| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200308050429.h754TsC48445@milan.maths.usyd.edu.au> From: psz at maths.usyd.edu.au (Paul Szabo) Subject: f-prot not catching mimail ? Nick FitzGerald <nick@...us-l.demon.co.uk> wrote: >>>>I cannot see anything "special" in the MIME structure of Mimail that would >>>>cause f-prot to miss the ZIP attachment (or maybe it is the structure of >>>>the ZIP that f-prot cannot unpack?). >>> >>> I was told its the encoding scheme in the .html file thats the problem. >>> Currently the scanner does not support that type of encoding. >> >> It seems to me that the HTML contains the binary EXE without any encoding: >> >> $ cat -v message.html | fold | head -5 >> MIME-Version: 1.0 >> Content-Location:File://foo.exe > > What's that then? > Moon dust???? Yes :-) Does not f-prot understand MIME? (Maybe it does MIME but not within MHTML, that is not without some other headers?) >>> Regardless, f-prot should list the ZIP attachment, and the files contained >>> within the ZIP ... > > I'm not sure I understand the comment or its relevance. If F-PROT is > not listing the ZIP file nor the HTML file it contains, that may be the > result of some configuration option. By default, F-PROT only lists > "infected" files ... But ... I did use the -LIST option, and normally (for innocent ZIP archives) I get the files listed, see below (and in my earlier post). Cheers, Paul Szabo - psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia --- # In the example below, mimail is a copy of that virus; caraoke is a trojan # that I trapped a week before mimail started, and has essentially the same # structure; silly is an innocent(?) message. $ f-prot silly virus/caraoke virus/mimail Do: ~/nb/m/f-prot/f-prot/f-prot silly virus/caraoke virus/mimail -ai -archive -packed -list Virus scanning report - 5 August 2003 @ 14:25 F-PROT ANTIVIRUS Program version: 4.1.1 Engine version: 3.13.3 VIRUS SIGNATURE FILES SIGN.DEF created 1 August 2003 SIGN2.DEF created 2 August 2003 MACRO.DEF created 28 July 2003 Search: silly virus/caraoke virus/mimail Action: Report only Files: Attempt to identify files Switches: -ARCHIVE -PACKED -LIST -AI /usr/users/amstaff/psz/silly->qs.zip->ip.gif /usr/users/amstaff/psz/silly->qs.zip->qs.chm /usr/users/amstaff/psz/virus/caraoke->readme.zip->readme.htm is a security risk or a "backdoor" program /usr/users/amstaff/psz/virus/caraoke /usr/users/amstaff/psz/virus/mimail Results of virus scanning: Files: 3 MBRs: 0 Boot sectors: 0 Objects scanned: 6 Infected: 0 Suspicious: 1 Disinfected: 0 Deleted: 0 Renamed: 0 Time: 0:00 $
Powered by blists - more mailing lists