
SANS ISC: Symantec decomposer rar bypass allowed malicious content. - Internet Security | DShield SANS ISC InfoSec Forums


Symantec decomposer rar bypass allowed malicious content.

ScottT of Blue Cross Blue Shield submitted the following information and a
rar file that bypassed his Symantec decomposer on his SMTP gateway.

“We received over 30 of these emails containing infected rar files.
Symantec detected them, but somehow these emails evaded our email
gateway and spam filter. The body text contained blocked words so it should
have been dumped by the spam filter. Our email gateway strips rar and scr
attachments, so the attachments should have been stripped.

We sent test emails with the offensive body text and the spam filter dumped
them. We also sent test emails with rar files attached, and the emails
arrived with the attachment stripped.

This has us stumped. It seems our systems are functioning properly, but
these emails are beating them.”


This was in the message headers of the email he forwarded to us.
“This message has been processed by Symantec AntiVirus.
screen.scr is still infected with the malicious virus Downloader because the
Symantec decomposer cannot modify its container.”

The text of the message implies you will see Paris Hilton undress if you open the attachment.


VirusTotal recognized screen.rar as a trojan downloader.
http://www.virustotal.com/analisis/67258db1006d464e1d5ff4248db306dd

Sending screen.scr to cwsandbox.org produced a good analysis.
Short version is it is a version of SDBOT.
Nitty-Gritty details available here:
https://cwsandbox.org/?page=details&id=215016&password=ftkxv

Symantec has suggested some changes to Scott's SMTP gateway configuration that may prevent further bypasses. The version of zip I have under cygwin also reported this rar as "damaged or invalid".

donald

ISC Handler
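The failure described above is a fail-open: the decomposer could not handle the RAR container, so the attachment-stripping and filtering rules never fired and the message was delivered intact. The following is an added example (not Symantec's decomposer, not Scott's gateway configuration, and not code from this diary) showing the defensive alternative: a gateway policy that walks RAR 4.x block headers itself (marker, main, file and end blocks; each header carries a CRC that is the low 16 bits of a CRC32) and maps any parse failure to "block" rather than "pass". The `build_rar4_sample` helper constructs a tiny stored-method archive purely as test data; the member payload is a made-up byte string, not malware. Function names, the three-way pass/strip/block decision and the extension list are assumptions of this example; the extension list mirrors the rar/scr stripping policy Scott describes.

```python
"""Fail-closed handling for archive attachments a scanner cannot open.

Added example for this diary entry; it is not Symantec's decomposer nor any
gateway product's code. It walks RAR 4.x block headers and maps any parse
failure to BLOCK rather than letting the message through unchanged.
"""
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000   # header is followed by ADD_SIZE bytes of data
LHD_LARGE = 0x0100    # 64-bit sizes; deliberately unsupported here
STRIPPED_EXTENSIONS = (".rar", ".scr")  # policy described in the diary


class InvalidArchive(Exception):
    """Raised when the container does not parse cleanly."""


def _header_crc_ok(header):
    # HEAD_CRC is the low 16 bits of CRC32 over the header after the CRC field.
    stored = struct.unpack_from("<H", header, 0)[0]
    return stored == (zlib.crc32(header[2:]) & 0xFFFF)


def list_rar4_entries(data):
    """Return member names of a RAR 4.x archive or raise InvalidArchive."""
    if not data.startswith(RAR4_MARKER):
        raise InvalidArchive("missing RAR 4.x marker")
    names, pos = [], len(RAR4_MARKER)
    while pos < len(data):
        if pos + 7 > len(data):
            raise InvalidArchive("truncated block header")
        _, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            raise InvalidArchive("bad HEAD_SIZE")
        header = data[pos:pos + head_size]
        if not _header_crc_ok(header):
            raise InvalidArchive("header CRC mismatch")
        add_size = 0
        if head_type == HEAD_FILE:
            if head_size < 32 or flags & LHD_LARGE:
                raise InvalidArchive("short or unsupported file header")
            add_size = struct.unpack_from("<I", header, 7)[0]    # PACK_SIZE
            name_size = struct.unpack_from("<H", header, 26)[0]  # NAME_SIZE
            if 32 + name_size > head_size:
                raise InvalidArchive("NAME_SIZE exceeds header")
            names.append(header[32:32 + name_size].decode("latin-1"))
        elif flags & LONG_BLOCK:
            if head_size < 11:
                raise InvalidArchive("LONG_BLOCK header without ADD_SIZE")
            add_size = struct.unpack_from("<I", header, 7)[0]
        if pos + head_size + add_size > len(data):
            raise InvalidArchive("block data runs past end of archive")
        pos += head_size + add_size
        if head_type == HEAD_END:
            break
    return names


def gateway_decision(filename, data):
    """Return (action, reason); action is 'pass', 'strip' or 'block'."""
    lower = filename.lower()
    if data.startswith(RAR4_MARKER) or lower.endswith(".rar"):
        try:
            members = list_rar4_entries(data)
        except InvalidArchive as exc:
            # The diary's failure mode: the decomposer could not handle the
            # container. Never fall through to 'pass' here.
            return ("block", "unparseable RAR container: %s" % exc)
        return ("strip", "RAR archive, members: %s" % ", ".join(members))
    if lower.endswith(STRIPPED_EXTENSIONS):
        return ("strip", "attachment type stripped by policy")
    return ("pass", "no policy match")


def build_rar4_sample(member_name, payload):
    """Build a tiny stored-method RAR 4.x archive (constructed test data)."""
    def block(head_type, flags, body):
        rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
        return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest
    name = member_name.encode("latin-1")
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
    file_body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2,
                            zlib.crc32(payload) & 0xFFFFFFFF, 0, 20, 0x30,
                            len(name), 0x20) + name
    return (RAR4_MARKER
            + block(HEAD_MAIN, 0x0000, b"\x00" * 6)
            + block(HEAD_FILE, LONG_BLOCK, file_body) + payload
            + block(HEAD_END, 0x4000, b""))


if __name__ == "__main__":
    good = build_rar4_sample("screen.scr", b"MZ constructed sample, not malware")
    bad = bytearray(good)
    bad[len(RAR4_MARKER) + 3] ^= 0xFF   # corrupt the main header's flags byte
    for blob in (good, bytes(bad)):
        print("screen.rar", gateway_decision("screen.rar", blob))
```

The design point is the `except InvalidArchive` branch: a container the parser cannot walk is the case where the scanner has the least information, so it is the last place a gateway should default to delivery. The same "damaged or invalid" verdict the cygwin tool reported is exactly the signal to quarantine on.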
