IDS mailing list archives

RE: Writing signatures for e-mail virus attachments


From: "Matthew Conover" <matthew_conover () symantec com>
Date: Thu, 9 Feb 2006 10:46:16 -0800

If you already know ahead of time the original byte sequence out of the
executable that you want to match, you can usually look for
base64-encoded data from port 110/143/etc (if trying to catch the
download of the email), or to port 25 (if trying to catch the
transmission of the email). base64 is the most common encoding used by
MIME email attachments, though others are possible.

The biggest complication is that since base64 maps 3 bytes of input to 4
bytes of output, there are multiple ways that the same input
pattern can be encoded, depending on the surrounding bytes:
Input(ABC) Variant 1 -> Encode(ABC)
Input(ABC) Variant 2 -> Encode(xAB) + Encode(Cxx)
Input(ABC) Variant 3 -> Encode(xxA) + Encode(BCx)

If you really want to be hardcore, you have to also address the possible
places that each base64-encoded line can be wrapped. So let's say you
have the base64-encoded pattern "ABC". Then you must also match
"A\r\nBC" and "AB\r\nC".

/* The helpers and variables below come from surrounding code that the
   post does not show; these prototypes are assumed from how they are
   called. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *BinaryToBase64(const unsigned char *Data, size_t Length,
                     size_t *OutputLength, int WrapCount);
void HexDumpAsBytes(const char *Data, size_t Length);

int PrintVariants(const unsigned char *Input, size_t Size, int WrapCount)
{
        int i;
        size_t NewSize, OutputLength;
        char *Output;

        if (Size < 5)
        {
                // Size must be at least 5 to generate 3 variants:
                // 12345 will be encoded as 123, 234, and 345.
                return -1;
        }

        for (i = 0; i < 3; i++)
        {
                NewSize = Size-i;

                // Encode only whole 3-byte groups, so no '=' padding appears
                // and every output character depends on pattern bytes alone.
                Output = BinaryToBase64(
                        Input+i,
                        NewSize-(NewSize%3),
                        &OutputLength,
                        WrapCount);

                assert(!strchr(Output, '='));

                printf("Variant %d = ", i);
                HexDumpAsBytes(Output, OutputLength);
                putchar('\n');   // putc() needs a stream argument

                free(Output); Output = NULL;
        }
        return 0;
}


-----Original Message-----
From: c_sek_har () yahoo co in [mailto:c_sek_har () yahoo co in] 
Sent: Thursday, February 02, 2006 8:39 PM
To: focus-ids () securityfocus com
Subject: Writing signatures for e-mail virus attachments

Hi,

How can I write a signature for a virus which is coming as an
attachment? The attachment may be done by using base64 or binhex
encoding.
Do I have to create a signature for each type?

Has anybody implemented the idea of decoding the attachment (IDS) and
then parsing the file to look for some pattern?

Regards,
Babu

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
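A self-contained C version of the alignment-variant idea Matthew describes above, added here as an illustration and not code from his post: it encodes only the whole 3-byte groups inside a pattern (so no '=' padding and no dependence on the unknown neighbouring bytes x), generates the three variants, and checks which one a plain substring search finds when the constructed pattern "12345" sits at byte offset 2 of a constructed attachment body. Line wrapping is not handled here; the function names and VARIANT_MAX are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define VARIANT_MAX 256   /* output buffer size; limits patterns to ~190 bytes */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode whole 3-byte groups only: no '=' padding is emitted, so every
 * output character depends solely on bytes inside the input. */
static size_t b64_full_groups(const uint8_t *in, size_t n, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i + 3 <= n; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 0x3f];
        out[o++] = B64[(v >> 12) & 0x3f];
        out[o++] = B64[(v >> 6) & 0x3f];
        out[o++] = B64[v & 0x3f];
    }
    out[o] = '\0';
    return o;
}

/* Variant i skips the first i pattern bytes so the remainder starts on a
 * group boundary; n >= 5 keeps one full group in every variant (12345 ->
 * 123 / 234 / 345, as in the post). Returns 3 on success, -1 otherwise. */
int b64_variants(const uint8_t *pat, size_t n, char out[3][VARIANT_MAX])
{
    if (n < 5 || n * 4 / 3 + 1 > VARIANT_MAX)
        return -1;
    for (int i = 0; i < 3; i++)
        b64_full_groups(pat + i, n - i, out[i]);
    return 3;
}

/* Variant to expect when the pattern starts at decoded byte offset off:
 * the first group boundary inside the pattern is (3 - off % 3) % 3 bytes in. */
int variant_for_offset(size_t off) { return (int)((3 - off % 3) % 3); }

/* Constructed check: "12345" embedded at offset 2 of a constructed body,
 * searched with strstr in the unwrapped base64 text. Returns 1 on a hit. */
int demo_match(void)
{
    const uint8_t body[] = "xx12345yy";   /* constructed attachment bytes */
    char enc[VARIANT_MAX], var[3][VARIANT_MAX];
    b64_full_groups(body, sizeof body - 1, enc);
    b64_variants((const uint8_t *)"12345", 5, var);
    return strstr(enc, var[variant_for_offset(2)]) != NULL;
}
```

Against a real MIME body the search would first have to strip the CRLF line breaks (or be run once per wrap position, as Matthew notes), since the variant strings above assume unwrapped text.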