CyberSoft News For May 2001

CyberSoft, Inc.'s Customer Newsmagazine

New & Improved: MV Filter 5.0

CyberSoft has just completed a new version of its macro disinfection tool, MVFilter. This new version (MVFilter 5.0) contains a new feature called Raven. To quote Edgar Allan Poe, your virus is "Nevermore". This new version of our MVFilter tool is unlike other AV disinfection tools because it:

1) Will not leave ghosts (macro code) in the file(s).
2) Removes ghosts (macro code) that remain in the file after disinfection by other AV disinfection tools.

The term "ghost" refers to macro source code that remains in a file after disinfection by an AV product. Some AV products flip a few bytes in the file so that their scanning engine no longer detects a virus and so that applications such as Word and Excel no longer recognise the macros, even though the macro code is still present. CyberSoft, however, completely removes all macros and macro ghosts from the infected file, whether or not a given macro is itself infected, and therefore assures complete and accurate disinfection of files infected with macro viruses.

MVFilter 5.0 will be released in the next version of the VFind Security ToolKit 158. Release date to be determined.

A word from our Virus Wrangler

Within the last, say, half year, there has been a rash of macrovirii which have been detecting strangely. VFind would find them under one name, but they would be bearing another. There is a reason for this. His name is MacroMan.

MacroMan is what we call a script kiddie. He takes an existing virus and modifies it so that it does not detect as the original does and performs different functions within the confines of your computer. MacroMan is also what we call a P.I.A. for the same reason.

Now, mind you, this does not take a brilliant mind to do, just a warped one. All this script kiddie wants to do is be noticed, and this is the best way he knows of to do it. Unfortunately, it does serve its purpose, since I have had to wrangle so many MacroMan virii that I would like to strangle him with a long IDE ribbon. Since I am unable to do that, I have provided all CyberSoft customers with new vdl called MacroMan. This vdl detects any MacroMan-replicated virus by detecting his telltale signature (which is actually more like a billboard—like I said, he wants attention). This way, even if the virus has been modified to not be detected by any existing vdl, it will still be caught.

Suffice it to say that script kiddies, while being a real annoyance on a number of levels, are usually undone by their desire for fame. MacroMan is only the most recent. There have been many others who have left their signature on their work, if you know where to look. Oftentimes this signature is part of what we use to detect their virii in the wild (I won't say what the rest is—the internet has ears, you know!).

So, git along, little virii! I think we've got this one corralled.

At least, for now.

From the President's Desk

Many people call all software attacks viruses. In fact, there are dozens of different types of attacks, including viruses, worms, logic bombs, trojans, etc. Many of the most destructive recent attacks have been worm attacks. The Love Letter "virus", the Killer Resume "virus" and dozens more are actually worms that enter systems via email. There is one special fact about all of the mentioned attacks: they were all written in Microsoft's Visual Basic for Applications (VBA). A few programs require you to use VBA in email messages, but if you are not using one of these programs (and they are rare), then there is no reason to allow VBA applications on your system. After all, if you are not using it, it has no business being there. The significance of this fact is that you can become immune to all VBA-based attacks, both known and unknown, simply by blocking all messages containing VBA applications.

This same theory can be generalized to all types of applications. If you are operating a Microsoft Windows 2000 system, there is no reason why Unix applications should exist on its file system. The reverse is also usually true of a Unix system. While this is not as useful as the first example involving email messages, the theory can be taken a step farther. For example, if you are running a Windows 2000 system and you don't use VBA applications, OLE-based macros or Java applications, then there is no legitimate reason for these applications to exist on the system. If, as a company policy, you do not use macros, then any file containing macros may be a new, unknown attack; at the very least it is a violation of company policy. By blocking or eliminating all macro-based files on a system, the system becomes immune to all macro viruses. This can be made practical in two ways: add type blocking to a virus scanner, or add type blocking to an Antivirus Real Time (ART) system. An ART system scans files for viruses when they are copied, executed or moved, in real time. It does not wait for an event like a system scan, but operates in "real time", on an as-needed basis. By adding type blocking to an ART system, virus scanner and network communications, you extend your virus scanner's ability to locate new, unknown viruses. This can be very significant.

Using the UAD tool, which is part of the CyberSoft VFind Security Tool Kit (VSTK), you can automatically and recursively decompose complex files for scanning and analysis. As part of this process it resolves the type of a file or message, including all of its attachments or subcomponents. Email messages are complex "file" types that consist of a message header, a message body and other encapsulated attachments. UAD identifies each attachment recursively by its encapsulation method and contents. In addition, UAD makes no assumptions about a file's contents based upon the file's name; it makes its identification based upon direct inspection of the data itself.

For those of you who prefer Unix Bourne shell script languages to the English language, here is a small example of how to use UAD to block email attachments of various types:

$VSTK_HOME/bin/uad -z $filename 2>/dev/null | nawk '$2 == "Name:" && ( \
$3 ~ /\.vbs$/ || $3 ~ /\.com$/ || $3 ~ /\.exe$/ || \
$3 ~ /\.shs$/ || $3 ~ /\.wsf$/ || $3 ~ /\.wsh$/ || \
$3 ~ /\.scr$/ || $3 ~ /\.dll$/ || $3 ~ /\.hlp$/ || \
$3 ~ /\.js$/ ) { print "bad attachment type: "$3 }'
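
The nawk filter above blocks on the attachment name that UAD reports. The point made earlier, that UAD identifies data by inspecting it rather than by trusting the file name, is worth seeing side by side with the name rule. The following Bourne shell script is an added example written for this newsletter page, not CyberSoft's code and not a reproduction of UAD's output: it reuses the extension list from the nawk filter, adds a content check on the first eight bytes (the standard "MZ" executable, OLE2 compound-document and zip signatures), and runs both over a handful of constructed sample attachments. An OLE2 signature only says the file is a Word/Excel style container; whether it actually carries macros is what mvfilter's exit code 20 tells you, so the script reports OLE2 files rather than deciding on them.

```shell
#!/bin/sh
# Added example, not CyberSoft code: attachment type blocking that combines the
# name-based rule from the nawk filter with a content-based check in the spirit
# of UAD (classify by inspecting bytes, not by trusting the file name).
# The UAD binary is not used; the magic-byte table and sample files are constructed.

# Extensions blocked by the page's nawk example.
BLOCKED_EXT='vbs com exe shs wsf wsh scr dll hlp js'

# name_blocked NAME: succeed (0) when NAME's extension is on the block list.
name_blocked() {
    ext=$(printf '%s' "$1" | awk -F. 'NF > 1 { print tolower($NF) }')
    [ -n "$ext" ] || return 1
    for b in $BLOCKED_EXT; do
        [ "$ext" = "$b" ] && return 0
    done
    return 1
}

# content_type FILE: classify by the first eight bytes, ignoring the name.
# Signatures: "MZ" (DOS/Windows executable), the OLE2 compound-document header
# (Word/Excel containers that may carry VBA macros), "PK\3\4" (zip archive).
content_type() {
    magic=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$magic" in
        4d5a*)            echo executable ;;
        d0cf11e0a1b11ae1) echo ole2 ;;
        504b0304*)        echo zip ;;
        *)                echo other ;;
    esac
}

# verdict FILE: "block" when either the name or the content says executable code.
# OLE2 files are only reported here; deciding on their macros is mvfilter's job.
verdict() {
    if name_blocked "$(basename "$1")"; then
        echo block
        return 0
    fi
    case "$(content_type "$1")" in
        executable) echo block ;;
        *)          echo allow ;;
    esac
}

# scan_dir DIR: one "<verdict> <type> <name>" line per file, sorted.
scan_dir() {
    for f in "$1"/*; do
        printf '%s %s %s\n' "$(verdict "$f")" "$(content_type "$f")" "$(basename "$f")"
    done | sort
}

# make_samples: constructed attachments in a temporary directory; prints its path.
make_samples() {
    dir=$(mktemp -d)
    printf 'MZ\220\000\003\000' > "$dir/report.txt"               # executable hiding behind .txt
    printf '\320\317\021\340\241\261\032\341' > "$dir/budget.xls"  # OLE2 header only
    printf 'hello\n' > "$dir/notes.txt"                          # plain text
    printf 'MsgBox "x"\n' > "$dir/script.vbs"                    # blocked by name alone
    echo "$dir"
}

SAMPLES=$(make_samples)
scan_dir "$SAMPLES"
# prints:
#   allow ole2 budget.xls
#   allow other notes.txt
#   block executable report.txt
#   block other script.vbs
rm -rf "$SAMPLES"
```

The renamed executable (report.txt) is the case the nawk filter alone would pass and the content check catches; the .vbs file is the reverse, caught by name while its bytes look like ordinary text. In a real deployment the name list and the signature table would both be fed by UAD's recursive decomposition rather than by a flat directory listing.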

Another tool included in the VSTK is MVFilter. This is the OLE macro disinfection tool. It can also be used to ensure that no macro viruses exist in a message or file. A Unix Bourne shell script example of how to do this is:

# File to check and location of the VSTK install.
FILENAME=/export/home/test/engineering.doc
export FILENAME
VSTK_HOME=/usr/lib/vstk
export VSTK_HOME

# Run mvfilter silently; only its exit status is of interest here.
"${VSTK_HOME}/bin/mvfilter" "${FILENAME}" 2> /dev/null > /dev/null
ERR=$?

# Map the exit status to a result. 20 = no macros present, 40 = file type not
# recognized, 81 = not an OLE document/message; anything else means mvfilter
# processed the file.
case ${ERR} in
    20)
        echo "${FILENAME} contains no macros"
        ;;
    40)
        echo "${FILENAME} unrecognized file type"
        ;;
    81)
        echo "${FILENAME} not an OLE document/message"
        ;;
    *)
        echo "It worked"
        ;;
esac

If you combine the first example with the second, and additionally use UAD to decompose an email that contains macro-bearing OLE attachments, you can effectively detect, decompose and disinfect attachments in email. The now disinfected and decomposed message would have to be rebuilt, but that can be done using public domain software like gzip and various MIME encoders.

The purpose of this paper was not to present a completed program, but to provide concepts, ideas and known working code segments for solving complex problems. This is in keeping with the VFind tool mentality. All of the VSTK tools mentioned in this article are included in the VSTK, VSTKP and VSTKCW tool kits. If you are interested in additional examples of programs written around the VSTK and VSTKP products, visit www.cybersoft.com.

General Information

A.)PRODUCT INFORMATION

Why VFind Security ToolKit? (History of development)

Special Features of VFind Security ToolKit

VFind Security ToolKit Applications with Multimedia Publishers and CD-ROMs

Y2K Resolution

The waVeAntivirus Antivirus

B.)VFIND SECURITY TOOLKIT COMPONENTS

CVDL (CyberSoft Virus Description Language) Description

UAD (Universal Atomic Disintegrator) Description
http://www.cyber.com/products/uad/

CIT (Cryptographic Integrity Tool) Description
http://www.cyber.com/products/cit/

C.)VIRUS INFORMATION

Unix Virus Attacks Plausibility

Unix Virus Attacks

Heterogeneous Computer Viruses

Virus Migration (by Sung Moo Yang)

D.)PRICING INFORMATION

Master Price Schedule

E.)TRAINING INFORMATION

Call CyberSoft for Information

F.)OCCUPATIONAL OPPORTUNITIES

We list all our job openings on Monster.com


Editor's Note

To subscribe, please email me at support@cyber.com

To unsubscribe, you can email me too (please NO foul language...that's rough to read
the first thing in the morning and it will ruin my day!!).

How To Contact Us:

Phone:

Voice: 610-825-4748
Fax: 610-825-6785
Mondays - Fridays: 8 A.M. - 5 P.M. EST

Email: General Email Address: info@cyber.com
Sales Email Address: sales@cyber.com
Tech Support Address: support@cyber.com
Mail: 1508 Butler Pike
Conshohocken, PA 19428




Copyright (c) 2005 by CyberSoft, Inc. All rights reserved world wide.

This product is marketed exclusively under license by the CyberSoft Operating Corporation and its wholly owned division, CyberSoft International. Copyright 2000 - 2005