From brett at lariat.org Mon Jan 1 23:49:54 2001
From: brett at lariat.org (Brett Glass)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Defanging of HTML mail
Message-ID: <4.3.2.7.2.20010102004613.04789bb0@localhost>

We just got a nasty HTML spam which contained directives to fetch content from the spammer's site; it was not fully neutralized by John's current sanitizer code. The source looked like this after defanging:

> > > >Oldies Online Casino - Happy New Year!!! > > >

Oldies >Online > Casino
> Would like to >welcome > you and your family a Happy New Year!
>
src="http://www.oldiesonlinecasino.com/img/25perbonus.gif" width="253" >height="164" border="0">
> We Would also like > to offer ALL NEW & EXISTING Members a
> Holiday 25% Bonus
>
Oldies Online > Casino offers Free no download Flash Internet
> gambling, games include craps, keno, slots, video poker,
> roulette and blackjack in real time. Play for fun or cash!
> href="http://www.oldiesonlinecasino.com">http://www.oldiesonlinecasino.com>
>
> to color="#FF0000">unsubscribe > click here

> Note that the background sound got through.... I suspect that a
> background bitmap would as well.

--Brett

From jhardin at wolfenet.com Tue Jan 2 07:06:26 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] New variant of Hybris?
Message-ID:

I just got a message in my inbox that looked really suspicious: a message with an executable attachment named AKBHIJAK.EXE, but no body, To: or Subject: line. Looking at the attachment in vi showed that it's a copy of the Hybris worm.

This might be a useful rule to add just before the Sanitizer call:

===================================
:0
* ^Content-type: multipart/mixed;
* ! ^To:
* ! ^Subject:
{
  :0 B
  * ^Content-type: application/octet-stream;
  * name=.*\.EXE
  $SECURITY_QUARANTINE
}
===================================

Untested and subject to refinement. Comments?

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin
 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 It's easy to be noble with other people's money.
  -- John McKay, _The Welfare State: No Mercy for the Middle Class_
-----------------------------------------------------------------------
 1400 days until the Presidential Election

From jhardin at wolfenet.com Tue Jan 2 06:55:52 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Defanging of HTML mail
In-Reply-To: <4.3.2.7.2.20010102004613.04789bb0@localhost>
Message-ID:

On Tue, 2 Jan 2001, Brett Glass wrote:
>
> Note that the background sound got through.... I suspect that a
> background bitmap would as well.

Good idea. I'll research it and see what I can do about it.
-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin

From joaopaulo at unimetro.com.br Tue Jan 2 11:00:08 2001
From: joaopaulo at unimetro.com.br (João Paulo Andrade)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] mail.local
Message-ID: <5.0.0.25.0.20010102165403.00a75b40@mail.unimetro.com.br>

I want to know how I edit the rules in mail.local. I want to allow only *.zip files.

thanks

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <
> João Paulo G. de Andrade         <
> joaopaulo@unimetro.com.br        <
> IT Department                    <
> Unimed Metropolitana de Salvador <
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <

From brett at lariat.org Tue Jan 2 12:49:32 2001
From: brett at lariat.org (Brett Glass)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Minor nit: agreement in number
Message-ID: <4.3.2.7.2.20010102134805.00e19a30@localhost>

There is a minor grammatical mistake in the message generated when a TNEF attachment is stripped. The current message says:

>SECURITY NOTICE
>The mail system has removed a Microsoft attachment for security reasons.
>Please contact the sender of this message and ask them to
>disable Rich Text format in their mail program and
>disable sending TNEF to the Internet from their Microsoft Exchange gateway.

"ask them" should be "ask him or her."

--Brett

From jhardin at wolfenet.com Tue Jan 2 20:49:16 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] New variant of Hybris?
In-Reply-To:
Message-ID:

On Tue, 2 Jan 2001, Karl Dunn wrote:
> I think this trick can be used to send ANY type of attachment past
> the filters: no body, just a nasty attachment. We should run such
> stuff through the same perl script as attachments that FOLLOW a
> body. No?

