Re: [Full-Disclosure] Backdoor not recognized by Kaspersky

[Cael Abal <lists2@xxxxxxxxxx>]

> > Another variant against the Netsky virus. It's is packed with
> > UPX. It spreads with the password protected zip file, which
> > gets bypassed through all most all the AV scanners with
> > latest signature updates because No AV can decrypt it
> > without the password. (though password is in the message
> > content), we humans tend to open it after reading the message.
>
> Kaspersky, NAI and possibly some other AV-vendors now parse the password 
> from the body of the email to extract the zip and then scan it. 
> Obviously this only helps if it can scan the complete email i.e. on the 
> mailserver. They might need to adapt to new varitions of how the 
> password is included in the body, which will take some analysis when new 
> variants emerge.

Does anyone else find this new development a bad idea?

I'm of the mindset that anti-virus companies should stick with what 
they're good at -- namely, detecting and handling infected files.  It 
seems a bad idea to start down the natural language processing road. 
Are they scanning just for Bagle/Beagle style e-mail, or are their 
methods more general?  What about messages of the form:

'Password is a long yellow fruit enjoyed by monkeys.'

What about messages in languages other than English?  I can easily see 
this becoming an arms-race, and one the anti-virus folks have no chance 
of winning.

Leave passworded .zips alone -- take the sensible approach and catch an 
infected file once it's been extracted.

Cael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html