Vulnerability Development mailing list archives

Re: Another new worm???


From: bet () RAHUL NET (Bennett Todd)
Date: Sat, 24 Jun 2000 09:57:26 -0400


I've not yet had time to hunt the project down and get subscribed,
but I've been told that there's a SourceForge project, the
Linux/Unix Anti Virus Project, ID #6040.

My own approach has focused on trying to deal with the classes of
problem that are being exploited. With a little more precision than
just matching on X-Mailer:.*Microsoft.

So far, I've got a big list of MIME types, all of which share the
feature that they're never used for anything useful, they only exist
in email for propagating worms. .vbs, .shs, and a bunch of others.
I've got code that's using multiline regexp matching to pick out
both MIME and uue attachments. Any matches get disabled: the entire
suspect message, headers and all, gets quoted with "> ", a new
header gets grafted on, and the result is then allowed on to the
original recipients. This seems to have gone down well with our
users.

At the moment I've gotten side-tracked onto other work, but the
pursuit I'd focused on was trying to tune up the performance of a
re-implementation of the scanner. The original was a wrapper around
procmail, for use as an LDA, so it only caught things delivered
locally, not outbound or relay traffic. So I'm trying to make a fast
filter to deposit in Postfix's new hooks for content filtering,
which means it needs to be an SMTP proxy for the very best speed.
Not there yet.

Once that gets fixed, the next bit will be tackling more elaborate
file content scanning. The next thing I want to try is to see if I
can do something groovy with MS-Word docs. I've gotten some tips
about what to look for in the OLE structures to tell whether a doc
has macros or not; if I can recognize them, then when I get a match
use wvHtml->w3m to make a pretty text representation and send that
on, with a URL at the bottom (with a warning) where the original,
macro-infested copy can be found.

-Bennett
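The detect-and-neutralise step described above (pick out MIME and uuencoded attachments of a worm-only type, quote the whole original message with "> ", graft a header on, and deliver the result) as an added example in Python. This is my code, not Bennett's scanner or the SourceForge project's; the X-Quarantined-Attachment header name, the extensions beyond .vbs and .shs, and the three sample messages are constructed for illustration.

```python
"""Quarantine filter for worm-carrying e-mail attachments (added example, not the poster's code)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import make_msgid
from pathlib import PurePosixPath

# .vbs and .shs come from the post; .pif and .scr are assumed extras of the same
# "never useful in mail, only used by worms" class.
DANGEROUS_EXTENSIONS = frozenset({".vbs", ".shs", ".pif", ".scr"})

# A uuencoded attachment announces itself with "begin <mode> <filename>" on its
# own line inside a text body; multiline matching picks it out.
UUE_BEGIN = re.compile(r"^begin [0-7]{3} (\S+)\s*$", re.MULTILINE)


def _is_dangerous(filename: str) -> bool:
    # Judge by the last suffix only, so "report.txt.vbs" is judged by ".vbs".
    return PurePosixPath(filename.lower()).suffix in DANGEROUS_EXTENSIONS


def find_suspect_attachments(raw: bytes) -> list:
    """Names of MIME and uuencoded attachments carrying a dangerous extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and _is_dangerous(name):
            found.append(name)
        # Plain-text leaves may carry an old-style uuencoded blob.
        if not part.is_multipart() and part.get_content_type() == "text/plain":
            found.extend(n for n in UUE_BEGIN.findall(part.get_content()) if _is_dangerous(n))
    return found


def quarantine(raw: bytes, suspects: list) -> bytes:
    """Quote the entire original (headers and all) with '> ' and graft a header on."""
    original = message_from_bytes(raw, policy=policy.default)
    wrapper = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Cc", "Date"):  # keep routing and identity headers
        if original[header] is not None:
            wrapper[header] = str(original[header])
    wrapper["Subject"] = "[QUARANTINED] " + str(original["Subject"] or "")
    wrapper["Message-ID"] = make_msgid(domain="filter.example")  # constructed domain
    wrapper["X-Quarantined-Attachment"] = ", ".join(suspects)  # hypothetical header name
    quoted = "".join("> " + line + "\n" for line in raw.decode("utf-8", "replace").splitlines())
    wrapper.set_content(
        "This message carried an attachment of a type used only by mail worms\n"
        "(" + ", ".join(suspects) + "). It has been disabled; the original,\n"
        "headers included, is quoted below.\n\n" + quoted
    )
    return wrapper.as_bytes()


def filter_message(raw: bytes) -> bytes:
    """Pass clean mail through untouched; neutralise anything with a suspect attachment."""
    suspects = find_suspect_attachments(raw)
    return quarantine(raw, suspects) if suspects else raw


def describe(raw: bytes) -> dict:
    """Small view of a (possibly quarantined) message, handy for logging."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "quarantined": str(msg["X-Quarantined-Attachment"] or ""),
        "body": msg.get_content() if not msg.is_multipart() else "",
    }


# Constructed sample messages; the attachment bodies are placeholders, not code.
SAMPLE_MIME_WORM = b"""\
From: alice@example.com
To: bob@example.com
Subject: Important document
Date: Sat, 24 Jun 2000 09:00:00 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please open the attached report.
--sep
Content-Type: application/octet-stream; name="report.txt.vbs"
Content-Disposition: attachment; filename="report.txt.vbs"

(constructed placeholder, not script code)
--sep--
"""

SAMPLE_UUE_WORM = b"""\
From: carol@example.com
To: bob@example.com
Subject: holiday pictures
Date: Sat, 24 Jun 2000 09:05:00 -0400

See the attached picture.

begin 644 holiday.jpg.shs
M*&-O;G-T<G5C=&5D('!L86-E:&]L9&5R+"!N;W0@82!R96%L(&9I;&4I"@``
`
end
"""

SAMPLE_CLEAN = b"""\
From: dave@example.com
To: bob@example.com
Subject: notes
Date: Sat, 24 Jun 2000 09:10:00 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Notes attached.
--sep
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

begin with the summary, then the details.
--sep--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MIME_WORM, SAMPLE_UUE_WORM, SAMPLE_CLEAN):
        print(describe(filter_message(sample)))
```

The clean sample deliberately contains a body line starting with "begin with", which the uuencode pattern ignores because it insists on the three-digit mode field; that is the kind of precision the post contrasts with matching on X-Mailer alone. An SMTP-proxy deployment would call filter_message on each message body before handing it back to the MTA.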

[application/pgp-signature attachment: stored]
