[esa-l] New email worm the saniitizer does not catch
John D. Hardin
jhardin at impsec.org
Wed Jan 18 09:33:47 PST 2006
All:
There's a fresh new worm out there that has a new trick for obscuring
its payload.
The attachment is a UUE-encoded executable that is then BASE64-encoded
and attached as type x-msdownload.
I have added default poisoning of MIME type APPLICATION/X-MSDOWNLOAD
to the development sanitizer (1.151pre1); it can be disabled by
defining $SECURITY_TRUST_MS_DOWNLOAD as anything.
This will probably be released as full MIME-type poisoning support
this weekend.
Remember, this is the dev snapshot so it is not thoroughly tested.
http://www.impsec.org/email-tools/development/html-trap.procmail
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The first time I saw a bagpipe, I thought the player was torturing
an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
More information about the esa-l
mailing list