Still more creative uses for CAPTCHA

I want to say up front that I think CAPTCHA is a stupid name. CAPTCHA stands for "Computer-Aided Process for Testing..." something something.

Why do people feel the urge the create some strained cutesy acronym for their little invention?

Anyway, it has already been noted how spammers are getting around these tests by harvesting a practically-free resource on the Internet: the desire to see pornography.

Someone designed a software robot that would fill out a registration form and, when confronted with an image processing test, would post it on a free porn site. Visitors to the porn site would be asked to complete the test before they could view more pornography, and the software robot would use their answer to complete the e-mail registration.

Ah, remember the days when you had to whisper the word "pornography"?

Anyway, it looks like the virus-writers have also taken the two-edged sword and pointed it in the other direction. (Ah, another one of Raymond's tortured mixed metaphors.)

As you may be aware, the latest trend in virus-detection-avoidance is to attach an encrypted ZIP file, since virus-checkers don't know how to decrypt them. To get the sucker to activate the payload, you put the password in the message body.

Well, virus checkers figured this out rather quickly and scanned the message body to see if there's a password in the text.

Now the virus-writers have upped the ante. The Bagle-N virus attaches an encrypted ZIP file and provides the password as an image, using the same trick as the anti-robot people.

Fortunately, the image generator they use is pretty easy to do OCR on, since they don't make any attempt to fuzz the images.

I predict the next step will be that the virus-writers send two messages to each victim. The first contains the payload, and the second contains the password. That way the virus-scanning software is completely helpless since the password to decrypt the ZIP file isn't even in the message being scanned!

Once again, just goes to show that social engineering can beat out pretty much any technological security mechanism.

(I think virus scanners are now starting to block any password-protected ZIP. But that won't stop the viruses for long. They'll just have a link to a ZIP file or something.)

Comments (25)
  1. Jack Mathews says:

    Actually, a virus checker could just get the ZIP header, so I think they’re just checking the headers for common file names and sizes. But that could easily be fixed with randomness.

    I think it’s really funny how people are going more and more out of their way to damage their own computers. Soon viruses’ll be asking people to forward the email, run to the supermarket, pick up some milk, and pour it inside their PC’s. And 2 million people will do it the next day.

  2. Henk devos says:

    I don’t really see why virus scanners need the password.

    They should scan the files that are generated after unzipping instead, before they can get executed.

  3. Raymond Chen says:

    But how can a scanner unzip the file if it doesn’t have the password?

  4. SteveM says:

    The scanner doesn’t have to unzip the file.

    It just waits until stupid Joe User unzips the file, THEN checks it for viruses.

  5. Raymond Chen says:

    Oh you’re thinking about a scanner that runs on the end-user’s machine. I’m thinking about a scanner that runs on the mail server. (ISPs can scan mail at the server but it can’t do anything about the end-user’s computer.)

  6. SteveM says:

    Ah – that would be me thinking small!

    Sorry Raymond, you’re quite right of course. I’ll leave answering that question to someone much cleverer than me :-)

  7. Edward says:

    I thought the standard zip encryption was quite trivial to crack. A bit more load on the mail server but then it could look inside the zip files without having to locate the password. There are loads of shareware apps that claim to be able to find the passwords for zip files so it can’t be that hard.

  8. Rob Meyer says:

    It’s a weak encryption algorithm, especially when trying to decode a particular zip file when you might know some of the contents, but in general it would probably take more time than a mail server has to spend on each message. That would then also create a denial of service attack against the email server, by sending lots and lots of small password protected zipfile attachments (particularly if it also tried to decrypt the bounce backs).

  9. Dumky says:

    Another name for the common CAPTCHAs is HIP, Human Interactive Proof. It’s easier to remember and type correctly, but obviously is more ambiguous when searched on Google…

  10. One of my favorite bloggers, Raymond Chen, posted this entry that is related to spam and viruses. Lke all of Raymond’s posts, he provides some interesting insights into the problems we face as programmers….

  11. Mike Dunn says:

    Build an idiot-proof system, and tomorrow someone will build a better idiot ;)

  12. p says:

    I got this email virus the other day, thought you might enjoy it:

    SUBJECT: Mexican Virus Alert









  13. Centaur says:

    Shows the uselessness of antiviruses. If your head works well, you don’t need an antivirus; if it doesn’t, none will help.

    Actually, recall the recent epidemy of Novarg. It doesn’t come with an IFrame.Download exploit to autostart itself; it doesn’t exploit a WinZip vulnerability; it… it cannot do anything by itself, you have to actively assist it in infecting your machine. But no — certain users have not yet matured to an age when they no longer take everything they pick up to their mouth. And then the toilet is occupied for the whole day :)

  14. Centaur says:

    Oh, and by the way, in Longhorn, what will the default setting for “Hide lots-of-spaces and [.exe/.pif/.scr] extensions for files of registered types [Windows application/Shortcut to MS-DOS program/Screen saver] with a Text Document icon” be?

