Message-ID: <20040803105226.D83717@fledge.watson.org>
From: arr at watson.org (Andrew R. Reiter)
Subject: broken virus / worm email has attachment not found by grisoft proxy scanner

I've seen binaries that resemble this situation lately as well.  If you
`strings` the binary, it has some strings that would lead you to believe
it's a PE file, i.e. it contains UPX0 & UPX1 strings which are commonly
used as the section labels for PE files that are UPX packed.  However, if
you try to analyze the binary as a PE, even if you took the new executable
offset found in the DOS header as being valid, the values one would read
at the offset are bogus... just completely bogus.

I haven't done any more investigation than this and apologize if this is
old info.

On Tue, 3 Aug 2004, Denis McMahon wrote:

:Hmm
:
:I've had a couple of suspicious emails this week with headers, blank
:line, a line of text, mime headers.
:
:Thunderbird doesn't see the mime attachment due to the broken headers,
:which is good, but nor does the grisoft email proxy scanner, which is
:bad, especially as I guess that certain broken applications (no I don't
:have outlook [express] on my system) might try and be smart and find the
:attachment.
:
:This might be broken malware sending unusable stuff out, but my worry is
:that someone may have found a technique that will sneak an attachment
:past some a-v scanners in a "broken" format that certain popular email
:apps will try and fix, possibly putting active malware on the hard disk.
:
:I tried to talk to grisoft about this, but all I get back is "you have
:to pay to talk to us cheapskate" ... whilst I can agree that they might
:not want to provide tech support to users of their free scanner, does
:anyone have an email address at grisoft for submitting suspicious items
:that have got past their proxy scanner?
:
:Denis
:
:_______________________________________________
:Full-Disclosure - We believe in it.
:Charter: http://lists.netsys.com/full-disclosure-charter.html
:
:

--
Andrew R. Reiter
arr@...son.org
arr@...eBSD.org
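The PE sanity check Andrew describes, as an added example that is not part of the original post or any project mentioned in it: it walks the DOS header to e_lfanew, verifies the PE signature and COFF header, bounds-checks the section table, and only then reports the file as UPX-packed if the section names really say so. A blob that merely contains the UPX0/UPX1 strings but has junk at e_lfanew is reported separately, which is the case the post describes. The two sample blobs are constructed fixtures built by build_min_pe (not loadable executables), and the section-count limit of 96 is the Windows loader's documented maximum.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # section names the UPX packer writes


def has_upx_strings(data: bytes) -> bool:
    """The `strings`-level check: the blob merely *mentions* UPX section names."""
    return any(name in data for name in UPX_SECTION_NAMES)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table,
    bounds-checking every offset, and report how far the structure held up."""
    info = {"dos_ok": False, "e_lfanew": None, "pe_ok": False, "sections": [], "reason": ""}
    if len(data) < 64 or data[:2] != DOS_MAGIC:
        info["reason"] = "too short or no MZ header"
        return info
    info["dos_ok"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the PE header
    info["e_lfanew"] = e_lfanew
    # Need room for the 4-byte signature plus the 20-byte COFF file header.
    if e_lfanew < 64 or e_lfanew + 24 > len(data):
        info["reason"] = "e_lfanew out of range"
        return info
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        info["reason"] = "no PE signature at e_lfanew"
        return info
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    if nsections == 0 or nsections > 96:                       # loader limit; anything else is junk
        info["reason"] = "implausible section count %d" % nsections
        return info
    table = coff + 20 + opt_size
    if table + 40 * nsections > len(data):
        info["reason"] = "section table past end of file"
        return info
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_ptr + raw_size > len(data):
            info["reason"] = "section %r raw data past end of file" % name
            return info
        info["sections"].append({"name": name, "raw_size": raw_size, "raw_ptr": raw_ptr})
    info["pe_ok"] = True
    return info


def triage(data: bytes) -> str:
    """Distinguish a real UPX-packed PE from a blob that only carries the strings."""
    info = parse_pe(data)
    if info["pe_ok"]:
        names = {s["name"] for s in info["sections"]}
        return "upx-packed-pe" if names & UPX_SECTION_NAMES else "pe"
    if has_upx_strings(data):
        return "upx-strings-but-bogus-pe: " + info["reason"]
    return "not-pe: " + info["reason"]


def build_min_pe(section_names) -> bytes:
    """Constructed test fixture: a minimal PE skeleton (not loadable) with the given section names."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    n = len(section_names)
    opt_size = 0                                               # no optional header: section table follows COFF header
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    table_end = e_lfanew + 4 + 20 + 40 * n
    table, raw = b"", b""
    for i, name in enumerate(section_names):
        raw_ptr = table_end + 0x10 * i                         # 16 bytes of filler raw data per section
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x10, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += b"\xcc" * 0x10
    return bytes(dos) + PE_SIGNATURE + coff + table + raw


# Constructed samples: a structurally sound UPX-style PE, and one that keeps the
# UPX0/UPX1 strings but has junk where e_lfanew points (the case described in the post).
SAMPLE_UPX_PE = build_min_pe([b"UPX0", b"UPX1"])
_bogus = bytearray(SAMPLE_UPX_PE)
_bogus[0x80:0x84] = b"\xde\xad\xbe\xef"
SAMPLE_BOGUS = bytes(_bogus)

if __name__ == "__main__":
    for label, blob in (("well-formed", SAMPLE_UPX_PE), ("bogus", SAMPLE_BOGUS)):
        print(label, "->", triage(blob))
```

The point of separating has_upx_strings from parse_pe is that a string hit alone is not evidence of a packer; a triage pipeline should key its "UPX-packed" verdict on a section table it could actually reach.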

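The "headers, blank line, a line of text, mime headers" layout Denis describes, as an added example that is not part of the original thread: the sample message below is constructed (the addresses, boundary, filename and base64 text are all made up), and its MIME headers sit after the first blank line, so a conforming parser treats the whole body as text/plain and sees no attachment. The body_has_mime_headers check is the scanner-side mitigation: flag any non-multipart message whose body contains MIME structural header lines, since a client that "repairs" such a message (emulated here by lenient_attachments) will find the attachment the scanner did not.

```python
import email
import re
from email import policy

# Constructed sample: the top-level headers end at the first blank line, so the
# MIME-Version / Content-Type lines after the stray text line are part of the body.
BROKEN_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: your document

please read
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY-CONSTRUCTED"

--BOUNDARY-CONSTRUCTED
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGV4ZWN1dGFibGU=
--BOUNDARY-CONSTRUCTED--
"""

# The same content with the MIME headers where they belong, for comparison.
WELL_FORMED_MESSAGE = BROKEN_MESSAGE.replace(b"\n\nplease read\n", b"\n", 1)

MIME_HEADER_RE = re.compile(
    rb"^(MIME-Version|Content-Type|Content-Disposition|Content-Transfer-Encoding):",
    re.I | re.M,
)


def strict_attachments(raw: bytes) -> list:
    """What an RFC-conformant parser (and a scanner built on one) sees."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()]


def body_has_mime_headers(raw: bytes) -> bool:
    """Scanner-side check: MIME structural headers inside the *body* of a
    non-multipart message mean the message is malformed and a lenient client
    may reinterpret it. Such messages deserve a verdict, not a pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart():
        return False
    body = msg.get_payload(decode=True) or b""
    return MIME_HEADER_RE.search(body) is not None


def lenient_attachments(raw: bytes) -> list:
    """Emulate a client that 'repairs' the message: treat the MIME headers found
    in the body as a continuation of the header block and reparse from there."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart():
        return strict_attachments(raw)
    body = msg.get_payload(decode=True) or b""
    m = MIME_HEADER_RE.search(body)
    if m is None:
        return []
    # Keep the original top-level headers, then splice in the embedded MIME
    # headers and everything after them as the new header block + body.
    head = b"".join(b"%s: %s\n" % (k.encode(), str(v).encode()) for k, v in msg.items())
    return strict_attachments(head + body[m.start():])


if __name__ == "__main__":
    for label, raw in (("broken", BROKEN_MESSAGE), ("well-formed", WELL_FORMED_MESSAGE)):
        print(label, "strict:", strict_attachments(raw),
              "flagged:", body_has_mime_headers(raw),
              "lenient:", lenient_attachments(raw))
```

Either approach closes the gap Denis worries about: a proxy scanner can refuse or quarantine messages that body_has_mime_headers flags, or it can scan the lenient reinterpretation as well as the strict one, so that whatever a client manages to recover has already been looked at.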
