[unisog] New virus - not caught by central servers (fwd)

Russell Fulton r.fulton at auckland.ac.nz
Wed Jul 28 18:43:13 GMT 2004

On Thu, 2004-07-29 at 02:41, Joseph Brennan wrote:

> It's been accepted amazingly well.  The zip blockade was done as a
> desperate temporary measure last year but there has been no pressure
> to change it.  I was surprised.

We also blocked zips for a while earlier this year in response to one of
the worms and we rapidly found a substantial group of users who were
genuinely affected.  We have since relaxed the ban to encrypted zips and
this has caused almost no problems. We do have mechanisms for
circumventing the ban for outbound mail (e.g. malware submissions).

We unpack all other zip (and any other archive, e.g. bz2, gz, tar.gz,
etc.) attachments and block any that contain executables.

As I've mentioned before, users can retrieve blocked executables if they
really need them.

> We allow people to rename files to end .doc and send them.

We don't. We use 'file' to find what it really is and act accordingly.

Given that users can be duped into saving a zip file to disk and then
typing in a password which has been sent as a gif attachment, how long is
it before we see a worm with instructions "Save the attached file to
disk, rename it to friendly.<some obscure executable extension> and
double click on it"? This could plausibly be coupled with a variant of
the recent mydoom spiel. E.g.: From:<security at kickme.edu> "We have
detected that your machine is infected with Nasty-rabid.worm.  Here is
the cleaning tool; we have renamed it so it will go through the mail
system, just save it to disk, rename it to cleaner.exe and run it".
I'm sure some of our users would fall for it.

On this note we are about to have another look at methods for
authenticating email sources to see if there is anything that we can
reasonably deploy over the whole University.  We will be looking at all
the old friends (PGP, GPG, S/MIME, etc.) and anything else that we can
find.   I'm not very hopeful...

Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
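The filtering approach Russell describes (identify attachments by content rather than by the name the sender chose, unpack archives, block anything executable, and treat an encrypted zip as uninspectable) is sketched below as an added example. It is not code from the University of Auckland's mail gateway or from anyone on this list; it is a stand-alone Python script using only the standard library. The magic-byte sniffer stands in for file(1), the sample attachments (a renamed executable, a zip holding a "friendly.doc" that is really an executable, a tar.gz holding an ELF binary, a harmless zip, and a zip whose headers are patched to look encrypted) are constructed here for illustration, and the size and nesting caps are assumed values rather than anything the post specifies.

```python
"""Content-based attachment scanner (added example; not the list's or gateway's code)."""
import bz2
import gzip
import io
import tarfile
import zipfile

MAX_DEPTH = 4                   # assumed cap: archives nested deeper than this are blocked unopened
MAX_BYTES = 16 * 1024 * 1024    # assumed cap per decompressed member, against decompression bombs
MAX_MEMBERS = 1000              # assumed cap on members inspected per archive


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, the way file(1) does; the filename is ignored."""
    if data[:2] == b"MZ":
        return "exe"            # DOS/Windows executable (MZ/PE)
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":
        return "tar"
    return "other"


EXECUTABLES = {"exe", "elf"}
ARCHIVES = {"zip", "gzip", "bzip2", "tar"}


def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, reason) findings that warrant blocking; an empty list means 'let it through'."""
    kind = sniff(data)
    if kind in EXECUTABLES:
        return [(name, "executable")]       # renaming to .doc does not help the sender
    if kind not in ARCHIVES:
        return []
    if depth >= MAX_DEPTH:
        return [(name, "too-deep")]
    if kind == "zip":
        return _scan_zip(name, data, depth)
    if kind == "tar":
        return _scan_tar(name, data, depth)
    # gzip / bzip2 wrap a single stream: decompress with a size cap, then rescan the result
    opener = gzip.open if kind == "gzip" else bz2.open
    with opener(io.BytesIO(data)) as f:
        inner = f.read(MAX_BYTES + 1)
    if len(inner) > MAX_BYTES:
        return [(name, "too-big")]
    return scan(f"{name}!{kind}", inner, depth + 1)


def _scan_zip(name: str, data: bytes, depth: int) -> list:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:MAX_MEMBERS]:
            if info.is_dir():
                continue
            path = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:
                findings.append((path, "encrypted"))    # cannot look inside, so it does not pass
                continue
            if info.file_size > MAX_BYTES:
                findings.append((path, "too-big"))
                continue
            findings.extend(scan(path, zf.read(info), depth + 1))
    return findings


def _scan_tar(name: str, data: bytes, depth: int) -> list:
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf.getmembers()[:MAX_MEMBERS]:
            if not member.isfile():
                continue
            path = f"{name}!{member.name}"
            if member.size > MAX_BYTES:
                findings.append((path, "too-big"))
                continue
            findings.extend(scan(path, tf.extractfile(member).read(), depth + 1))
    return findings


# --- constructed sample attachments (not real malware; headers only) ---
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
TEXT = b"Meeting notes, nothing to see here.\n"


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def make_targz(members: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for fname, content in members.items():
            ti = tarfile.TarInfo(fname)
            ti.size = len(content)
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' general-purpose flag bit in each local and central header.
    zipfile cannot write encrypted archives, so this emulates one for the scanner's check."""
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 0x01
            i = out.find(sig, i + 4)
    return bytes(out)


SAMPLES = {
    "renamed.doc": FAKE_EXE,                                       # executable renamed to .doc
    "notes.zip": make_zip({"notes.txt": TEXT}),                    # harmless, should pass
    "friendly.zip": make_zip({"friendly.doc": FAKE_EXE}),          # executable hidden in a zip
    "cleaner.tar.gz": make_targz({"cleaner.xyz": FAKE_ELF}),       # ELF inside tar.gz
    "locked.zip": mark_encrypted(make_zip({"cleaner.exe": FAKE_EXE})),  # encrypted zip
}


def verdicts() -> dict:
    return {name: scan(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in verdicts().items():
        print(f"{name:16} {'BLOCK' if findings else 'allow':5} {findings}")
```

The sniffer here covers only the handful of types the example needs; a real gateway would hand the blob to file(1) or libmagic and keep a much longer list of executable types (scripts, .scr, .pif, .com, installers, and so on). The caps on depth, member count and decompressed size are what keep the unpacking step from being turned into a denial of service by a nested or highly compressible archive.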

