Fighting malware and spam

MIME tricks beat email virus scanners

Simple encoding dodges slip malware past gateways.

A security researcher released a report last week claiming that some simple manipulation allowed him to get mails containing the EICAR test virus string past a variety of mail scanning products. Software from BitDefender, ClamAV, F-Prot and Kaspersky was reported to be vulnerable to the trick.

Stuttgart-based Hendrik Wiemer used Base64 encoding, including non-standard characters which should be ignored on decoding, to create a MIME document including the virus scanner test string. This was then passed through a small selection of mail scanners, of which only Alwil avast! and Barracuda's Spam Firewall were not fooled by the alteration of the file. F-Secure's Linux Gateway product reported it could not scan the mail, while the rest let it through without comment. Many email clients, including Microsoft Outlook, would correctly reassemble the EICAR string on receipt.

Further encoding produced even more failures to detect. It remains unclear whether the proof of concept would be viable with more complex, genuine malware.

A blog entry describing the test, including perl code to generate sample mails with complex encoding, is here. More information and mail-scanner test files are available from heise Security.

11 December 2006

Tags:    del.icio.us   digg this

Quick Links

Poll

virusbtn: RT @emailsecmatters: The typical spam message has sources as diverse as the spam lunch meat: http://ht.ly/2yucd
2 hours ago

virusbtn: Can anyone write a rap about our RAP tests (http://bit.ly/255ySQ) and submit it to the Symantec competition http://bit.ly/bOJg8r
6 hours ago

VB100 certification