Sorry, I wasn't being clear there. I should have said, "no body text". There was a text/plain MIME body part, with no content. The sanitizer will sanitize a message that consists of only an attachment.

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin

From bre at netverjar.is Mon Jan 8 04:42:21 2001
From: bre at netverjar.is (Bjarni R. Einarsson)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Stopping Hybris via. global /etc/procmailrc
Message-ID: <20010108124221.C21400@klaki.net>

Hi,

I've been getting huge amounts of Hybris via. mail lately, and a lot of it is (as previously discussed here) sent with completely random file names and few recognizable headers. I've been collecting my specimens, and have found the following trends:

- Hybris always prefixes its MIME boundaries with "VE".
- The anonymous messages don't have subject lines.
- The first lines of the Base64-encoded attachment are always the same.

So I created a procmail ruleset which checks for these tell-tales, checks the message size and some other headers. It's a pretty tight match, and I doubt it will discard anything that isn't really Hybris.
I'd recommend using a variation of this rule before passing the message on to my or John's sanitizers.

As usual: deploy with care, and don't blame me if it eats your mail.

Hope it helps. :)

My /etc/procmailrc contains:

# Global procmail ruleset to block spam and other icky stuff.
# Icky stuff is dumped in /tmp/spam.USERNAME
#
DROPPRIVS=yes

##############################################################################
# Detect Hybris when sent from hahaha@sexyfun.net
#
:0
* ^From:.*hahaha@sexyfun.net
/tmp/spam.$LOGNAME

# Detect Hybris when sent as an anonymous message.
#
:0 i
* > 32000
* < 33000
* !^Subject:
* ^Content-Type: multipart/mixed; boundary="--VE
{
  :0 B
  * ^Content-Type: text/plain; charset="us-ascii"
  * ^Content-Disposition:.*\.EXE
  * ^Content-Type:.*\.EXE
  * ^TVqQAAMAAAAEAAAA
  * ^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7
  * ^D4TKBAAAUFVQ/1QkSAEs
  /tmp/spam.$LOGNAME
}

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre@netverjar.is           -><-           http://bre.klaki.net/

Netverjar gegn ruslpósti: http://www.netverjar.is/baratta/ruslpostur/

From bre at netverjar.is Mon Jan 8 08:33:21 2001
From: bre at netverjar.is (Bjarni R. Einarsson)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Stopping Hybris via. global /etc/procmailrc
In-Reply-To: <20010108124221.C21400@klaki.net>; from Bjarni R. Einarsson on Mon, Jan 08, 2001 at 12:42:21PM +0000
References: <20010108124221.C21400@klaki.net>
Message-ID: <20010108163321.C25115@klaki.net>

On 2001-01-08, 12:42:21 (+0000), Bjarni R. Einarsson wrote:
>
> # Detect Hybris when sent as an anonymous message.
> #
> :0 i
> * > 32000
> * < 33000

Minor update - the size bounds here are too tight. Depending on which path the message takes through the network, the total message size can be anywhere from about 31000 bytes to infinity. :-) 31000-33000 seems like a pretty good range though. Using 32000 as a lower bound will cause some messages to slip through (I just got one).

Sorry about that...

-- 
Bjarni R.
Einarsson                           PGP: 02764305, B7A3AB89
 bre@klaki.net              -><-           http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

From floydp at boxusa.com Mon Jan 8 08:34:27 2001
From: floydp at boxusa.com (Floyd Pierce)
Date: Mon Dec 26 10:17:48 2005
Subject: FW: [Esa-l] Stopping Hybris via. global /etc/procmailrc
Message-ID:

Has anyone seen anything other than an exe or a scr from Hybris? I'm poisoning them so I hope that's good enough...

