How does Sobig.E infect?

[Matt Garretson]

I'm trying to figure out what exploit W32.Sobig.E@mm uses to
establish its infection. Since it's in a ZIP file, i don't
understand how the payload gets executed. Do some MS mail
readers automatically open ZIP attachments and run whatever's
in them? Is there a ZIP-related vulnerability that allows
code execution from an infected archive? Or does the worm
rely on people manually opening the ZIP file, and running
the enclosed PIF files explicitly?

Sorry if this is a dumb question, but all the reports i've
read about this worm skirt around the issue. Thanks...

-Matt

 

[Jeffrey A. Setaro]

I'm trying to figure out what exploit W32.Sobig.E@mm uses to
establish its infection. Since it's in a ZIP file, i don't
understand how the payload gets executed. Do some MS mail
readers automatically open ZIP attachments and run whatever's
in them? Is there a ZIP-related vulnerability that allows
code execution from an infected archive? Or does the worm
rely on people manually opening the ZIP file, and running
the enclosed PIF files explicitly?

Sorry if this is a dumb question, but all the reports i've
read about this worm skirt around the issue. Thanks...

I think you'll the only "exploit" W32/Sobig.E@mm relies is stupid users
who blindly double-click anything and everything put in front them.

--
Cheers-

Jeff Setaro
(e-mail address removed)
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[kurt wismer]

I'm trying to figure out what exploit W32.Sobig.E@mm uses to
establish its infection. Since it's in a ZIP file, i don't
understand how the payload gets executed. Do some MS mail
readers automatically open ZIP attachments and run whatever's
in them?

maybe, but i don't think that's involved here...

Is there a ZIP-related vulnerability that allows
code execution from an infected archive?

maybe, but i don't think that's involved here...

Or does the worm
rely on people manually opening the ZIP file, and running
the enclosed PIF files explicitly?
bingo!...

Sorry if this is a dumb question, but all the reports i've
read about this worm skirt around the issue. Thanks...

yeah, well, there are only so many ways to say "this worm relies on
people doing very stupid things in order to spread itself"...

 

[FromTheRafters]

I think that most do make mention of the ability for the worm
to write its executable into a startup folder on a networked
machine, this is an exploited vulnerability of the type that one
would normally consider to be a *real* vulnerability.

WinZip has a self extracting version that will extract to various
targets, *and* run an application when extracted, but it's an [exe], and
has to be opened with a double click, instead of through the context
menu to do that, although getting that click might not be so hard to do.

Yeah, true enough, it's just another click to a clickhappy fool.

Yet, what I referred to above was the "network awareness" of
the worm once running on the local machine. If remote machines
write share the startup folder(s), the worm spreads by exploiting
that vulnerability rather than by user clickhappiness alone.

Remember the zipworm that wasn't even a WinZip product,
but just spoofed the icon?

I remember hearing about it, but don't remember reading
any write-up about it. I guess you should never trust a files
icon.

Easier to control what they do,

By controlling what opportunities they are presented with.

if your network won't pass anything to them that can be mishandled.

Absolutely, a risk management approach because you never
know what people will do next. Some have adopted this in
the form of filtering out files with extensions known to be used
on executable filetypes. But .zip files (that are even actually ZIP
files), were not blocked, and thus only move the possible threat
away by a click or two.

 

[Bart Bailey]

Absolutely, a risk management approach because you never
know what people will do next. Some have adopted this in
the form of filtering out files with extensions known to be used
on executable filetypes. But .zip files (that are even actually ZIP
files), were not blocked, and thus only move the possible threat
away by a click or two.

When you weigh the cleanup/restore time versus gateway extraction and
analysis of any file at its ultimate running form, it might make sense
to not allow any zipped file to pass either.

Bart