[Esa-l] Re: Idea: Multiple extension detector
John D. Hardin
jhardin at wolfenet.com
Sun Jun 11 08:20:32 PDT 2000
On Sat, 10 Jun 2000, Brett Glass wrote:
> This week, some skript kiddies attempted to spread a Trojan by
> disguising it as a movie file (.mpg.exe or .avi.exe, depending on
> who you ask). This suggests that a sanitizer should probaby detect
> such "double extensions" and treat them with extreme prejudice....
Not so new. All of the .VBS worms were written that way too.
Interesting idea. I don't think the current version could do it too
well, but there's a simple way to put that into your poisoned-files
list, assuming you don't want to poison *all* .EXE attachments:
*.[a-z0-9]+.exe
I'll add that to the recommended list on the home page.
Thanks.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
140 days until Daylight Savings Time ends
More information about the esd-l
mailing list