-- 
Floyd Pierce            | Director of Information Technology
Phone 847-790-2830 (IL) | Box USA
Phone 817-783-2355 (TX) | floydp@boxusa.com
Fax   847-790-2880      | floydp@imagin.net

-----Original Message-----
From: esa-l-admin@spconnect.com [mailto:esa-l-admin@spconnect.com]On Behalf Of Bjarni R. Einarsson
Sent: Monday, January 08, 2001 6:42 AM
To: esa-l@spconnect.com
Subject: [Esa-l] Stopping Hybris via. global /etc/procmailrc

Hi,

I've been getting huge amounts of Hybris via. mail lately, and a lot of it is (as previously discussed here) sent with completely random file names and few recognizable headers. I've been collecting my specimens, and have found the following trends:

From bre at netverjar.is Mon Jan 8 08:44:06 2001
From: bre at netverjar.is (Bjarni R. Einarsson)
Date: Mon Dec 26 10:17:48 2005
Subject: FW: [Esa-l] Stopping Hybris via. global /etc/procmailrc
In-Reply-To: ; from Floyd Pierce on Mon, Jan 08, 2001 at 10:34:27AM -0600
References:
Message-ID: <20010108164406.A25228@klaki.net>

On 2001-01-08, 10:34:27 (-0600), Floyd Pierce wrote:
> Has anyone seen anything other than an exe or a scr from Hybris?
> I'm poisoning them so I hope that's good enough...

No, those extensions are always used (as far as I can tell). In fact, the anonymous messages with the random file names seem to always use the .EXE extension, although that may change. My procmail rule only catches .EXE extensions for anonymous messages, it should probably be enhanced to catch .SCR as well.
I deliberately made it as specific as possible, because I feel it's better to let a few Hybris copies through than drop legitimate email.

Unfortunately, this is all just temporary relief, because Hybris can update itself over the 'net. So don't be surprised if the author of Hybris figures out how to embed it in some other file format (hacking up Flash files would be cool) and it begins to propagate that way.

I've noticed that the anonymous messages are much more common now than they used to be - messages from hahaha@se*yfun.net are more rare, which is the opposite of how it was the first few weeks I was aware of this. I expect things to continue to change.

P.S. Has anyone here mentioned the Shockwave Flash bugs? Apparently there are exploitable buffer overruns in all versions of the flash player, so paranoid people should probably add .swf to their poisoned list. Details can be found on securityfocus.com.

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre@klaki.net              -><-           http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

From brett at lariat.org Mon Jan 8 11:06:52 2001
From: brett at lariat.org (Brett Glass)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Stopping Hybris via. global /etc/procmailrc
In-Reply-To: <20010108124221.C21400@klaki.net>
Message-ID: <4.3.2.7.2.20010108115845.046777d0@localhost>

At 05:42 AM 1/8/2001, Bjarni R. Einarsson wrote (in part):
>So I created a procmail ruleset which checks for these tell-tales,
>checks the message size and some other headers. It's a pretty tight
>match, and I doubt it will discard anything that isn't really Hybris.
>
>I'd recommend using a variation of this rule before passing the message
>on to my or John's sanitizers.

Actually, John's sanitizer (with my add-ons, which don't affect that part of it) seems to have been catching Hybris for me, because I added the list of Hybris .EXE files to my "poisoned" list.
(I didn't bother to put in any of the .SCR file names, because I poison *.SCR. This has the advantage that it also catches MTX, which is really destructive and hard to remove.)

What I'd prefer to the recipe you posted is something that hooks into the existing quarantining mechanism -- a way of creating "add-on" filters that use the same variables I've set up for John's sanitizer. So, if I've defined a quarantine file or a person to notify in /etc/procmailrc, the message can be sent there without more programming. I'd also like to keep the recipe in a separate file, so that things are modular.

--Brett

From brett at lariat.org Mon Jan 8 14:39:23 2001
From: brett at lariat.org (Brett Glass)
Date: Mon Dec 26 10:17:48 2005
Subject: FW: [Esa-l] Stopping Hybris via. global /etc/procmailrc
In-Reply-To: <20010108164406.A25228@klaki.net>
References:
Message-ID: <4.3.2.7.2.20010108153725.04e9bb00@localhost>

At 09:44 AM 1/8/2001, Bjarni R. Einarsson wrote:
>P.S. Has anyone here mentioned the Shockwave Flash bugs? Apparently
>there are exploitable buffer overruns in all versions of the flash
>player, so paranoid people should probably add .swf to their poisoned
>list.

I'd say, add it to the default "mangle" list. Poisoning it should be optional, since so many people trade flash movies (e.g. the "frog in the blender" bit).

--Brett

From jhardin at wolfenet.com Mon Jan 8 20:47:47 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: FW: [Esa-l] Stopping Hybris via. global /etc/procmailrc
In-Reply-To: <20010108164406.A25228@klaki.net>
Message-ID:

On Mon, 8 Jan 2001, Bjarni R. Einarsson wrote:
> P.S. Has anyone here mentioned the Shockwave Flash bugs?
> Apparently there are exploitable buffer overruns in all versions
> of the flash player, so paranoid people should probably add .swf
> to their poisoned list.

And MANGLE_EXTENSIONS as well. Remember, if you don't mangle it you cannot poison it.
-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin

From jhardin at wolfenet.com Mon Jan 8 21:10:05 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] Stopping Hybris via. global /etc/procmailrc
In-Reply-To: <4.3.2.7.2.20010108115845.046777d0@localhost>
Message-ID:

On Mon, 8 Jan 2001, Brett Glass wrote:
> What I'd prefer to the recipe you posted is something that hooks into
> the existing quarantining mechanism; -- a way of creating "add-on"
> filters that use the same variables I've set up for John's sanitizer. So,
> if I've defined a quarantine file or a person to notify in /etc/procmailrc,
> the message can be sent there without more programming. I'd also like
> to keep the recipe in a separate file, so that things are modular.

Hmmm.... {tinkers a bit}

The notification and quarantine responses key off X-Content-Security headers inserted into the message. Here's one possible way to do what you want:

Put the following into (say) /etc/procmail/local-rules.procmail

# Detect Hybris when sent as an anonymous message.
#
:0 i
* > 31000
* < 36000
* !^Subject:
* ^Content-Type: multipart/mixed; boundary="--VE
{
  :0 B hf
  * ^Content-Type: text/plain; charset="us-ascii"
  * ^Content-Disposition:.*\.EXE
  * ^Content-Type:.*\.EXE
  * ^TVqQAAMAAAAEAAAA
  * ^SiXLG3Lv\+wdKT1hwcrOTfD7rduGAY5LvseJ7
  * ^D4TKBAAAUFVQ/1QkSAEs
  | formail -A "X-Content-Security: NOTIFY" \
            -A "X-Content-Security: QUARANTINE" \
            -A "X-Content-Security: REPORT: Anonymous Hybris"
}

Then change /etc/procmailrc to be:

...{initialization}...
INCLUDERC=/etc/procmail/local-rules.procmail
INCLUDERC=/etc/procmail/html-trap.procmail

If local-rules detects something and inserts X-Content-Security headers, the sanitizer will quarantine/notify/etc. the message.

(untested, of course)

Comments solicited.

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin

From jhardin at wolfenet.com Sat Jan 13 08:32:36 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] ANN: Sanitizer update
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The procmail sanitizer has been updated. The current version is 1.126

It is available via:

US:  http://www.impsec.org/email-tools/procmail-security.html
US:  ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
CAN: ftp://netserv.on.ca/pub/jhardin/antispam/procmail-security.html
EU:  ftp://kanon.net/pub/jhardin/antispam/procmail-security.html

- From the changelog:

01/11/2001
  Added the tag to web-bug defanging.
  Moved the quarantine and notification routines out of the encrypted-message skip block so that custom rules can still poison encrypted messages.
  Minor wording change in the MS-TNEF notification text.

