March 15, 2004

New computer virus prompts campus to block problematic attachments

By Louise Donahue

A new wave of virus-laden attachments headed to campus e-mail accounts has prompted UCSC to impose the computer equivalent of a blockade.

Since last week, UCSC’s Information Security Team has blocked all .zip attachments coming to campus e-mail accounts. That block was broadened Monday to include .RAR and .SIT attachments.

E-mails with .zip, .rar or .sit attachments are still being received, but with the attachment removed. The subject line of the e-mail is being modified with “{Virus?}” inserted before the original subject.

In addition, the body of the e-mail then includes the following message: “Warning: This message has had one or more attachments removed. Warning: Information about the virus follows the original message content.”

The move to block .zip, .rar, and .sit attachments came after the team began seeing e-mails destined to campus users containing the new “Beagle” or “bagle” virus.

“The action was taken to help protect our e-mail users' systems from infection until there was a better way to detect the viruses,” said Steve Zenone, UCSC information security manager.

“Once we determine that our e-mail antivirus software effectively detects and blocks Beagle, and new variants of Beagle, we will remove the global blocking of .zip, .rar and .sit attachments,” said Zenone. “We may implement a temporary block again in the future if a similar threat arises--we continue to see new techniques used by virus writers to bypass antivirus.”

Zenone noted that the security team continually monitors e-mail traffic to determine what impact these new worms/viruses might have and respond as needed.

He acknowledged that the blocking poses a problem for those using .zip, .rar and .sit attachments to share files and data. “It is a balancing act between security and convenience.”

The blocking of .zip, .rar and .sit files manages the spread of the virus via e-mail passing through the campus mail servers, the primary method of propagation used by the Beagle virus. The threats come packaged as an e-mail with an attachment containing a randomly named .exe file inside a .zip , .rar, or .sit file.

The embedded .exe file is password-protected with a random password. Up to this point, anti-virus software has been unable to crack and look inside these password-protected .zip files for analysis.

Zenone has these suggestions for those who rely on .zip, .rar or .sit files:

• Have the sender change the .zip, .rar or .sit extension to something else, such as .txt, that isn't being blocked. When you receive the attachment via e-mail change the extension’s name back to .zip, .rar or .sit for your use.

• If you and the sender are comfortable using a different protocol/method for sharing the files, consider SFTP (or other methods) as opposed to SMTP.

“Until we come up with a better way to handle the issues Beagle brings to the table, I believe it continues to be important that we follow the best practices of mitigation,” Zenone said.

These practices include:

• Do not open or execute unexpected message attachments; mass-mailing worms can often originate from people the user knows.

• Filter attachments not on a list of approved types at the e-mail gateway.

• Apply the Outlook E-mail Security Update (Q262631) in order to block user access to certain attachment types. This update will also notify the user of applications attempting to access the Outlook address book.

• Use of a firewall or Intrusion Detection System may block or detect back-door server communications with the remote client application.

Return to Front Page