[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 18 18:58:44 GMT 2004


John, list,

> On Wed, 2004-02-18 at 09:02, Erik van Straten wrote:
> > IMPORTANT: Current NAV LiveUpdate AV-defs do NOT detect it yet!

Good, I just downloaded/updated Symantec NAVCE defs 02/18/04 rev. 7;
it does detect Netsky.B - thanks Symantec!

On Wed, 18 Feb 2004 09:30:12 -0800 John Hardin wrote:
> Which is one reason why proactive security should be a part of the mix.
> If you drop all messages with executable file attachments as your
> security policy, you don't have the AV vulnerability window.

I agree that more can be done regarding .pif, .com etc. attachments.

However, there were zip files too (I expect a lot of resistance if
we're going to drop zip files, perhaps depending on whether they
contain one or more executable files, or files that just *seem*
executable, e.g. batchfiles or other scripts, including perl, python
etc).

Also, we will probably see viruses in password protected zip files
soon. Furthermore, once admins massively start blocking attachments
with certain file extensions, people will get used to renaming files
they receive. It is just a matter of time until viruses are sent as
.txt and people are asked to rename them into whatever. Some people
are curious and clueless - we do have to live and work with them.

Some people advocate to have cars in Dutch cities drive max. 30 km/hr
because it will decrease the number of traffic casualties (I'm sure
it will). Decreasing to 5 km/hr (walking speed) will save even more
lives...

We may as well prohibit all email attachments.

We desperately need *smart* and *fast* solutions for SMTP problems.
I've not seen a single useful solution that cannot be bypassed, and
at the same time will not render legitimate use of SMTP problematic,
if not totally impossible (the ultimate solution may not exist).

Regards,
Erik
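The attachment policy discussed in this thread (drop executable attachments, look inside zip files for executable or script members, and accept that password-protected zips and renamed files slip past such a filter) can be expressed as a small gateway check. The code below is an added example written for this archive page, not code from the original post or from DShield; the extension blocklist, the helper names (`classify_message`, `inspect_zip`, `fake_encrypted_zip`) and the sample messages are constructed assumptions. It uses only the Python standard library and reports three verdicts: `block` for an executable attachment or zip member, `suspicious` for an archive it cannot inspect (encrypted entries or a malformed zip), and `allow` otherwise. The renamed `.txt` case is included on purpose to show the limit the post describes: an extension filter cannot see through it.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed blocklist (assumption): extensions that run directly on a
# Windows client, plus the script types the post mentions (batch, perl, python).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js",
    ".pl", ".py", ".sh",
}


def is_executable_name(name):
    """Extension-based test; case-insensitive, no content inspection."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def inspect_zip(data):
    """Look at the zip directory only; return (verdict, detail).

    Encrypted members cannot be inspected, so they are reported as
    suspicious rather than silently allowed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x01:  # general-purpose bit 0 = encrypted
                    return ("suspicious", "encrypted entry %s" % info.filename)
                if is_executable_name(info.filename):
                    return ("block", "executable member %s" % info.filename)
    except zipfile.BadZipFile:
        return ("suspicious", "not a valid zip archive")
    return ("allow", "no executable members")


def classify_message(raw):
    """Parse an RFC 2822 message and return a (verdict, detail) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            findings.append(("block", "%s: executable attachment" % name))
        elif name.lower().endswith(".zip"):
            verdict, detail = inspect_zip(payload)
            findings.append((verdict, "%s: %s" % (name, detail)))
        else:
            # A renamed binary (e.g. virus.txt) lands here: the filter is blind to it.
            findings.append(("allow", "%s: not inspected" % name))
    return findings


def build_sample(filename, data):
    """Constructed sample message with one attachment (test aid)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "postmaster@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_zip(members):
    """Constructed single- or multi-member zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def fake_encrypted_zip(data):
    """Test aid: set the encryption flag bit in the local and central headers
    of a single-member zip so it looks password protected (content is not
    actually encrypted; this only exercises the detection path)."""
    buf = bytearray(data)
    local = buf.find(b"PK\x03\x04")
    buf[local + 6] |= 0x01      # local file header: flags at offset 6
    central = buf.find(b"PK\x01\x02")
    buf[central + 8] |= 0x01    # central directory header: flags at offset 8
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "invoice.pif": b"MZ\x90\x00",
        "archive.zip": make_zip({"readme.txt": b"hi", "setup.exe": b"MZ"}),
        "locked.zip": fake_encrypted_zip(make_zip({"secret.txt": b"hi"})),
        "renamed.txt": b"MZ\x90\x00",
    }
    for fname, data in samples.items():
        for verdict, detail in classify_message(build_sample(fname, data)):
            print(verdict, "-", detail)
```

The check inspects only the zip central directory, so it is cheap enough to run inline on a gateway; what it cannot do is see through encryption or a renamed extension, which is exactly the gap the post expects viruses to move into.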
