Trend Scanmail 2.6 bug?

Yes, I know this isn’t a Trend support forum, but a number of posters here seem to use Trend products and I wonder if any of you have seen this:

Worm email containing Klez.H arrives at Domino 6.0.1 server running Trend ScanMail for LN version 2.6 with scan engine 6.510-1002 and pattern file 486.

Message passes right by ScanMail and lands in victim’s mailbox intact!

On detaching the .exe file into the host OS, client AV software (eTrust InoculateIT) immediately kicks in and deletes said file, warning that it has found Klez.H.

On disabling client AV, saving .exe to OS, creating new test email in Notes and attaching said .exe file, Trend ScanMail spots and deletes Klez.H immediately the test email is sent.

On creating a new MIME email using Outlook Express, attaching said .exe file and injecting via SMTP into any Domino server running the same combination of software as above, ScanMail spots and deletes the attachment, correctly identifying it as Klez.H.

On viewing the MIME of the original, unmolested message, still containing the viral payload, copying this to the clipboard intact, then telnetting to port 25 of any Domino server running the same combination of software as above and hand cranking a message through using HELO, MAIL FROM, RCPT TO, DATA then pasting the original MIME and typing . on a blank line to finish (pause for breath) - viral message is once again delivered without ScanMail doing anything to it.

This is 100% reproducible.

The only difference is the MIME rendering of the three types of test. Notes MIME is lovely (we all know that, don’t we). Outlook Express seems to do a decent job, rendering as multipart/mixed. The original MIME of the worm message is badly broken, with the whole thing being rendered as multipart/alternative and the viral payload being the second alternative part.

This appears to confuse the ScanMail MIME renderer, though not the Lotus Notes client which renders the first alternative part (text/html) as rich text, then inserts a page break and shows the two attachments including the one with the viral payload.

It occurs to me that producing syntactically correct MIME is not high on the agenda of most virus writers, so if this is a broken MIME issue, other sites are likely seeing the same thing :frowning:

Anyone else seeing this? I thought virus activity was suspiciously low at the moment, but at least this variant of Klez if not others just strolls past my Trend ScanMail installation and Trend themselves have it in their hot list at the moment.

http://tinyurl.com/k00

Subject: New Scanmail 2.6: build 1278 as of 16 June

You can find an updated 2.6 version, also called SP1 here:

http://www.trendmicro.com/download/product.asp?productid=10

Has somebody already tried this out to verify the MIME bug with Klez?

I also have another question for Scanmail users before planning to change my AV solution:

If you install Outlook 2000 in Internet-only mode and under the mail preferences you set the encoding method for attachments to UUENCODE, then you create a ScanMail rule to reject EXE files and send an email with an .exe file attached from such a client, what happens? Does it go through without any problem, or does it get stripped as it should?

Thanx in advance for any answer.

Regards,

Simone

Subject: Trend Scanmail 2.6 bug?

I have had similar problems with Trend Micro as well. Small problems on the virus side of things as you mentioned with 2.6, large problems on the eManager piece of ScanMail for Lotus Notes 2.6 … that product was released way too prematurely and the functionality is very poor at best.

Subject: Trend Scanmail 2.6 bug?

Sorry to reply to my own post, but I thought this page illuminating:

http://www.virusbtn.com/magazine/archives/200211/malformed.xml

It appears to suggest that the notion of using malformed MIME to conceal malware from AV programs has been thought of and is being investigated.

Not sure if that applies here but it seems to fit…

[edited by author to add the following]

Just testing that hypothesis further and I did the same test as before, pasting the MIME source into the data stream of a Telnet session on port 25, but made one small change.

Original malware message that ScanMail ignored had this for the MIME part containing the payload:

Content-Type: application/octet-stream; name=rock.exe

Content-ID:

Content-Transfer-Encoding: base64

I edited this and changed it to:

Content-Type: application/octet-stream; filename=rock.exe

Content-ID:

Content-Disposition: attachment; filename="rock.exe"

Content-Transfer-Encoding: base64

Basically just adding in the Content-Disposition line and a small tweak to the Content-Type and…

Bingo! Resulting mail, when it landed on the Domino server was immediately checked by ScanMail, which found Klez.H and removed it, delivering a harmless 2 byte attachment in its place.

So there you have it. This particular installation of Trend ScanMail 2.6 does not seem to be able to handle malformed MIME.

Now pressing Trend for an update.

Thanks for listening.

Subject: RE: Trend Scanmail 2.6 bug?

Please keep us up to date on any solution Trend Micro gives you for the problem. I was just getting ready to test 2.6 in our pilot R6 environment. If it’s not catching viruses, that’s gonna be a problem.

Thanks,

D

Subject: RE: Trend Scanmail 2.6 bug?

Pending a response from Trend, I have uninstalled ScanMail 2.6 from a sample server and installed version 2.51 patch 3 in its place.

The same test as before, manually injecting the malformed MIME containing the Klez.H viral payload using Telnet against port 25, now yields the hoped for result.

ScanMail 2.51 patch 3 correctly identifies and deletes Klez.H, leaving the malformed MIME structure intact.

MIME structure of delivered document remains:

Content-Type: multipart/alternative;

with

Content-Type: application/octet-stream; name=rock.exe

Content-ID:

Content-Transfer-Encoding: base64

as the MIME headers for the viral part (i.e. no Content-Disposition)

but the whole of the Base64 encoded payload has been replaced with the harmless "DQo=" which is 2 bytes (I suspect CR LF) - this is the expected behaviour.

So I guess we will have to revert to 2.51 patch 3 on all servers for the time being.

And the 2.6 eManager functionality looked quite promising… Oh well.
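The two observations in this thread (an application/octet-stream part inside multipart/alternative that carries only a Content-Type name= parameter and no Content-Disposition, and the 2.51 behaviour of swapping the payload for the 2-byte "DQo=" stub while leaving the structure intact), plus the earlier question about uuencoded attachments from an Outlook client, are illustrated below with a small Python script. This is an added example written for this page; it is not ScanMail code, not code from any poster, and not a description of how Trend's scanner works. The two sample messages, the marker string standing in for an executable, and the blocked-extension list are all constructed for the example.

```python
import base64
import binascii
import re
from email import message_from_bytes

# Constructed policy values for this example; not ScanMail settings.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
NEUTRAL_B64 = "DQo="  # base64 of CR LF, the 2-byte stub the thread saw 2.51 leave behind
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} (\S+)\r?$", re.MULTILINE)

# Constructed marker standing in for an executable body; it is not a program.
FAKE_EXE = b"MZ-constructed-marker-not-a-program"

# Constructed sample 1: the MIME shape described in the thread. The second
# "alternative" is application/octet-stream with only a Content-Type name=
# parameter, an empty Content-ID and no Content-Disposition header.
MALFORMED_MSG = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>\r\n"
    b"--XYZ\r\n"
    b"Content-Type: application/octet-stream; name=rock.exe\r\n"
    b"Content-ID:\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(FAKE_EXE) + b"\r\n"
    + b"--XYZ--\r\n"
)

# Constructed sample 2: no MIME structure at all; the file is uuencoded inline
# in a plain-text body, which is what the Outlook UUENCODE setting produces.
UUENCODED_MSG = (
    b"From: sender@example.invalid\n"
    b"To: victim@example.invalid\n"
    b"Subject: constructed uuencode sample\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"see attached\n"
    b"begin 644 tool.exe\n"
    + binascii.b2a_uu(FAKE_EXE)
    + b"`\nend\n"
)


def disposition_filenames(raw):
    """Names visible to a scanner that keys only on Content-Disposition."""
    names = []
    for part in message_from_bytes(raw).walk():
        name = part.get_param("filename", header="content-disposition")
        if name is not None:
            names.append(name)
    return names


def classify_leaf(part):
    """Return (reason, name) if a non-multipart part should be blocked, else None."""
    filename = part.get_filename() or ""  # falls back to Content-Type name=
    data = part.get_payload(decode=True) or b""
    if part.get_content_maintype() == "text":
        match = UU_BEGIN.search(data)  # uuencoded file hiding in a text body
        if match:
            return ("uuencoded attachment in text body", match.group(1).decode("ascii", "replace"))
        return None
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return ("executable extension", filename)
    if data.startswith(b"MZ"):  # executable content regardless of the name given
        return ("executable header without an executable name", filename)
    return None


def scan_message(raw):
    """Walk every leaf of the tree, whatever the multipart subtype or disposition."""
    findings = []
    for index, part in enumerate(message_from_bytes(raw).walk()):
        if part.is_multipart():
            continue
        hit = classify_leaf(part)
        if hit:
            reason, name = hit
            findings.append({"part": index, "type": part.get_content_type(),
                             "name": name, "reason": reason})
    return findings


def neutralize(raw):
    """Replace flagged binary payloads with NEUTRAL_B64; headers and structure stay."""
    msg = message_from_bytes(raw)
    removed = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        hit = classify_leaf(part)
        if hit is None:
            continue
        del part["Content-Transfer-Encoding"]
        part["Content-Transfer-Encoding"] = "base64"
        part.set_payload(NEUTRAL_B64 + "\r\n")
        removed.append((hit[1], hit[0]))
    return msg.as_bytes(), removed


def binary_bodies(raw):
    """Decoded bodies of every non-text leaf, to confirm what neutralize left behind."""
    return [p.get_payload(decode=True) for p in message_from_bytes(raw).walk()
            if not p.is_multipart() and p.get_content_maintype() != "text"]


if __name__ == "__main__":
    print("disposition-only view:", disposition_filenames(MALFORMED_MSG))
    print("full walk:", scan_message(MALFORMED_MSG))
    print("uuencode body:", scan_message(UUENCODED_MSG))
    cleaned, removed = neutralize(MALFORMED_MSG)
    print("removed:", removed, "leaving", binary_bodies(cleaned))
```

The contrast the thread describes is the first two lines of output: a check keyed on Content-Disposition sees no attachment in the malformed message at all, while walking every leaf and taking the name from Content-Type (or sniffing the content) finds it. The neutralize step mirrors the 2.51 result, an intact multipart/alternative tree whose binary part now decodes to nothing but CR LF. The uuencode branch only detects; stripping a uuencoded block out of a text body is left as a separate exercise.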

Subject: RE: Trend Scanmail 2.6 bug?

Ok,

So are you using 2.51 on Domino R6.0.1? According to Trend, it’s not supposed to work.

Thanks again for your research. It’s saving me from pulling out what remains of my hair!

D

Subject: Using patch 3

Release notes say (among other things)

“Domino R6 Compatibility”

http://www.trendmicro.com/ftp/documentation/readme/smln251_patch3_win32.txt

Subject: Where can I download patch 3 for SMLN 2.51?

I couldn’t find it in www.trenmicro.com support page…

Subject: RE: Where can I download patch 3 for SMLN 2.51?

If you are looking for this patch for Windows*, Linux, Solaris or AIX - you should be upgrading to version 2.6 instead.

If you still require this for the old 2.51 version, please contact your Trend Micro support representative for this.

Regards

Rolf

Subject: Thanks for the heads-up

I’m deploying Trend Scanmail 2.5 (on AIX unix) right now. Ver 2.6 is not yet out for the unix Domino platforms. In the test environment I threw 1300 virus-infected emails of various virii families and mutations at it and Trend nailed every last one of them. I also employ a separate unix box as an Internet email filtering gateway that scans all inbound and outbound smtp mail to/from the public internet, and this box uses the open source “Amavis” tool which invokes a command line virus scanner (currently Trend, soon to be Sophos) upon every attachment before allowing the mail to pass thru. I figure having two different brands of antivirus product serially in a row checking all email coming into our organization ought to offer an improved chance at stopping a virus from getting inside via email attachments.

Me paranoid? Naw!

Subject: If you have questions, please email me

I’ll respond 1:1 on questions you have about SMLN.

Rolf

Subject: Trend Scanmail 2.6 bug?

Yes, we’re having the same issue with SM 2.6 on Domino 6.0.1. It looks like only the KLEZ.H virus is causing grief at the moment.

I ran into your post by accident yesterday while searching for something else. When I read your post, it explained why my Exchange server has been detecting the KLEZ.H virus.

Our environment uses Domino 6 as the main Internet SMTP server; some users are on Exchange in another office so their e-mail is forwarded to the Exchange server there. The Exchange server has reported several KLEZ.H viruses but no other virus type has been seen by the Exchange server.

I have also placed a call to Trend which was escalated to level 3. We’ll see what happens, but I was promised a quick fix… let’s hope it’s a good one.

Subject: Update on Trend Scanmail 2.6 bug?

I applied a fix provided by Trend and it fixed the problem.

Subject: RE: Update on Trend Scanmail 2.6 bug?

I have the same configuration (Domino 6.0.1 on Win2k SP3 with SM 2.6) and some infected mails are not disinfected.

Where did you find the Trend Micro patch?

I surfed the whole TrendMicro site and I can’t find anything similar to a fix for the 2.6 version.

I also tried the 2.51 version with patch 3 but it gives me more problems than 2.6.

Thanks

Subject: RE: Update on Trend Scanmail 2.6 bug?

Yes, me too.

This fixes just the malformed MIME vulnerability I (and possibly others) have described although I have not tested it extensively (I have neither the time nor a suitably large archive of worm message source to do this).