Cannot detect viruses

  • Thread starter George Del Monte

George Del Monte

Recently, my Norton Anti-Virus has begun NOT quarantining some (but not all)
virus payloads contained in a ZIPped file, leading me to wonder how this
could happen. Fortunately, I'm not the sort that indiscriminately opens
attachments from people I don't know, so the virus sender is wasting my
time. Any ideas how this could happen? Does this mean virus-creating
scumbags have found a way to avoid detection?
 

Dave Budd

Recently, my Norton Anti-Virus has begun NOT quarantining some (but not all)
virus payloads contained in a ZIPped file, leading me to wonder how this
could happen. Fortunately, I'm not the sort that indiscriminately opens
attachments from people I don't know, so the virus sender is wasting my
time. Any ideas how this could happen? Does this mean virus-creating
scumbags have found a way to avoid detection?
One trick they used to use was to embed the files in folders within
folders within.... and most scanners have a depth limit they'll search
to in zips.
 

Bill

George Del Monte said:
Recently, my Norton Anti-Virus has begun NOT quarantining some (but not all)
virus payloads contained in a ZIPped file, leading me to wonder how this
could happen. Fortunately, I'm not the sort that indiscriminately opens
attachments from people I don't know, so the virus sender is wasting my
time. Any ideas how this could happen? Does this mean virus-creating
scumbags have found a way to avoid detection?


What makes you think Norton would detect them in the first place?
 

Gabriele Neukam

On that special day, George Del Monte, ([email protected]) said...
Norton Anti-Virus has begun NOT quarantining some (but not all)
virus payloads contained in a ZIPped file, leading me to wonder how this
could happen.

If the zipfile is password protected, Norton cannot examine it, no
matter whether the file is actually zipped, or only "passworded".


Gabriele Neukam

(e-mail address removed)
 

buzz Light Beer

On that special day, George Del Monte, ([email protected]) said...


If the zipfile is password protected, Norton cannot examine it, no
matter whether the file is actually zipped, or only "passworded".


Gabriele Neukam
This is a feature that Kaspersky 5 personal has that I really like.
If it sees a password file it will prompt you for the password in
order to scan it....I have never had NAV 2003 pop up such a
prompt....so I just assumed it scanned it.......very interesting ;)
/ bLB
 

George Del Monte

What makes you think Norton would detect them in the first place?

Well, I think Norton's COULD (if conditions were right) detect them because
their (the virus) definitions ARE in my Norton database. I checked other
quarantined virus-containing files and they contained the same virus
(Sober). Another responder to my post opined that the virus was not
discovered because it was several layers deep (folders within folders within
folders), deeper than the anti-virus software searches during message
downloading. However, a "Scan my computer" done later DID find the virus
that the eMail scan failed to detect. My guess is: the scan of eMail is more
superficial than a local hard drive scan.

What do you think?
 

George Del Monte

Gabriele, then how would the virus be unleashed if the ZIPped file were
password protected? That step seems to be a counter-productive one for a
"virus distributor" if it requires a password to open the payload-containing
file. Please explain further.
 

FromTheRafters

George Del Monte said:
Gabriele, then how would the virus be unleashed if the ZIPped file were
password protected?

It only requires that a user unzip (using the password supplied in the
e-mail body) and execute it, such users are not rare (enough) to be
a significant problem for a worm. It demonstrates exactly where the
weakest link lies in any computer security system. In addition, the
file when unzipped will have escaped the security zone in which the
e-mail client resides, and landed in the "My Computer" zone which
usually has much less security. I think that this particular worm isn't
concerned with that however, and is only zipped so that simple filters
won't stop it from reaching users - many places don't allow some
filetypes as attachments (.scr, .exe, .bat, .pif ...etc...) but .zips are
allowed.
That step seems to be a counter-productive one for a
"virus distributor" if it requires a password to open the payload-containing
file. Please explain further.

Basically, there is no shortage of clueless users - so even such a tactic
is worthy of consideration. The earlier versions of this worm showed,
even more, just how easily people are duped into executing malware.
 

George Del Monte

That was a very clear explanation but it leads to another puzzle of a sort.
I still had four messages in my Inbox carrying virus payloads, so I
re-examined them. Two had their viruses quarantined by Norton's. Their virus
payloads had each been replaced by text files, one saying: This file:
"EM.cruzio.eml.zip" was infected with the: "W32.Sober.G@mm" virus; the
other: This file: "EM.enliven_9400.TXT.zip" was infected with the:
"W32.Sober.G@mm" virus. The other two messages had their ZIPped files
intact, no doubt carrying viruses. These were the two whose virus payloads
escaped detection by NortonAV. One of these, the 3rd one, had a simple
password in the Subject line; the other no password, but it glibly said
"+-+-+ X- Mail_Scanner: No Virus found" and, now get this, by a non-existent
Anti-virus service at my domain! Hoo boy! What a comfort that brings!

The 4th message is the puzzle: it did not include a password. I figure it
had a virus several layers deep, beyond Norton's scan limitation (if this is
a technical problem, I'm not savvy enough to discuss it), or it simply was a
ruse to send an innocuous file to disarm me and hope I'd open the next
ZIPped file carrying a knockout punch. This message also said "+-+-+
Mail-Attachment: No Virus found" presumably added by my domain. Yeah, right!
 

Snowsquall

I have Norton.
I have got a few Bagles (Beagles) and Norton used to put them in the
quarantine "backup" folder and identified them as Beagle@mm!zip
But the last Beagle was not detected.
Please NOTE: *Do not try this at home* Do not do as I did *unless* you know
what you are doing.
I carefully saved the attachment of that last zip file to a floppy and then
_extracted_ (*not opened*) the zip and I had to use the password provided to
get it extracted. Norton then detected it as Beagle F. Then I fished a
Beagle@mm!zip out of quarantine backup and tried to extract it but
auto-protect sent it back to quarantine so I turned auto-protect off and
then carefully extracted it. There appeared to be a folder and I was about to
*open* it (normally it's OK to open folders) when I noticed the *.exe!! I
then remembered something about that trick. I then scanned it and it was
also Beagle F. Then I went back to the zipped file that had not been
detected and extracted it (with auto-protect off) and a "folder" appeared
again. I scanned the "folder" and it was detected as Beagle F. So it is a
mystery to me as well as to why earlier such attachments are stopped by
Norton and this latest one was not. That can be dangerous to those who leave
their auto-protect off and just rely on their email scanners.
 

Dave Budd

Gabriele, then how would the virus be unleashed if the ZIPped file were
password protected? That step seems to be a counter-productive one for a
"virus distributor" if it requires a password to open the payload-containing
file. Please explain further.
They put the pw in the mail body. "Social engineering" - some people
think it "must be real" if somebody went to the trouble of zipping and
passwording... so they open it.
 

Jason Wade

They put the pw in the mail body. "Social engineering" - some people
think it "must be real" if somebody went to the trouble of zipping and
passwording... so they open it.

It makes for an interesting problem for av software.
How is it going to check inside something like that?
(a password protected zip file)
 

Dave Budd

It makes for an interesting problem for av software.
How is it going to check inside something like that?
(a password protected zip file)
Well... you might hook the file when the zip unzips.
Or you might say, "There's only so much we can do. If people are going
to be terminally stupid, tough shit"
 

null

It makes for an interesting problem for av software.
How is it going to check inside something like that?
(a password protected zip file)

KAV literally reads the password in the message portion of the email
and uses it to unzip and scan the files "within". There are also
various methods used by av to alert on "known" password protected zips
without unzipping them ... which are quite prone to potential false
alarms. For example, known pw protected zips carrying malware may use
a particular and unusual kind of zip method ... and also it can be
seen "from the outside", as it were, that the zip "contains" a .exe.
So the av can do some "guessing" or crude heuristics to say that the
zip _may_ be dangerous. The alert, if done correctly, would include
the word "suspicious", but not all av are that honest :)


Art
http://www.epix.net/~artnpeg
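Art's "from the outside" heuristics above, together with Dave Budd's earlier point about scanners having a nesting depth limit, as an added Python example that is not part of the thread: it reads only the zip central directory, flags entries whose encrypted bit is set (the passworded case Norton cannot open) and entries with executable names, follows plain nested zips down to a depth cap, and reports anything deeper as uninspected rather than clean. The sample archives, the MAX_DEPTH value and the extension list are constructed for this example.

```python
import io
import zipfile

# Extensions the thread notes mail filters commonly block but zips smuggle through
EXEC_EXTS = (".exe", ".scr", ".bat", ".pif", ".com")
MAX_DEPTH = 3  # constructed nesting cap, standing in for a scanner's depth limit

def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Central-directory heuristics: never opens encrypted entries, follows plain
    nested zips only down to MAX_DEPTH and flags anything deeper as uninspected."""
    if depth > MAX_DEPTH:
        return [f"nested deeper than {MAX_DEPTH}: not inspected (suspicious)"]
    zf = zipfile.ZipFile(io.BytesIO(data))
    findings = []
    for info in zf.infolist():
        name = info.filename.lower()
        encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
        if encrypted:
            findings.append(f"{name}: encrypted entry, payload cannot be scanned")
        if name.endswith(EXEC_EXTS):
            findings.append(f"{name}: executable name visible without extracting")
        if name.endswith(".zip") and not encrypted:
            findings += [f"{name} -> {f}" for f in inspect_zip(zf.read(info), depth + 1)]
    return findings

def mark_encrypted(data: bytes, name: bytes) -> bytes:
    """Fixture helper: set the encrypted bit on one central-directory record, since
    zipfile cannot write encrypted entries; the scanner then sees a passworded zip."""
    buf, pos = bytearray(data), data.find(b"PK\x01\x02")
    while pos != -1:
        name_len = int.from_bytes(buf[pos + 28:pos + 30], "little")
        if bytes(buf[pos + 46:pos + 46 + name_len]) == name:
            buf[pos + 8] |= 0x01  # flags field of the central directory header
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)

def build_samples() -> dict[str, bytes]:
    """Constructed fixtures, not real malware: harmless bytes under telling names."""
    def make(entries):
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as z:
            for n, d in entries.items(): z.writestr(n, d)
        return out.getvalue()
    deep = exe = make({"photo.exe": b"MZ placeholder"})
    for i in range(5):  # five layers of zip-in-zip, well past MAX_DEPTH
        deep = make({f"layer{i}.zip": deep})
    return {"clean": make({"notes.txt": b"plain text"}),
            "nested_exe": make({"folder.zip": exe}),
            "passworded": mark_encrypted(make({"doc.exe": b"x"}), b"doc.exe"),
            "deep": deep}
```

Run `inspect_zip(build_samples()["deep"])` to see the depth-limit verdict: the scanner stops at layer1.zip and says so instead of reporting the archive clean.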
 

FromTheRafters

George Del Monte said:
That was a very clear explanation but it leads to another puzzle of a sort.
I still had four messages in my Inbox carrying virus payloads, so I
re-examined them. Two had their viruses quarantined by Norton's. Their virus
payloads had each been replaced by text files, one saying: This file:
"EM.cruzio.eml.zip" was infected with the: "W32.Sober.G@mm" virus; the
other: This file: "EM.enliven_9400.TXT.zip" was infected with the:
"W32.Sober.G@mm" virus. The other two messages had their ZIPped files
intact, no doubt carrying viruses.

I don't know much about how the AVs are tackling this 'passworded zip'
or 'zip' problem. I never thought that it was necessary to scan within zipped
files automatically anyway, I always thought that some things should be left
up to the users to do themselves. AVs insist on enabling users to be very lazy
about the way they apply "safe practices", and this is, in part, what led to this
problem.

It may be that the ones that they know about are captured and iterated
a large number of times so that the AV has a good idea of what the many
iterations look like to the scanner. Sometimes the "large number" is some
degree smaller than the number of possible iterations - and some aren't
getting detected as a result.
These were the two whose virus payloads
escaped detection by NortonAV. One of these, the 3rd one, had a simple
password in the Subject line; the other no password, but it glibly said
"+-+-+ X- Mail_Scanner: No Virus found" and, now get this, by a non-existent
Anti-virus service at my domain! Hoo boy! What a comfort that brings!

Almost as comforting as the sig lines some AVs put on scanned e-mails.
Many here have predicted that malware would do this eventually. I'm
more likely to believe the statement "No Virus Found" to be legitimate
than I would a statement such as "Certified Virus Free".
The 4th message is the puzzle: it did not include a password. I figure it
had a virus several layers deep, beyond Norton's scan limitation (if this is
a technical problem, I'm not savvy enough to discuss it), or it simply was a
ruse to send an innocuous file to disarm me and hope I'd open the next
ZIPped file carrying a knockout punch. This message also said "+-+-+
Mail-Attachment: No Virus found" presumably added by my domain. Yeah, right!

Still, if it *really is* a zipped executable, it should be scannable once
extracted, and if known to the scanner should be identifiable. Anyway,
there's no reason for anyone doing anything other than deleting such an
e-mail - it is obviously not something that they were expecting to receive.
 

FromTheRafters

Snowsquall said:
I have Norton.
I have got a few Bagles (Beagles) and Norton use to put them in the
quarantine "backup" folder and identified them as Beagle@mm!zip
But the last Beagle was not detected.

As long as they detect it after I have unzipped it and scanned it, I will
be happy. I don't expect much from e-mail scanning or scanning within
archive files.
Please NOTE: *Do not try this at home* Do not do as I did *unless* you know
what you are doing.
I carefully saved the attachment of that last zip file to a floppy and then
_extracted_ (*not opened*) the zip and I had to use the password provided to
get it extracted. Norton then detected it as Beagle F. Then I fished a
Beagle@mm!zip out of quarantine backup and tried to extract it but
auto-protect sent it back to quarantine so I turned auto-protect off and
then carefully extracted it. There appeared to be a folder and was about to
*open* it (normally its OK to open folders) when I noticed the *.exe!!

Opening *some* folders can be dangerous, and judging something to be
a folder (or anything) based solely on its icon is dangerous - as you see,
an .exe can have any icon the programmer designs.
I then remembered something about that trick. I then scanned it and it was
also Beagle F. Then I went back to the zipped file that had not been
detected and extracted it (with auto-protect off) and a "folder" appeared
again. I scanned the "folder" and it was detected as Beagle F. So it is a
mystery to me as well as to why earlier such attachments are stopped by
Norton and this latest one was not. That can be dangerous to those who leave
their auto-protect off and just rely on their email scanners.

....or to those who leave their brain off and let their clickyfingers do their
thing.

Does anybody actually leave their protection solely up to their e-mail
scanning - yikes! You know, I believe that you are correct that some
do actually do this - soon these people will be moving to Linux and
doing away with AV altogether.
 

Bart Bailey

In Message-ID:<[email protected]> posted on Tue, 8 Jun
I never thought that it was necessary to scan within zipped
files automatically anyway, I always thought that some things should be left
up to the users to do themselves. AVs insist on enabling users to be very lazy
about the way they apply "safe practices", and this is, in part, what led to this
problem.

Such unachievable, or poorly achievable, ambitions as decompressing
archives were responsible for F-Prot losing much esteem IMO.
Then their attitude of saying "****it" to the DOS scan engine, and
refusing to fix its inability to either ignore, or accommodate the
latest and best WinRar compression algorithm, displays a contemptuous
arrogance toward their present and any future customers.

WinRar rules
f-prot drools
 

Bart Bailey

In Message-ID:<[email protected]> posted on Tue, 8 Jun
Does anybody actually leave their protection solely up to their e-mail
scanning - yikes! You know, I believe that you are correct that some
do actually do this

Judging by the frequency of posts discussing issues with mail scanning
and subsequent disposition of suspect mail and/or its attackments, I'd
guess that more than a few rely on some windows based application to
perform concierge service in lieu of their own common sense.
- soon these people will be moving to Linux and
doing away with AV altogether.

then come back here bitching about how:
"they told me *nix was immune to virii" ;-)
 

FromTheRafters

Bart Bailey said:
In Message-ID:<[email protected]> posted on Tue, 8 Jun


Such unachievable, or poorly achievable, ambitions as decompressing
archives was responsible for F-Prot losing much esteem IMO.
Then their attitude of saying "****it" to the DOS scan engine, and
refusing to fix its inability to either ignore, or accommodate the
latest and best WinRar compression algorithm, displays a contemptuous
arrogance toward their present and any future customers.

They should concentrate on compression algorithms as they relate
to runtime decompression executables so that such executables
can be scanned. A regular compressed or otherwise archived
program file does not present a threat until it is decompressed or
un-archived. Granted, there may be some need to prevent the
clueless from even getting the chance to execute the contained
malware, and automating the process would require some kind
of scanning within archives, but there is a way to attain this through
policy as well.
 
