Ask the Expert

Why Bugbear-B is bypassing my company's gateways

Our Internet gateways are running Symantec for Lotus Notes and Trend Micro ScanMail for AS400. We have a lot of hits from Bugbear-B through our gateways but we are also getting hits to our secondary Lotus Notes servers. It looks as though Bugbear is bypassing our gateways. I believe it has something to do with the SMTP (Simple Mail Transfer Protocol) engine that Bugbear carries, but I don't know exactly how this happens. Can you explain it, please? Thanks.


This seemed to be a bit of a puzzler at first glance, so I popped over to consult the experts in AVI-EWS, and they pointed out a few things that might cause this sort of a problem.

The first thing to consider is that since you are using two different scanners, it is not uncommon for one to detect a file as suspicious (or infected) when another has not. This is why most people use more than one scanner -- to achieve an overlap of detection coverage.

The second thing to determine is whether the files being flagged as infected are, in fact, infected. The best way to do this is to send samples to both vendors involved. There are three likely answers:

  • The files are infected, and one scanner is missing them.
  • The files are not infected, and the scanner is false alarming.
  • The files were infected at some point and have been partially repaired or have become damaged.

With Bugbear-B, many vendors have been seeing more damaged samples than functioning infected files. In some cases the executables have been truncated, with the end replaced by the worm's keystroke-log data. In other cases the keystroke-log file itself (with an .EXE, .SCR or .PIF extension) is being mailed. A damaged or truncated sample is exactly the kind of file that one scanner's signature still matches while another's does not, which is one way two scanners end up disagreeing.

You should seriously consider blocking all files with those extensions (.EXE, .SCR and .PIF) at the gateway, as well as any other executable or script types your users have no business receiving by mail. Match on the declared attachment filename after normalizing case and trailing spaces or dots, and judge a double-barrelled name such as report.doc.scr by its last extension, since that is the part Windows acts on.
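An attachment-extension filter of the kind just described, as an added example written for this page (it is not code from either gateway product). The MIME message is constructed for the demo, and the extension list beyond .EXE, .SCR and .PIF is an assumption about what else a site would block:

```python
"""Attachment-extension filter of the kind the answer recommends.

Added example written for this page, not code from either gateway
product.  The MIME message below is constructed for the demo; the
extension list beyond .EXE/.SCR/.PIF is an assumption.
"""
import email
from email import policy

# .EXE, .SCR and .PIF are the types the answer names for Bugbear-B; the
# rest are other directly executable types commonly blocked with them.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def normalize_name(filename):
    """Undo the usual tricks before looking at the extension: mixed case,
    runs of padding spaces ('report.doc      .scr') and trailing dots or
    spaces, which Windows strips before deciding how to open the file."""
    name = " ".join(filename.split())
    return name.rstrip(". ").lower()


def blocked_extension(filename):
    """Return the blocked extension the (normalized) name ends with, or
    None.  Only the last extension matters: 'report.doc.scr' runs as a
    screensaver, whatever the .doc in the middle suggests."""
    name = normalize_name(filename)
    dot = name.rfind(".")
    if dot == -1:
        return None
    ext = name[dot:]
    return ext if ext in BLOCKED_EXTENSIONS else None


def blocked_attachments(raw_message):
    """Parse a raw message and list (filename, extension) for every part
    that declares a filename ending in a blocked extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Content-Disposition filename= or, failing that, Content-Type name=
        name = part.get_filename()
        if name is None:
            continue
        ext = blocked_extension(name)
        if ext is not None:
            hits.append((name, ext))
    return hits


# Constructed sample: a harmless text attachment plus two names of the
# sort the answer describes (a .PIF and a double-extension .SCR).
SAMPLE_MESSAGE = b"""\
From: someone@example.com
To: helpdesk@example.com
Subject: Re: document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain

please see attached
--demo-boundary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

meeting moved to 10:00
--demo-boundary
Content-Type: application/octet-stream; name="Setup.PIF"
Content-Disposition: attachment; filename="Setup.PIF"

(placeholder bytes, not a real program)
--demo-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Report.doc.SCR"

(placeholder bytes, not a real program)
--demo-boundary--
"""

if __name__ == "__main__":
    for name, ext in blocked_attachments(SAMPLE_MESSAGE):
        print(f"BLOCK {name!r} (extension {ext})")
```

Run against the sample, the filter passes notes.txt and blocks Setup.PIF and Report.doc.SCR. Note that it trusts the declared filename only; a gateway that also inspects the file header (an MZ signature on a .txt, say) catches renamed executables this check cannot.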

Another issue that might be at play here involves how a worm uses its own SMTP engine. Your secondary MX (Mail Exchange) hosts are published in DNS just like the primary, so any sender that looks up the MX records for your domain, a worm with a built-in SMTP engine included, sees them and can connect to them directly. If those secondaries are the Notes servers themselves rather than the scanning gateways, the worm's mail arrives without ever passing through a gateway, which is the simplest explanation for the hits you are seeing on the secondary servers.

If you aren't already blocking TCP port 25 from the Internet to all addresses except the gateways, do that immediately. Then remove from DNS any MX record that points at a host the firewall no longer lets the Internet reach on port 25 (or point it at a gateway); otherwise legitimate senders that fall back to that record will hang until they time out.
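The check behind that advice, as an added example written for this page rather than a vendor tool: given the MX and A records a sender would learn from DNS and the firewall's inbound policy, it lists every advertised mail host a worm could deliver to directly, and, once port 25 is locked down, every MX record that now points at an unreachable host. The zone example.com, its addresses and both rule sets are constructed; first-match-wins evaluation with an implicit final deny is assumed.

```python
"""Check whether a secondary MX can be reached on tcp/25 from the Internet
without going through a scanning gateway.

Added example written for this page, not a vendor tool.  The zone
example.com, its addresses and both firewall rule sets are constructed
to illustrate the answer's advice; 'first match wins' is assumed.
"""
import ipaddress

# What a sender learns by looking up MX for example.com: both hosts are
# public, and nothing obliges a worm's SMTP engine to start with the primary.
MX_RECORDS = [(10, "gw.example.com"), (20, "notes2.example.com")]
A_RECORDS = {"gw.example.com": "203.0.113.10", "notes2.example.com": "203.0.113.25"}

# Only this host runs the AV-scanning relay.
GATEWAYS = {"gw.example.com"}

# Inbound policy from the Internet as (action, destination network, port);
# port None means any port.  The weak policy lets port 25 reach the whole
# DMZ, the corrected one only the gateway.
WEAK_RULES = [("allow", "203.0.113.0/24", 25), ("deny", "0.0.0.0/0", None)]
FIXED_RULES = [("allow", "203.0.113.10/32", 25), ("deny", "0.0.0.0/0", None)]


def allowed(rules, ip, port):
    """First-match evaluation with an implicit final deny."""
    addr = ipaddress.ip_address(ip)
    for action, net, dport in rules:
        if addr in ipaddress.ip_network(net) and dport in (None, port):
            return action == "allow"
    return False


def smtp_bypass_paths(mx_records, a_records, gateways, rules):
    """MX hosts that are not scanning gateways yet accept tcp/25 from the
    Internet: a worm delivering directly to one of them skips the gateway."""
    paths = []
    for prio, host in sorted(mx_records):
        ip = a_records.get(host)
        if ip is None or host in gateways:
            continue
        if allowed(rules, ip, 25):
            paths.append((prio, host, ip))
    return paths


def stale_mx_records(mx_records, a_records, rules):
    """MX hosts still advertised in DNS that the firewall no longer lets
    the Internet reach on tcp/25.  Legitimate senders falling back to
    these will hang until they time out, so the records should go."""
    return [host for _, host in sorted(mx_records)
            if host in a_records and not allowed(rules, a_records[host], 25)]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, "bypass paths:",
              smtp_bypass_paths(MX_RECORDS, A_RECORDS, GATEWAYS, rules))
        print(label, "stale MX records:",
              stale_mx_records(MX_RECORDS, A_RECORDS, rules))
```

With the weak rules the secondary notes2.example.com shows up as a bypass path; with the corrected rules it no longer does, but it now appears as a stale MX record, which is the reminder to fix DNS in the same change as the firewall. To run this against a real zone, replace the constructed records with the output of an MX and A lookup for your domain.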

I hope this helps you solve the problem.


For more info on this topic, check out these SearchSecurity.com resources:
  • Featured Topic: Virus Alert: BugBear-B
  • Best Web Links: Common vulnerabilities and prevention tips

This was first published in June 2003
