Merit Network Email List Archives: Network Security

Historical FW: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]

  • From: Howell, Paul
  • Date: Wed Mar 03 13:37:03 2004


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Worona
Sent: Wednesday, March 03, 2004 11:49 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]


Here's MIT's solution, from another list.  It's a slight variation on Cam's.
Steve

At 12:39 AM -0500 3/3/04, Jeffrey I. Schiller wrote:
>Actually, you don't have to go that far. Turns out that all of these 
>worm variants are shipped in ZIP files whose first (and only)
>component is "stored" (as opposed to "deflated"). They are also marked 
>as Version 1.0 zip files while most tools these days label their ZIP 
>files as version 2.0 (or more).
>
>All you need to block are ZIP files which begin with:
>
>UEsDBAoAAAAAA or UEsDBAoAAQAAA.
>
>The first variant blocks all ZIP files of version 1.0 with the first 
>component stored. The second variant is different in only one bit 
>(under the base 64 encoding). Specifically this variant has the 
>"encrypted" bit set to catch the latest Bagle variant that arrives 
>password protected.
>
>We are currently using these two strings quite successfully.
>
>                      -Jeff

-----
At 9:52 AM -0600 3/3/04, Cam Beasley, ISO wrote:
>A more accurate procmail rule for the password protected .ZIP files
>generated by the Bagle.J worm might be:
>
>:0B
>* ^UEsDBAoAAQAAA
>* > 17000
>* < 36000
>* password
>some/folder
>
>Dramatically reduces false positives.
>
>Hope this helps,
>
>~cam.
>
>Cam Beasley
>ITS/Information Security Office
>The University of Texas at Austin
>cam@austin.utexas.edu
>---------------------------
>Report Abuse To:
>- abuse@utexas.edu
>- 512.475.9242
>---------------------------
>
>> -----Original Message-----
>> From: The EDUCAUSE Security Discussion Group Listserv 
>> [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cam Beasley, ISO
>> Sent: Tuesday, March 02, 2004 23:57
>> To: SECURITY@LISTSERV.EDUCAUSE.EDU
>> Subject: [SECURITY] Filtering Password Protected .ZIPs [Bagle.J]
>>
>>
>> It is possible to filter ONLY password protected .zip files
>> (including the Bagle.I-J variants) by using the following base64
>> string in a procmail rule (or IDS, IPS) so that further analysis can
>> be conducted:
>>
>>         UEsDBAoAAQAAA
>>
>> Note that this primitive method of filtering could result in
>> unanticipated collateral damage (e.g. undelivered e-mail).
>>
>> ~cam.
>>
>> Cam Beasley
>> ITS/Information Security Office
>> The University of Texas at Austin
>> cam@mail.utexas.edu
>> ---------------------------
>> Report Abuse To:
>> - abuse@utexas.edu
>> - 512.475.9242
>> ---------------------------
>>
>> > -----Original Message-----
>> > From: The EDUCAUSE Security Discussion Group Listserv 
>> > [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Lane
>> > Sent: Tuesday, March 02, 2004 22:48
>> > To: SECURITY@LISTSERV.EDUCAUSE.EDU
>> > Subject: Re: [SECURITY] Bagle.j out
>> >
>> >
>> > We have just re-enabled ZIPs and EXEs due to 'popular demand' 
>> > despite elaborating on the potential risk of doing so.  It would 
>> > appear that the ease of email based file distribution overrides any 
>> > virus damage that might occur.
>> >
>> > Tim
>> >
>> >
>> >
>> > At 11:31 PM 2/03/2004 -0500, you wrote:
>> > >Jason Richardson wrote:
>> > >>Question: has anyone resorted to dropping ZIPs and/or other
>> > >>attachments at your gateways until/unless this storm passes?  I
>> > >>mentioned in a meeting that I would be proposing it to my management
>> > >>and received the predictable reaction, i.e., "you can't block ZIPs, we
>> > >>won't be able to do business."  Of course I was not deterred but
>> > >>I also haven't been given clearance to block the attachments.
>> > >
>> > >We've been stripping zips on and off for the past several weeks as
>> > >activity dictates. When the server strips the attachment, it forwards
>> > >the message intact with information about what was blocked and how to
>> > >get it if they really want it (notify sender to rename).
>> > >
>> > >--
>> > >Gary Flynn
>> > >Security Engineer - Technical Services
>> > >James Madison University
>> > >
>> > >**********
>> > >Participation and subscription information for this EDUCAUSE Discussion
>> > >Group discussion list can be found at http://www.educause.edu/cg/.
>> >
>> > Tim Lane
>> > Information Security Program Manager
>> >
>> > Information Technology and Telecommunication Services
>> > Southern Cross University, PO Box 157 Lismore NSW 2480
>> >
>> > Ph:  61 2 6620 3290
>> > Fax: 61 2 6620 3033
>> > Email: tlane@scu.edu.au
>> > http://www.scu.edu.au
>> >
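The two signatures in the thread, decoded, and Cam's procmail recipe emulated, as an added example that is not part of any message above. It uses only Python's standard library; the single-entry archive and the two sample mails it builds are constructed here and stand in for the worm attachments the thread describes (the payload is not really encrypted, only the flag bit is set). Decoding "UEsDBAoAAAAAA" yields 50 4B 03 04 0A 00 00 00 00 plus the top six bits of a tenth byte: the local file header signature, version needed 0x000A (1.0), a zero flag word, and compression method 0 (stored). "UEsDBAoAAQAAA" differs only in the flag word, 0x0001, the encryption bit, and 'A' and 'Q' differ in one bit of their six-bit base64 values, which is Jeff's "one bit" remark. An archive written by Python's own zipfile module is included for contrast: it is stored but labelled version 2.0, so the first signature does not match it.

```python
# Added example, not from the posts in the thread: decodes the two base64
# signatures, shows which ZIP local-file-header fields they pin down, and
# emulates the procmail recipe over constructed sample messages.
import base64
import io
import re
import struct
import zipfile

# First ten bytes of a PKZIP local file header (little-endian): signature,
# version needed to extract (10 = 1.0, 20 = 2.0), general purpose bit flag
# (bit 0 = entry is encrypted), compression method (0 = stored, 8 = deflated).
HEADER_HEAD = struct.Struct("<4sHHH")
# Rest of the fixed header: mod time, mod date, CRC-32, compressed size,
# uncompressed size, file name length, extra field length.
HEADER_TAIL = struct.Struct("<HHIIIHH")
ZIP_LOCAL_SIG = b"PK\x03\x04"

# The two base64 prefixes quoted in the thread.
SIG_STORED_V10 = "UEsDBAoAAAAAA"
SIG_STORED_V10_ENCRYPTED = "UEsDBAoAAQAAA"


def header_prefix_b64(version_needed, flags, method):
    """Base64 of the first ten header bytes for the given field values."""
    raw = HEADER_HEAD.pack(ZIP_LOCAL_SIG, version_needed, flags, method)
    return base64.b64encode(raw).decode()


def parse_local_header(data):
    """The three fields the signatures pin down, read from raw ZIP bytes."""
    sig, version, flags, method = HEADER_HEAD.unpack_from(data, 0)
    if sig != ZIP_LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    return {"version_needed": version, "encrypted": bool(flags & 1), "method": method}


def which_signature(b64_text):
    """Which of the thread's two prefixes the base64 text starts with, if any."""
    if b64_text.startswith(SIG_STORED_V10_ENCRYPTED):
        return "stored, v1.0, encrypted"
    if b64_text.startswith(SIG_STORED_V10):
        return "stored, v1.0"
    return None


def attachment_b64(data):
    """Single-line base64 of an attachment, as a filter would see its start."""
    return base64.b64encode(data).decode()


def build_zip(name, payload, encrypted):
    """Constructed single-entry archive: local header plus entry data only.
    No central directory is written (the prefix match never reads it) and
    the payload is not really encrypted; only the flag bit is set."""
    head = HEADER_HEAD.pack(ZIP_LOCAL_SIG, 10, 1 if encrypted else 0, 0)
    tail = HEADER_TAIL.pack(0, 0, 0, len(payload), len(payload), len(name), 0)
    return head + tail + name + payload


def modern_stored_zip():
    """A stored archive written by Python's zipfile, for contrast: a current
    tool labels it version 2.0, so the 1.0 signature does not match it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("doc.txt", b"hello")
    return buf.getvalue()


def build_sample_message(encrypted):
    """Constructed mail shaped like the thread describes: a base64 ZIP
    attachment, with the word 'password' in the text only when encrypted."""
    zipped = build_zip(b"doc.zip", b"\x00" * 14000, encrypted)
    attachment = base64.encodebytes(zipped).decode()
    note = "The password for the archive is 12345.\n" if encrypted else "See attached.\n"
    return ("From: sender@example.invalid\nSubject: test\n"
            "Content-Type: multipart/mixed; boundary=B\n\n"
            "--B\n\n" + note + "--B\nContent-Transfer-Encoding: base64\n\n"
            + attachment + "--B--\n")


def cam_rule_matches(message):
    """Emulation of Cam's procmail recipe. `:0B` tests the conditions against
    the body, `^` anchors at the start of any body line, and procmail regexps
    are case-insensitive by default. Assumption: the two size bounds are
    applied to the whole message here."""
    body = message.split("\n\n", 1)[1] if "\n\n" in message else ""
    size = len(message.encode())
    return (re.search(r"^UEsDBAoAAQAAA", body, re.M) is not None
            and 17000 < size < 36000
            and re.search(r"password", body, re.I) is not None)


if __name__ == "__main__":
    for ver, flags, method in ((10, 0, 0), (10, 1, 0), (20, 0, 8)):
        print(ver, flags, method, header_prefix_b64(ver, flags, method))
    print(which_signature(attachment_b64(modern_stored_zip())),
          parse_local_header(modern_stored_zip()))
    for enc in (False, True):
        print("encrypted" if enc else "plain", cam_rule_matches(build_sample_message(enc)))
```

Run directly, it prints the prefix for each header variant, what the zipfile-written archive looks like to the filter, and whether each constructed message trips the recipe. The size window and the word "password" are what make the recipe narrower than the bare prefix, which is the false-positive reduction Cam describes; that both still hold for a later variant is also the recipe's weak point, since either is trivial for a worm author to change.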
