B.O.F. season-opening

Written by Franck on November 6th, 2008. Posted in Application Security, Vulnerabilities

Tonight, we had our first B.O.F. session (Birds of a Feather, from “birds of a feather flock together”, much like “together, we are stronger”). Besides eating chips, Toblerone and home-made brownies and drinking beer, we still had the time to dig into a subject geeky and interesting enough for us to even forget about ordering pizzas.


Banning executables

Written by Laurent on January 10th, 2007. Posted in Application Security, Open-source, Vulnerabilities

Do you still wonder whether blocking executables in emails is a good idea? Here is something that happened to us on December 30th, 2006 that should help you make a decision.

Around 0:30, we received dozens of emails containing an executable called postcard.exe.

No viruses were found.

Banned name: multipart/report | message/rfc822 | multipart/related |
application/x-msdownload,.exe,.exe-ms,postcard.exe
Content type: Banned (8,0)

The message WAS NOT relayed to:
554 5.7.0 Reject, id=21276-03 – BANNED: multipart/report | message/rfc822 | multipart/related | application/x-msdownload,.exe,.exe-m…

As you can see, these messages were blocked only because an .exe attachment was present in the mail; no virus was detected.

Half an hour later, here is the trace generated by the same email:

A virus was found: Trojan.Downloader-390

Banned name: multipart/report | message/rfc822 | multipart/related |
application/x-msdownload,.exe,.exe-ms,postcard.exe
Scanner detecting a virus: ClamAV-clamscan

Content type: Virus (9,0)
Subject: Returned mail: see transcript for details
The message has been quarantined as: virus-ZnU+-UZHehk1

The message WAS NOT relayed to:
254 2.7.0 Ok, discarded, id=21156-09 – VIRUS: Trojan.Downloader-390

Virus scanner output:
p001: OK
p002: OK
p004: Trojan.Downloader-390 FOUND

Now, you may think that the original problem is due to our use of an open-source antivirus engine. Then look at the analysis of the same file by the best-known engines:

Complete scanning result of “postcard.exe” (engine, version, signature date, result):

AntiVir 7.3.0.21 12.30.2006 TR/Dldr.Tibs.JZ
Authentium 4.93.8 12.30.2006 W32/Tibs.gen4
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 12.30.2006 Downloader.Tibs
BitDefender 7.2 12.30.2006 GenPack:Trojan.Downloader.Tibs.I
CAT-QuickHeal 8.00 12.29.2006 no virus found
ClamAV devel-20060426 12.30.2006 Trojan.Downloader-390
DrWeb 4.33 12.30.2006 Win32.Dref
eSafe 7.0.14.0 12.30.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.102 12.30.2006 no virus found
eTrust-Vet 30.3.3289 12.29.2006 Win32/Tibs!generic
Ewido 4.0 12.29.2006 no virus found
Fortinet 2.82.0.0 12.30.2006 suspicious
F-Prot 3.16f 12.30.2006 security risk named W32/Tibs.gen4
F-Prot4 4.2.1.29 12.30.2006 W32/Tibs.gen4
Ikarus T3.1.0.27 12.30.2006 Trojan-Downloader.Win32.Tibs.jy
Kaspersky 4.0.2.24 12.30.2006 Trojan-Downloader.Win32.Tibs.jy
McAfee 4929 12.29.2006 no virus found
Microsoft 1.1904 12.27.2006 no virus found
NOD32v2 1949 12.30.2006 Win32/Nuwar.M
Norman 5.80.02 12.29.2006 no virus found
Panda 9.0.0.4 12.30.2006 no virus found
Prevx1 V2 12.30.2006 Malicious
Sophos 4.13.0 12.30.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.139 12.29.2006 Trojan/Downloader.Generic
UNA 1.83 12.29.2006 no virus found
VBA32 3.11.1 12.29.2006 no virus found
VirusBuster 4.3.19:9 12.30.2006 Trojan.DL.Tibs.Gen!Pac10

Now that you have made the right decision, be aware that Microsoft has published a list of attachment file types that Outlook 2003 blocks out of the box. It is a good starting point for defining the attachment-blocking policy of your mail relay.
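The attachment-blocking policy the post recommends, as an added example that is not the post's own code nor an amavisd-new configuration: a Python check over a constructed MIME message that flags each part by declared content type, by any filename extension, and by the "MZ" executable header. The deny lists, the address domains and the sample attachments are constructed; fill the lists from the Outlook list the post cites.

```python
# Added example, not code from the original post: a small attachment policy
# check modelled on the amavisd-new "Banned name" rule in the log above.
# A part is rejected on its declared type, on any filename extension, or on
# its leading bytes (approximating the ".exe-ms" content type amavisd derives
# from file(1)). The deny lists below are a constructed subset only.
import email
from email import policy
from email.message import EmailMessage

BANNED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
BANNED_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def banned_parts(raw_message: bytes) -> list[str]:
    """Return one reason string per MIME part that violates the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Every dotted segment after the first counts as an extension so that
        # "invoice.pdf.exe" and "postcard.exe.txt" are both caught.
        extensions = [s for s in filename.split(".")[1:] if s]
        if ctype in BANNED_MIME_TYPES:
            reasons.append(f"{filename or '(no name)'}: banned content type {ctype}")
        elif any(ext in BANNED_EXTENSIONS for ext in extensions):
            reasons.append(f"{filename}: banned extension")
        elif payload[:2] == b"MZ":
            # Name and declared type look harmless; the bytes do not.
            reasons.append(f"{filename or '(no name)'}: PE executable by content")
    return reasons


def build_message(attachments) -> bytes:
    """Construct a test message; attachments are (filename, maintype, subtype, data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Postcard"
    msg.set_content("You have received a postcard!")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_message([("postcard.exe", "application", "x-msdownload", b"MZ\x90\x00")])
    print(banned_parts(sample))  # constructed sample resembling the postcard mailing
```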

SANS Infocon raised to Yellow

Written by Laurent on March 23rd, 2006. Posted in Desktop Security, Vulnerabilities

SANS Internet Storm Center has raised its Infocon indicator to yellow, due to the appearance of an exploit for an IE vulnerability disclosed yesterday. The vulnerability, rated as extremely critical by Secunia, has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.

Multiple vulnerabilities in Firefox and Thunderbird

Written by Franck on February 2nd, 2006. Posted in Desktop Security, News, Vulnerabilities

Multiple vulnerabilities have been reported in Firefox and Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user’s system.

Solutions:

  1. Firefox: Update to version 1.5.0.1
  2. Thunderbird: Disable JavaScript and do not open mails from untrusted sources.

When will it stop?

Symantec SGS Antivirus component update

Written by Laurent on January 16th, 2006. Posted in Vulnerabilities

This hotfix corrects the Symantec Antivirus library .rar decompression heap overflow vulnerability (Symantec security bulletin SYM05-027 on December 21, 2005).
You can download the patch directly from Symantec:
