[Esa-l] Re: Idea: Multiple extension detector

Brett Glass brett at lariat.org
Sun Jun 11 17:28:32 PDT 2000


At 09:20 AM 6/11/2000, John D. Hardin wrote:
  
>On Sat, 10 Jun 2000, Brett Glass wrote:
>
>> This week, some skript kiddies attempted to spread a Trojan by
>> disguising it as a movie file (.mpg.exe or .avi.exe, depending on
>> who you ask). This suggests that a sanitizer should probably detect
>> such "double extensions" and treat them with extreme prejudice....
>
>Not so new. All of the .VBS worms were written that way too.

That's where they got the idea.

>Interesting idea. I don't think the current version could do it too
>well, but there's a simple way to put that into your poisoned-files
>list, assuming you don't want to poison *all* .EXE attachments:
>
>   *.[a-z0-9]+.exe

Doesn't one need to "escape" the dots? (One would in a Perl regular
expression, but I haven't checked to see whether your pattern language
is different.)

--Brett
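
Added example, not part of the original message or of the sanitizer's own code: under Perl-style regular-expression semantics (which Python's re module shares for these constructs), it compares the quoted pattern with unescaped and with escaped dots on constructed filenames. Reading the leading * as .* and matching the whole filename are assumptions, and the page does not establish whether the sanitizer's pattern language treats dots this way.

```python
import re

# Assumption: the leading "*" of the quoted pattern is read as ".*", and the
# pattern must cover the whole filename (fullmatch). Matching ignores case.
UNESCAPED = re.compile(r".*.[a-z0-9]+.exe", re.IGNORECASE)    # "." = any character
ESCAPED = re.compile(r".*\.[a-z0-9]+\.exe", re.IGNORECASE)    # "\." = literal dot


def classify(name):
    """Return (unescaped_hit, escaped_hit) for one attachment filename."""
    return (UNESCAPED.fullmatch(name) is not None,
            ESCAPED.fullmatch(name) is not None)


def has_double_extension(name, risky=("exe", "vbs")):
    """Regex-free check: name.<inner>.<risky>, with an alphanumeric inner part.

    The risky set holds only the two extensions named in the thread; a real
    list would be site policy (assumption).
    """
    parts = name.lower().split(".")
    return (len(parts) >= 3
            and parts[-1] in risky
            and re.fullmatch(r"[a-z0-9]+", parts[-2]) is not None)


# Constructed sample filenames, not taken from any real message.
SAMPLES = ["movie.mpg.exe", "CLIP.AVI.EXE", "note.txt.vbs",
           "setup.exe", "annexe", "report.pdf"]

if __name__ == "__main__":
    print(f"{'filename':<16}{'unescaped':<11}{'escaped':<9}double-ext")
    for name in SAMPLES:
        loose, strict = classify(name)
        print(f"{name:<16}{loose!s:<11}{strict!s:<9}{has_double_extension(name)}")
```

With the dots unescaped, single-extension names such as setup.exe, and even a dotless name ending in "exe", match the pattern, so the rule would poison far more than double extensions.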