Gateway AV Scanners Caught By Surprise

Although by now most vendors have implemented some kind of patch to combat the most recent variant of the Bagle worm, fact remains this malware managed to defeat a large number of vendors’ gateway AV scanners. The culprit? A password protected zip file that carries the Bagle worm.

According to antivirus vendors, this particular strain (Bagle.J, or .H or .K, depending on vendor) appeared in the wild on March 2nd. Besides the password protected zip “feature”, it is in no way special as it uses well known techniques to spread via SMTP. However, only hours after it’s been found in the wild, customers at many large enterprise sites began to notice Bagle carrying zip files slipping through their gateway defenses. Of course, the AV vendors had probably a hard time explaining why this was happening to an increasingly nervous IT personnel.

To an antivirus scan engine password protection is in essence, encryption. The purpose of encrypting is to avoid prying eyes, including those of technology. And AV technology must have the key, that is password, to decompress the zip archive and scan it. No password, no scanning – simple as that.

The idea is so simple and straightforward that it’s really surprising it hasn’t been exploited more often up until now.

In fact, the same principle is used for example when submitting a suspicious file to a virus analysis center. You compress the file, protect it with a password and thus ensure no content/AV filter will change it during the transit to destination. And there, the folks can analyze it by unzipping it with the password you provided.

Of course, a password protected zip dramatically decreases the distribution potential of an e-mail worm. But two factors can probably compensate for this (at least in part). Firstly, the worm can count on bypassing the gateway AV defenses – as it did in this case. And secondly, it plays the card of social engineering: apparently, if you send a well crafted e-mail to unsuspecting users, and in addition provide a password, it can trigger a reasoning mechanism that goes something like: “Oh, they’ve sent me a confidential mail, and it’s even got a password – so it must really be for my eyes only. It must be something important and therefore I must open it”.

This reasoning may seem far-fetched but something similar is evidently happening since Bagle.J is currently quite active in the wild.

The antivirus vendors have been unusually slow and lethargic to react – which probably indicates they had a hard time in finding a solution that was flexible enough to incorporate into existing pattern files and scan engines. Several hours elapsed before patches were provided to help detect the latest Bagle variant. In the meantime, the only sure bet was blocking all zip files coming in, a draconian policy many were reluctant to implement.

Eventually, the solution included scan engine updates and/or somewhat late pattern files. A vendor has even gone so far as to scan the email which has Bagle like characteristics, find the password, and use it to extract the contents of the zip archive – so that the archive actually really gets scanned.

Lessons learned

It is important to stress that the problem with infected password protected zip files is only manifest with gateway scanners. On client computers with up-to-date AV protection, the worm is detected once the user provides the password and decompresses/decrypts the zip file. This fact provides a graphic example why it is important to implement defense in-depth on all layers of your IT infrastructure.

In addition, a gateway antivirus solution should have the possibility of handling scanning exceptions, such as is the case when a password protected file is unable to be scanned.

Lastly, this incident has once again demonstrated at what lengths users will go to open an infected e-mail attachment. If anyone thought a password protected zip would thwart the distribution potential of malware, the latest Bagle variant has proven the contrary.

Don't miss