[Esd-l] Anyone got a procmail signature for Klez?
John D. Hardin
jhardin at impsec.org
Wed May 1 19:52:01 PDT 2002
On Wed, 1 May 2002, Huba Leidenfrost wrote:
> On another list (unisog at sans.org) I just saw this:
>
> :0 B
> * AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW
> /local/virus/klez
>
> This is found in the second line of some of the infected files. Your
> procmail recipe
>
> * ^TVqQAAMAAAAEAAAA
>
> catches it on the first line and I haven't been able to find any that
> don't have both. Adding this other line probably would not hurt.
Well, the reason I have a really short base64 signature is that it is
enough (I think) to catch the magic that identifies the file as a
Windows executable. That, in combination with the audio/* MIME type
and the zero-size IFRAME + CID tag trap, should be enough to avoid
false positives, where a longer signature increases the vulnerability
to spoofing.
Somebody with a more intimate knowledge of Microsoft executable file
formats is welcome to comment...
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at wolfenet.com
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"They [media giants] have no idea how to do business with resourceful
human beings rather than passive vegetables. So they run to [the]
government for protection."
-- Doc Searls on the SSSCA, in Linux Journal
-----------------------------------------------------------------------
916 days until the Presidential Election
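The two base64 signatures in this thread can be checked rather than taken on trust. The following is an added worked example, not code from the post, from Huba's list or from any Klez sample: it decodes both signatures back to bytes (the short one is the first 12 bytes of a DOS header, the long one is the tail of the reserved area, the e_lfanew field and the start of the "This program cannot be run in DOS mode" stub), builds a synthetic PE prefix with those field values, base64-encodes it at two MIME line widths and runs the two procmail conditions over the result. Two things in it are assumptions drawn from the signature itself rather than stated on the page: e_lfanew = 0xD8 (the "2AAA" group decodes to D8 00 00 00), and a 72-character base64 line wrap, which is the only width that puts the long signature at the start of the second line as Huba reports. Everything else (field names, the stub bytes) is the standard DOS header layout.

```python
import base64
import re
import struct

# The two signatures exactly as posted in the thread.
SIG1 = "TVqQAAMAAAAEAAAA"
SIG2 = "AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW"

# The posted procmail conditions as Python regexes. procmail body matching
# (the B flag) treats ^ as start of line, hence re.MULTILINE for the first.
SIG_LINE1 = re.compile("^" + re.escape(SIG1), re.MULTILINE)
SIG_LINE2 = re.compile(re.escape(SIG2))

# Standard 14-byte DOS stub code that prints the message via INT 21h and
# exits, followed by the message text. This is the usual linker stub.
DOS_STUB_CODE = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
DOS_STUB_MSG = b"This program cannot be run in DOS mode.\r\r\n$"


def decode_signature(sig):
    """Decode a base64 fragment, dropping a trailing partial group.
    A fragment cut from a MIME line need not end on a 4-character
    boundary (SIG2 is 66 characters), so only whole groups are decoded."""
    whole = sig[: len(sig) // 4 * 4]
    return base64.b64decode(whole)


def build_pe_prefix(e_lfanew=0xD8):
    """Construct a synthetic PE file prefix (not a real program): a 64-byte
    DOS header carrying the field values SIG1 encodes, the standard stub,
    zero padding and the PE\\0\\0 signature at e_lfanew. The default
    e_lfanew of 0xD8 is an assumption read out of SIG2, not a page fact."""
    header = struct.pack(
        "<2s13H8sHH20sI",
        b"MZ",                           # e_magic
        0x0090, 0x0003, 0x0000, 0x0004,  # e_cblp, e_cp, e_crlc, e_cparhdr
        0x0000, 0xFFFF, 0x0000, 0x00B8,  # e_minalloc, e_maxalloc, e_ss, e_sp
        0x0000, 0x0000, 0x0000, 0x0040,  # e_csum, e_ip, e_cs, e_lfarlc
        0x0000,                          # e_ovno
        b"\0" * 8,                       # e_res
        0x0000, 0x0000,                  # e_oemid, e_oeminfo
        b"\0" * 20,                      # e_res2 (offsets 0x28..0x3B)
        e_lfanew,                        # e_lfanew: file offset of "PE\0\0"
    )
    body = header + DOS_STUB_CODE + DOS_STUB_MSG
    if len(body) > e_lfanew:
        raise ValueError("DOS stub does not fit before e_lfanew")
    return body + b"\0" * (e_lfanew - len(body)) + b"PE\0\0"


def mime_base64_lines(data, width):
    """Split the base64 encoding of data into fixed-width lines the way a
    MIME encoder does. RFC 2045 allows at most 76 characters per line;
    the 72-character width used below is an assumption (see lead-in)."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


def procmail_conditions(body_lines):
    """Apply both posted conditions to a base64 attachment body.
    Returns (first_line_signature_hit, second_signature_hit)."""
    body = "\n".join(body_lines) + "\n"
    return bool(SIG_LINE1.search(body)), bool(SIG_LINE2.search(body))


def wrap_width_sensitivity():
    """Encode the same constructed executable prefix at 72- and 76-character
    line widths and report which of the two signatures fires at each."""
    image = build_pe_prefix()
    return {w: procmail_conditions(mime_base64_lines(image, w)) for w in (72, 76)}


if __name__ == "__main__":
    print("SIG1 decodes to:", decode_signature(SIG1))
    print("SIG2 decodes to:", decode_signature(SIG2))
    for width, (hit1, hit2) in wrap_width_sensitivity().items():
        print(f"{width}-char lines: first-line signature={hit1}, second signature={hit2}")
```

Running it shows why the two signatures behave differently: SIG1 covers only the first 12 header bytes (MZ, 0x90 bytes on the last page, 3 pages, 0 relocations, a 4-paragraph header), which is the header every executable built with the usual Microsoft linker stub carries, and it sits at the start of the base64 body regardless of line width. SIG2 straddles the 76-character boundary: at the RFC 2045 maximum width the newline falls inside it and the unanchored condition no longer matches, and it also bakes in a particular e_lfanew and stub layout. So it is a tighter match for one family of binaries and a worse one for anything encoded or linked differently.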