  15. asdf says:

    "Image Copyright F-Secure Corporation", well it looks like we know who made the Bagle.N virus.

  16. Norman Diamond says:

    3/16/2004 1:34 PM Centaur

    > Shows the uselessness of antiviruses. If

    > your head works well, you don’t need an

    > antivirus; if it doesn’t, none will help.

    Wrong. If your head works well, then when you receive .doc and .pdf and .txt and .zip attachments from known senders, you save them to disk files and run an antivirus on the disk files before deciding whether or not to open them.

    If an attachment is .txt or .eml or .jpg or .gif then you have to open up OE options and disable the security check before it will let you save the attachment. Funny how OE doesn’t allow saving .jpg or .gif unless you disable the security check, but it will display them automatically regardless. Funny how OE doesn’t allow saving .txt unless you disable the security check, but it lets all users open .doc files directly without saving to disk and running antivirus on them. Between .txt and .doc, which is more likely to contain a macro virus?

    Possible reasons for scanning attachments from known senders include more than the fact that the faked sender might not be the real sender. Sometimes the sender really is the real sender and the sender is infected. For example one certain giant computer company has a department dedicated to Linux, but their Linux office uses Microsoft-based machines for internet communication[*], they got infected with Badtrans and they sent Badtrans to both my home and my office. Then when I sent them a complaint, they bounced my complaint because their scanner detected the message source of the base-64 encoding of Badtrans in my quotation of the message source of their infected message. I blew up at that and sent a complaint of average nastiness about their operation of transmitting viruses and bouncing complaints. Next example, one certain international standards agency got infected with Sobig and they sent Sobig to me. But they didn’t bounce my complaint, and they disinfected themselves within an hour.

    Plus there are some mail and news programs that automatically execute various kinds of code even before the user gets to see what attachments there are and decide to save them and scan them.

    Yes you need a working head, but you ALSO need an antivirus.

    [* I also use Microsoft-based tools for internet communication, but I’m not dedicated to Linux as that computer company’s Linux office is.]

  17. Slaven says:

    "If your head works well, then when you receive .doc and .pdf and .txt and .zip attachments from known senders, you save them to disk files and run an antivirus on the disk files before deciding whether or not to open them."

    Well, you shouldn’t have to explicitly save the attachment, OE does it for you when you try to open it (the attachment has to be saved as a real, albeit temporary file in order to launch it), so good AV software should stop it there. That said, in the days of new viruses spreading everywhere in a matter of hours I wouldn’t rely 100% on my AV software to stop anything dangerous, as AV companies often need a couple of hours to update their virus definitions.

    I’ve been having problems lately sending people zipped files (with an EXE patch inside) due to overzelaous AV filters, so I’ve had to rename them to .ZZZ and ask recipients to rename them back to .ZIP before extracting. I wonder how long until viruses start asking the same thing…?

  18. Ebbe Kristensen says:

    "Why do people feel the urge the create some strained cutesy acronym for their little invention?"

    Because they can. My favourite is:








  19. Moi says:

    Blocking all mails with zip files in is a prety stupid thing to do. Sooner or later the recipients are going to notice, complain, and either move their business somewhere else (that doesn’t have such a filter) or get that filter removed. Either way, it is a win for the virus writers.

  20. Centaur says:

    > If your head works well, then when you receive

    > .doc and .pdf and .txt and .zip attachments

    > from known senders, you save them to disk files

    > and run an antivirus on the disk files before

    > deciding whether or not to open them.

    Actually, you first wonder why they send such things as attachments. You contact them back, ask if they sent you anything, and ask them to use a safer format next time, and to upload the file to your ftp site, logging in as ___ with password ___. Then, if they say they didn’t send anything, you drop the attachment on the floor.

    If they say they did, you do some other precautions depending on the format.

    By the way, why is .txt in that list? Which well-known text file viewer is vulnerable and exploitable with a text file?

  21. Norman Diamond says:

    Replying to 3/17/2004 7:07 AM Centaur.

    I don’t know why .txt is in the list. As far as I can tell, the list is OS-dependent. At least in Windows 98 and Windows 2000, Microsoft put .txt in the list. In order to save a .txt attachment, I had to go to OE’s security options and disable the option that prevented opening and saving of attachments. (By the way, why aren’t there separate options to disable immediate opening and to disable saving to a named file?)

    As for contacting back the senders and ask if they sent the attachments deliberately, in the two cases I mentioned the sending companies were a few orders of magnitude too big to submit a question like that randomly. After verifying that the attachments were viruses, I could guess relevant addresses to submit complaints to.

    Pardon me while I don’t give other people the password for uploading to my ftp site. I think you know why, but even if you don’t, at least let’s expect my ISP would terminate my account immediately if I did such things.

  22. foo says:

    I’m sure there was a buffer overflow bug in notepad and instead of fixing it they declared TXT files "dangerous".

  23. vic10us says:

    BTW, WTF happened to the topic?

    I think we were talking about CAPTCHA?

Comments are closed.

Skip to main content