Bugtraq mailing list archives
CONTENT.filtering (aka SurfinGuard Pro 5.5 )
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Sat, 17 Feb 2001 15:17:26 -0800
Saturday, February 17th, 2001

Referring to last month's HTML.dropper posting (see: http://www.securityfocus.com/bid/2260), detailed examination of "buzz words" like 'content filtering', 'real-time behaviour monitoring' and 'first-strike protection' used to describe many security applications suggests otherwise.

For example purposes, we take the examination of one so-called content filtering application: SurfinGuard Pro 5.5 from an interesting company called http://www.finjan.com.

While at first glance this particular security software package does indeed defeat the HTML.dropper, on closer examination and with a 'bit' of imagination we find that it is actually quite trivial to defeat.

Specifically, it would seem that in this particular security software package's case, not only is it checking for legal MIME header information, e.g.

content-disposition: attachment; content-type: application/malware; filename: iloveyou.vbs

it also prevents real-time firing of scripts. But in order to defeat that, all we need do is set our scripts to fire on exit. That is, while the actual script has been parsed but not fired, our malware application is still allowed to open by this particular security software package. Thereafter, onunload, it fires, thus defeating this so-called technology.

Working example below. Harmless "demo" code incorporated: SurfinGuard Pro 5.5 settings set to "HIGH" and "PANIC MODE" [right click and save to disk, open in mail client. Constructed for OE5.5]

http://www.malware.com/strikeme.eml

compared to:

http://www.malware.com/madness.eml

which is caught.

notes:

1. Tested Software: SurfinGuard Pro 5.5 claims to be BETA and is free-ware.

2. Hopefully the registered versions and other products don't use the same technology.

3. For good open-source filtering take a look at John D. Hardin's E-mail Sanitizer ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html and Bjarni R. Einarsson's Anomy mail tools http://mailtools.anomy.net/

---
http://www.malware.com
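Editor's added example, not code from the post, from malware.com, from Finjan or from the filters named in note 3. The post's point is that a filter which validates attachment headers and watches for scripts firing while the page is open still misses a script parked in an onunload handler, because that handler only runs when the window is torn down. The Python below is a toy MIME filter that does both checks on the static message: it flags attachments with script-host or executable extensions (the header check the post says SurfinGuard performs), and it flags HTML parts carrying deferred event handlers, inline scripts, or cid: references to such attachments (the check that would have caught the described bypass). The sample .eml, the extension list and the handler list are constructed assumptions for the demonstration, not data from the post.

```python
"""Toy MIME content filter for the HTML.dropper / deferred-script pattern.

Added example, not part of the original post or of any product it names.
Checks attachment headers AND looks for scripts parked in late-firing
event handlers such as onunload, which a run-time monitor does not see
while the page is displayed.
"""
import email
import os
import re
from email import policy

# Assumed list: extensions Windows hands to a script host or loader.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".lnk", ".shs",
}

# Assumed list: handlers that run when the document is torn down rather
# than while it is displayed (the bypass the post describes for onunload).
DEFERRED_HANDLERS = {"onunload", "onbeforeunload", "onpagehide"}

EVENT_HANDLER_RE = re.compile(r"\bon([a-z]+)\s*=", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)
CID_REF_RE = re.compile(r"""cid:([^'"\s)>]+)""", re.IGNORECASE)

# Constructed sample, modelled on the post's description: an HTML body whose
# onunload handler opens a script attachment referenced by Content-ID.
# The base64 payload is the harmless VBScript line  MsgBox "demo".
SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body onunload="window.open('cid:part1')">
<p>hello</p></body></html>

--BOUND
Content-Type: application/octet-stream; name="iloveyou.vbs"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="iloveyou.vbs"
Content-ID: <part1>

TXNnQm94ICJkZW1vIg==

--BOUND--
"""

# Constructed plain-text control message that should pass.
CLEAN_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing to see here.
"""


def scan_message(raw):
    """Return a list of human-readable findings; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    executable_cids = set()
    html_parts = []

    # Pass 1: header check on every leaf part (the check the post credits
    # SurfinGuard with), remembering which Content-IDs point at executables.
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(
                f"attachment {filename!r} ({ctype}, disposition="
                f"{part.get_content_disposition()}) has executable extension {ext}")
            cid = part.get("Content-ID", "").strip("<>")
            if cid:
                executable_cids.add(cid)
        if ctype == "text/html":
            html_parts.append(part.get_content())

    # Pass 2: static inspection of the HTML, so a script that is parsed now
    # but only fires on unload is caught before the page is ever displayed.
    for html in html_parts:
        if SCRIPT_TAG_RE.search(html):
            findings.append("HTML part contains a <script> block")
        for name in sorted({m.lower() for m in EVENT_HANDLER_RE.findall(html)}):
            handler = "on" + name
            kind = "deferred" if handler in DEFERRED_HANDLERS else "inline"
            findings.append(f"HTML part has {kind} event handler {handler}")
        for cid in sorted(set(CID_REF_RE.findall(html))):
            if cid in executable_cids:
                findings.append(f"HTML part references executable attachment cid:{cid}")
    return findings


def verdict(raw):
    """'block' if anything was flagged, otherwise 'pass'."""
    return "block" if scan_message(raw) else "pass"


if __name__ == "__main__":
    for label, eml in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, verdict(eml))
        for f in scan_message(eml):
            print("  -", f)
```

Running the block prints "block" for the constructed dropper-style message with three findings (the .vbs attachment, the onunload handler, and the cid: reference tying the two together) and "pass" for the control message. The design point is that the handler check is static: it does not wait for the script to fire, so deferring execution to unload buys the attacker nothing.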