Re: [Exim] Re: MS-DOS signature (was: needed: beagle/bagle p…

Author: Exim User's Mailing List
To: Chris Edwards
CC: Exim User's Mailing List
Subject: Re: [Exim] Re: MS-DOS signature (was: needed: beagle/bagle pattern)
[ On Wednesday, January 21, 2004 at 12:01:02 (+0000), Chris Edwards wrote: ]
> Subject: [Exim] Re: MS-DOS signature (was: needed: beagle/bagle pattern)
>
> On Tue, 20 Jan 2004, Greg A. Woods wrote:
>
> | If I'm not mistaken the very same regular expression that detects mail
> | bodies with sobig and many other viruses and worms will also detect this
> | new worm:
> |
> |     "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
> |
> | Apparently this pattern matches all M$ Win32 executables when they've
> | been MIME encoded using BASE-64.
>
> Many of them, yes. However, the M$ gurus here tell me we can only rely
> on the first two bytes being 4D 5A (MZ ascii).


Perhaps, though as long as one doesn't care about matching OS/2
executables, Alpha and MIPS NT executables, and such, as well as things
that were hand-coded, then I think the pattern I show is "safer". This
isn't an academic discussion about what type of binary file M$ Windoze
might execute but rather about what's happening today in the real world
with e-mail-borne viruses and worms.

I can no longer consider myself a M$ expert (I haven't used M$ software
since about 1989 or so), but I learned that expression from *Hobbit* a
couple of years ago:

    http://archives.neohapsis.com/archives/postfix/2002-04/1841.html


(I think that was the first time I saw that RE)

He explains why the pattern is sufficient here:

    http://archives.neohapsis.com/archives/postfix/2002-04/1931.html


I've yet to find a BASE-64 encoded M$ executable that the pattern I show
above did not match. (i.e. I don't think his prediction about worm
writers writing their own linkers has come true (yet) :-)

> Base64-encoded this
> corresponds to regexp:
>
> TV[o-r]
>
> If you use a longer expression it's possible you may miss stuff.


You missed the 'n' in third position -- it's quite common. :-)

If you use that expression (even with both of the spaces -- you should
quote strings like that :-), particularly if what Fred said about the
way newlines are converted to spaces in the value of $message_body holds,
then you may "catch" a whole lot of stuff that's not executable content.
This regular expression is a balancing act. Much more recently someone
on the Postfix list noted that even hobbit's expression will stand a
chance (remote as it may be) of matching BASE-64 encoded raw data that
one might find in some spreadsheet or photo of the kids, or such.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
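The following is an added example, not code from the thread or from Exim: a small Python script that works through the two claims above. It derives which third base64 character a leading "MZ" (0x4D 0x5A) can produce, encodes a constructed IMAGE_DOS_HEADER (values a typical Win32 linker writes; the file is not a real program) as MIME base64 would and runs both Hobbit's expression and the two-byte check against it, and then shows a constructed plain-text attachment beginning with the letters "MZ" that the two-byte check fires on while the longer expression does not. The regexes are transcribed from the posts; the header field values and the text sample are assumptions made for the demonstration.

```python
import base64
import re
import struct

# Hobbit's expression as quoted in the thread. It is applied per line of the
# base64-encoded attachment, so ^ is anchored at each line start.
HOBBIT_RE = re.compile(r"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA", re.MULTILINE)

# The two-byte "MZ" (0x4D 0x5A) check, as a base64 prefix.
MZ_RE = re.compile(r"^TV[o-r]", re.MULTILINE)


def base64_third_chars(prefix: bytes) -> set:
    """All base64 characters that can appear in position 3 after a given
    two-byte prefix, over every possible third byte. The third output
    character carries the low 4 bits of byte 2 and the high 2 bits of byte 3."""
    return {base64.b64encode(prefix + bytes([b]))[2:3].decode() for b in range(256)}


def sample_dos_header() -> bytes:
    """Constructed sample (assumption, not a real binary): a 64-byte
    IMAGE_DOS_HEADER with the usual linker defaults, a zero-filled DOS stub,
    and the 'PE\\0\\0' signature at e_lfanew (0x80)."""
    hdr = struct.pack(
        "<2s13H4H2H10HI",
        b"MZ",                       # e_magic
        0x90, 3, 0, 4, 0, 0xFFFF,    # e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc
        0, 0xB8, 0, 0, 0, 0x40, 0,   # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
        0, 0, 0, 0,                  # e_res
        0, 0,                        # e_oemid, e_oeminfo
        *([0] * 10),                 # e_res2
        0x80,                        # e_lfanew: offset of the PE header
    )
    assert len(hdr) == 64
    return hdr + b"\x00" * (0x80 - 64) + b"PE\x00\x00"


def scan(blob: bytes) -> dict:
    """Encode the blob as a MIME body part would (76-column base64 lines) and
    report which of the two expressions fires on it."""
    text = base64.encodebytes(blob).decode("ascii")
    return {
        "hobbit": bool(HOBBIT_RE.search(text)),
        "mz": bool(MZ_RE.search(text)),
    }


# Constructed plain-text sample that merely begins with the letters "MZ".
PLAIN_TEXT = b"MZ is also how a plain-text note can start"

if __name__ == "__main__":
    print("third base64 char after MZ:", sorted(base64_third_chars(b"MZ")))
    print("first line of encoded header:",
          base64.encodebytes(sample_dos_header()).decode().split("\n")[0])
    print("DOS/PE header:", scan(sample_dos_header()))
    print("plain text starting 'MZ':", scan(PLAIN_TEXT))
```

Running it shows that "MZ" alone can only yield "TVo", "TVp", "TVq" or "TVr" as the first three base64 characters, that the constructed header's first line starts "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" and satisfies both expressions (the runs of "A" are the zero words of the DOS header), and that the text sample is caught by the two-byte check only. Note that the expressions assume the base64 lines are still separate lines; if newlines have been turned into spaces, the ^ anchor no longer lands at the start of each encoded line.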