The recent viruses bundled in encrypted zip files have sufficient
external fingerprints to allow identification without having to
actually crack the encrypted zip file. These early versions of
encrypted virus technology are not very sophisticated in cloaking
methodology. They were just different enough to cause a longer delay
than usual for many anti-virus vendors to add necessary detection
technology to their products.
Richard Peters
Central Computing Services
At 5:07 PM -0800 3/4/04, Aron Roberts wrote:
>Hi Michael,
>
>At 16:55 -0800 2004-03-04, Michael Armijo wrote:
>>(from the URL given) "An update just received from CalMail's antivirus
>>software vendor can now detect these new worm variants..."
>>
>>Since the problem files were encrypted, I assume that the software can
>>decrypt the zip files only because the key was supplied in the email. True?
>
> I don't know the specific method by which Sophos -- or for that
>matter, any other anti-virus vendor -- has chosen to detect the
>latest variants of the W32.Beagle/Bagel worms. They may or may not
>be using the password provided in the body text of the email
>message. They may instead be using other markers specific to these
>variants. Several such markers have been discussed on this list;
>others may include attachment length and specific text used in
>subject lines and/or body text.
>
> Any or all of these markers may not be present in future variants
>of this worm, or in future worms. They could try adding random
>files to their archives to vary their length, for instance. And the
>methods by which they attempt to transmit the accompanying passwords
>may vary, as well.
>
>>If not, we will need to advise people that encrypted zip files are not
>>secure.
>
> I'm not sure what you're stating or asking here; perhaps you might
>clarify. If you're asking whether Sophos, or any other anti-virus
>vendor, has just come up with a technique by which they can quickly
>decrypt encrypted ZIP archives, for which they lack the decryption
>password, my off-the-cuff answer is "no, they have not."
>
>Aron Roberts
>Workstation Software Support Group
>-------------------------------------
>Sent via the ucb-security mailing list.
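The "external fingerprints" the thread refers to can be checked without decrypting anything, because a traditionally encrypted ZIP leaves entry names, sizes and the encryption flag in the clear in its central directory. The following is an added example, not code from either poster: it builds a constructed sample archive (the stdlib cannot write encrypted ZIPs, so the encryption bit is set by patching the raw headers), then reads only the metadata and combines it with the message-text markers mentioned on the list. The executable extensions and the "password" phrase are assumptions, not markers the thread itself lists.

```python
import io
import re
import struct
import zipfile

# Constructed sample: a ZIP written with the stdlib, then bit 0 of the
# general-purpose flags ("encrypted") is set in the local and central
# directory headers to mimic a password-protected archive.
def build_sample_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # local file header: flags at offset 6; central directory: offset 8
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0]
                struct.pack_into("<H", data, pos + off, flags | 0x1)
                pos = data.find(sig, pos + 4)
    return bytes(data)

SUSPECT_EXT = (".exe", ".scr", ".pif", ".com")  # assumption, not from the thread

def zip_markers(blob: bytes) -> dict:
    """Read only the central directory: names, sizes and the encryption
    flag are visible even though entry contents cannot be decrypted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "executable_name": any(i.filename.lower().endswith(SUSPECT_EXT) for i in infos),
        "attachment_len": len(blob),  # the length marker mentioned on the list
    }

def score_message(subject: str, body: str, attachment: bytes) -> list:
    """Combine archive metadata with message-text markers; returns hit names."""
    hits = []
    m = zip_markers(attachment)
    if m["encrypted"]:
        hits.append("encrypted-zip")
    if m["encrypted"] and m["executable_name"]:
        hits.append("encrypted-executable")
    if re.search(r"\bpassword\b", subject + " " + body, re.I):
        hits.append("password-in-text")  # the key shipped in the mail body
    return hits
```

Such markers are brittle, exactly as Aron notes: a later variant can change names, pad the archive or move the password elsewhere, so they belong in a layered filter rather than as the sole detection.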
Received on Thu Mar 4 21:41:03 2004
This archive was generated by hypermail 2.1.8 : Thu Mar 04 2004 - 21:41:04 PST