Full Disclosure: (Fwd) how to filter the xmas virus


From: lsi <stuart_at_cyberdelix.net>
Date: Fri, 17 Dec 2004 12:59:45 -0000

------- Forwarded message follows -------
From: lsi <stuart_at_cyberdelix.net>
To: focus-virus_at_securityfocus.com
Subject: how to filter the xmas virus
Send reply to: stuart_at_cyberdelix.net
Date sent: Fri, 17 Dec 2004 12:57:48 -0000

Hmm, the Xmascard virus uses different headers and so skipped past my
existing filters, until I added the strings below:

UEsDBBQAA
TVoAAAAAAAAAAAAAUEUAAE

What to do with those strings? Well, you need to tell your mail
processing software to find messages with those strings in it, and
any it finds, flag them as a likely virus, and filter them out of the
inbox somehow.

The strings above can be used in a variety of situations: on an SMTP
server (qmail, for example), in a spamfilter (such as SpamPal), or
indeed in a POP3 client such as Pegasus Mail.

There are a few other strings; those are the new ones required to
filter the xmas virus.

I have details on how to do it with Pegasus here:

http://www.cyberdelix.net/tech/filtering.htm

The SpamPal syntax is:

# +++++++++++++++++++++++++++++
# ++ generic MIME signatures ++
# +++++++++++++++++++++++++++++
# use these to filter mails based on their MIME content

=Line: 9999 {^TVqQAAMAAA*} [MIMEAV: Win32 executable variant 1]
=Line: 9999 {^TVoAAAEAAAA*} [MIMEAV: Win32 executable variant 2]
=Line: 9999 {^TVoAAAAAAAAAAAAAUEUAAE*} [MIMEAV: Win32 executable variant 3]

=Line: 9999 {^UEsDBAoAA*} [MIMEAV: Zipfile variant 1]
=Line: 9999 {^UEsDBBQAA*} [MIMEAV: Zipfile variant 2]

In Spampal, if you place these filters into the top of your
DEFAULT_FILTERS.DAT file rather than in your FILTERS_VIRUS.DAT file,
you will experience a significant performance boost. You can even
comment out the call to filters_virus, since these work better.

In general, the further back toward the source that filtering is
applied, the less time/money/resources are wasted processing the
filtered material.

Happy Hollydays :)

Stu

------- End of forwarded message -------

---
Stuart Udall
stuart at@cyberdelix.dot net - http://www.cyberdelix.net/
--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Dec 23 2004
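The strings in the message above are not arbitrary: each is the base64 text that a base64-encoded attachment produces when the attached file begins with a particular file-magic sequence ("MZ" for a DOS/PE executable, "PK\x03\x04" for a zip local file header), so a filter that matches the first line of the encoded body catches the attachment without decoding it. The following Python is an added example, not code from the post or from SpamPal or Pegasus: it decodes each prefix back to the bytes it stands for, derives a prefix from a magic sequence, and runs a line-oriented check in the spirit of the `=Line:` rules over a constructed sample message. The message layout and the attachment bodies are constructed for the example (zero-padded headers, not real malware), and the mapping of the five prefixes to the labels is taken from the SpamPal rules quoted in the post. One caveat the example makes visible: the match only works when the executable's bytes sit at offset 0 of the base64 body, which is the normal case for an attachment but not for a file embedded with a leading prefix.

```python
import base64

# The five base64 prefixes from the post, keyed to the labels its SpamPal
# rules assign them.
SIGNATURES = {
    "TVqQAAMAAA": "Win32 executable variant 1",
    "TVoAAAEAAAA": "Win32 executable variant 2",
    "TVoAAAAAAAAAAAAAUEUAAE": "Win32 executable variant 3",
    "UEsDBAoAA": "Zipfile variant 1",
    "UEsDBBQAA": "Zipfile variant 2",
}


def decode_prefix(sig: str) -> bytes:
    """Return the raw bytes a base64 prefix stands for.

    A prefix need not be a multiple of 4 characters: pad it with 'A' (six
    zero bits) to a full group, decode, and keep only the bytes that are
    fully determined by the original characters (6 bits per character).
    """
    padded = sig + "A" * (-len(sig) % 4)
    full = base64.b64decode(padded)
    return full[: len(sig) * 6 // 8]


def signature_for(magic: bytes) -> str:
    """Inverse of decode_prefix: the base64 text a file beginning with
    `magic` produces, minus '=' padding. Valid only for offset 0 of the
    encoded body, which is where an attachment's bytes begin."""
    return base64.b64encode(magic).decode("ascii").rstrip("=")


def scan_raw_lines(raw: bytes) -> list[str]:
    """Line-oriented check in the spirit of the SpamPal '=Line:' rules:
    flag every line of the raw message that begins with a signature."""
    labels = []
    for line in raw.splitlines():
        text = line.decode("ascii", errors="replace").strip()
        for sig, label in SIGNATURES.items():
            if text.startswith(sig):
                labels.append(label)
    return labels


def build_message(filename: str, content: bytes) -> bytes:
    """Constructed sample (not a captured virus mail): a minimal multipart
    message carrying `content` as a base64 attachment."""
    body = base64.encodebytes(content).decode("ascii").replace("\n", "\r\n")
    return (
        "From: a@example.test\r\nTo: b@example.test\r\n"
        "Subject: card\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
        "--b1\r\nContent-Type: application/octet-stream; "
        f'name="{filename}"\r\nContent-Transfer-Encoding: base64\r\n\r\n'
        + body
        + "--b1--\r\n"
    ).encode("ascii")


# Constructed attachment bodies: the first bytes of a DOS/PE stub and of a
# deflate-mode zip local file header, zero-padded to 64 bytes (not malware).
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
FAKE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 54
TEXT_FILE = b"Merry Christmas from the office party\n" * 3


if __name__ == "__main__":
    for sig, label in SIGNATURES.items():
        print(f"{sig:24} {label:28} -> {decode_prefix(sig)!r}")
    for name, data in (("card.exe", FAKE_EXE), ("card.zip", FAKE_ZIP), ("card.txt", TEXT_FILE)):
        print(name, scan_raw_lines(build_message(name, data)))
```

Running it shows that variants 1 and 2 differ only in the fields that follow "MZ" (different stub headers), variant 3 is a stripped-down header with "PE\0\0" following almost immediately, and the two zip variants differ in the version-needed field (0x0A for stored entries, 0x14 for deflated ones). The same `signature_for` call is how a new prefix is derived when a sample arrives whose first bytes are not yet covered.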