[unisog] New virus - not caught by central servers (fwd)

Mark Kowitz mark at mail.rockefeller.edu
Thu Jul 29 12:39:43 GMT 2004

Greetings Russell,

Can you please provide me more details on how you block only encrypted
ZIP files in the e-mail message?  Are you using Sendmail as your MTA?
Is the scanning of the e-mail message done at the time of delivery, or
is the message quarantined and scanned later?


Russell Fulton wrote:

>On Thu, 2004-07-29 at 02:41, Joseph Brennan wrote:
>>It's been accepted amazingly well.  The zip blockade was done as a
>>desperate temporary measure last year but there has been no pressure
>>to change it.  I was surprised.
>We also blocked zips for a while earlier this year in response to one of
>the worms and we rapidly found a substantial group of users who were
>genuinely affected.  We have since relaxed the ban to encrypted zips and
>this has caused almost no problems. We do have mechanisms for
>circumventing the ban for outbound mail (e.g. malware submissions).
>
>We unpack all other zip (and any other archives, e.g. bz2, gz and tar.gz,
>etc.) attachments and block any that contain executables.
>
>As I've mentioned before, users can retrieve blocked executables if they
>really need them.
>
>>We allow people to rename files to end .doc and send them.
>
>We don't. We use 'file' to find what it really is and act accordingly.
>
>Given that users can be duped into saving a zip file to disk and then
>typing in a password which has been sent as a gif attachment, how long is
>it before we see a worm with instructions "Save the attached file to
>disk and rename to friendly.<some obscure executable extension> and
>double click on it"? This could plausibly be coupled with a variant of
>the recent mydoom spiel. E.g. From:<security at kickme.edu> "We have
>detected that your machine is infected with Nasty-rabid.worm.  Here is
>the cleaning tool; we have renamed it so it will go through the mail
>system, just save it to disk and rename it to cleaner.exe and run it".
>I'm sure some of our users would fall for it.
>
>On this note we are about to have another look at methods for
>authenticating email sources to see if there is anything that we can
>reasonably deploy over the whole University.  We will be looking at all
>the old friends (PGP, GPG, S/MIME, etc.) and anything else that we can
>find.   I'm not very hopeful...

Mark Kowitz
System Administrator

The Rockefeller University
1230 York Ave.
New York, New York 10021

phone: +1 212 327 8937
fax: +1 212 327 8712
email: mark at mail.rockefeller.edu
web: http://www.rockefeller.edu
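As an added illustration of the filter Russell describes, and not code from either poster or their mail systems: a Python sketch that types an attachment body by its leading bytes (as 'file' would, ignoring the declared extension), refuses a ZIP as soon as any entry carries the encryption flag, and otherwise unpacks the ZIP and refuses it if a member starts with a PE or ELF header. It is narrowed to ZIP; the gz/bz2/tar.gz cases in the thread are not handled, and the sample archives are constructed in the code.

```python
import io
import zipfile

EXEC_MAGIC = (b"MZ", b"\x7fELF")   # PE/DOS and ELF headers
ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header signature
ENCRYPTED = 0x1                    # bit 0 of the general-purpose flag word

def inspect_zip(data):
    """Return a reason to block the archive, or None if nothing was found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # An encrypted entry cannot be unpacked for inspection, so it is
            # refused on the flag alone; that is the "block encrypted zips" rule.
            if info.flag_bits & ENCRYPTED:
                return f"encrypted entry {info.filename}"
            with zf.open(info) as member:
                if member.read(4).startswith(EXEC_MAGIC):
                    return f"executable entry {info.filename}"
    return None

def verdict(data):
    """Decide for one attachment body: None to deliver, else the block reason.
    Type comes from the content, as file(1) does, never from the filename."""
    if data.startswith(EXEC_MAGIC):
        return "executable attachment"
    if data.startswith(ZIP_MAGIC):
        return inspect_zip(data)
    return None

def make_zip(name, content, mark_encrypted=False):
    """Constructed sample archive; optionally set the encryption flag bit
    (the payload stays plaintext, which is enough to exercise the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # flag word sits at +6 in the local header and +8 in the central directory
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.index(sig) + off] |= ENCRYPTED
    return bytes(data)

if __name__ == "__main__":
    samples = [("locked.zip", make_zip("a.txt", b"hi", True)),
               ("report.doc", make_zip("tool.exe", b"MZ\x90\x00")),
               ("notes.zip", make_zip("notes.txt", b"plain text"))]
    for label, blob in samples:
        print(label, "->", verdict(blob))
```

A production filter would additionally treat a `zipfile.BadZipFile` (corrupt or truncated archive) as a reason to quarantine rather than deliver.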