FW: [Esa-l] Stopping Hybris via. global /etc/procmailrc
Bjarni R. Einarsson
bre at netverjar.is
Mon Jan 8 08:44:06 PST 2001
On 2001-01-08, 10:34:27 (-0600), Floyd Pierce wrote:
> Has anyone seen anything other than an exe or a scr from Hybris?
> I'm poisoning them so I hope that's good enough...
No, those extensions are always used (as far as I can tell). In fact,
the anonymous messages with the random file names seem to always use the
.EXE extension, although that may change. My procmail rule only catches
.EXE extensions for anonymous messages, it should probably be enhanced to
catch .SCR as well.
I deliberately made it as specific as possible, because I feel it's
better to let a few Hybris copies through than drop legitimate email.
Unfortunately, this is all just temporary relief, because Hybris can
update itself over the 'net. So don't be surprised if the author of
Hybris figures out how to embed it in some other file format (hacking
up Flash files would be cool) and it begins to propagate that way.
I've noticed that the anonymous messages are much more common now than
they used to be - messages from hahaha at se*yfun.net are more rare,
which is the opposite of how it was the first few weeks I was aware of
this. I expect things to continue to change.
P.S. Has anyone here mentioned the Shockwave Flash bugs? Apparently
there are exploitable buffer overruns in all versions of the flash
player, so paranoid people should probably add .swf to their poisoned
list. Details can be found on securityfocus.com.
Bjarni R. Einarsson PGP: 02764305, B7A3AB89
bre at klaki.net -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
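The attachment-extension check the post describes, written out as an added example (this is not the poster's procmail rule nor code from his sanitizer): it parses a MIME message, collects the filenames of every attachment whose extension is on a small blocklist (.EXE and .SCR, matched case-insensitively), and lets the caller widen the list, for example with .swf, without touching the core logic. The sample messages are constructed for this example; the `blocked_attachments` function and the `BLOCKED_EXTENSIONS` set are names chosen here.

```python
import email
import os
from email import policy

# Constructed sample: a multipart message carrying an .EXE attachment with a
# random-looking name, the shape of message the post discusses.
SAMPLE_MESSAGE = """\
From: nobody@example.invalid
To: user@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hello
--XYZ
Content-Type: application/octet-stream; name="ABCDEF.EXE"
Content-Disposition: attachment; filename="ABCDEF.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Constructed sample: a plain-text mail with no attachment at all.
CLEAN_MESSAGE = """\
From: friend@example.invalid
To: user@example.invalid
Subject: Lunch?
MIME-Version: 1.0
Content-Type: text/plain

See you at noon.
"""

# Deliberately narrow default list, in the spirit of "as specific as possible":
# only the extensions actually observed in the wild at the time.
BLOCKED_EXTENSIONS = {".exe", ".scr"}


def blocked_attachments(raw, extensions=BLOCKED_EXTENSIONS):
    """Return the filenames of attachments whose extension is blocklisted.

    Extension matching is case-insensitive, so ABC.EXE and abc.exe are treated
    alike. The body is not decoded; only the declared filename is inspected.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no filename of their own
        name = part.get_filename()
        if not name:
            continue  # inline text parts and the like
        ext = os.path.splitext(name)[1].lower()
        if ext in extensions:
            hits.append(name)
    return hits


def should_drop(raw, extensions=BLOCKED_EXTENSIONS):
    """Verdict helper: True when at least one blocklisted attachment is present."""
    return bool(blocked_attachments(raw, extensions))


if __name__ == "__main__":
    print("sample:", blocked_attachments(SAMPLE_MESSAGE))
    print("clean:", blocked_attachments(CLEAN_MESSAGE))
    # Widening the list (the "paranoid" variant from the postscript):
    print("paranoid set:", sorted(BLOCKED_EXTENSIONS | {".swf"}))
```

Keeping the blocklist tiny and explicit mirrors the trade-off the post makes: a missed worm copy costs less than a dropped legitimate mail, and anything broader than a filename-extension match should be a separate, consciously widened set rather than a looser regular expression.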