Vulnerability Development mailing list archives
Re: Another new worm???
From: bet () RAHUL NET (Bennett Todd)
Date: Sat, 24 Jun 2000 09:57:26 -0400
I've not yet had time to hunt the project down and get subscribed, but I've been told that there's a SourceForge project, the Linux/Unix Anti Virus Project, ID #6040.

My own approach has focused on trying to deal with the classes of problem that are being exploited. With a little more precision than just matching on X-Mailer:.*Microsoft. So far, I've got a big list of MIME types, all of which share the feature that they're never used for anything useful, they only exist in email for propagating worms. .vbs, .shs, and a bunch of others. I've got code that's using multiline regexp matching to pick out both MIME and uue attachments. Any matches get disabled: the entire suspect message, headers and all, gets quoted with "> ", a new header gets grafted on, and the result is then allowed on to the original recipients. This seems to have gone down well with our users.

At the moment I've gotten side-tracked onto other work, but the pursuit I'd focused on was trying to tune up the performance of a re-implementation of the scanner. The original was a wrapper around procmail, for use as an LDA, so it only caught things delivered locally, not outbound or relay traffic. So I'm trying to make a fast filter to deposit in Postfix's new hooks for content filtering, which means it needs to be an SMTP proxy for the very best speed. Not there yet.

Once that gets fixed, the next bit will be tackling more elaborate file content scanning. The next thing I want to try is to see if I can do something groovy with MS-Word docs. I've gotten some tips about what to look for in the OLE structures to tell whether a doc has macros or not; if I can recognize them, then when I get a match use wvHtml->w3m to make a pretty text representation and send that on, with a URL at the bottom (with a warning) where the original, macro-infested copy can be found.

-Bennett
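The filter Bennett describes, written out as an added example in Python (this is not his procmail wrapper or any code from the thread): regexes pick out MIME and uuencoded attachments with a suspect extension, and on a match the entire original message, headers and all, is quoted with "> " and a fresh header block is grafted on for the original recipients. The extension list is cut down to the two he names, and the header names and sample message are constructed for the example.

```python
import re
from email import message_from_string

# Extensions the post names as having no legitimate use in mail; extend to taste.
SUSPECT_EXT = "|".join(("vbs", "shs"))

# MIME attachment: a name=/filename= parameter ending in a suspect extension;
# unanchored, so a parameter folded onto a continuation line still matches.
MIME_RE = re.compile(r'(?:name|filename)\s*=\s*"?([^"\r\n;]*\.(?:%s))(?=["\s;]|$)'
                     % SUSPECT_EXT, re.I | re.M)
# uuencoded attachment: the "begin <mode> <filename>" line that opens it.
UUE_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+\.(?:%s))\s*$" % SUSPECT_EXT, re.I | re.M)

def find_suspect_attachments(raw_message):
    """Names of MIME or uue attachments carrying a suspect extension."""
    return MIME_RE.findall(raw_message) + UUE_RE.findall(raw_message)

def disarm(raw_message):
    """Pass clean mail through unchanged. Otherwise quote the whole original,
    headers included, with '> ' so no client will decode its parts, graft on a
    fresh header block for the original recipients and return the result."""
    hits = find_suspect_attachments(raw_message)
    if not hits:
        return raw_message
    original = message_from_string(raw_message)
    quoted = "\n".join("> " + line for line in raw_message.splitlines())
    new_headers = [
        "From: " + (original.get("From") or "unknown"),
        "To: " + (original.get("To") or "undisclosed-recipients:;"),
        "Subject: [DISARMED] " + (original.get("Subject") or ""),
        "X-Worm-Filter: quoted original; matched " + ", ".join(hits),
        "Content-Type: text/plain; charset=us-ascii",
    ]
    return "\n".join(new_headers) + "\n\n" + quoted + "\n"

# Constructed sample: a MIME message whose .vbs attachment has its name=
# parameter folded onto a continuation line.
SAMPLE = """From: alice@example.invalid
To: bob@example.invalid
Subject: hi
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream;
    name="invoice.vbs"

ZGVtbw==
--XX--
"""
```

Because the original is quoted as text rather than stripped, a recipient who really wanted the attachment can still recover it by hand, which is what makes the approach acceptable to users while defeating automatic execution.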