IDS mailing list archives
RE: Writing signatures for e-mail virus attachments
From: "Matthew Conover" <matthew_conover () symantec com>
Date: Thu, 9 Feb 2006 10:46:16 -0800
If you already know ahead of time the original byte sequence out of the executable that you want to match, you can usually look for base64-encoded data from port 110/143/etc. (if trying to catch the download of the email), or to port 25 (if trying to catch the transmission of the email). base64 is the most common encoding used by MIME email attachments, though others are possible.

The biggest complication is that base64 maps 3 bytes of input to 4 bytes of output, so there are multiple ways that the same input pattern can be encoded, depending on the surrounding bytes:

    Input(ABC) Variant 1 -> Encode(ABC)
    Input(ABC) Variant 2 -> Encode(xAB) + Encode(Cxx)
    Input(ABC) Variant 3 -> Encode(xxA) + Encode(BCx)

If you really want to be hardcore, you have to also address the possible places that each base64-encoded line can be wrapped. So let's say you have the base64-encoded pattern "ABC". Then you must also match "A\r\nBC" and "AB\r\nC".

    // BinaryToBase64() and HexDumpAsBytes() are the poster's own helpers and are not shown here.
    if (Size < 5) {
        // Size must be at least 5 to generate 3 variants:
        // 12345 will be encoded as 123, 234, and 345.
        return -1;
    }

    for (i = 0; i < 3; i++) {
        // Drop i leading bytes, then truncate to a multiple of 3 so the output
        // contains only fully determined characters and no '=' padding.
        NewSize = Size - i;
        Output = BinaryToBase64(Input + i, NewSize - (NewSize % 3),
                                &OutputLength, WrapCount);
        assert(!strchr(Output, '='));
        printf("Variant %d = ", i);
        HexDumpAsBytes(Output, OutputLength);
        putc('\n', stdout);
        free(Output);
        Output = NULL;
    }

-----Original Message-----
From: c_sek_har () yahoo co in [mailto:c_sek_har () yahoo co in]
Sent: Thursday, February 02, 2006 8:39 PM
To: focus-ids () securityfocus com
Subject: Writing signatures for e-mail virus attachments

Hi,

How can I write a signature for a virus which is coming as an attachment? The attachment may be done by using base64 or binhex encoding. Do I have to create a signature for each type? Has anybody implemented the idea of decoding the attachment (IDS) and then parsing the file to look for some pattern?
Regards,
Babu

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
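As an added example (not code from the original post), here is a Python version of the three-alignment variant generation the C snippet in the reply performs, plus a matcher that strips MIME line wrapping before searching so one signature covers every wrap position. The pattern string and the sample attachment bodies are constructed for illustration.

```python
import base64
import re

# MIME wraps base64 bodies at 76 characters with CRLF, so a wrap can land
# anywhere inside an encoded pattern; strip all whitespace before matching.
_WRAP = re.compile(rb"[\r\n\t ]+")


def base64_variants(pattern: bytes) -> list[str]:
    """Return the three base64 strings a byte pattern can appear as.

    Alignment i (0, 1, 2) drops the first i bytes and truncates to a multiple
    of 3, as the C snippet does, so each variant holds only fully determined
    characters and no '=' padding.
    """
    if len(pattern) < 5:
        # "12345" yields variants 123, 234 and 345; fewer bytes gives an empty one.
        raise ValueError("pattern must be at least 5 bytes long")
    variants = []
    for i in range(3):
        chunk = pattern[i:]
        chunk = chunk[: len(chunk) - len(chunk) % 3]
        encoded = base64.b64encode(chunk).decode("ascii")
        assert "=" not in encoded
        variants.append(encoded)
    return variants


def mime_body(payload: bytes) -> bytes:
    """Constructed attachment body: base64 wrapped at 76 columns like MIME."""
    return base64.encodebytes(payload)


def base64_body_contains(body: bytes, pattern: bytes) -> bool:
    """True if any alignment variant of pattern occurs in a base64 MIME body.

    Removing the wrapping first covers the "A\\r\\nBC" and "AB\\r\\nC" cases
    without one signature per wrap position.
    """
    flat = _WRAP.sub(b"", body)
    return any(v.encode("ascii") in flat for v in base64_variants(pattern))


if __name__ == "__main__":
    # Constructed sample: the DOS-stub string every PE carries, placed at each
    # of the three possible alignments inside an attachment body.
    pattern = b"This program cannot be run in DOS mode"
    for offset in range(3):
        body = mime_body(b"\x00" * offset + pattern + b"\x00" * 7)
        print(offset, base64_body_contains(body, pattern))
```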
Current thread:
- Writing signatures for e-mail virus attachments c_sek_har (Feb 06)
- Re: Writing signatures for e-mail virus attachments lucien Fransman (Feb 07)
- Re: Writing signatures for e-mail virus attachments David W. Goodrum (Feb 07)
- <Possible follow-ups>
- Re: Writing signatures for e-mail virus attachments anonymous (Feb 07)
- RE: Writing signatures for e-mail virus attachments Matthew Conover (Feb 13)