The following comments and opinions are mine alone:
At 8:42 -0800 2004-03-03, Jake -F Harwood wrote:
>I wonder if it would be possible to drop only password-protected zip files ...
Good question. The option of discarding (or otherwise preventing
delivery of) only *password-protected* ZIP files sent as email
attachments -- at least in the short run -- rather than all ZIP
files, is one which the CalMail team is apparently exploring.
At 9:33 -0800 2004-03-03, Tessa Michaels wrote:
>I do want to weigh in that I use zip files a fair amount to avoid
>having to download individual docs, and I had asked our units to submit
>budget pieces for my review in zip file format.
The management and staff of the CalMail service is highly sensitive
to the fact that legitimate campus business is conducted via email
through sending of attachments, including ZIP archived attachments,
and is seeking to minimize the disruption to the campus of any
short-term approaches to this problem.
Jake also asked:
>I wonder if it would be possible to drop only [...] zips with
>viruses within.
And at 0:02 -0800 2004-03-03, Ryan L. Means wrote:
>Forgive me if this has been asked already, but can't the virus scanner
>scan inside the Zip file? I think that it would be best to drop only
>those Zip files which contain an actual virus.
Yes, gateway virus scanners have long been able to look inside ZIP
archives to identify infected files within those archives.
Otherwise, they would have been unable to detect many of the viruses,
worms, and trojans that have existed well before now. CalMail's
scanner has done this, and continues to do this, even today.
As far as I'm aware, the specific problem that vendors of
anti-virus scanning software are now facing is that ZIP archive files
now being sent by certain recent worms are password-protected. The
scanners can't look inside those attachments without having some
reliable way to know the password, or otherwise decrypt the files.
There may be some attacks possible on ZIP file encryption, as
described in
<http://www.securiteam.com/securitynews/5LP0A0096O.html>, for
example, but these require a huge amount of time - measured in hours,
not seconds - and processing power, which would make these
impractical for an email gateway scanner. These attacks may also be
dependent on weak encryption algorithms used by specific ZIP file
creation software; worm authors could simply use ZIP utilities that
don't have these flaws.
In an article a couple of days ago,
<http://www.sophos.com/virusinfo/articles/bagles.html>, Graham Cluley
of Sophos was quoted as saying:
"However good your ISP, web email account or anti-virus gateway
product may be at scanning your email, they will be as useless
as a chocolate teapot at detecting the worm inside the encrypted
ZIP file," said Cluley.
At 9:58 -0800 2004-03-03, Ross Dmochowski wrote:
>Given my understanding of such things, isn't it possible to block only
>those .zip's that are a problem?
>Stateful content inspection can be computationally intensive, for sure,
>but given that the zip's in question have some telltale
>characteristics on which to filter, the number of emails to re-direct
>can be determined.
That's an intriguing question, and I don't have a definitive
answer. Here are a few thoughts.
Cliff Frost earlier forwarded a message stating that:
>Turns out that all of these worm variants are shipped in ZIP files
>whose first (and only) component is "stored" (as opposed to
>"deflated"). They are also marked as Version 1.0 zip files while
>most tools these days label their ZIP files as version 2.0 (or more).
That might be a good interim way to block the most recent set of
worms. However, the next set of worms might well pack several
"deflated" files into the ZIP archive, and create the archives using
a 2.0 or higher version of the ZIP file format. That would confound
any reliance on just those characteristics to identify potentially
infected archive files.
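As an added illustration (my own code, not part of the original message or anything CalMail runs): the script below hand-builds one-entry ZIP archives in memory and reads their central directory to report the traits discussed above: the encryption flag, a single "stored" entry, and a "version needed to extract" of 1.0. The archive builder, file names and contents are constructed test data, and the trait names are mine.

```python
# Added example: flag the ZIP characteristics quoted in the thread.
# build_zip() constructs a minimal one-entry archive (test input only);
# suspicious_traits() parses the central directory with the stdlib.
import io
import struct
import zipfile
import zlib


def build_zip(name: bytes, data: bytes, version: int, encrypted: bool, deflate: bool) -> bytes:
    """Construct a one-entry ZIP; the 'encrypted' flag is set without real encryption."""
    if deflate:
        c = zlib.compressobj(wbits=-15)          # raw DEFLATE, as ZIP stores it
        body, method = c.compress(data) + c.flush(), 8
    else:
        body, method = data, 0                   # method 0 = "stored"
    flags = 1 if encrypted else 0                # bit 0 = traditional PKWARE encryption
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, version, flags, method, 0, 0,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, version, flags, method,
                          0, 0, crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def suspicious_traits(blob: bytes) -> list:
    """Return which telltale characteristics an in-memory ZIP archive shows."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()                    # central directory only; nothing is extracted
    traits = []
    if any(zi.flag_bits & 0x1 for zi in infos):
        traits.append("encrypted")               # a gateway scanner cannot see the payload
    if len(infos) == 1 and infos[0].compress_type == zipfile.ZIP_STORED:
        traits.append("single-stored-entry")
    if all(zi.extract_version == 10 for zi in infos):
        traits.append("version-1.0")             # 10 == format version 1.0
    return traits


if __name__ == "__main__":
    # Constructed samples: a worm-like archive and an ordinary budget attachment.
    print(suspicious_traits(build_zip(b"doc.exe", b"MZ" * 40, 10, True, False)))
    print(suspicious_traits(build_zip(b"budget.doc", b"hello " * 50, 20, False, True)))
```

An archive that is deflated and version 2.0 but still encrypted reports only "encrypted", which is the one trait a scanner cannot work around by looking inside.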
Other than these, I'm not aware of any common characteristics in
the ZIP files that the worm is sending out. It used to be easy to
identify some infected email attachments just by looking for a single
line in a Base64-encoded MIME message part, for instance. However,
when encrypted with a random password, this type of attachment
uniformity may no longer exist.
Aron Roberts
Workstation Software Support Group
Received on Wed Mar 3 10:33:26 2004