Bagle and KAV

null

Received my first Bagle this morning and was surprised that KAVDOS32
alerted on the password protected zip as:

INFO.ZIP /refssyqv.exe suspicion: PSW-Worm

As a follow-up, here's a F-Secure note on this heuristic detection:

http://www.europe.f-secure.com/v-descs/psw-worm.shtml

Note that this capability of the KAV scan engine is in addition to,
and different from, the "new technology" announced recently which
reads the password from the email message, enabling KAV to unzip and
scan files "within" the zip archive.


Art
http://www.epix.net/~artnpeg
 
FromTheRafters

> As a follow-up, here's a F-Secure note on this heuristic detection:
>
> http://www.europe.f-secure.com/v-descs/psw-worm.shtml
>
> Note that this capability of the KAV scan engine is in addition to,
> and different from, the "new technology" announced recently which
> reads the password from the email message, enabling KAV to unzip and
> scan files "within" the zip archive.

Thanks, Art.

So it seems that they use the term "worm" arbitrarily in this case.
It still may or may not be a worm, or even malware, yet they use
the term "worm" rather than to only say that the file is suspicious
looking.
 
null

> Thanks, Art.
>
> So it seems that they use the term "worm" arbitrarily in this case.
> It still may or may not be a worm, or even malware, yet they use
> the term "worm" rather than to only say that the file is suspicious
> looking.

That's correct. Some of us have done some testing on this, but I'll
not discuss the results here ... at least for now.


Art
http://www.epix.net/~artnpeg
 
Snowsquall

> That's correct. Some of us have done some testing on this, but I'll
> not discuss the results here ... at least for now.
>
>
> Art
> http://www.epix.net/~artnpeg

I know this is a little late for a response but I managed to come across a
couple of Bagles with passwords. I scanned the actual files (attachments)
with Norton and it detects them even though I made the password unavailable to
Norton.
 
null

> I know this is a little late for a response but I managed to come across a
> couple of Bagles with passwords. I scanned the actual files (attachments)
> with Norton and it detects them even though I made the password unavailable to
> Norton.

You do understand that KAV's "new technology" relies on reading the
password in the email message? Otherwise, it takes far too much
computer time to unencrypt the password. So which method do you think
NAV used? Did you Save the zip attachment to a test folder and scan it
on-demand so that NAV didn't have access to the message body? If so,
how long did it take for NAV to actually unencrypt the password and
find the Bagle infested file within?


Art
http://www.epix.net/~artnpeg
 
kurt wismer

> You do understand that KAV's "new technology" relies on reading the
> password in the email message? Otherwise, it takes far too much
> computer time to unencrypt the password.

isn't it a 5 digit numeric password? brute forcing that doesn't take
long at all..
 
Offbreed

> Perhaps not in that case. I was going by the reason Eugene Kaspersky
> gave me for not brute forcing ... that it would take far too long.

Probably "too long to suit the customer".
 
null

> isn't it a 5 digit numeric password?

Yes.

> brute forcing that doesn't take
> long at all..

Perhaps not in that case. I was going by the reason Eugene Kaspersky
gave me for not brute forcing ... that it would take far too long.

I was just doing some Google research, and so far it's unclear to me
whether or not NAV does use a brute force method. One of their Beagle
(they call it) descriptions does seem to imply that they might. Maybe
they have a limited PW length capability?? I dunno yet.


Art
http://www.epix.net/~artnpeg
 
kurt wismer

>> isn't it a 5 digit numeric password?
>
> Yes.
>
>> brute forcing that doesn't take
>> long at all..
>
> Perhaps not in that case. I was going by the reason Eugene Kaspersky
> gave me for not brute forcing ... that it would take far too long.

in the general case it would take too long for normal scanner operation but
in this case it might be a reasonable kludge...

> I was just doing some Google research, and so far it's unclear to me
> whether or not NAV does use a brute force method.

i don't see any other way for it to do so given snowsquall's description...

> One of their Beagle
> (they call it) descriptions does seem to imply that they might. Maybe
> they have a limited PW length capability?? I dunno yet.

it'll be very hard to tell without asking someone from symantec...
their available materials generally aren't very good, i find...
 
Snowsquall

(e-mail address removed) wrote:
>> ....but I managed to come across a
>
> You do understand that KAV's "new technology" relies on reading the
> password in the email message? Otherwise, it takes far too much
> computer time to unencrypt the password. So which method do you think
> NAV used? Did you Save the zip attachment to a test folder and scan it
> on-demand so that NAV didn't have access to the message body?

Yes. The attachment was scanned separately from the email body.
> If so,
> how long did it take for NAV to actually unencrypt the password and
> find the Bagle infested file within?

No time at all. I don't think Norton unencrypted the file. I think it has
its signature based on the data that is still in its encrypted form. -- just
my guess.
 
kurt wismer

Snowsquall said:
> (e-mail address removed) wrote [snip]
>> If so,
>> how long did it take for NAV to actually unencrypt the password and
>> find the Bagle infested file within?
>
> No time at all. I don't think Norton unencrypted the file. I think it has
> its signature based on the data that is still in its encrypted form. -- just
> my guess.

neat trick considering the password is randomly generated and therefore
the cipher text is pretty much unpredictable (another way of saying
there can't be a signature for it)...
 
Norman L. DeForest

> Snowsquall said:
>> (e-mail address removed) wrote [snip]
>>> If so,
>>> how long did it take for NAV to actually unencrypt the password and
>>> find the Bagle infested file within?
>>
>> No time at all. I don't think Norton unencrypted the file. I think it has
>> its signature based on the data that is still in its encrypted form. -- just
>> my guess.
>
> neat trick considering the password is randomly generated and therefore
> the cipher text is pretty much unpredictable (another way of saying
> there can't be a signature for it)...

A possible test for Norton AV:

1. Find a harmless Windows executable[1] that's about the same size as
Bagle/Beagle and copy it to a file with the same name as one of the
Bagle worm executables.
2. Zip it with password encryption.
3. Scan it with Norton AV and see what it reports.

If you get the same report for the harmless file as you did for the
real worm, let us know. (If you *don't* get the same report, let us
know anyway.)

[1] or even a text file.
 
Axel Pettinger

Norman L. DeForest said:
> Snowsquall said:
>> (e-mail address removed) wrote [snip]
>>> If so,
>>> how long did it take for NAV to actually unencrypt the password
>>> and find the Bagle infested file within?
>>
>> No time at all. I don't think Norton unencrypted the file. I
>> think it has its signature based on the data that is still in its
>> encrypted form. -- just my guess.
>
> A possible test for Norton AV:
>
> 1. Find a harmless Windows executable[1] that's about the same size as
> Bagle/Beagle and copy it to a file with the same name as one of the
> Bagle worm executables.
> 2. Zip it with password encryption.
> 3. Scan it with Norton AV and see what it reports.

Another test ...
I've used an original password protected zip archive with Bagle in it.
NAV detects the extracted worm sample as W32.Beagle.I@mm and the ZIP
archive is identified as W32.Beagle@mm!zip. Then I've used a hex editor
to change the extension of the worm in the zip archive from EXE to TXT.
The "text file" can be extracted fine and NAV still detects the worm,
but it doesn't identify the zip archive anymore. ...

Regards,
Axel Pettinger
 
Bart Bailey

In Message-ID:<[email protected]> posted on Sun, 14 Mar 2004
> Norman L. DeForest said:
>> Snowsquall wrote:
>>> (e-mail address removed) wrote
>>> [snip]
>>>> If so,
>>>> how long did it take for NAV to actually unencrypt the password
>>>> and find the Bagle infested file within?
>>>
>>> No time at all. I don't think Norton unencrypted the file. I
>>> think it has its signature based on the data that is still in its
>>> encrypted form. -- just my guess.
>>
>> A possible test for Norton AV:
>>
>> 1. Find a harmless Windows executable[1] that's about the same size as
>> Bagle/Beagle and copy it to a file with the same name as one of the
>> Bagle worm executables.
>> 2. Zip it with password encryption.
>> 3. Scan it with Norton AV and see what it reports.
>
> Another test ...
> I've used an original password protected zip archive with Bagle in it.
> NAV detects the extracted worm sample as W32.Beagle.I@mm and the ZIP
> archive is identified as W32.Beagle@mm!zip. Then I've used a hex editor
> to change the extension of the worm in the zip archive from EXE to TXT.
> The "text file" can be extracted fine and NAV still detects the worm,
> but it doesn't identify the zip archive anymore. ...
>
> Regards,
> Axel Pettinger

Try WinRar, it encrypts the filenames as well as the files, in case NAV
is just hitting on the name alone and not the actual file content.
 
Axel Pettinger

Bart said:
> In Message-ID:<[email protected]> posted on Sun, 14 Mar 2004
>
> Try WinRar, it encrypts the filenames as well as the files, in case
> NAV is just hitting on the name alone and not the actual file content.

Not really necessary. I think my test shows that NAV doesn't try to find
the correct password and therefore cannot extract and identify the worm.
According to Symantec's description [1] of that variant the "email
attachment is a randomly named .exe file inside a .zip file". So the
file name shouldn't matter ...

Regards,
Axel Pettinger

[1]
http://www.sarc.com/avcenter/venc/data/[email protected]
 
null

> Norman L. DeForest said:
>> Snowsquall wrote:
>>> (e-mail address removed) wrote
>>> [snip]
>>>> If so,
>>>> how long did it take for NAV to actually unencrypt the password
>>>> and find the Bagle infested file within?
>>>
>>> No time at all. I don't think Norton unencrypted the file. I
>>> think it has its signature based on the data that is still in its
>>> encrypted form. -- just my guess.
>>
>> A possible test for Norton AV:
>>
>> 1. Find a harmless Windows executable[1] that's about the same size as
>> Bagle/Beagle and copy it to a file with the same name as one of the
>> Bagle worm executables.
>> 2. Zip it with password encryption.
>> 3. Scan it with Norton AV and see what it reports.
>
> Another test ...
> I've used an original password protected zip archive with Bagle in it.
> NAV detects the extracted worm sample as W32.Beagle.I@mm and the ZIP
> archive is identified as W32.Beagle@mm!zip.

Not surprising :)
> Then I've used a hex editor
> to change the extension of the worm in the zip archive from EXE to TXT.
> The "text file" can be extracted fine and NAV still detects the worm,
> but it doesn't identify the zip archive anymore. ...

And a harmless EXE file suitably zipped and PW protected also results
in the same (e-mail address removed) (false) alert, I suppose.


Art
http://www.epix.net/~artnpeg
 
Axel Pettinger

> Not surprising :)

See below ...
> And a harmless EXE file suitably zipped and PW protected also results
> in the same (e-mail address removed) (false) alert, I suppose.

No. The same files which KAV reports as possible "PSW-Worm(s)" do not
trigger an alert when I scan them with NAV.

In another test I've zipped the mentioned Bagle sample using the (zip
and program) file names and the password from the original file.
Nevertheless NAV didn't alert on it ...

Regards,
Axel Pettinger
 
cquirke (MVP Win9x)

> You do understand that KAV's "new technology" relies on reading the
> password in the email message? Otherwise, it takes far too much
> computer time to unencrypt the password. So which method do you think
> NAV used? Did you Save the zip attachment to a test folder and scan it
> on-demand so that NAV didn't have access to the message body? If so,
> how long did it take for NAV to actually unencrypt the password and
> find the Bagle infested file within?

I'd guess it would use one of the following methods:

1) Scan the .zip itself for sig match (i.e. no extraction)
2) Scan the .zip content for Win32PE header (heuristic)
3) Extract the .zip using pwd from msg, as you suggest
4) Extract the .zip using guessed pwds (i.e. known-to-be-used)

F-Prot now uses method (2) to heuristically detect risky files inside
pwd-protected .zip; requires .zip with no compression. Method (1)
works if the archive is "boilerplate" or always created the same way
using the same engine and parameters of the same content.

New malware variants now defeat (3) by using inline graphic files to
show the password in a way that's less easy to be machine-read, much
as many web sites seek to defeat automated access.

Education on the (new) significance of password-encrypted archives is
the only way to address this, really. It's just one of those cynical
counter-intuitive things, like "never ask a spammer to 'unsubscribe' "

Jeez, greedy humans are making the 'net a kak place :-(


--------------- ----- ---- --- -- - - -
If you're happy and you know it, clunk your chains.
 
Bart Bailey

In Message-ID:<[email protected]> posted on Sun, 14 Mar 2004
> Not really necessary. I think my test shows that NAV doesn't try to find
> the correct password and therefore cannot extract and identify the worm.
> According to Symantec's description [1] of that variant the "email
> attachment is a randomly named .exe file inside a .zip file". So the
> file name shouldn't matter ...

When WinRar encrypts a file, it also encrypts the extension, therefore
there's no way to know that it's an exe inside, or anything else for
that matter. Other than the internal header [Rar!], everything else is
garble.
 
Bart Bailey

> And a harmless EXE file suitably zipped and PW protected also results
> in the same (e-mail address removed) (false) alert, I suppose.

Maybe because WinZip maintains a list of included contents along with
their respective extensions?
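Bart's point here, that a ZIP keeps its list of entry names and extensions readable even when the entries themselves are password-protected, is what lets a scanner raise an archive-level warning like the "INFO.ZIP /refssyqv.exe suspicion: PSW-Worm" line in the first post without ever having the password. The following Python is an added example, not code from this thread or from any AV vendor: it builds a constructed sample archive, marks it as traditionally encrypted, and reports what a central-directory-only scan can see. The verdict rule (an encrypted entry with an executable extension) is an assumption about what such a heuristic might look at, not KAV's actual logic, and it shows why a harmless EXE draws the same alert as the worm.

```python
import io
import os
import zipfile

# Extensions a metadata-only heuristic might treat as executable (assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def build_sample_zip(name: str, payload: bytes, password_protected: bool) -> bytes:
    """Constructed sample: a stored ZIP with one entry, optionally flagged as
    traditionally (ZipCrypto) encrypted. zipfile cannot write encrypted
    archives, so bit 0 of the general-purpose flag is set by hand in the local
    header (offset 6) and the central directory header (offset 8); the entry
    bytes stay in the clear, which a central-directory-only scan never reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if password_protected:
        raw[6] |= 0x01                    # local file header: flags
        cd = raw.find(b"PK\x01\x02")      # central directory file header
        raw[cd + 8] |= 0x01               # central directory: flags
    return bytes(raw)

def inspect_archive(raw: bytes) -> list:
    """Per entry: what is readable without the password, plus a verdict.
    Verdict rule (assumption, not KAV's actual logic): an encrypted entry with
    an executable extension is a PSW-Worm suspicion, worm or harmless alike."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():        # central directory only, nothing decrypted
            encrypted = bool(info.flag_bits & 0x01)
            ext = os.path.splitext(info.filename)[1].lower()
            suspicious = encrypted and ext in EXECUTABLE_EXTS
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "size": info.file_size,
                "verdict": "suspicion: PSW-Worm" if suspicious else "no alert",
            })
    return findings

if __name__ == "__main__":
    for name, payload, protected in [("refssyqv.exe", b"MZ" + b"\x00" * 60, True),
                                     ("notepad.exe", b"MZ" + b"\x00" * 60, True),
                                     ("readme.txt", b"hello", True)]:
        for f in inspect_archive(build_sample_zip(name, payload, protected)):
            print(f"{f['name']:<13} encrypted={f['encrypted']} size={f['size']} -> {f['verdict']}")
```

Note that the entry name, extension and uncompressed size come out of the archive whether or not the password is known; only the file content is unavailable, which is why this kind of check cannot tell the worm from a renamed harmless program.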
 
