
| Subject: | Administrivia #29414 - Virus/Exploit detected in NTBugtraq messages |
|---|---|
| Date: | Wed, 12 Jan 2005 18:12:53 -0500 |
Time for a reminder regarding your AV products and messages from NTBugtraq.

From time to time, NTBugtraq messages contain code snippets of exploits. Usually these are snippets of some sort of HTML scripting. Occasionally, these messages come out after other lists have published them, or they are variations on previously published code snippets. As such, AV vendors may have already created a definition which finds the snippet to be a virus. Typically it is identified as being some sort of generic virus type. Depending on your AV settings, it may be blocked completely and a report generated.

Here is some information that will hopefully help you understand what has happened and what you can do about it:

1. NTBugtraq messages are always "plain/text", never HTML. As such, code snippets shouldn't run. That said, some email clients might render HTML code snippets in plain text messages. Which client will do what is unknown to me, and any that do render HTML code in plain text messages are brain-dead IMO. Outlook will render anything that looks like a URL as a clickable URL; it will not, however, render a code snippet.

2. Your AV products detect code snippets regardless of what the message type is. They don't concern themselves with whether or not the message format could produce an exploit; they simply look at the plain text and see if it looks like known code snippets. If there's a sufficient match, it detects and blocks the message. This sucks IMO, but they are probably equally unsure of what email client will do what. Better safe than sorry. So you may very well get an alert about an NTBugtraq message when, in fact, there is, IMO, no good reason for the alert.

3. Links contained in NTBugtraq messages may lead you to a page which describes how to run a Proof of Concept, or they may take you directly to a Proof of Concept. I make every effort to test all links prior to sending the messages through, and I try to verify that the PoC is benign. I make no guarantees, however, just my best efforts.

   Nobody should be following a link to any site mentioned in an NTBugtraq message without first seriously considering the potential for exploit as a result of doing so. The very nature of the list lends itself well to alleged security information being offered from a site that may, for example, exploit you quietly while you retrieve the security info contained there. You've been warned!

4. The NTBugtraq email address, as well as my own, are in use in a variety of viruses. Nothing I can do about that, unfortunately, but it means that you may very well receive a valid virus alert pertaining to a message that seems to have been sent by me or the list. Of course, proper inspection of the headers will show you that such messages aren't coming from me or the list.

5. AV programs often are configured to send an alert notification to a variety of addresses. So if any AV product is detecting any part of an NTBugtraq message as alert-able, I get hundreds of such alerts automatically. This means it's unnecessary for anyone on the list to send me a message telling me a message was detected. Trust me, I know. I have said for years that such notifications should be turned off. I've long believed that they cause more harm than good. I get hundreds of notifications every day due to messages that contain one of my addresses, where in fact the message never originated from my systems. No doubt many people are in the same situation. As such, these messages are more likely to be ignored today than heeded. You waste your bandwidth responding to people who have no idea what you're talking about.

So, what should you do when you receive such a notification about an NTBugtraq message or a site referenced in an NTBugtraq message? Well, if your AV blocks a message, the first thing is to go to the NTBugtraq online web archives, http://www.ntbugtraq.com, and then click on the Archives link at the top of the page.

You can then view all of the messages for the current month, including the message that caused your alert. Depending on what security software you are using, you may in fact end up getting another alert when you attempt to view the message. If it cannot tell whether the code snippet can execute, or doesn't try to determine this, some proxies and such may block viewing the web version too. Again, since the message in the NTBugtraq archive is plain text, it will not be executable code there either, but your security products may err on the side of caution again.

If you cannot view the web archive version either, you probably need to reconsider a couple of things:

a) Maybe NTBugtraq isn't a good list for you to be subscribed to. I'm not going to dumb down such messages in order to try and get them past security products, so you're likely going to encounter this problem repeatedly. I doubt you'd be able to see the information on any list or site anyway.

b) Use a tool that allows you to retrieve the contents of the page as plain text and view it in Notepad.

If you get an alert from a site linked in an NTBugtraq message, feel free to let me know what you got. I'm not interested in hearing about PoC sites; I've looked at those myself already. If, however, you get a silent delivery from a site linked, say a Spyware installation or something similar, then definitely let me know.

I hope this explains things a bit better regarding messages you received today.

Cheers,
Russ - NTBugtraq Editor

--
NTBugtraq Editor's Note: Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
--
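Point 4 and the editor's note both rest on reading the headers to see that a virus message with the list's address in From: never actually came from the list. As an added example (not part of the original message or of NTBugtraq's tooling), the Python below walks the Received: chain of two constructed messages and flags the one whose From: claims the list domain while no hop passed through the list's mail host; every hostname, address and IP in it is a constructed placeholder.

```python
"""Check whether mail claiming to be from a list actually transited the list host."""
import email
from email.utils import parseaddr

# Constructed sample: a virus-style message that spoofs the list's From:
# address, but whose Received: chain never touches the list server.
# All hostnames, addresses and IPs here are constructed placeholders.
SPOOFED_MSG = """\
Received: from mail.example-corp.invalid (mail.example-corp.invalid [192.0.2.10])
\tby mx.recipient.invalid with ESMTP id abc123; Wed, 12 Jan 2005 18:30:00 -0500
Received: from home-pc.example-isp.invalid ([198.51.100.7])
\tby mail.example-corp.invalid with SMTP; Wed, 12 Jan 2005 18:29:55 -0500
From: NTBugtraq <listadmin@list.example.invalid>
Subject: Important notice
Content-Type: text/plain

See attachment.
"""

# Constructed sample: a genuine list message delivered by the list host.
GENUINE_MSG = """\
Received: from listserv.list.example.invalid (listserv.list.example.invalid [203.0.113.5])
\tby mx.recipient.invalid with ESMTP id def456; Wed, 12 Jan 2005 18:12:53 -0500
From: NTBugtraq <listadmin@list.example.invalid>
Subject: Administrivia
Content-Type: text/plain

Plain-text list message.
"""


def received_hosts(msg):
    """Return the 'from' host of each Received: header, oldest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        words = hdr.split()          # folded continuation lines collapse here
        if len(words) >= 2 and words[0].lower() == "from":
            hosts.append(words[1].lower())
    return hosts[::-1]               # MTAs prepend Received:, so reverse


def check_sender(raw, list_domain, list_host):
    """Flag mail whose From: claims the list domain but whose Received: chain
    never passed the list host. Only hops your own MTA added are trustworthy."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    claims_list = addr.lower().endswith("@" + list_domain)
    hops = received_hosts(msg)
    return {"claims_list": claims_list, "hops": hops,
            "spoofed": claims_list and list_host not in hops}
```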