Bugtraq mailing list archives

CONTENT.filtering (aka SurfinGuard Pro 5.5 )


From: "http-equiv () excite com" <http-equiv () excite com>
Date: Sat, 17 Feb 2001 15:17:26 -0800

Saturday, February 17th, 2001

Referring to last month's HTML.dropper posting
(see: http://www.securityfocus.com/bid/2260), detailed examination of "buzz
words" like 'content filtering', 'real-time behaviour monitoring' and
'first-strike protection', used to describe many security applications,
suggests otherwise.

For example purposes, we take the examination of one so-called content
filtering application: SurfinGuard Pro 5.5 from an interesting company
called http://www.finjan.com.

While at first glance, this particular security software package does
indeed defeat the HTML.dropper, on closer examination and with a 'bit' of
imagination we find that it is actually quite trivial to defeat.

Specifically, it would seem that in this particular security software
package's case, not only is it checking for legal MIME header
information, e.g. content-disposition:attachment;
content-type:application/malware; filename: iloveyou.vbs, it also prevents
real-time firing of scripts. But in order to defeat that, all we need do is
set our scripts to fire on exit. That is, while the actual script has been
parsed but not fired, our malware application is still allowed to open by
this particular security software package. Thereafter, onunload, it fires,
thus defeating this so-called technology.
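An added example (not part of the original post, and not Finjan's or malware.com's code) of the check a mail filter would need to catch both indicators the post describes: the MIME attachment header and a script bound to a page-exit event such as onunload, which a "real-time" monitor that only watches scripts firing on load would miss. The sample message, the handler name runLater and the RISKY_EXT list are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not the post's strikeme.eml): HTML body with an exit-event script plus a .vbs attachment.
SAMPLE_EML = """\
MIME-Version: 1.0
Subject: constructed test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body onunload="runLater()"><p>hello</p>
<script>function runLater(){}</script></body></html>
--b1
Content-Type: application/octet-stream; name="iloveyou.vbs"
Content-Disposition: attachment; filename="iloveyou.vbs"
Content-Transfer-Encoding: base64

Jyc=
--b1--
"""

# Handlers that fire when the page is left: the timing the post says real-time
# script monitoring misses. Any other on* handler or <script> is also flagged.
EXIT_EVENTS = {"onunload", "onbeforeunload"}
HANDLER_RE = re.compile(r"\b(on[a-z]+)\s*=", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
RISKY_EXT = (".vbs", ".exe", ".js", ".scr", ".hta")  # assumed blocklist

def scan_eml(raw):
    """Return sorted findings for a raw RFC 822 message string."""
    findings = []
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            findings.append(f"attachment:{fname}")
        if part.get_content_type() == "text/html":
            html = part.get_content()
            if SCRIPT_RE.search(html):
                findings.append("html:script-tag")
            for name in {m.lower() for m in HANDLER_RE.findall(html)}:
                kind = "exit-handler" if name in EXIT_EVENTS else "handler"
                findings.append(f"html:{kind}:{name}")
    return sorted(findings)

print(scan_eml(SAMPLE_EML))
```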

Working example below. Harmless "demo" code incorporated:

SurfinGuard Pro 5.5 settings set to "HIGH" and "PANIC MODE"

[right click and save to disk, open in mail client. Constructed for OE5.5]

http://www.malware.com/strikeme.eml

compared to:

http://www.malware.com/madness.eml

which is caught

notes:

1. Tested Software: SurfinGuard Pro 5.5 claims to be BETA and is freeware.
2. Hopefully the registered versions and other products don't use the same
technology.
3. For good open-source filtering take a look at John D. Hardin's E-mail
Sanitizer
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html and
Bjarni R. Einarsson's Anomy mail tools http://mailtools.anomy.net/


---

http://www.malware.com




