[Dshield] Password protected Bagle-G

Luke Dudney ldlist at westnet.com.au
Thu Mar 4 04:36:32 GMT 2004


I've investigated this virus a bit further, and have identified
differences in its appearance in comparison to normal zip and
encrypted zip files.

The Bagle-G sometimes sends itself as a password encrypted zip file,
base64 encoded for the email message. I did base64 encodings of some zip
files of random data of random sizes between 0-32768 bytes, both
encrypted and unencrypted, and looked at the first 30 bytes.

Unencrypted zip files look like this:
UEsDBAoAAAAAAFNRZDCO4YB8slcAAL
UEsDBAoAAAAAAFJRZDCFBCq8gFIAAI
UEsDBAoAAAAAAFNRZDD85xEuPwkAAD
UEsDBAoAAAAAAFNRZDDdbP8C+iYAAP
UEsDBAoAAAAAAFNRZDAbtBmwsRYAAL
UEsDBAoAAAAAAFNRZDBGp4tb0GAAAN
UEsDBAoAAAAAAFJRZDBEHekNSlAAAE
UEsDBAoAAAAAAFJRZDCfgCc8eAoAAH
UEsDBAoAAAAAAFJRZDCbTAxvBgIAAA
UEsDBAoAAAAAAFNRZDAJ70lo1CEAAN

The first fourteen bytes are constant (probably the header).

Encrypted zips look like this:
UEsDBAoACQAAAItRZDBVbQo/RxwAAD
UEsDBAoACQAAAIlRZDDhQ5GxLzQAAC
UEsDBAoACQAAAI1RZDDqB0LcdVcAAG
UEsDBAoACQAAAIhRZDBWhVr6ChoAAP
UEsDBAoACQAAAINRZDCbp0MqwUwAAL
UEsDBAoACQAAAIVRZDCdpeijNw0AAC
UEsDBAoACQAAAIRRZDAKRwaVwxUAAL
UEsDBAoACQAAAIJRZDChxEAqN2EAAC
UEsDBAoACQAAAIFRZDC3ePYt3n4AAN
UEsDBAoACQAAAIhRZDCfVh8bIXcAAB

Again, the first fourteen bytes are constant but different to
unencrypted zips.

The encrypted zip of the Bagle-G looks like this:
UEsDBAoAAQAAAGBCZDBwGlCmyVMAAL
UEsDBAoAAQAAAOCGYzCf4kJRDDAAAA
UEsDBAoAAQAAAGBCZDBwGlCmyVMAAL

The first thirteen bytes look constant, but the ninth byte is different
from a normal encrypted zip. The virus is obviously doing its encryption
in a non-standard manner, which means we can differentiate it from
regular encrypted zip files. If we take the first thirteen bytes of the
Bagle, we come up with UEsDBAoAAQAAA as a unique signature.

If your MTA can block based on patterns in the message body, it should
be possible to block this one at the email gateway. I'm using postfix,
and it's done like this:

main.cf:
body_checks = regexp:/etc/postfix/body_checks

body_checks:
/UEsDBAoAAQAAA/         HOLD

This will put the email in the holding queue for manual inspection.
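What the differing ninth base64 character actually encodes, as an added example that is not part of the original post: the three quoted prefixes are decoded and the ZIP local file header is unpacked, so the difference appears as the general purpose bit flag (0x0000 plain, 0x0009 encrypted with a data descriptor, 0x0001 encrypted without one), next to the same substring test the body_checks rule performs. The sample prefixes are copied from the message above; the field layout is the standard PKWARE local file header.

```python
import base64
import struct

# Leading base64 of the three attachment kinds quoted in the post
# (first 30 characters of each, copied from the message).
PLAIN_ZIP = "UEsDBAoAAAAAAFNRZDCO4YB8slcAAL"
STANDARD_ENCRYPTED_ZIP = "UEsDBAoACQAAAItRZDBVbQo/RxwAAD"
BAGLE_G_ZIP = "UEsDBAoAAQAAAGBCZDBwGlCmyVMAAL"

# The postfix body_checks pattern from the post.
BAGLE_G_PATTERN = "UEsDBAoAAQAAA"

LOCAL_FILE_HEADER_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001        # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # general purpose bit 3: CRC/sizes follow the data


def parse_local_header(b64_prefix: str) -> dict:
    """Decode the leading base64 of an attachment and unpack the fixed
    fields of the ZIP local file header (PKWARE APPNOTE layout)."""
    usable = b64_prefix[: len(b64_prefix) // 4 * 4]  # whole 4-char groups only
    raw = base64.b64decode(usable)
    if len(raw) < 14:
        raise ValueError("need at least 20 base64 characters to reach the date field")
    sig, version, flags, method, mtime, mdate = struct.unpack("<IHHHHH", raw[:14])
    if sig != LOCAL_FILE_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    return {"version": version, "flags": flags, "method": method,
            "mtime": mtime, "mdate": mdate}


def dos_date(mdate: int) -> tuple:
    """MS-DOS date word -> (year, month, day); this is the part that varies
    after the constant prefix, which is why the signature stops at 13 chars."""
    return 1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F


def classify(b64_prefix: str) -> str:
    """Name the header shape the way the post distinguishes the three cases."""
    h = parse_local_header(b64_prefix)
    if not h["flags"] & FLAG_ENCRYPTED:
        return "plain"
    if h["flags"] & FLAG_DATA_DESCRIPTOR:
        return "encrypted-standard"      # flags 0x0009: the encrypted test zips
    return "encrypted-no-descriptor"     # flags 0x0001: the shape seen in Bagle-G


def matches_body_check(b64_prefix: str) -> bool:
    """Same test the postfix body_checks rule performs on the message body."""
    return BAGLE_G_PATTERN in b64_prefix
```

Any archiver that writes a stored, encrypted entry with bit 3 clear produces the same 13-character prefix, which is the concrete form of the "legitimate messages might match" caveat.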

We've caught about 60 with this pattern in the past hour, and they all
appear to be Bagle-G but YMMV - there might be legitimate messages that
match this pattern, but I'm yet to see any.

Of course this doesn't solve the problem of any future viruses
encrypting themselves in a passworded zip, and we can't rely on them
behaving in this non-standard way, but it might be sufficient while a
better solution is developed.

Cheers
Luke
