March 15, 2004
New computer virus prompts campus to block problematic
attachments
By Louise Donahue
A new wave of virus-laden attachments headed to campus e-mail accounts
has prompted UCSC to impose the computer equivalent of a blockade.
Once we determine that our e-mail antivirus software
effectively detects and blocks Beagle, and new variants of Beagle,
we will remove the global blocking of .zip, .rar,
or .sit attachments."
--Steve Zenone
UCSC informations security Manager
|
Since last week, UCSCs Information Security Team has blocked
all .zip attachments coming to campus e-mail accounts. That block
was broadened Monday to include .RAR and .SIT attachments.
E-mails with .zip, .rar or .sit attachments are still
being received, but with the attachment removed. The subject line of
the e-mail is being modified with {Virus?} inserted before
the original subject.
In addition, the body of the e-mail then includes the following message:
Warning: This message has had one or more attachments removed.
Warning: Information about the virus follows the original message content.
The move to block .zip, .rar, and .sit attachments
came after the team began seeing e-mails destined to campus users containing
the new Beagle or bagle virus.
The action was taken to help protect our e-mail users' systems
from infection until there was a better way to detect the viruses,
said Steve Zenone, UCSC information security manager.
Once we determine that our e-mail antivirus software effectively
detects and blocks Beagle, and new variants of Beagle, we will remove
the global blocking of .zip, .rar and .sit attachments,
said Zenone. We may implement a temporary block again in the future
if a similar threat arises--we continue to see new techniques used by
virus writers to bypass antivirus.
Zenone noted that the security team continually monitors e-mail traffic
to determine what impact these new worms/viruses might have and respond
as needed.
He acknowledged that the blocking poses a problem for those using .zip,
.rar and .sit attachments to share files and data. It
is a balancing act between security and convenience.
The blocking of .zip, .rar and .sit files manages
the spread of the virus via e-mail passing through the campus mail servers,
the primary method of propagation used by the Beagle virus. The threats
come packaged as an e-mail with an attachment containing a randomly
named .exe file inside a .zip , .rar, or .sit
file.
The embedded .exe file is password-protected with a random password.
Up to this point, anti-virus software has been unable to crack and look
inside these password-protected .zip files for analysis.
Zenone has these suggestions for those who rely on .zip, .rar
or .sit files:
Have the sender change the .zip, .rar or .sit
extension to something else, such as .txt, that isn't
being blocked. When you receive the attachment via e-mail change the
extensions name back to .zip, .rar or .sit
for your use.
If you and the sender are comfortable using a different protocol/method
for sharing the files, consider SFTP (or other methods) as opposed to
SMTP.
Until we come up with a better way to handle the issues Beagle
brings to the table, I believe it continues to be important that we
follow the best practices of mitigation, Zenone said.
These practices include:
Do not open or execute unexpected message attachments; mass-mailing
worms can often originate from people the user knows.
Filter attachments not on a list of approved types at the e-mail
gateway.
Apply the Outlook E-mail Security Update (Q262631) in order
to block user access to certain attachment types. This update will also
notify the user of applications attempting to access the Outlook address
book.
Use of a firewall or Intrusion Detection System may block or
detect back-door server communications with the remote client application.
Return to Front Page
|