Don't get the point of using an AV

chinabee
Groupie, Joined: 07 February 2005, Points: 50
Posted: 16 March 2005 at 9:11am
I don't get the point of using any AV software. I simply tell my SpamFilter to drop anything that can potentially carry a virus - including all zip files. For years, I haven't seen a single virus coming through and entering our system. I guess if you cannot afford to drop those emails, it would be a little different.
Desperado
Senior Member, Joined: 27 January 2005, Location: United States, Points: 1143
chinabee, Not all viruses are in the form of attachments and I guess you have been very lucky.
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com
chinabee
Groupie, Joined: 07 February 2005, Points: 50
Care to give some examples?
Desperado
Senior Member, Joined: 27 January 2005, Location: United States, Points: 1143
How about anything using "iframe". The attachment is NOT in the message but on a remote server. The iframe launches the download. Dan
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com
LogSat
Admin Group, Joined: 25 January 2005, Location: United States, Points: 4104
One of the simplest is a virus that exploits Microsoft's GDI+ vulnerability (CAN-2004-0200). ALL you need is an email with an inline infected JPG image...

Trying is believing. Download the sample jpg we have (do not open/preview jpg unless you're patched) at: http://logsat.com/SpamFilter/pub/temp/virus-jpeg.zip. The zip password is virus. Then include it in an email and send it through an email server that does not have antivirus running. There is no file extension filter that you can realistically use to block these. We've decided to make this info public as the source for these types of viruses is already easily available on the net, including the one for this particular variant, so we're not causing any additional harm, and hopefully we're increasing the awareness of administrators that viruses are harmful and any means available should be installed to stop them.
chinabee
Groupie, Joined: 07 February 2005, Points: 50
How would an AV help you when somebody designs a new virus with this technique?
LogSat
Admin Group, Joined: 25 January 2005, Location: United States, Points: 4104
chinabee,
That's exactly why you pay for AV software.... They have staff that finds the viruses and updates the patterns to detect them. If you had *any* decent AV software scanning on your mail server the virus you downloaded from my post would have been caught. The beta of SpamFilter's AV plugin for example catches it just fine.
Desperado
Senior Member, Joined: 27 January 2005, Location: United States, Points: 1143
Norman, like other AVs, constantly updates its definitions. Norman, unlike other AVs, has what it calls "Sand Box Technology". What this does is if it sees something that it feels is suspicious, it places it in a protected area (the sand box) and sees if it does anything "Virus Like".

From their site:

Norman Sandbox technology - the hows and whys. This article aims to explain a bit more in depth how Norman Sandbox really works and why it is different from other solutions out there. Norman Sandbox is a fully simulated computer. No code is executed on the real CPU except for the Norman Virus Control emulator engine; even the hardware in the simulated PC is emulated. See: http://www.norman.com/Virus/13927/en-us

Regards,
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com
chinabee
Groupie, Joined: 07 February 2005, Points: 50
This won't work on my system. I have a filter set up so that no executable file can be downloaded and only ports 80 and 443 are available to users. If the virus works on port 80, the filter will stop it from downloading anything executable.
LogSat
Admin Group, Joined: 25 January 2005, Location: United States, Points: 4104
chinabee,
That would actually work just fine bypassing all your filtering if the iframe simply causes the email client/browser to display, in the above case, the infected jpg. Also note that in this particularly nasty case, the email itself does not contain the attachment, so it will not be blocked. The email contains an iframe, which causes the *end-user's* PC to download the virus in the jpg. The only way to stop this is to either have an antivirus on the client PC, or to have an AV product scanning your HTTP traffic (such products do exist). The moral is, nobody is as secure as they think they are. There is usually a compromise in how much you are willing to risk and how many resources you're going to dedicate to protect your environment.
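The scanner below is an added example, not code from this thread or from LogSat's SpamFilter. It shows the check a mail gateway can apply to the case Dan and LogSat describe above: an HTML body whose iframe or img points at a remote server, so the payload is never an attachment and an attachment filter never sees it. The tag list, the function names and the sample body (which uses a reserved .invalid hostname) are the example's own construction.

```python
"""Flag HTML mail that would make the client fetch content from a remote host.

Added example, not the thread's code. A mail body carrying <iframe src="http://...">
contains no attachment, so an attachment/extension filter passes it; the fetch
happens on the end user's PC when the client renders the message. This parser
reports every tag/attribute pair that triggers such a fetch, which a gateway
policy can then strip, rewrite or quarantine.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and attributes that cause an automatic fetch with no user action.
# This list is the example's own choice (assumption), not from the thread.
REMOTE_FETCH_ATTRS = {
    "iframe": ("src",),
    "img": ("src",),
    "script": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
}


class RemoteContentFinder(HTMLParser):
    """Collects (tag, url) pairs that reference remote (network) resources."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_FETCH_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value and self._is_remote(value):
                self.findings.append((tag.lower(), value))

    @staticmethod
    def _is_remote(url):
        url = url.strip()
        parts = urlsplit(url)
        # "cid:" references point at inline MIME parts, which the attachment
        # filter does inspect; http(s) and protocol-relative URLs reach the network.
        if parts.scheme in ("http", "https"):
            return True
        return url.startswith("//")


def find_remote_content(html_body):
    """Return the list of (tag, url) remote references found in an HTML body."""
    parser = RemoteContentFinder()
    parser.feed(html_body)
    parser.close()
    return parser.findings


# Constructed sample body; the hostname is a placeholder, not a real site.
SAMPLE_BODY = """
<html><body>
<p>Hello, please see our new catalogue.</p>
<img src="cid:logo@example.invalid" alt="logo">
<iframe src="http://placeholder.example.invalid/promo.jpg" width="1" height="1"></iframe>
<img src="//placeholder.example.invalid/pixel.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_remote_content(SAMPLE_BODY):
        print(f"remote fetch via <{tag}>: {url}")
```

The inline cid: image is deliberately not reported: that part travels inside the message, so the normal attachment scan covers it. Only references that leave the mail and hit the network are the blind spot the thread is about.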
chinabee
Groupie, Joined: 07 February 2005, Points: 50
My filter is on HTTP traffic. How would IE download anything without an agreement from my filter?
LogSat
Admin Group, Joined: 25 January 2005, Location: United States, Points: 4104
...because the file is a jpeg, not an exe. Your filter, unless it checks the http stream for viruses, will not block it. If however the filter is blocking images, then yes, it will work, but your users are likely not going to be enjoying their browsing experience.
chinabee
Groupie, Joined: 07 February 2005, Points: 50
The JPEG file still needs to download and run malicious code/a program to infect. My firewall only allows HTTP/HTTPS traffic and my filter does not allow any user to download any executable files including zip files. Even though I received such JPEG files, they would still do no harm as they couldn't run any malicious code.
Desperado
Senior Member, Joined: 27 January 2005, Location: United States, Points: 1143
Perhaps you are seeing the word "download" and thinking that this is a download link or something. When you browse to a site that has any images on it (like most sites do) your browser downloads the images without you asking. Mail clients do the same. So, if I email you and embed an inline image tag, you will get the image. I can send an example if you want. Dan
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com
chinabee
Groupie, Joined: 07 February 2005, Points: 50
I understand that, but the JPEG file needs other code/program to work, doesn't it?
LogSat
Admin Group, Joined: 25 January 2005, Location: United States, Points: 4104
Not at all... there is nothing that needs to execute. The Windows DLL that decodes the JPG has a buffer overrun bug. With the buffer overrun a hacker can execute a program embedded in the JPG without the user having to run anything. All he needs to do is *view* the JPG.

... and to be more exact, they may not even have to *view* it. In some cases all that is needed is to *hover* over the file with the mouse. Windows will launch the DLL that decodes the JPG to extract its thumbnail. This is all that's needed for you to get infected, as the buffer overrun will kick in right away. In the JPG we attached in the zip, the buffer overrun will create a backdoor by running a reverse shellcode on the victim's PC, allowing the hacker to remote into the victim's PC and effectively having a remote command prompt on it.

Summary: ****there is no program that needs to run/download for the machine to be infected****
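Added example, not code from the thread or from SpamFilter's AV plugin. It implements the two content checks that LogSat's last two posts show an extension-only filter lacks: first, whether a file named .jpg actually begins with JPEG magic bytes (the "it's a jpeg, not an exe" point), and second, a walk over the JPEG marker segments that flags any segment whose length field is below 2, which is the malformed-input class behind the GDI+ bug (CAN-2004-0200) cited above: the publicly documented trigger for that bug is a comment (COM) segment with a length of 0 or 1, which the decoder reduced by 2 into a huge value. The walker, the sample byte strings and the function names are the example's own construction; checking one known trigger is a structural sanity check for a gateway, not a replacement for a signature-updated AV scan.

```python
"""Content checks for an inline or attached image at a mail gateway.

Added example (not the thread's code). Two independent checks:
  1. extension_matches_content: the file's magic bytes match its extension.
  2. jpeg_segment_findings: every JPEG marker segment has a sane length; a
     length field below 2 is impossible in a valid file (it includes its own
     two bytes) and is the malformed input class behind CAN-2004-0200.
"""
import struct

# Magic bytes per extension; the table is this example's own (assumption).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def extension_matches_content(filename, data):
    """True only if the extension is known and its magic bytes are present."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    return magic is not None and data.startswith(magic)


def jpeg_segment_findings(data):
    """Walk JPEG marker segments up to SOS/EOI and return a list of problems."""
    findings = []
    if not data.startswith(b"\xff\xd8"):
        return ["not a JPEG (missing SOI)"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:  # EOI: done
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated segment header at offset {pos}")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            # The length includes its own two bytes; 0 or 1 underflows a
            # decoder that computes payload = length - 2 unchecked.
            findings.append(f"marker 0x{marker:02X} at offset {pos} has length {length} (< 2)")
            break
        if pos + 2 + length > len(data):
            findings.append(f"marker 0x{marker:02X} at offset {pos} overruns file")
            break
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop walking
            break
        pos += 2 + length
    return findings


def scan_attachment(filename, data):
    """Return the list of reasons a gateway would reject this file (empty = clean)."""
    reasons = []
    if not extension_matches_content(filename, data):
        reasons.append("extension does not match content")
    if data.startswith(b"\xff\xd8"):
        reasons.extend(jpeg_segment_findings(data))
    return reasons


# Constructed samples (not real files): SOI + minimal JFIF APP0 header ...
_HEADER = b"\xff\xd8" + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
# ... followed by a well-formed COM segment ("hello", length 7) and EOI,
GOOD_JPEG = _HEADER + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
# ... or by a COM segment whose length field is 0, then EOI.
BAD_JPEG = _HEADER + b"\xff\xfe\x00\x00" + b"\xff\xd9"
# An executable header renamed to .jpg (constructed, truncated on purpose).
FAKE_JPEG = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in (("ok.jpg", GOOD_JPEG), ("card.jpg", BAD_JPEG), ("photo.jpg", FAKE_JPEG)):
        print(name, scan_attachment(name, blob) or "clean")
```

The walker stops at the start-of-scan marker because entropy-coded data is not a marker table; for a gateway check the metadata segments before it (APPn, COM, DQT, DHT, SOF) are where a length-field problem would sit.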