Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Symantec decomposer rar bypass allowed malicious content.

Published: 2008-04-22
Last Updated: 2008-04-24 16:33:34 UTC
by donald smith (Version: 3)
0 comment(s)

ScottT of Blue Cross Blue Shield submitted the following information and a
rar file that bypassed his Symantec decomposer on his SMTP gateway.

“We received over 30 of these emails containing infected rar files.
Symantec detected them, but somehow these emails evaded our email
gateway and spam filter. The body text contained blocked words so it should
have been dumped by the spam filter. Our email gateway strips rar and scr
attachments, so the attachments should have been stripped.

We sent test emails with the offensive body text and the spam filter dumped
them. We also sent test emails with rar files attached, and the emails
arrived with the attachment stripped.

This has us stumped. It seems our systems are functioning properly, but
these emails are beating them.”


This was in the message headers of the email he forwarded to us.
“This message has been processed by Symantec AntiVirus.
screen.scr is still infected with the malicious virus Downloader because the
Symantec decomposer cannot modify its container.“

The subject line of this email was "Hot news".

The text of the message implies you will see Paris Hilton undress if you open the attachment.


VirusTotal recognized screen.rar as a trojan downloader.
http://www.virustotal.com/analisis/67258db1006d464e1d5ff4248db306dd

Sending screen.scr to cwsandbox.org produced a good analysis.
Short version is it is a version of SDBOT.
Nitty-Gritty details available here:
https://cwsandbox.org/?page=details&id=215016&password=ftkxv

Symantec has suggested some changes to Scott's SMTP gateway configuration that may prevent further bypasses. The version of zip I have under cygwin also reported this rar as "damaged or invalid".

UPDATE:

The change recommended by Symantec was to change the rule on the detection of an infected attachment from attempting to clean the attachment to just deleting the entire email. If your currently running Symantec's SMTP AV gateway and have this rule set to clean you may want to change it to delete.

0 comment(s)
Diary Archives