
Why Bugbear-B is bypassing my company's gateways

Our Internet gateways are running Symantec for Lotus Notes and Trend Micro ScanMail for AS400. We have a lot of hits from Bugbear-B through our gateways but we are also getting hits to our secondary Lotus Notes servers. It looks as though Bugbear is bypassing our gateways. I believe it has something to do with the SMTP (Simple Mail Transfer Protocol) engine that Bugbear carries, but I don't know exactly how this happens. Can you explain it, please? Thanks.

This seemed to be a bit of a puzzler at first glance, so I popped over to consult the experts in AVI-EWS, and they pointed out a few things that might cause this sort of a problem.

The first thing to consider is that since you are using two different scanners, it is not uncommon for one to detect a file as suspicious (or infected) when another has not. This is why most people use more than one scanner -- to achieve an overlap of detection coverage.

The second thing to determine is if the files being flagged as infected are, in fact, infected. The best way to do this is to send samples to both vendors involved. There are likely to be three possible responses:

  • The files are infected, and one scanner is missing them.
  • The files are not infected, and the scanner is raising a false alarm.
  • The files were infected at some point and have since been partially repaired or have become damaged.

With Bugbear-B, many vendors have been seeing more damaged samples than functioning infected files. In some cases the executables have been truncated, with the end replaced by the key log information. In other cases the key log file itself (with an .EXE, .SCR or .PIF extension) is being mailed.

You should seriously consider blocking all files with those extensions, as well as any others that may carry infections.

Another issue that might be at play here involves how a worm might use its own SMTP engine to talk directly to the secondary MX (Mail Exchange) servers at your location. In other words, the worm may somehow be obtaining the IP addresses of the mail servers inside your network and then connecting to them directly, bypassing the gateways.

If you aren't already blocking port 25 from the Internet to every address except the gateways, you should do that immediately.

I hope this helps you solve the problem.
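As an added example (not part of the original answer), a small Python check that applies the two recommendations above to constructed firewall log lines: it flags inbound TCP/25 connections from outside the network that reach any host other than the approved scanning gateway, and it tests attachment names against the .EXE, .SCR and .PIF extensions mentioned. The log format, the internal address range and the gateway address are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (accepted TCP connections), not from the page.
SAMPLE_LOG = """\
2003-06-10 09:12:01 ACCEPT TCP 203.0.113.45:3321 -> 192.0.2.10:25
2003-06-10 09:12:07 ACCEPT TCP 198.51.100.7:4010 -> 192.0.2.20:25
2003-06-10 09:13:44 ACCEPT TCP 192.0.2.10:5120 -> 192.0.2.20:25
2003-06-10 09:14:02 ACCEPT TCP 203.0.113.45:3322 -> 192.0.2.21:25
2003-06-10 09:15:00 ACCEPT TCP 198.51.100.9:4433 -> 192.0.2.20:443
"""

INTERNAL_NET = ip_network("192.0.2.0/24")    # assumed internal address range
GATEWAYS = {ip_address("192.0.2.10")}         # assumed scanning gateway address

LINE_RE = re.compile(r"^\S+ \S+ ACCEPT TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")


def smtp_bypass_events(log_text, gateways=GATEWAYS, internal=INTERNAL_NET):
    """Return (src, dst) pairs for SMTP connections that bypass the gateways:
    external source, destination port 25, destination not an approved gateway."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port = ip_address(m.group(1)), ip_address(m.group(2)), int(m.group(3))
        if port != 25:
            continue
        if src in internal:          # gateway relaying to a Notes server is expected
            continue
        if dst in gateways:          # Internet -> gateway is the intended path
            continue
        hits.append((str(src), str(dst)))
    return hits


BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif")


def attachment_blocked(filename):
    """True if the attachment name ends in one of the extensions the answer
    recommends blocking; case-insensitive and covers names like report.txt.scr."""
    return filename.strip().lower().endswith(BLOCKED_EXTENSIONS)


if __name__ == "__main__":
    for src, dst in smtp_bypass_events(SAMPLE_LOG):
        print(f"direct SMTP from {src} to non-gateway host {dst}")
```

Any pair the first function reports is a connection that the recommended port-25 filter would have dropped; an empty result on real logs is the confirmation that the filter is in place.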


This was last published in June 2003.
