.

-------------------------------------------
Sent: Sunday, February 29, 2004 7:04 PM
Subject: Bad girl

I am from Taiwan but I study in Camden, New Jersey now. I like to know
people from different places .
password for archive: 87326

Okay, from an operational standpoint, who really wants a customer who
would open this as a customer in the first place? It seems like it
takes some seriously stubborn stupidity to do so.

<slightly sarcastic suggestion follows>

I'm beginning to think that we should start charging like insurance
companies do... the more dumb things you do on the network, like
opening stuff like this and spreading viruses, the more we get to
charge you.

Of course we'd have to have someone maintain a central database of
customers that have suffered "accidents" like this so they couldn't
benefit from switching ISPs... too many offenses and you pay -a lot-
for your internet access on a tightly firewalled ISP where you can only
access stuff by proxy servers - I'm sure you all get the idea.

There are of course a million different reasons this won't work, but it
is a nice dream, eh?

In this case, it is the IDIOT users. You tell them time and time again DON'T CLICK ON ATTACHMENTS
UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE
SENDING IT.

The problem is dumb users who DON'T LISTEN. This is mostly the office crowd.

The real imbeciles are people operating a broadband connection without a license. Letting a
computer illiterate, typical beer guzzling, porno hunting hick have a computer with a
DSL/cable connection should be a capital offense. Those are where most of the
zombies are located. When you use words like "attachment" and '.exe' with them, their
eyes just sort of glaze over. "Hey, all I do is point and click and it just works". We need
to cleanse the gene pool of these kinds, or at least take away their dsl connections.

<quote who="John Palmer">

In this case, it is the IDIOT users. You tell them time and time again
DON'T CLICK ON ATTACHMENTS
UNLESS SOMEONE YOU KNOW IS SENDING IT AND TELLS YOU IN ADVANCE THEY ARE
SENDING IT.

Just telling people "Don't do that, it's bad." is sure to fail for the
same reason you can't tell people who wash their clothes in a disease
filled river to just "not wash there."

The problem is dumb users who DON'T LISTEN. This is mostly the office
crowd.

What makes you think they didn't listen? Not doing what you say and not
listening are not the same thing.

The real imbeciles are people operating a broadband connection without a
license. Letting a computer illiterate, typical beer guzzling, porno
hunting hick have a computer with a DSL/cable connection should be a
capital offense.

I'd hate to think about what you would do to network operators and
companies who fail to filter their egress traffic. Surely they share no
blame?

Those are where most of the zombies are located. When you use words like
"attachment" and '.exe' with them, their eyes just sort of glaze over.
"Hey, all I do is point and click and it just works".

And it does "just work" -- do the "mom test" and see. Why have
attachments if they shouldn't be opened? *That* would make no sense.

We need to cleanse the gene pool of these kinds, or at least take away
their dsl connections.

Some problems are social and some are technical. These are social
problems that can be mitigated on a large scale by technical means. The
users need to be educated at some level but the network and system
operators and companies need to be responsible for what is coming and
going from their network.

Back to the mom test, if an email with an attached virus gets to my mom's
Outlook Express client, I place the blame squarely on her mail
administrator (me).

-davidu

CM Kornbluth wrote "The Marching Morons" in 1951. Horrifyingly prophetic, even only
2 generations or so later....