PC Review
How does Sobig.E infect?

Matt Garretson
27th Jun 2003
I'm trying to figure out what exploit W32.Sobig.E@mm uses to
establish its infection. Since it's in a ZIP file, i don't
understand how the payload gets executed. Do some MS mail
readers automatically open ZIP attachments and run whatever's
in them? Is there a ZIP-related vulnerability that allows
code execution from an infected archive? Or does the worm
rely on people manually opening the ZIP file, and running
the enclosed PIF files explicitly?

Sorry if this is a dumb question, but all the reports i've
read about this worm skirt around the issue. Thanks...

-Matt
Jeffrey A. Setaro
27th Jun 2003
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> I'm trying to figure out what exploit W32.Sobig.E@mm uses to
> establish its infection. Since it's in a ZIP file, i don't
> understand how the payload gets executed. Do some MS mail
> readers automatically open ZIP attachments and run whatever's
> in them? Is there a ZIP-related vulnerability that allows
> code execution from an infected archive? Or does the worm
> rely on people manually opening the ZIP file, and running
> the enclosed PIF files explicitly?
>
> Sorry if this is a dumb question, but all the reports i've
> read about this worm skirt around the issue. Thanks...
>


I think you'll find the only "exploit" W32/Sobig.E@mm relies on is stupid users
who blindly double-click anything and everything put in front of them.

--
Cheers-

Jeff Setaro
(E-Mail Removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
kurt wismer
28th Jun 2003
Matt Garretson wrote:
> I'm trying to figure out what exploit W32.Sobig.E@mm uses to
> establish its infection. Since it's in a ZIP file, i don't
> understand how the payload gets executed. Do some MS mail
> readers automatically open ZIP attachments and run whatever's
> in them?


maybe, but i don't think that's involved here...

> Is there a ZIP-related vulnerability that allows
> code execution from an infected archive?


maybe, but i don't think that's involved here...

> Or does the worm
> rely on people manually opening the ZIP file, and running
> the enclosed PIF files explicitly?


bingo!...

> Sorry if this is a dumb question, but all the reports i've
> read about this worm skirt around the issue. Thanks...


yeah, well, there are only so many ways to say "this worm relies on
people doing very stupid things in order to spread itself"...

--
"when surveys of all the world's countries are done,
canada frequently rates number one.
are we the best country? well we'll never know...
there's nowhere else we can afford to go."

FromTheRafters
29th Jun 2003

"Bart Bailey" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> On Fri, 27 Jun 2003 22:05:19 -0400, "FromTheRafters" <!(E-Mail Removed)>
> wrote:
>
> >I think that most do make mention of the ability for the worm
> >to write its executable into a startup folder on a networked
> >machine, this is an exploited vulnerability of the type that one
> >would normally consider to be a *real* vulnerability.

>
> WinZip has a self extracting version that will extract to various
> targets, *and* run an application when extracted, but it's an [exe], and
> has to be opened with a double click, instead of through the context
> menu to do that, although getting that click might not be so hard to do.


Yeah, true enough, it's just another click to a clickhappy fool.

Yet, what I referred to above was the "network awareness" of
the worm once running on the local machine. If remote machines
write share the startup folder(s), the worm spreads by exploiting
that vulnerability rather than by user clickhappiness alone.

> Remember the zipworm that wasn't even a WinZip product,
> but just spoofed the icon?


I remember hearing about it, but don't remember reading
any write-up about it. I guess you should never trust a file's
icon.

> >But those in charge of networks probably do consider human
> >nature to be the vulnerability most easily exploited, and the
> >hardest by far to control.

>
> Easier to control what they do,


By controlling what opportunities they are presented with.

> if your network won't pass anything to them that can be mishandled.


Absolutely, a risk management approach because you never
know what people will do next. Some have adopted this in
the form of filtering out files with extensions known to be used
on executable filetypes. But .zip files (that are even actually ZIP
files), were not blocked, and thus only move the possible threat
away by a click or two.


Bart Bailey
29th Jun 2003
On Sat, 28 Jun 2003 18:19:17 -0400, "FromTheRafters" <!(E-Mail Removed)>
wrote:

>Absolutely, a risk management approach because you never
>know what people will do next. Some have adopted this in
>the form of filtering out files with extensions known to be used
>on executable filetypes. But .zip files (that are even actually ZIP
>files), were not blocked, and thus only move the possible threat
>away by a click or two.


When you weigh the cleanup/restore time versus gateway extraction and
analysis of any file at its ultimate running form, it might make sense
to not allow any zipped file to pass either.

Bart
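The gateway approach that FromTheRafters and Bart argue for above (look at what is inside the archive, in its "ultimate running form", instead of trusting that an outer .zip extension is harmless) as an added worked example. This is not code from any poster in this thread; it assumes a mail gateway hands the filter the raw attachment bytes, the list of "Windows will run this on a double-click" extensions is an assumed policy list, and the sample archives are constructed in memory with a two-byte MZ stub standing in for the renamed executable a mass-mailer ships. It goes slightly beyond the thread in two ways: it sniffs the MZ header so a renamed executable is caught whatever it is called, and it recurses into nested ZIPs (refusing encrypted members it cannot inspect).

```python
import io
import posixpath
import zipfile

# Extensions that Windows will run on a double-click. PIF is on the list
# because a .pif that actually contains a PE image is executed as one.
# (Assumed policy list for this example; tune it to your own gateway.)
EXECUTABLE_EXTS = {
    "pif", "exe", "scr", "com", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "lnk",
}
MAX_NESTING = 3  # refuse to recurse forever into zip-in-zip-in-zip


def final_extension(name):
    """Return the last extension of an archive member, lower-cased.

    'movie.avi.scr' -> 'scr'; a double extension does not help the sender.
    """
    base = posixpath.basename(name).lower()
    return base.rsplit(".", 1)[1] if "." in base else ""


def inspect_zip(data, depth=0, prefix=""):
    """Walk an archive and return a list of reasons it should not pass.

    Checks each member's final extension *and* its leading bytes, and
    recurses into nested archives. An empty list means nothing executable
    was found.
    """
    label = prefix or "attachment"
    if depth > MAX_NESTING:
        return [f"{label}: nested deeper than {MAX_NESTING} levels, refusing to recurse"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Named .zip but not an archive: the name is lying, treat as hostile.
        return [f"{label}: not a valid ZIP archive"]

    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.flag_bits & 0x1:
                # Encrypted member: we cannot see its "ultimate running form".
                findings.append(f"{path}: encrypted member, cannot be inspected")
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            ext = final_extension(info.filename)
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{path}: executable extension .{ext}")
            if head[:2] == b"MZ":
                findings.append(f"{path}: MZ header, Windows executable regardless of name")
            if head == b"PK\x03\x04":
                # Nested archive: inspect its contents too.
                findings.extend(inspect_zip(zf.read(info), depth + 1, path))
    return findings


def verdict(data):
    """Return ('allow' | 'block', findings) for one attachment's raw bytes."""
    findings = inspect_zip(data)
    return ("block" if findings else "allow"), findings


def build_zip(members):
    """Helper to construct sample archives in memory for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_PE is just an 'MZ' signature plus padding, not
# real code; it stands in for the renamed executable a mass-mailer ships.
FAKE_PE = b"MZ" + b"\x00" * 62
BENIGN = build_zip({"report.txt": b"quarterly numbers\n"})
PIF_IN_ZIP = build_zip({"your_details.pif": FAKE_PE})
NESTED = build_zip({"inner.zip": build_zip({"movie.avi.scr": FAKE_PE})})
NOT_A_ZIP = b"plain text wearing a .zip name\n"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("pif-in-zip", PIF_IN_ZIP),
                       ("nested", NESTED), ("not-a-zip", NOT_A_ZIP)]:
        decision, why = verdict(blob)
        print(f"{name}: {decision}")
        for line in why:
            print(f"  - {line}")
```

The extension check alone would have caught a bare .pif; sniffing the first bytes is what catches the same file after someone renames it to .txt, and recursing is what stops "zip the zip" from moving the threat one more click away. Anything the filter cannot see (an encrypted member, a malformed archive) is treated as a reason to block rather than a reason to shrug, which is the risk-management stance the thread settles on.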