Full Disclosure mailing list archives
Re: MyDoom-M evades attachment filters
From: William Warren <hescominsoon () emmanuelcomputerconsulting com>
Date: Wed, 28 Jul 2004 08:12:53 -0400
What are you using for attachment filters? My Astaro attachment filter is killing MyDoom without one getting through.
lsi wrote:
Since the first MyDoom (which appeared almost six months ago, to the day) I have been nice and snug behind my executable attachment filter. And my zipfile attachment filter. But then MyDoom-M slips past .... The reason is that it puts spaces or newlines into its MIME. Very smart. Apparently the MIME decodes OK (spaces and newlines are ignored by the MIME parser) but it sure makes it look different to my filters.

I post this message so that folks can get working on regexp rules that take spaces and newlines into account.

This MIME filter worked on almost all zipfiles until now:

UEsDBAoAA*

MyDoom-M however sends itself like this (two examples only):

U EsDBAoAA [rest of MIME here]

or

UEs DBAoAA [rest of MIME here]

Not one shy of a challenge, I'll admit this beat my filter. And I'll also speculate that this will not pose a long-term problem. If you're a regexp w1zard, feel free to share how you'd approach this!

My current thoughts are something like this:

U*E*s*D*B*A*o*A*A*

Still got newline prob though.

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192.168.0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
-- carpe ductum -- "Grab the tape"
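The quoted post explains why a literal regex over the encoded attachment text fails once whitespace is inserted into the base64 stream, and asks for rules that account for it. The script below is an added example written for this archive page, not code from either poster or from any product mentioned; it compares the original literal pattern, a whitespace-tolerant rewrite of it, a normalise-then-match variant, and the most robust option for a gateway: decoding each MIME part the way the recipient's client will and inspecting the resulting bytes for the ZIP local-file-header magic. The ZIP header bytes, the evasive base64 layouts (modelled on the two quoted examples plus newline and per-character splits) and the MIME message are all constructed here for the demonstration; `build_message`, `evaluate` and the filter function names are this example's own.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample: the first 12 bytes of a ZIP local-file header with
# "version needed to extract" 0x000a (1.0). That is exactly the input whose
# base64 form starts with the "UEsDBAoAA" prefix the post's filter keyed on.
# It is a header fragment for the demo, not a real archive.
SAMPLE_ZIP_PREFIX = b"PK\x03\x04\x0a\x00" + b"\x00" * 6
ZIP_MAGIC = b"PK\x03\x04"
CLEAN_B64 = base64.b64encode(SAMPLE_ZIP_PREFIX).decode("ascii")  # "UEsDBAoAAAAAAAAA"

# Constructed evasive layouts: the same 16 base64 characters with whitespace
# inserted, mirroring the two examples quoted in the post plus a newline
# split and a split after every character.
EVASIVE_BODIES = [
    "U EsDBAoAAAAAAAAA",
    "UEs DBAoAAAAAAAAA",
    "UEsD\nBAoAAAAAAAAA",
    "U E s D B A o A A A A A A A A A",
]

# The literal pattern the post says worked until MyDoom-M.
NAIVE_PATTERN = re.compile(r"UEsDBAoAA")
# Whitespace-tolerant rewrite of the same signature: \s* between each char.
TOLERANT_PATTERN = re.compile(r"U\s*E\s*s\s*D\s*B\s*A\s*o\s*A\s*A")


def naive_filter(encoded_body: str) -> bool:
    """Original approach: literal regex over the raw base64 text."""
    return NAIVE_PATTERN.search(encoded_body) is not None


def tolerant_filter(encoded_body: str) -> bool:
    """Regex that permits spaces or newlines between signature characters."""
    return TOLERANT_PATTERN.search(encoded_body) is not None


def normalized_filter(encoded_body: str) -> bool:
    """Strip whitespace first (as a MIME decoder effectively does), then apply
    the unchanged literal signature. Existing signature lists keep working."""
    return NAIVE_PATTERN.search(re.sub(r"\s+", "", encoded_body)) is not None


def decoded_filter(encoded_body: str) -> bool:
    """Decode the base64 and inspect the bytes instead of the encoding."""
    try:
        data = base64.b64decode(re.sub(r"\s+", "", encoded_body))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return data.startswith(ZIP_MAGIC)


def build_message(encoded_body: str) -> str:
    """Constructed MIME message carrying the given base64 text verbatim as a
    .zip attachment body, so the whitespace-laden variants can be embedded."""
    return (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attachment\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="document.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="document.zip"\r\n'
        "\r\n"
        f"{encoded_body}\r\n"
        "--b1--\r\n"
    )


def message_has_zip_attachment(raw_message: str) -> bool:
    """Gateway-style check: decode every leaf part with the stdlib MIME parser
    (which discards whitespace inside base64) and look at the payload bytes.
    Independent of how the base64 was laid out on the wire."""
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and payload.startswith(ZIP_MAGIC):
            return True
    return False


def evaluate() -> dict:
    """Run the clean body and every evasive layout through each filter and
    report which filters catch all of them."""
    bodies = [CLEAN_B64] + EVASIVE_BODIES
    return {
        "naive": all(naive_filter(b) for b in bodies),
        "tolerant": all(tolerant_filter(b) for b in bodies),
        "normalized": all(normalized_filter(b) for b in bodies),
        "decoded": all(decoded_filter(b) for b in bodies),
        "mime_decoded": all(message_has_zip_attachment(build_message(b)) for b in bodies),
    }


if __name__ == "__main__":
    for name, catches_all in evaluate().items():
        print(f"{name:12s} catches all samples: {catches_all}")
```

Only the literal pattern misses the whitespace-laden variants; the other three approaches catch every layout. Of these, matching on the decoded payload is the one that stays correct when the next variant changes the encoding trick rather than the whitespace, because it checks what the recipient's client will actually produce.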
Current thread:
- MyDoom-M evades attachment filters lsi (Jul 27)
- Re: MyDoom-M evades attachment filters William Warren (Jul 28)
- Re: MyDoom-M evades attachment filters lsi (Jul 29)
- <Possible follow-ups>
- Re: MyDoom-M evades attachment filters Marek Isalski (Jul 27)
- Re: MyDoom-M evades attachment filters William Warren (Jul 28)