
Gee, maybe enough people have learned not to open .com, .exe, .pif, or .scr attachments they get in email, or maybe it's just that enough gateways are automagically stripping those now. I've started getting them with .zip payloads instead (three today, I think). Out of curiosity I went ahead and saved one of the attachments and ran "unzip -l" on a UNIX machine to see what was inside (that translates to "list the contents of the zip file but don't actually unpack any of them"). Sure enough, it was an executable (with a double extension, just in case a Windows user bothered to look but didn't have whatever the name of the option is that means "show the whole filename, not just what you think end-users need to see" turned on).

If any of you have friends or family members who might double-click a .zip attachment because "it's not one of the extensions I was warned about", you might want to mention it. (Of course two weeks from now we'll be hearing that all .zip files are poison, because somebody didn't quite understand the warning...) But the main reason I'm mentioning is simply my having my attention caught by the latest round of the worms-vs.-filters arms race and finding it interesting.

(If this is old news, please excuse me. It's the first time I've noticed it showing up in my own mailbox.)

I guess the next step is filters that know how to check the contents of zipped attachments ... so the step after that would likely be encrypted zips, which makes me wonder: could a script embedded in an HTML email supply the encryption key to WinZip, or would the worm have to include instructions and a Trojan horse to convince the user to follow the instructions?

Sometimes I'm really glad I don't use a Windows application to read my mail. (That's not the reason I use Berkeley mail, just a side effect. The reason is that I find the user interfaces annoying on the more modern clients I've tried so far, and that I like being able to read my mail anywhere I can get a telnet connection or a dumb-terminal dialup.)

There are 6 comments on this entry.
 
posted by [identity profile] alyxyn.livejournal.com at 09:44pm on 2004-02-29
The last two weeks or so, the folks holding my contract have been complaining that they haven't been getting the soft copies I send them via e-mail. Yep, I zipped those files. And yep, their IT department was stripping them because of some virus or other. Said IT department hadn't bothered TELLING anyone they were doing this, though.
 
posted by [identity profile] realinterrobang.livejournal.com at 10:24pm on 2004-02-29
Sounds like a horrible problem. I've gotten a sum total of two worms/viruses/whatever on my personal e-mail addresses since I got onto this Internet thingy, somewhere around late 1997 (touch wood). /me knocks self on head

Granted, these days I seem to get a lot of spam (well, "a lot" for me is three or four messages a week -- you can see how well I've done so far in keeping a low profile!) saying (more or less identically) "Use this and the next girl you bang will think your[sic] John Holmes!" My response to that one might have struck you as amusing, Glenn, as it consisted of a raised eyebrow followed by the thought, "Oh, really?! Well, not without permission from David and a substantial investment in strap-ons she won't." Can't say as I've ever actually "banged" a girl, though, online avatar notwithstanding. ;) I generally, as you know, prefer to be the recipient, although referring to such a wonderful thing in such crude terminology bugs me a bit... :D

I've got new LJ entries up, BTW. Go forth and add commentary! (Or dare I say, "The rest is studious, now go and comment." :P )
 
posted by [identity profile] vvalkyri.livejournal.com at 07:44am on 2004-03-01
Urk. Unzip -l is a Unix thing?
If I ever get another job I'm going to be *so* confused by what is and isn't NT commands. I'm used to tlist and kill and unzip -l and unzip -t and suchlike all on NT!
 
posted by [identity profile] syntonic-comma.livejournal.com at 07:40pm on 2004-03-01
Many tools are just so useful that they find their way from one OS to the next.
 
posted by [identity profile] bill-in-germany.livejournal.com at 08:18am on 2004-03-01
Our virus checker at work scans .zip files and removes ALL .exe files it finds. Of course, if you rename the zip to a .txt it doesn't see it.
 
posted by [identity profile] syntonic-comma.livejournal.com at 07:55pm on 2004-03-01
Some commercial anti-virus products do multiple levels of uncompressing attachments trying to find out what's inside to inspect it. And anything that's still compressed after a dozen rounds is probably not something that should be delivered. We've also gotten encrypted files packed in multiple layers of compression, but so far the recipients haven't had a key to decode the probable viruses.

I can't imagine the level of paranoia I'd have if I did my work on Windows machines. It's nice to know that most of this crap simply won't run in my environment(s), even if I did open/unpack/decrypt them.
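An added example, not part of the original entry or any of the comments: the attachment check the entry and the last two comments describe, in Python. It lists zip contents without unpacking anything to disk (the "unzip -l" idea), recognises the container by its bytes rather than its name (so a zip renamed to .txt is still seen), walks nested archives up to a fixed number of rounds, and reports entries that are still encrypted or still compressed at the end. The function names, the extension list and the sample archive are assumptions constructed here.

```python
import io
import zipfile

# Extensions the original post warns about; an illustrative list, not exhaustive.
EXECUTABLE_EXTS = {"com", "exe", "pif", "scr"}


def inspect_attachment(data, max_depth=12, _depth=0, _path=""):
    """Return findings for an attachment by listing zip contents without
    extracting anything to disk ('unzip -l', applied recursively)."""
    findings = []
    # Recognise the container by its bytes, not its name, so a zip renamed
    # to .txt (the evasion mentioned in the comments) is still inspected.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if _depth >= max_depth:
        findings.append(f"{_path}: still an archive after {max_depth} rounds of unpacking")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{_path}/{info.filename}" if _path else info.filename
            # Last path component only: 'photo.jpg.exe' -> ['photo', 'jpg', 'exe']
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(f"{name}: encrypted entry, contents cannot be inspected")
                continue
            if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS:
                kind = "double-extension executable" if len(parts) > 2 else "executable"
                findings.append(f"{name}: {kind} (.{parts[-1]})")
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.extend(inspect_attachment(member, max_depth, _depth + 1, name))
    return findings


def wrap_in_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample():
    """Constructed sample (suspicious names only, no real programs): a zip holding
    a double-extension executable plus a nested zip holding another one."""
    inner = wrap_in_zip({"invoice.doc.scr": b"not a real program"})
    return wrap_in_zip({"readme.txt": b"hello", "photo.jpg.exe": b"not a real program",
                        "more.zip": inner})
```

Calling inspect_attachment(build_sample()) reports both double-extension executables with their nesting path and says nothing about readme.txt; wrapping a zip inside itself thirteen times trips the "still an archive after 12 rounds" finding.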
