[esa-l] New email worm the sanitizer does not catch

John D. Hardin jhardin at impsec.org
Wed Jan 18 09:33:47 PST 2006


All:

There's a fresh new worm out there that has a new trick for obscuring
its payload.

The attachment is a UUE-encoded executable that is then BASE64-encoded
and attached as type x-msdownload.

I have added default poisoning of MIME type APPLICATION/X-MSDOWNLOAD
to the development sanitizer (1.151pre1); it can be disabled by
defining $SECURITY_TRUST_MS_DOWNLOAD as anything.

This will probably be released as full MIME-type poisoning support
this weekend.

Remember, this is the dev snapshot so it is not thoroughly tested.

 http://www.impsec.org/email-tools/development/html-trap.procmail

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
                                        -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
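
The layering described in the message above (UUE inside BASE64, declared as x-msdownload), as an added detection example in Python. It is not part of the original post and is not the sanitizer's procmail code; `scan`, `uu_decode`, `build_sample` and the sample message are constructed for illustration.

```python
import binascii
import re
from email import message_from_bytes
from email.message import EmailMessage

UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S+\r?$", re.M)
POISONED_TYPES = {"application/x-msdownload"}   # the type named in the post

def uu_decode(blob):
    """Return the bytes of a uuencoded file found in blob, or None if absent."""
    m = UU_BEGIN.search(blob)
    if not m:
        return None
    out = bytearray()
    for line in blob[m.end():].splitlines():
        if line.strip() == b"end":
            break
        if not line.strip():
            continue
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error:
            return None                      # "begin" line seen, body is not UUE
    return bytes(out)

def scan(raw):
    """One finding per leaf part that has a poisoned type or hides a UUE file."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""   # strips the BASE64 layer
        inner = uu_decode(payload)                       # strips the UUE layer
        if ctype in POISONED_TYPES or inner is not None:
            findings.append({"type": ctype,
                             "uu_wrapped": inner is not None,
                             "inner_is_mz": bool(inner) and inner[:2] == b"MZ"})
    return findings

def build_sample():
    """Constructed message: harmless bytes, uuencoded, then BASE64'd by MIME."""
    inner = b"MZ constructed, harmless bytes"            # not a real executable
    uu = b"begin 644 sample.exe\n" + binascii.b2a_uu(inner) + b"`\nend\n"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(uu, maintype="application", subtype="x-msdownload",
                       filename="sample.exe")
    return msg.as_bytes()
```

A scanner that inspects only the BASE64-decoded attachment sees uuencoded text rather than an executable header, which is why both layers are peeled here before the `MZ` check.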




