lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <41C2D841.17385.515F6A5@localhost>
From: stuart at cyberdelix.net (lsi)
Subject: (Fwd) how to filter the xmas virus

------- Forwarded message follows -------
From: lsi <stuart@...erdelix.net>
To: focus-virus@...urityfocus.com
Subject: how to filter the xmas virus
Send reply to: stuart@...erdelix.net
Date sent: Fri, 17 Dec 2004 12:57:48 -0000

Hmm, the Xmascard virus uses different headers and so skipped past my existing filters, until I added the strings below:

UEsDBBQAA
TVoAAAAAAAAAAAAAUEUAAE

What to do with those strings? Well, you need to tell your mail processing software to find messages with those strings in it, and any it finds, flag them as a likely virus, and filter them out of the inbox somehow.

The strings above can be used in a variety of situations: on an SMTP server (qmail, for example), in a spamfilter (such as SpamPal), or indeed in a POP3 client such as Pegasus Mail. There are a few other strings; those are the new ones required to filter the xmas virus.

I have details on how to do it with Pegasus here: http://www.cyberdelix.net/tech/filtering.htm

The SpamPal syntax is:

# +++++++++++++++++++++++++++++
# ++ generic MIME signatures ++
# +++++++++++++++++++++++++++++
# use these to filter mails based on their MIME content
=Line: 9999 {^TVqQAAMAAA*} [MIMEAV: Win32 executable variant 1]
=Line: 9999 {^TVoAAAEAAAA*} [MIMEAV: Win32 executable variant 2]
=Line: 9999 {^TVoAAAAAAAAAAAAAUEUAAE*} [MIMEAV: Win32 executable variant 3]
=Line: 9999 {^UEsDBAoAA*} [MIMEAV: Zipfile variant 1]
=Line: 9999 {^UEsDBBQAA*} [MIMEAV: Zipfile variant 2]

In SpamPal, if you place these filters into the top of your DEFAULT_FILTERS.DAT file rather than in your FILTERS_VIRUS.DAT file, you will experience a significant performance boost. You can even comment out the call to filters_virus, since these work better.

In general, the further back toward the source that filtering is applied, the less time/money/resources are wasted processing the filtered material.
Happy Hollydays :)

Stu

------- End of forwarded message -------

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)
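The strings in the post are the base64 encodings of the first bytes of a Win32 PE file ("MZ...") and of a ZIP local file header ("PK\x03\x04..."), and the SpamPal rules match them anchored at the start of a line of the transfer-encoded message. The following is an added illustration, not code from the post or from SpamPal: it derives such prefixes from the raw magic bytes and applies the five signatures from the post line by line to a constructed MIME message. The sample addresses, file names and stub attachment bytes are made up for the demonstration.

```python
import base64
from email.message import EmailMessage

# Base64 line-prefix signatures copied from the post above: each is the
# base64 encoding of the first bytes of a Win32 PE (MZ) or ZIP (PK) file.
SIGNATURES = {
    "TVqQAAMAAA": "Win32 executable variant 1",
    "TVoAAAEAAAA": "Win32 executable variant 2",
    "TVoAAAAAAAAAAAAAUEUAAE": "Win32 executable variant 3",
    "UEsDBAoAA": "Zipfile variant 1",
    "UEsDBBQAA": "Zipfile variant 2",
}


def b64_prefix(magic: bytes) -> str:
    """Return the base64 text that every base64 stream beginning with
    `magic` must start with.

    Base64 turns each 3 bytes into 4 characters, so only complete 3-byte
    groups give a stable prefix; the trailing partial group depends on the
    bytes that follow `magic` and is dropped here.
    """
    stable = len(magic) - len(magic) % 3
    return base64.b64encode(magic[:stable]).decode("ascii")


def scan_lines(raw: bytes):
    """Apply the signatures the way the SpamPal rules do: anchored at the
    start of each line of the raw, still transfer-encoded message.
    Returns a list of (line_number, label) hits."""
    hits = []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        text = line.decode("ascii", errors="replace")
        for sig, label in SIGNATURES.items():
            if text.startswith(sig):
                hits.append((lineno, label))
    return hits


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Construct a sample MIME message carrying one attachment.
    (Constructed test input; the addresses are placeholders.)"""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Merry Christmas"
    msg.set_content("Open the attached card!")
    # add_attachment() with bytes emits Content-Transfer-Encoding: base64
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed stand-ins for the first bytes of a PE file and of a ZIP file:
# a DOS header starting "MZ" with e_cblp=0x0090 and e_cp=0x0003, and a
# deflated ZIP local file header "PK\x03\x04" with version-needed 0x0014.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
ZIP_STUB = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 54


if __name__ == "__main__":
    # Where the post's strings come from.
    print(b64_prefix(b"MZ\x90\x00\x03\x00"))   # TVqQAAMA
    print(b64_prefix(b"PK\x03\x04\x14\x00"))   # UEsDBBQA
    for data, name in ((PE_STUB, "card.exe"), (ZIP_STUB, "card.zip")):
        print(name, scan_lines(build_sample(data, name)))
```

Because base64 works in 3-byte groups, the prefix only holds while the file starts at the beginning of the encoded part; anything that shifts the alignment (a different encoding, a nested archive, a leading byte) produces different text, which is why the post needed new strings for a new variant. Rules of this kind are a cheap first-pass filter close to the source, to be paired with a scanner that decodes the part and inspects the actual bytes.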