Message-ID: <s1064054.077@mail.smuht.nwest.nhs.uk>
From: Marek.Isalski at smuht.nwest.nhs.uk (Marek Isalski)
Subject: MyDoom-M evades attachment filters

>>> "lsi" <stuart@...erdelix.net> 27/07/2004 11:14:20 >>>
> My current thoughts are something like this:
> U.*E.*s.*D.*B.*A.*o.*A.*A.*
> Still got newline prob though.

Careful -- that (corrected) regexp will overoptimistically match strings like: 'United Arab Emirates branch seeks Data Base Administrator to work in providing supporting "Follow-Up" project in Alcoholics Anonymous.'

You probably want to use a regexp matcher that doesn't care about newlines -- i.e. it treats the whole MIME attachment as one big string, and you just search for U[:white:]E[:white:]... Though it could be possible that other malformed MIME is accepted by mail clients' parsers but fails your regexp match.  Perhaps [:white:] should really be [^A-Za-z0-9./] (i.e. a regexp matching characters which aren't valid Base64).

Regards,
Marek
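
An added example, not part of the original message: it compares the quoted `.*` pattern with a filler class restricted to non-Base64 characters, using the sentence from the message and a constructed fragment split by whitespace. The function names and the sample fragments are assumptions, and the filler class here uses the standard Base64 alphabet (A-Z, a-z, 0-9, +, /).

```python
import re

# Letter sequence taken from the pattern quoted in this thread.
SIGNATURE = "UEsDBAoAA"

# Characters that are NOT Base64 data (standard alphabet: A-Z a-z 0-9 + /).
# Line breaks, spaces, tabs and '=' padding all fall into this class.
FILLER = r"[^A-Za-z0-9+/]*"

# Quoted approach: anything at all may sit between the letters.
LOOSE = re.compile(".*".join(map(re.escape, SIGNATURE)), re.DOTALL)
# Stricter approach: only non-Base64 characters may sit between the letters.
STRICT = re.compile(FILLER.join(map(re.escape, SIGNATURE)))


def loose_match(text: str) -> bool:
    return LOOSE.search(text) is not None


def strict_match(text: str) -> bool:
    return STRICT.search(text) is not None


def stripped_match(text: str) -> bool:
    """Equivalent check: drop every non-Base64 character, then search."""
    return SIGNATURE in re.sub(r"[^A-Za-z0-9+/]+", "", text)


# Sentence from the message above.
PROSE = ('United Arab Emirates branch seeks Data Base Administrator to work '
         'in providing supporting "Follow-Up" project in Alcoholics Anonymous.')
# Constructed samples: the same letters, contiguous and broken up by whitespace.
CONTIGUOUS = "UEsDBAoAAAAAAA=="
SPLIT = "UE\r\nsD B\tAoA\r\n AAAAAA=="

if __name__ == "__main__":
    for name, sample in [("prose", PROSE), ("contiguous", CONTIGUOUS),
                         ("split", SPLIT)]:
        print(name, loose_match(sample), strict_match(sample),
              stripped_match(sample))
```

The stripped form is easier to maintain in a filter that already buffers the whole attachment, since the signature stays a plain string.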