
Virus / trojan delivered via SMIME?



Blacksheep
05-30-2001, 02:46 PM
MrByte is doing a great job.:-) The new forums are super!
I posted this SMIME question before and got no replies. I dunno if it's a stupid question or nobody has an answer, idea, suggestion, etc..
I received a smime.p7s email attachment from a suspicious source, and would be happy to send this attachment to anyone who could analyze it. I've read that viruses/trojans can be delivered via SMIME but can find little info on this on the Web. Also believe anti-virus progs can't detect all encrypted viruses/trojans. Does anybody have any info on this?

BS

System Penetrator
05-30-2001, 04:28 PM
Yeah...I think you might be thinking of something called "God Message". It is a HUGE VBS or Java script.

It really just links you to a website that has the download you want on, but on the website you came from it's got the safe for scripting tag. But yes...if you wanted it to, it could download a malicious program onto the HDD. "The user could've logged off, you could be uploading this script to a totally innocent user, and thinking that you got the culprit." Yes...there are a few checks that you can perform to get the "right" IP. First you may designate an IP class i.e.:

255.255.255.255

You have to designate the second from the left class. I get confused whether it is the B or C class...oh well...anyway. You can't really designate a single IP but only the class. This means that (255 x 255) people could get infected. That is unfortunate...but you WILL GET them this way.

"What about firewalls?". Good point! But the firewalls aren't really affected since it is only "safe for scripting" Java passing through. It's not as though it is a UDP scan which would cause any half decent firewall to respond.

You could open the file on the user's PC but you'd have to get the file path exactly right. Firstly when you say to the script "download this file without the user's permission" you can't specify where to download it. It just downloads it. You could make a lucky guess and say "C:\Windows\Temporary Internet Files\Unsafescript.exe". There again...the user may not have a C:\ drive. I have mine called G:\ and H:\. This is a good last resort just in case it gets past all my stuff. Also their Windows path may not be called "C:\Windows". I've changed mine to "G:\Needed Files". If you execute the exe in supposedly "Windows" but it is really in "Needed Files", the user gets a lovely warning in their IE browser saying "cannot find hostilescript in c:\Windows\Temporary Internet Files. Would you like to search for this file yourself". So you usually have to wait for them to open it. Although with some really complicated scripting, well beyond me, you can import it into the Windows startup registry so the next time he boots back up it's autostarted. A bit useless on a server though since they don't reboot for ages.

I'm sorry if parts of that are confusing. I've just explained it to another guy so I just copied and pasted what was said! Hope you don't mind!

Blacksheep
05-30-2001, 05:31 PM
Hmmm...

You're right- I didn't "get" all that.:-)
This smime.p7s email attachment is small; *KB.

BS

System Penetrator
05-31-2001, 04:23 AM
It could probably then be a virus, or a trojan only waiting for you to download it, so it can set itself up in your registry to mask its signature.

SP