[esd-l] Detecting double-zip attack messages
John D. Hardin
jhardin at impsec.org
Tue Feb 21 08:08:31 PST 2006
All:
Just a reminder: the Sanitizer does *not* unwrap ZIP and RAR archives
to arbitrary depth while scanning them. This is to avoid DoS attacks
and exposing the system to a crafted archive file that is itself an
exploit.
As an archive that contains an archive (Double-Zipping) is a good
indicator of suspicious activity in random emails, the simplest course
of action is to poison archives that contain archives. It is strongly
recommended that you have the following filespecs in your default
poisoned-zip filespec list:
*.arc
*.arj
*.cab
*.lha
*.lzh
*.msi
*.rar
*.sea
*.sit
*.taz
*.zip
*.zoo
If there is a legitimate reason for a correspondent to be sending you
archives-within-archives (e.g. they are sending you install sets for
testing or for software updates), then that correspondent should have
an individualized poisoned-zip filespec list that is more permissive
than the one used for general email. For example:
# default poisoned-zip filespec list for all mail
ZIPPED_EXECUTABLES=/etc/procmail/poisoned-files-zip
# override it only for mail that both claims to come from the partner
# developer AND actually arrived from the partner's mail server
:0
* ^From:.*<devel@partner\.com>
* ^Received:.*from mail\.partner\.com.*by mail\.mydomain\.com
{
  # let zipped .MSI and .CAB files through
  ZIPPED_EXECUTABLES=/etc/procmail/poisoned-files-zip-devs
}
If you are not explicitly specifying a poisoned filespec list for
archives via $ZIPPED_EXECUTABLES the sanitizer will use your default
$POISONED_EXECUTABLES filespec list, which does NOT contain these
extensions. It is strongly recommended that your default policy
include an explicit $ZIPPED_EXECUTABLES pointing at a filespec list
that includes the above archive extensions.
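To show what a filespec-based archive-in-archive check looks like in practice, here is an added example (not the Sanitizer's own code): it reads only the ZIP central directory, never extracting members, and reports member names matching the poisoned-zip list above; the "devs" list is an assumed variant with *.msi and *.cab removed, since the real poisoned-files-zip-devs file is not shown in the post.

```python
import fnmatch
import io
import zipfile

# Default poisoned-zip filespec list from the post (archive-in-archive).
POISONED_ZIP_DEFAULT = ["*.arc", "*.arj", "*.cab", "*.lha", "*.lzh", "*.msi",
                        "*.rar", "*.sea", "*.sit", "*.taz", "*.zip", "*.zoo"]

# Assumed more permissive list for the trusted devel correspondent:
# same as the default with *.msi and *.cab removed.
POISONED_ZIP_DEVS = [p for p in POISONED_ZIP_DEFAULT
                     if p not in ("*.msi", "*.cab")]


def poisoned_members(zip_bytes, filespecs):
    """Return member names matching any filespec (case-insensitive).

    Only the central directory is read; members are never extracted, so a
    nested archive is flagged by name without unwrapping it (no depth
    recursion, hence no decompression-bomb exposure from this check).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()  # basename only
            if any(fnmatch.fnmatch(name, spec.lower()) for spec in filespecs):
                hits.append(info.filename)
    return hits


def build_sample_zip():
    """Constructed test attachment: a README, a nested .MSI and a nested ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "release notes")
        zf.writestr("setup/Update.MSI", b"not really an installer")
        # minimal empty ZIP (end-of-central-directory record only)
        zf.writestr("bundle/inner.zip", b"PK\x05\x06" + b"\x00" * 18)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("default list:", poisoned_members(sample, POISONED_ZIP_DEFAULT))
    print("devs list:   ", poisoned_members(sample, POISONED_ZIP_DEVS))
```

With the default list both the .MSI and the nested .zip are poisoned; with the devs list the .MSI passes but the nested .zip is still caught.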
The suggested $ZIPPED_EXECUTABLES file list is available at:
http://www.impsec.org/email-tools/poisoned-files-zip
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The first time I saw a bagpipe, I thought the player was torturing
an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
Tomorrow: George Washington's 274th Birthday