[Esd-l] Sanitizer rule for Novarg .ZIP attack

John D. Hardin jhardin at impsec.org
Mon Jan 26 20:09:43 PST 2004


All:

Okay, minor tweaking and it appears to be working.

See attachment.

The .EXE et. al. variants don't need special rules to be trapped, but
if you want to identify them you could change the "\.zip" in this to
something like:

	\.(zip|exe|com|bat|pif|scr)

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   68 days until the Slovakian Presidential Election
-------------- next part --------------
#
# Trap NovArg
# Signature as of 01/26/2004
#
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
{
        :0 B hfi
        * ^Content-Type: text/plain;$.*charset="Windows-1252"
        * ^Content-Disposition: attachment;
        * ^Content-Transfer-Encoding: base64
        * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
        * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
        | formail -A "X-Content-Security: [$HOST] NONOTIFY" \
                  -A "X-Content-Security: [$HOST] DISCARD" \
                  -A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}



More information about the esd-l mailing list