SANS ISC: EXE/ZIP e-mail viruses (editorial) - SANS Internet Storm Center
A quick (technical) update to this otherwise more "philosophical" diary: it's not that hard to figure out whether the content of an encrypted ZIP file is a .exe file. The file names are not encrypted! So just run:
$ unzip -l 
  Length     Date   Time    Name
 --------    ----   ----    ----
    40649  04-12-07 18:21   patch-58214.exe
 --------                   -------
    40649                   1 file

Anyway, back to the editorial ;-)...

I label this diary "Editorial", as I would like to go beyond the plain facts of the recent set of "Storm"/"nuwar"/"zhelatin" viruses.

Remember Bagel? It was just a couple of years ago that a very similar set of viruses was making the rounds. Bagel arrived as a plain .exe, waiting for a gullible user to double-click and execute it. Later, very much like the new "Storm" virus, it used an encrypted ZIP file.

Back when Bagel was active, we managed to get hold of some of the web logs from sites Bagel used to "call home". In analyzing these logs we found a large overlap among the users infected by the various Bagel variants. In short: the same users are getting infected over and over again by the "malware of the day".

I think these viruses offer a sad glimpse into the current state of Internet security. Not only have users still not learned to "never click on an executable"; network administrators have not learned to filter executables either. When was the last time you received a legitimate executable as an attachment? (NO! IE7.exe was not one of them!)

Lastly, "Storm" is yet another hint that current AV software is no longer an adequate means to protect yourself from current and relevant threats. Subscription-based business models direct mainstream consumer anti-virus systems into a dead end of signature updates, which haven't worked at least since Zotob showed up.

As a reader of this post, you are unlikely to be able to do anything about the current sad state of anti-virus. But you may be able to block .exe files on your mail server. Don't ask me for subject lines or file names. Block executables!
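The two technical points of this diary, that an encrypted ZIP still exposes its member names (the unzip -l listing above) and that a mail server can therefore refuse executables without ever needing the password, combined into one worked example. This is added code, not part of the original diary and not a SANS tool. It first constructs a minimal ZIP container whose single entry has the "encrypted" flag bit set (the entry body is filler bytes standing in for ciphertext, no real encryption is performed), then reads only the central directory to list member names and apply a block-list policy. The file name and size match the listing above; the extensions beyond .exe on the block list, the function names, and the block/pass verdict structure are assumptions made for this example.

```python
import io
import os
import struct
import zipfile
import zlib

# Attachment member extensions the gateway refuses. ".exe" is the case the
# diary makes; the other Windows-executable extensions are an assumed policy
# list for this example, not something the diary prescribes.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_constructed_encrypted_zip(name, fake_ciphertext):
    """Construct a minimal ZIP archive (local header, entry body, central
    directory, end-of-central-directory record) with one entry whose
    general-purpose flag bit 0 ("encrypted") is set. The body is arbitrary
    filler standing in for ciphertext: this is a constructed sample with no
    real encryption, built only to show what a gateway can read without a
    password."""
    name_b = name.encode("ascii")
    flags = 0x0001                       # bit 0: traditional PKWARE encryption
    method = 0                           # stored, no compression
    dos_time, dos_date = 37536, 13964    # 18:21 on 2007-04-12, as in the listing
    crc = zlib.crc32(fake_ciphertext) & 0xFFFFFFFF   # placeholder; nothing is decrypted
    body = bytes(12) + fake_ciphertext   # 12-byte encryption header + "ciphertext"
    csize, usize = len(body), len(fake_ciphertext)

    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method,
                        dos_time, dos_date, crc, csize, usize, len(name_b), 0) + name_b
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, csize, usize, len(name_b),
                          0, 0, 0, 0, 0, 0) + name_b
    cd_offset = len(local) + len(body)
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), cd_offset, 0)
    return local + body + central + eocd


def inspect_zip_attachment(blob):
    """Read only the central directory of a ZIP attachment and report its
    members. Names, sizes and flag bits are stored in clear text, so no
    password is needed. Returns the member list, the names that hit the
    block list, and a verdict of "block" or "pass". An archive that does not
    parse at all is also blocked: a gateway cannot vouch for what it cannot
    read."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"members": [], "blocked": [], "verdict": "block",
                "reason": "unparseable archive"}
    with zf:
        members = []
        for zi in zf.infolist():
            ext = os.path.splitext(zi.filename)[1].lower()
            members.append({
                "name": zi.filename,
                "encrypted": bool(zi.flag_bits & 0x1),   # bit 0 of the GP flags
                "size": zi.file_size,
                "blocked": ext in BLOCKED_EXTENSIONS,
            })
    blocked = [m["name"] for m in members if m["blocked"]]
    reason = ("executable member(s): " + ", ".join(blocked)) if blocked \
        else "no blocked extensions"
    return {"members": members, "blocked": blocked,
            "verdict": "block" if blocked else "pass", "reason": reason}


if __name__ == "__main__":
    # Constructed sample mirroring the listing in the diary: one "encrypted"
    # member named patch-58214.exe of 40649 bytes.
    sample = build_constructed_encrypted_zip("patch-58214.exe", bytes(40649))
    result = inspect_zip_attachment(sample)
    for m in result["members"]:
        print(f'{m["size"]:>8}  {m["name"]:<24} encrypted={m["encrypted"]} blocked={m["blocked"]}')
    print("verdict:", result["verdict"], "-", result["reason"])
```

The check works only because the ZIP format keeps its central directory in clear text, encrypted or not. An archive format that also encrypts the file listing (7-Zip's header encryption, for example) gives the gateway nothing to inspect, which is itself a reason for a mail filter to refuse it rather than pass it through.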


ISC Handler
Apr 13th 2007