Gateway AV Scanners Caught By Surprise
by Robert Buljevic - Thursday, 4 March 2004.
Although by now most vendors have implemented some kind of patch to combat the most recent variant of the Bagle worm, fact remains this malware managed to defeat a large number of vendors' gateway AV scanners. The culprit? A password protected zip file that carries the Bagle worm.

According to antivirus vendors, this particular strain (Bagle.J, or .H or .K, depending on vendor) appeared in the wild on March 2nd. Besides the password protected zip "feature", it is in no way special as it uses well known techniques to spread via SMTP. However, only hours after it's been found in the wild, customers at many large enterprise sites began to notice Bagle carrying zip files slipping through their gateway defenses. Of course, the AV vendors had probably a hard time explaining why this was happening to an increasingly nervous IT personnel.

To an antivirus scan engine password protection is in essence, encryption. The purpose of encrypting is to avoid prying eyes, including those of technology. And AV technology must have the key, that is password, to decompress the zip archive and scan it. No password, no scanning - simple as that.

The idea is so simple and straightforward that it's really surprising it hasn't been exploited more often up until now.

In fact, the same principle is used for example when submitting a suspicious file to a virus analysis center. You compress the file, protect it with a password and thus ensure no content/AV filter will change it during the transit to destination. And there, the folks can analyze it by unzipping it with the password you provided.

Of course, a password protected zip dramatically decreases the distribution potential of an e-mail worm. But two factors can probably compensate for this (at least in part). Firstly, the worm can count on bypassing the gateway AV defenses - as it did in this case. And secondly, it plays the card of social engineering: apparently, if you send a well crafted e-mail to unsuspecting users, and in addition provide a password, it can trigger a reasoning mechanism that goes something like: "Oh, they've sent me a confidential mail, and it's even got a password - so it must really be for my eyes only. It must be something important and therefore I must open it".

This reasoning may seem far-fetched but something similar is evidently happening since Bagle.J is currently quite active in the wild.

The antivirus vendors have been unusually slow and lethargic to react - which probably indicates they had a hard time in finding a solution that was flexible enough to incorporate into existing pattern files and scan engines. Several hours elapsed before patches were provided to help detect the latest Bagle variant. In the meantime, the only sure bet was blocking all zip files coming in, a draconian policy many were reluctant to implement.

Eventually, the solution included scan engine updates and/or somewhat late pattern files. A vendor has even gone so far as to scan the email which has Bagle like characteristics, find the password, and use it to extract the contents of the zip archive - so that the archive actually really gets scanned.

Lessons learned

It is important to stress that the problem with infected password protected zip files is only manifest with gateway scanners. On client computers with up-to-date AV protection, the worm is detected once the user provides the password and decompresses/decrypts the zip file. This fact provides a graphic example why it is important to implement defense in-depth on all layers of your IT infrastructure.

In addition, a gateway antivirus solution should have the possibility of handling scanning exceptions, such as is the case when a password protected file is unable to be scanned.


Most IT pros have seen potentially embarrassing information about their colleagues

More than three-quarters of IT professionals have seen and kept secret potentially embarrassing information about their colleagues, according to new research conducted by AlienVault.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th