[Esd-l] Revised SoBig-F local rule

John D. Hardin jhardin at impsec.org
Thu Aug 21 10:14:06 PDT 2003


On Thu, 21 Aug 2003, Scott Taylor wrote:

> That new rule doesn't seem to catch:
> REPORT: Trapped poisoned executable "wicked_scr.scr"

It's not intended to. The sanitizer catches those just fine without
any special local rules.

The only reason I published this update was that I misread the
Symantec writeup and thought SoBig.F had changed the .ZIP file
attachment names, when actually it has stopped using .ZIP files
entirely (thank goodness).

Apart from trapping specific .ZIP-file-based attacks, the local rules
are only intended to identify *which* attack was trapped.

In the case of SoBig.F, where it's .pif and .scr files and the sender
address is forged, there's really no point to even having a local
rule, as it doesn't improve the chances of trapping it and there's no
way to notify the sender what they are infected with.

> There are a couple of very long lines there, should they be one line?
> ie:
> * 9876543210^1 ^Content-(Type|Disposition):.*name *=
> *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip"?

Yes. Mailers like to wrap lines.


--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   72 days until Matrix Revolutions
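The wrapped local rule quoted above, rejoined into one line and run over a few constructed attachment headers to show what it traps (the SoBig.F `.zip` names) and what it deliberately does not (`.scr` and `.pif`). This is an added Python example, not code from the original message or from the sanitizer; it assumes the mailer's line wrap stood in for a single space after `name *=`, and the sample headers are constructed.

```python
import re

# The two mailer-wrapped lines of the local rule quoted in the message,
# as they appeared.  The leading "* 9876543210^1" is procmail scoring
# syntax; the rest is the regular expression.  Assumption: the wrap
# replaced a single space after "name *=".
WRAPPED_RULE = [
    r'* 9876543210^1 ^Content-(Type|Disposition):.*name *=',
    r'*"?(action|your_(details|document)|application|details|document(_all)?'
    r'|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip"?',
]

# Constructed sample MIME header lines (not from the original message).
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="your_document.zip"',
    'Content-Type: application/octet-stream; name="document_all9.zip"',
    'Content-Type: application/octet-stream; name="wicked_scr.zip"',
    'Content-Type: application/octet-stream; name="wicked_scr.scr"',
    'Content-Type: application/x-msdownload; name="thank_you.pif"',
    'Content-Disposition: attachment; filename="invoice.zip"',
]


def join_wrapped_rule(fragments):
    """Undo the mailer's wrap: rejoin the fragments with the lost space."""
    return " ".join(f.strip() for f in fragments)


def rule_regex(rule_line):
    """Drop the procmail '* <score>^<weight> ' prefix and compile the rest.
    procmail matches case-insensitively by default, so mirror that here."""
    pattern = re.sub(r'^\*\s+\S+\s+', '', rule_line)
    return re.compile(pattern, re.IGNORECASE)


def matches_rule(header_line, regex):
    """True if this single header line satisfies the rule's condition."""
    return regex.search(header_line) is not None


def trapped_attachments(header_lines, regex):
    """Return the header lines the local rule would flag."""
    return [h for h in header_lines if matches_rule(h, regex)]


if __name__ == "__main__":
    rx = rule_regex(join_wrapped_rule(WRAPPED_RULE))
    for h in SAMPLE_HEADERS:
        print("TRAP " if matches_rule(h, rx) else "pass ", h)
```

The three `.zip` headers are flagged; the `.scr` and `.pif` ones fall through to the sanitizer's own executable trapping, which is the point of the reply above.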