The sanitizer home page is at http://www.impsec.org/email-tools/procmail-security.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQA/AwUBOmB0v9gi5ua4cy55EQKJawCgwiNlMbXGkOvVu72smQ0vxbBVaqcAoIrz
qGAYZZum8VzM95l+Cyp4cyyv
=Kmq8
-----END PGP SIGNATURE-----

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin

From michael.meltzer at sicad.de Mon Jan 15 09:21:25 2001
From: michael.meltzer at sicad.de (Michael Meltzer)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] sanitizer 1.126 error
Message-ID: <3A633195.18E08090@sicad.de>

After installing the new sanitizer 1.126 (in /etc/procmail) on IRIX 6.2 I get the following error(s) in the procmail log:

15. 16:33:21# Sanitizing MIME attachment headers in "Declined: Snowboard Event (social) - Skifahrer notfalls erlaubt" from "..." <....> to ... msgid=
procmail: Failed to execute " perl -p -e ' #\
$pastmsghdr = 1 if /^\s*$/; #\
if ($pastmsghdr) { #\
  if (!$mimeboundary && $mimeboundaries[0]) { #\
    warn " Found no MIME boundary.\n" if $ENV{"DEBUG"}; #\
    $mimeboundary = pop @mimeboundaries; #\
    $newboundary = pop @newboundaries; #\
    $rawboundary = pop @rawboundaries; #\
    $boundarytoolong = pop @boundariestoolong; #\
    $gotboundary = pop @gotboundaries; #\
    $nullboundary = pop @nullboundaries; #\
  } #\
....
} else { #\
  $poisoned = 0; #\
} #\
} #\
' 2>> $LOGFILE"
procmail: Error while writing to " perl -p -e ' #\
$pastmsghdr = 1 if /^\s*$/; #\
if ($pastmsghdr) { #\
  if (!$mimeboundary && $mimeboundaries[0]) { #\
    warn " Found no MIME boundary.\n" if $ENV{"DEBUG"}; #\
    $mimeboundary = pop @mimeboundaries; #\
    $newboundary = pop @newboundaries; #\

I have been running the sanitizer for about a year and I am very happy with it. Thanks in advance.

Regards, Michael

-- 
+---- Michael Meltzer ---+-----------------------------------------+
| SICAD Geomatics        | EMail : Michael.Meltzer@sicad.de        |
| Otto-Hahn-Ring 6       | Phone : +49-89-636-46239                |
| 81739 Muenchen         | Fax   : +49-89-636-51313                |
+------------------------+-----------------------------------------+

From jhardin at wolfenet.com Thu Jan 18 00:09:06 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] HTML.dropper (fwd)
Message-ID:

How in the world could MS possibly have written the mail program such that it would interpret a long subject as an attachment name? BO, anyone?

So what do we do? Arbitrarily limit all headers to 256 characters?

Sigh.

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin
-----------------------------------------------------------------------
 The question of whether people should be allowed to harm themselves is simple. They *must*.
  -- Charles Murray
-----------------------------------------------------------------------
 17 days until she returns

---------- Forwarded message ----------
Date: Wed, 17 Jan 2001 09:09:14 -0800
From: "http-equiv@excite.com"
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: HTML.dropper

Internet Explorer 5.5 and accompanying mail and news client afford us the unique ability to dictate which icons and file extensions we require.
Specifically, we are able to manufacture an email message to appear as one thing when in fact it is not:

1. What?

By carefully calculating a certain length of characters in the subject field of an email message, Outlook Express 5.5 for whatever reason creates an attachment incorporating the text in the body of the message.

2. And

We have in fact not attached anything, yet there is a fully functional attachment. Furthermore we can dictate which file association and applicable icon we require in order to execute our file. We can create it to appear as an image file, sound file, html file etc. etc.

3. What does this mean:

MIME-Version: 1.0
To: http-equiv@excite.com
Subject: .hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit

This will create an email message with no reference to attachments in the headers. This can be particularly troublesome to content filtering gateways and/or security applications that strip attachments through header information that is content disposition: attachment; content-type: application/malware; filename: iloveyou.vbs

What the above does is create an attachment, which in this case is an *.hta file, but by manipulating the content-type, it is given an image file icon. We then include in the body of our email message the very simple code to execute whatever we wish, which is automatically incorporated into the manufactured attachment.

