Spam Filter ISP Support Forum


Don't get the point of using an AV

chinabee (Groupie)
Joined: 07 February 2005
Posted: 16 March 2005 at 9:11am

I don't get the point of using any AV software. I simply tell my SpamFilter to drop anything that can potentially carry a virus - including all zip files. For years, I haven't seen a single virus coming through and entering our system.

I guess if you cannot afford to drop those emails, it would be a little different.

Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 16 March 2005 at 11:28am

chinabee,

Not all viruses are in the form of attachments and I guess you have been very lucky. 

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

chinabee (Groupie)
Joined: 07 February 2005
Posted: 16 March 2005 at 12:19pm

Care to give some examples?
Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 16 March 2005 at 12:31pm

How about anything using "iframe".  The attachment is NOT in the message but on a remote server.  The iframe launches the download.

Dan


The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 16 March 2005 at 12:45pm

One of the simplest is a virus that exploits Microsoft's GDI+ vulnerability (CAN-2004-0200). ALL you need is an email with an inline infected JPG image...

Trying is believing. Download the sample jpg we have (do not open/preview jpg unless you're patched) at:
http://logsat.com/SpamFilter/pub/temp/virus-jpeg.zip. The zip password is virus

Then include it in an email and send it thru an email server that does not have antivirus running. There is no file extension filter that you can realistically use to block these.

We've decided to make this info public as the source for these types of viruses is already easily available on the net, including the one for this particular variant, so we're not causing any additional harm, and hopefully we're increasing the awareness of administrators that viruses are harmful and any means available should be installed to stop them.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
chinabee (Groupie)
Joined: 07 February 2005
Posted: 16 March 2005 at 2:41pm

How would an AV help you when somebody designs a new virus with this technique?
LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 16 March 2005 at 3:02pm

chinabee,

That's exactly why you pay for AV software.... They have staff that finds the viruses and updates the patterns to detect them. If you had *any* decent AV software scanning on your mail server the virus you downloaded from my post would have been caught. The beta of SpamFilter's AV plugin for example catches it just fine.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 16 March 2005 at 3:04pm

Norman, like other AVs, constantly updates its definitions. Norman, unlike other AVs, has what it calls "Sand Box Technology". What this does is, if it sees something that it feels is suspicious, it places it in a protected area (the sand box) and sees if it does anything "Virus Like".

From their site:

Norman Sandbox technology
Norman Sandbox technology - the hows and whys
This article aims to explain a bit more in depth how Norman Sandbox really works and why it is different from other solutions out there.
Norman Sandbox is a fully simulated computer. No code is executed on the real CPU except for the Norman Virus Control emulator engine; even the hardware in the simulated PC is emulated. See: http://www.norman.com/Virus/13927/en-us

Regards,
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

chinabee (Groupie)
Joined: 07 February 2005
Posted: 16 March 2005 at 3:18pm

This won't work on my system. I have a filter set up so that no executable file can be downloaded, and only ports 80 and 443 are available to users.

If the virus works on port 80, the filter will stop it from downloading anything executable.

Originally posted by Desperado:

    How about anything using "iframe". The attachment is NOT in the message but on a remote server. The iframe launches the download.

    Dan

Edited by chinabee
LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 16 March 2005 at 3:59pm

chinabee,

That would actually work just fine bypassing all your filtering if the iframe simply causes the email client/browser to display, in the above case, the infected jpg.

Also note that in this particularly nasty case, the email itself does not contain the attachment, so it will not be blocked. The email contains an iframe, which causes the *end-user's* PC to download the virus in the jpg. The only way to stop this is to either have an antivirus on the client PC, or to have an AV product scanning your HTTP traffic (such products do exist).

The moral is, nobody is as secure as they think they are. There is usually a compromise in how much you are willing to risk and how many resources you're going to dedicate to protect your environment.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
chinabee (Groupie)
Joined: 07 February 2005
Posted: 16 March 2005 at 4:49pm

My filter is on HTTP traffic. How would IE download anything without an agreement from my filter?
LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 16 March 2005 at 6:24pm

...because the file is a jpeg, not an exe. Your filter, unless it checks the http stream for viruses, will not block it. If however the filter is blocking images, then yes, it will work, but your users are likely not going to be enjoying their browsing experience.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
chinabee (Groupie)
Joined: 07 February 2005
Posted: 18 March 2005 at 10:42am

The JPEG file still needs to download and run malicious code/a program to infect.

My firewall only allows HTTP/HTTPS traffic, and my filter does not allow any user to download any executable files, including zip files.

Even if I received such JPEG files, they would still do no harm, as they couldn't run any malicious code.

Desperado (Senior Member)
Joined: 27 January 2005
Location: United States
Posted: 18 March 2005 at 11:17am

Perhaps you are seeing the word "download" and thinking that this is a download link or something. When you browse to a site that has any images on it (like most sites do), your browser downloads the images without you asking. Mail clients do the same. So, if I email you and embed an inline image tag, you will get the image. I can send an example if you want.

Dan


The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

chinabee (Groupie)
Joined: 07 February 2005
Posted: 18 March 2005 at 11:20am

I understand that, but the JPEG file needs other code/program to work, doesn't it?
LogSat (Admin Group)
Joined: 25 January 2005
Location: United States
Posted: 18 March 2005 at 4:20pm

Not at all... there is nothing that needs to execute. The Windows DLL that decodes the JPG has a buffer overrun bug. With the buffer overrun a hacker can execute a program embedded in the JPG without the user having to run anything. All he needs to do is *view* the JPG.

... and to be more exact, they may not even have to *view* it. In some cases all that is needed is to *hover* over the file with the mouse. Windows will launch the DLL that decodes the JPG to extract its thumbnail. This is all that's needed for you to get infected, as the buffer overrun will kick in right away.

In the JPG we attached in the zip, the buffer overrun will create a backdoor by running a reverse shellcode on the victim's PC, allowing the hacker to remote into the victim's PC and effectively having a remote command prompt on it.

Summary:
**** There is no program that needs to run/download for the machine to be infected ****
Roberto Franceschetti

LogSat Software

Spam Filter ISP
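The two delivery paths argued over in this thread, an HTML mail that makes the client fetch remote content through an iframe or inline image tag, and a JPEG that is malformed rather than executable, are both invisible to a filter that only looks at file extensions. As an added example (not LogSat's, SpamFilter's or any poster's code), the script below inspects the MIME parts of a message by content instead: it lists tags in HTML parts that pull from remote servers, and it walks the marker segments of any part that starts with JPEG magic bytes, flagging a length field below 2. That invalid length in a comment segment is the documented trigger of the GDI+ bug (MS04-028 / CAN-2004-0200) discussed above. The function names (`scan_message`, `check_jpeg_segments`, `find_remote_references`, `build_sample`), the `example.invalid` addresses and all sample data are constructed for this example; the structural check catches only the malformed-length case, not arbitrary payloads, which is exactly why the thread's advice is to hand mail and HTTP content to a maintained AV engine rather than to rely on a filter like this alone.

```python
# Added example: content-based checks for the iframe and malformed-JPEG cases.
# Not LogSat/SpamFilter code; all names and sample data are constructed.
import email
import re
import struct
from email import policy
from email.message import EmailMessage

# Tags whose src/data attribute makes a mail client or browser fetch remote
# content without the user asking (the inline-image / iframe case above).
REMOTE_REF_RE = re.compile(
    r'''<\s*(iframe|img|script|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*["']?\s*(https?://[^"'\s>]+)''',
    re.IGNORECASE)


def find_remote_references(html):
    """Return (tag, url) pairs for tags that pull content from a remote server."""
    return [(m.group(1).lower(), m.group(2)) for m in REMOTE_REF_RE.finditer(html)]


def check_jpeg_segments(data):
    """Walk JPEG marker segments and return a list of structural problems.

    A segment length counts its own two bytes, so a value below 2 is invalid;
    a COM (0xFE) segment with length 0 or 1 is the malformed input behind
    MS04-028 / CAN-2004-0200.
    """
    problems = []
    if not data.startswith(b'\xff\xd8'):                 # SOI marker
        return ['not a JPEG (missing SOI marker)']
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            problems.append(f'expected a marker at offset {pos}')
            break
        marker = data[pos + 1]
        if marker == 0xFF:                                 # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                         # EOI, or SOS: scan data follows
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            problems.append(f'truncated segment header at offset {pos}')
            break
        (length,) = struct.unpack('>H', data[pos + 2:pos + 4])
        if length < 2:
            problems.append(f'marker 0x{marker:02X} at offset {pos} has invalid length {length}')
            break
        if pos + 2 + length > len(data):
            problems.append(f'marker 0x{marker:02X} at offset {pos} overruns the file')
            break
        pos += 2 + length
    return problems


def scan_message(raw):
    """Findings for a raw message: remote references in HTML parts and malformed
    JPEGs in any part, judged by the bytes rather than by the filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == 'text/html':
            for tag, url in find_remote_references(part.get_content()):
                findings.append(f'HTML part fetches remote content via <{tag}>: {url}')
            continue
        payload = part.get_payload(decode=True) or b''
        if payload.startswith(b'\xff\xd8'):                # JPEG by magic bytes, whatever the name
            name = part.get_filename() or part.get_content_type()
            findings.extend(f'{name}: {problem}' for problem in check_jpeg_segments(payload))
    return findings


# Constructed samples: a well-formed JPEG skeleton (SOI, COM "hello", EOI) and
# one whose COM segment claims length 1, the invalid value described above.
BENIGN_JPEG = b'\xff\xd8' + b'\xff\xfe' + struct.pack('>H', 2 + 5) + b'hello' + b'\xff\xd9'
MALFORMED_JPEG = b'\xff\xd8' + b'\xff\xfe' + b'\x00\x01' + b'\xff\xd9'
CLEAN_HTML = '<html><body><p>Quarterly report attached.</p></body></html>'
REMOTE_HTML = ('<html><body><p>Hi</p>'
               '<iframe src="http://remote-host.example/photo.jpg"></iframe></body></html>')


def build_sample(html_body, jpeg_bytes):
    """Build a constructed multipart message with an HTML body and a JPEG attachment."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.invalid'
    msg['To'] = 'user@example.invalid'
    msg['Subject'] = 'constructed sample'
    msg.set_content('plain-text fallback')
    msg.add_alternative(html_body, subtype='html')
    msg.add_attachment(jpeg_bytes, maintype='image', subtype='jpeg', filename='photo.jpg')
    return msg.as_bytes()


if __name__ == '__main__':
    for label, html, jpg in (('clean', CLEAN_HTML, BENIGN_JPEG),
                             ('suspicious', REMOTE_HTML, MALFORMED_JPEG)):
        print(label, scan_message(build_sample(html, jpg)) or ['no findings'])
```

Run as a script it scans the two constructed messages; the clean one yields no findings, while the other reports the iframe's remote URL and the attachment's invalid segment length, even though that attachment is a .jpg rather than an executable. The same `check_jpeg_segments` call can be applied to bodies pulled from an HTTP proxy, which is the "AV product scanning your HTTP traffic" layer LogSat mentions.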