[Esd-l] Re: Sanitizer and zip virus

John D. Hardin jhardin at impsec.org
Wed Jan 28 05:46:01 PST 2004


On 28 Jan 2004, Agostini yves wrote:

> First, thank you for your great work on sanitizer

You're welcome!
 
> I use it for years and it's really fine

That's good to hear.
 
> Like a lot of people, I have just some trouble with zip files like
> NovArg, Sobig
> 
> I had a small idea: use strings and grep on PK$ to find the
> names of files in the zip; it could be faster than unzip -l. After
> that your rules on file names could be used:
> 
> Example : 
> [agostini at agostini scripts] cat ../data.zip | uuencode /dev/stdout |
> uudecode -o /dev/stdout | strings | grep PK$
> 
> result : data.doc        .exePK
>                  ^^^...^^  
> 
> Is it usable in sanitizer? Maybe by making something like
> MacroScanner?

That's actually a very good idea. Thanks!

Unfortunately the size of the scanner script is hitting limits on some
operating systems and there's not much room for expansion if we want
to be usable on those operating systems.

> If you think it's usable, where can I try to put it in
> html-trap.procmail,v 1.139?

What would probably happen is something very like the macro scanner.
There would be some code in the MIME header processing to set a flag
if the filename ends in .ZIP, and then a block of code to process the
base64 attachment body and pull out the text strings and check them
against the poison list.

There would have to be some provision for controlling this separately
from normal attachment processing so that you can whitelist ZIPs,
otherwise how will trusted correspondents send you executable files?

(Yes, encrypted ZIPs. Still, I think we can lower the bar a bit.)

Thanks for a very good suggestion.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   67 days until the Slovakian Presidential Election
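A standalone illustration of the approach discussed in this thread (added here; it is not part of the Sanitizer code or of either poster's message): it reads the member names straight from the ZIP central directory of a base64-encoded attachment body, with no inflation, and checks the true trailing extension of each name against a poison list. The poison list and the sample archive are constructed for the example; Sanitizer's own list is configurable.

```python
import base64
import io
import re
import struct
import zipfile

# Sample poison list (assumed stand-in for Sanitizer's configurable list).
POISONED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

CDIR_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
CDIR_FMT, EOCD_FMT = "<4s6H3I5H2I", "<4s4H2IH"  # fixed header parts, little-endian

def zip_member_names(b64_body):
    """Decode a base64 attachment body and list the file names recorded in the
    ZIP central directory, without inflating anything (like 'unzip -l')."""
    data = base64.b64decode(b64_body)
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    _, _, _, _, total, _, cd_off, _ = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    names, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        fields = struct.unpack(CDIR_FMT, data[pos:pos + 46])
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("cp437", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def suspicious_names(names, poison=POISONED_EXT):
    """Return names whose real (last) extension is poisoned. Trailing spaces are
    stripped first so 'data.doc        .exe' is judged by '.exe', not '.doc'."""
    hits = []
    for name in names:
        base = name.rstrip().rsplit("/", 1)[-1]
        m = re.search(r"\.[^.\s]+$", base)
        if m and m.group(0).lower() in poison:
            hits.append(name)
    return hits

def build_sample_attachment():
    """Constructed sample: a ZIP holding a space-padded double-extension name (as
    in the quoted post) and a harmless text file, base64-encoded like a MIME body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.doc        .exe", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"hello\n")
    return base64.b64encode(buf.getvalue()).decode("ascii")

if __name__ == "__main__":
    members = zip_member_names(build_sample_attachment())
    print("members:", members)
    print("poisoned:", suspicious_names(members))
```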