Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MyDoom-M evades attachment filters
From: "lsi" <stuart () cyberdelix net>
Date: Tue, 27 Jul 2004 11:14:20 +0100

Since the first MyDoom (which appeared almost six months ago, to the 
day) I have been nice and snug behind my executable attachment 
filter.  And my zipfile attachment filter.  But then MyDoom-M slips 
past ....

The reason is because it puts spaces or newlines into its MIME.  Very 
smart.  Apparently the MIME decodes OK (spaces and newlines are 
ignored by the MIME parser) but it sure makes it look different to my 
filters.

I post this message so that folks can get working on regexp rules 
that take spaces and newlines into account.

This MIME filter worked on almost all zipfiles until now:

UEsDBAoAA*

MyDoom-M however sends itself like this (two examples only):

U EsDBAoAA [rest of MIME here]

or

UEs 
DBAo
AA [rest of MIME here]

Not one shy of a challenge, I'll admit this beat my filter.  And I'll 
also speculate that this will not pose a long-term problem.  If 
you're a regexp w1zard, feel free to share how you'd approach this!

My current thoughts are something like this:

U*E*s*D*B*A*o*A*A*

Still got newline prob though.

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]