[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Backdoor not recognized by Kaspersky
- From: Cael Abal <lists2@xxxxxxxxxx>
- Date: Wed, 03 Mar 2004 13:11:28 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> McAfee now detects the password protected zip files. (There are other
> things you can look for besides trying to decrypt the contents of the
> zip filel Also, zip passwords are weak and easily broken anyway.)
Zip files may be /relatively/ easy to brute force, sure, but there's no
way I'm turning my mail gateway into a dedicated .zip cracking box.
That's insane.
As I mentioned, passworded .zip handling is an arms-race I hope
anti-virus folks decide not to get embroiled in.
It would be trivial to generate a file_id.diz (or readme.txt, or add zip
comments, etc.) in order to skirt checksum / file size checks. It would
be trivial to harvest plausible file names from a victim's computer to
avoid filename matching checks.
The only reasonable check would be what Bart suggests, but I'm not
comfortable blocking all passworded .zip files containing an executable.
Who knows, I might have to change my mind.
Cael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFARh/QR2vQ2HfQHfsRAuC4AJ9wMBdKvdlk6/T5aTW0xuBI2a8gKACfZLXQ
FNFpzDxA+rzoLdUQkxkaZsc=
=pEyk
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html