On last.fm: Listen to Shwayze's Music for Free
BNET Business Network:
BNET
TechRepublic
ZDNet
23 TalkBacks

By Munir Kotadia
Posted on ZDNet News: Mar 4, 2004 7:51:00 PM

Security companies have started updating their products with more sophisticated techniques aimed at getting inside the encrypted attachments in which the Bagle worm has spread.

Recent versions of the Bagle worm have bypassed corporate gateway security measures because they are distributed in password-protected Zip files, which are next to impossible for antivirus programs to scan. E-mails infected with the Bagle worm, however, contain the password required for opening the Zip file.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

On Wednesday, antivirus vendors BitDefender and Kaspersky Labs both launched updates enabling their software to open any encrypted attachments using the password contained in the e-mail text. Once the file is decrypted, it is treated as an executable file and scanned normally.

Eugene Kaspersky, head of antivirus research at Kaspersky Labs, said: "This new technology protects users from a new generation of worms, specifically worms that hide in password-protected Zip files. Five worms using this technique appeared within only four days--a new trend has been set in the computer underground," he said.

Viorel Canja, head of BitDefender Labs, said in a statement: "We have developed an engine tasked with finding the Zip password in the e-mail text. Most (antivirus) products could only offer protection after the archive is extracted; that could be a little too late for inexperienced users," he said.

Network Box, a security appliance vendor that licenses Kaspersky's antivirus software, has updated its gateway product to include complete protection against Bagle--a first, according to the company.

Simon Heron, director of Network Box, said the product combines Kaspersky's software with Network Box's own technology to deal with the latest Bagle mutations at the network perimeter.

According to Heron, this does mean the gateway is fractionally slower, but by no more than 50 milliseconds per e-mail. "The worst case scenario is we will take 50ms extra to parse an e-mail that has a password-encrypted attachment. We don't think this is a problem," he said.

Munir Kotadia of ZDNet UK reported from London.

  • Talkback
  • Most Recent of 23 Talkback(s)
#3 won't work.
FYI, with the recent w32.beagle.(A-F) virus, the from line is spoofed to display people you know, making your #3 impossible to apply.... (Read the rest)
Posted by: alloro Posted on: 03/05/04 You are currently: Logged In | Log out
Bagle? Beagle? Whatever it is, I had it. jonkopp   | 03/04/04
What do you do michael-t   | 03/04/04
Personally bhanes@...   | 03/04/04
Re: Should I continue to pay? Rabid Conservative   | 03/05/04
Save it. alloro   | 03/05/04
Bagle? Beagle? Whatever it is, I had it. jonkopp   | 03/04/04
depends on your connection JoeMama_z   | 03/04/04
Cat vs. Mouse heatlesssun   | 03/04/04
Hmmm.. bhanes@...   | 03/04/04
Good comment. heatlesssun   | 03/04/04
That is correct michael-t   | 03/04/04
Its not that bad. heatlesssun   | 03/04/04
Actually, few notice it's happening jfrankcarr   | 03/04/04
I don't see michael-t   | 03/04/04
Some precautions are one time, others ongoing jfrankcarr   | 03/04/04
Re: Unknown senders Rabid Conservative   | 03/05/04
BTW Rabid Conservative   | 03/05/04
#3 won't work. alloro   | 03/05/04
It works! michael-t   | 03/04/04
man... jdahs@...   | 03/04/04
only after MS starts getting it right .... michael-t   | 03/04/04
but what does... JoeMama_z   | 03/04/04
It has to do michael-t   | 03/04/04

What do you think?

advertisement
advertisement
Click Here
advertisement
Click Here