[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner

To: fd <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 04 Aug 2004 01:30:28 +1200

Denis McMahon wrote:

> I've had a couple of suspicious emails this week with headers, blank 
> line, a line of text, mime headers.

And that is _all_ ???

If so, what are you worrying about?

If not, why didn't you describe all the sections in the message 
structure?

> Thunderbird doesn't see the mime attachment due to the broken headers, 

_Which_ headers are broken?

Do you mean there is something "bad" (c.f. the relevant RFCs) in the 
Email headers, or in the MIME headers???

> which is good, but nor does the grisoft email proxy scanner, which is 
> bad, especially as I guess that certain broken applications (no I don't 
> have outlook [express] on my system) might try and be snart and find the
> attachment.

But your description of the structure of these messages above says 
nothing about any "attachments"...

> This might be broken malware sending unusable stuff out, but my worry is
> that somene may have found a technique that will sneak an attachment 
> past some a-v scanners in a "broken" format that certain popular email 
> apps will try and fix, possibly putting active malware on the hard disk.

Are these "attachments" in the ~1.5KB - 2KB size range?

If so, I'd say there is a reasonable chance they are the "IPs I've 
already hit" log-only (aka "corrupted") Mydoom.O messages.  These 
_should_ appear in any of the forms of message Mydoom.O can produce 
which includes attachment-only (blank message part) through various 
"clever" SE message forms to "binary gibberish" messages.  Further, the 
base64 encoded attachment can also be "normal" or "corrupted" (spaces, 
odd line-breaks inserted where they are not allowed by the spec -- 
Outlook and OE (and several other MUAs) happily ignore these "encoding 
errors" and "correctly" decode the intended attachment.

> I tried to talk to grisoft about this, but all I get back is "you have 
> to pay to talk to us cheapskate" ... whilst I can agree that they might 
> not want to provide tech support to users of their free scanner, does 
> anyone have an email address at grisoft for submitting suspicious items 
> that have got past their proxy scanner?

Yes but you'll have to contact me off-list as I won't publish the 
details here.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner
  - From: Denis McMahon

Prev by Date: RE: [Full-Disclosure] Re:
Next by Date: RE: [Full-Disclosure] Virus Problem
Previous by thread: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner
Next by thread: RE: [Full-Disclosure] broken virus / worm email has attachment not found by grisoft proxy scanner
Index(es):
- Date
- Thread