By Munir Kotadia, 5 March 2004 10:00
NEWS Security firms have started updating their products with more sophisticated techniques aimed at getting inside the encrypted attachments in which the Bagle worm has spread.
Recent versions of the Bagle worm have bypassed corporate gateway security because they are distributed in password-protected Zip files, which are next to impossible for antivirus programs to scan. Emails infected with the Bagle worm, however, contain the password required for opening the Zip file.
On Wednesday, antivirus vendors BitDefender and Kaspersky Labs both launched updates enabling their software to open any encrypted attachments using the password contained in the email text. Once the file is decrypted, it is treated as an executable file and scanned normally.
Eugene Kaspersky, head of antivirus research at Kaspersky Labs, said: "This new technology protects users from a new generation of worms, specifically worms that hide in password-protected Zip files. Five worms using this technique appeared within only four days - a new trend has been set in the computer underground," he said.
Viorel Canja, head of BitDefender Labs, said in a statement: "We have developed an engine tasked with finding the Zip password in the email text. Most AV products could only offer protection after the archive is extracted; that could be a little too late for inexperienced users," he said.
Network Box, a security appliance vendor that licenses Kaspersky's antivirus software, has updated its gateway product to include complete protection against Bagle, which the company said is a first.
Simon Heron, director of Network Box, told ZDNet UK the product combines Kaspersky's software with Network Box's own technology to deal with the latest Bagle mutations at the network perimeter.
According to Heron, this does mean the gateway is fractionally slower. "The worst case scenario is we will take 50 milliseconds extra to parse an email that has a password-encrypted attachment. We don't think this is a problem," he said.
Munir Kotadia writes for ZDNet UK
Comments
There are 5 comments. Join the discussion
1. anonymous
Uh... I'm no legal expert, but doesn't cuurent intellectual property law (in US at least - the DMCA?) make it illegal to break or attempt to break encryption on software?
Does this mean that virus authors may have a case of action against AV companies for Intellectual Property infringement?
Boy, would THAT be silly!
2. anonymous
We have been using Panda Antivirus which has already been finding and disinfecting the password-protected bagle worm.
Why isn't Panda ever mentioned?
3. anonymous
They're not breaking the encryption, they're just grabbing the password which is sent in cleartext:
"both launched updates enabling their software to open any encrypted attachments using the password contained in the email text."
4. anonymous
How can it be a problem to open a zip file when the email text contains the password. Its like locking your safe and writing the code next to the lock.
If you want secret then send an encrypted file and tell the recipient the password via a different channel.
As for intellectual property, the AV scanner is already "reading" your emails as it it, without anyone complaining, what does it matter if the zips you send/receive are cleaned as well.
5. anonymous
Actually, it might be against the law, so any email virus creator should contact the local authorities immediately, explaining that their rights have been violated when their virus has been illegal cracked...