Security Incidents mailing list archives

Re: recent sadmin worm


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Wed, 16 May 2001 09:01:37 +1300

Ryan Russell <ryan () securityfocus com> wrote:

> Yup.  Most mail antivirus setups will react to all kinds of stuff,
> including keywords and file types.

Yep, but note that often it is the "content management" wrapper, not 
the virus scanner per se that does the really silly stuff.  For 
example, several gateways will bounce this message because of this 
line:

   CreateObject

and will most likely tell me the message is being rejected because it 
contains "potentially dangerous VBS" or "VBS code commonly found in 
viruses".  The slightly less braindead virus/content scanning 
gateways will, however, not be upset by that line, and might 
ordinarily be quite happy to let this message through.  But we can 
easily pick a few more of them out with this line:

   CreateObject("Scripting.FileSystemObject")

and a few may just need to see something like this:

   Set FSO = CreateObject("Scripting.FileSystemObject")

before being upset enough with me to block the message.

I'm sure the people that wrote and/or configured these systems think
they are doing a really good job of securing their networks, but
because of their stupidity they will be missing out on messages they
should see, such as ones that mention these idiocies and point out
how easily such filters are bypassed (as I did in a recent post to
another Security Focus mailing list).

> If you want to avoid finding out who is running what virus gateway, put
> the file in a password-protected .zip file.  You'll only get replies from
> a handful of gateways that block .zips.  Include the password in the note.
>
> The only downside here is that I believe this limits the people who can
> open the file to Windows users, maybe Mac.

InfoZip's unzip should handle password protected zip files on every 
platform it has been ported to...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

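Added example, not part of the thread above: the kind of keyword "content management" filter the message describes, beside one that only scans parts that could actually execute (script attachments by filename), so a plain-text post that merely mentions CreateObject is not bounced. The sample messages, addresses and attachment name are constructed for the example.

```python
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The three strings quoted in the message, in increasing specificity.
VBS_KEYWORDS = (
    "CreateObject",
    'CreateObject("Scripting.FileSystemObject")',
    'Set FSO = CreateObject("Scripting.FileSystemObject")',
)
# Extensions treated as script attachments (assumed list for the example).
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def naive_filter(raw: str) -> bool:
    """Bounce if any keyword appears anywhere in the raw message text."""
    return any(k in raw for k in VBS_KEYWORDS)


def part_is_script(part: Message) -> bool:
    name = part.get_filename() or ""
    return name.lower().endswith(SCRIPT_EXTENSIONS)


def attachment_filter(raw: str) -> bool:
    """Bounce only when a script-named attachment contains a keyword;
    text/plain discussion is never inspected."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if not part_is_script(part):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("latin-1", errors="replace")
        if any(k in text for k in VBS_KEYWORDS):
            return True
    return False


def build_sample(with_script: bool) -> str:
    """Constructed mail: a note that mentions the keyword in prose,
    optionally carrying a .vbs attachment that really contains it."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "Re: recent sadmin worm"
    msg.attach(MIMEText("Several gateways bounce mail that merely says "
                        "CreateObject in passing.\n", "plain"))
    if with_script:
        body = b'Set FSO = CreateObject("Scripting.FileSystemObject")\r\n'
        att = MIMEApplication(body, Name="sample.vbs")
        att.add_header("Content-Disposition", "attachment",
                       filename="sample.vbs")
        msg.attach(att)
    return msg.as_string()
```

The naive filter rejects the plain discussion (a false positive), while the attachment-aware filter lets it through and still rejects the message carrying the script.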
