
Gateway Scanners Plug Holes Against SirCam

by phiber on July 28th, 2001

Developers of anti-virus scanners for e-mail gateways are scrambling in response to customer complaints that the SirCam worm has wriggled through their defenses and onto users' desktops. Symantec Corp. on Thursday released a new version of its Norton AntiVirus for Gateways product, after receiving several reports that the scanner was not detecting e-mails infected with SirCam, the company confirmed.

Earlier this week, Baltimore Technologies posted a notice at its site advising users of its MIMEsweeper scanner that the worm "may pass through detection mechanisms."

Gateway anti-virus scanners are designed to inspect e-mail attachments for viruses before allowing them into a network and onto end users' computers. But according to Symantec product manager Chris Miller, messages generated by SirCam contain malformed MIME header information that fools some gateway scanners into thinking the e-mails don't contain attachments.

"Whether intentionally or accidentally through bad programming, the author of SirCam wrote the worm so that it morphs the header, and so we're missing it at that level," said Miller, who added that SMTP-based gateway virus scanners from all vendors may be vulnerable to the issue.

Since it first hit the Internet last month, the SirCam worm has been clogging e-mail inboxes and mail servers with its sometimes bulky attachments. SirCam spreads by grabbing a copy of a document from an infected user's computer and adding its malicious code to the file. The infected file is then attached to new outgoing messages with a double-extension filename such as .doc.exe.
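The failure mode Miller describes, sketched as an added example that is not from the article or from any vendor's product: a scanner that only sees attachments the MIME parser exposes, next to a check that cross-checks the raw message text and the double-extension filename. The article does not say how SirCam's headers are malformed, so the mismatched top-level `Content-Type` in the constructed sample is an assumption, as are all function and finding names.

```python
import re
from email import message_from_string

# Executable double extension such as "notes.doc.exe" (the pattern the article names).
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|com|bat|pif|lnk|scr)$", re.I)
# filename=/name= parameters anywhere in the raw text, parsed or not.
RAW_NAME = re.compile(r'\b(?:file)?name\s*=\s*"?([^"\r\n;]+)', re.I)
# MIME part headers appearing inside what the parser considers body text.
PART_HEADER = re.compile(r"^Content-(?:Disposition|Transfer-Encoding):", re.I | re.M)

def header_trusting_scan(raw):
    """Naive gateway logic: only attachments the MIME parser exposes are seen."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def defensive_scan(raw):
    """Cross-check the parsed structure against the raw text; return findings."""
    msg = message_from_string(raw)
    seen = set(header_trusting_scan(raw))
    raw_names = {n.strip() for n in RAW_NAME.findall(raw)}
    findings = ["double-extension:" + n for n in sorted(seen | raw_names)
                if DOUBLE_EXT.search(n)]
    if raw_names - seen:
        findings.append("filename-hidden-from-parser")
    if not msg.is_multipart() and PART_HEADER.search(str(msg.get_payload())):
        findings.append("mime-parts-in-undeclared-body")
    return findings

# Constructed samples (not real SirCam traffic). The same body is sent twice;
# only the top-level Content-Type differs.
BODY = (
    "\n--XYZ\nContent-Type: text/plain\n\nHi, see the attached file.\n"
    "--XYZ\nContent-Type: application/octet-stream; name=\"notes.doc.exe\"\n"
    "Content-Disposition: attachment; filename=\"notes.doc.exe\"\n"
    "Content-Transfer-Encoding: base64\n\nQUJDRA==\n--XYZ--\n"
)
HEAD = "From: a@example.com\nTo: b@example.com\nSubject: notes\nMIME-Version: 1.0\n"
WELL_FORMED = HEAD + 'Content-Type: multipart/mixed; boundary="XYZ"\n' + BODY
MALFORMED = HEAD + "Content-Type: text/plain\n" + BODY  # assumed malformation

if __name__ == "__main__":
    for label, raw in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(label, header_trusting_scan(raw), defensive_scan(raw))
```

A gateway applying the second check would quarantine or hand such a message to content scanning instead of passing it as plain text.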

According to Symantec, the SirCam detection problem has been corrected in a new build of its Norton AntiVirus for Gateways version 2.5.1. The company said it expects to release a new build of NAV for Gateways 2.1 at a later date.

Neither fix was listed today, however, at the main support site for the NAV for Gateways product.

Baltimore Technologies advises MIMEsweeper customers to implement a workaround which is detailed at the Threatlab section of the company's site.

While vendors' support message boards contain several recent reports from customers that SirCam is slipping past their gateway scanners, many administrators also say the worm is being picked up by anti-virus software running on desktop PCs.

Anti-virus experts generally advise corporations to take such a multi-tier approach to combating viruses. According to an article by the SANS Institute, a computer research and education organization, "Relying on just one layer of virus defense, such as anti-virus software on the desktop, is like a bank with no locks or alarm system. The safe may be impressive, but without the other safeguards it would be relatively simple for thieves to breach the safe undetected, and leave with all the money."

Gateway e-mail scanners can only provide partial protection against SirCam infections. Besides spreading by messages sent to e-mail addresses found in the user's Windows address book or in temporary Internet files, the worm can also propagate itself silently across a network using open network shares.

The support site for Norton AntiVirus for Gateways is here.

Baltimore Technologies' advisory on SirCam detection problems is here.

The SANS article on gateway scanners is here.
by Newsbytes