4. Working example below. Note: Right-click and save to disk. To be opened in the mail client. Harmless WSH code to execute telnet.exe on the local machine.

http://www.malware.com/dropper.eml

5. The possibilities are endless. Any text based executable will suffice. It is also trivial to introduce outside code into the temporary internet folder, where the *.hta is opened. We can draw an executable into the TIF via the image tag (though it numbers), and also by the bgsound tag (which is not numbered).
The main problem lies in the fact that we can dictate the icon, which has always been a goal of the VX community to dupe recipients. Furthermore the fact that there is no legitimate header information for content filtering and security application screening of attachments etc. is equally problematic.

Tested on IE5.5. and OE5.5. win98, fully patched and updated with all so-called service packs.

Notes:

1. There is still the security warning with opening the file. However the icon representing the content type should override, most if not all's concern.

2. The actual file extension (*.hta in this case) seems to have to appear in the security warning dialogue box, you can see it at the very end to execute. If the subject length is too long, it creates an odd *.tx file which calls up 'what do you want to open this with [something to this effect]' system requirement.

3. This appears to be somewhat similar to something examined several months ago: http://www.malware.com/yoko.html

===

Irrelevant Notes:

a. We don't mind multi-million dollar security companies cutting and pasting our working examples into test sites to promote their products, you can at least acknowledge whose creation it is.

b. We received numerous unsolicited offerings to acquire our domain, ranging from ridiculous quantums of currency to bizarre JV proposals. We will examine for the next several months proposals under both circumstances and should anyone have genuine interest, contact bug@malware.com, all communications will be held in the strictest of confidence. Time-wasters will be shown the door however.

end call

===

---
http://www.malware.com

From bre at klaki.net Thu Jan 18 00:46:24 2001
From: bre at klaki.net (Bjarni R.
Einarsson)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] HTML.dropper (fwd)
In-Reply-To: ; from jhardin@wolfenet.com on Thu, Jan 18, 2001 at 12:09:06AM -0800
References:
Message-ID: <20010118084623.A459@diskordiah.mmedia.is>

On 2001-01-18, 00:09:06 (-0800), John D. Hardin wrote:
>
> How in the world could MS possibly have written the mail program such
> that it would interpret a long subject as an attachment name? BO,

It's User Friendly! :)

> So what do we do? Arbitrarily limit all headers to 256 characters?

I think this particular problem can be defanged simply by *appending* the word "DEFANGED" to unusually long subject lines. Hopefully few mailers will make stupid assumptions about subject lengths, but appending this word will remove any odd chance that the Subject's last few characters get interpreted as an extension name.

Actually, though, I'm somewhat sceptical of the validity of the Bugtraq post you quoted. I suspect the Subject: line isn't really important here - what's important is that Microsoft products tend to ignore MIME types, when it comes to actually executing/displaying something.

For example, it has long been known that Internet Explorer will ignore the MIME type of a file it downloads. Just try renaming one of your web pages to .txt and viewing it. It'll still appear as HTML.

So my theory is:

1. MIME type dictates icon, in the example case image/gif
2. "Magic" check on contents dictates how it is run - which is *not* image/gif in this exploit.

It may be that fixing the Subject line provides some of the info used by the "magic" check - but this exploit may *not* depend on the contents of the Subject line alone.

This brings me back full-circle to my previous ponderings on making my sanitizer do magic checks of its own, and reject, mangle or defang messages where the actual contents don't match the MIME headers... which is hard to do, but would work against this sort of stupidity.
Of course, verifying this little theory of mine will take some experimentation. I'm going to try a few things at work today, I'll let you all know how it goes.

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre@klaki.net              -><-           http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

From brett at lariat.org Thu Jan 18 13:56:14 2001
From: brett at lariat.org (Brett Glass)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] File to poison: anniv.doc
Message-ID: <4.3.2.7.2.20010118145544.049e6c30@localhost>

See http://www.zdnet.com/zdhelp/stories/main/0,5594,2675677,00.html

--Brett

From jhardin at wolfenet.com Thu Jan 18 19:52:10 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] HTML.dropper (fwd)
In-Reply-To: <20010118084623.A459@diskordiah.mmedia.is>
Message-ID:

On Thu, 18 Jan 2001, Bjarni R. Einarsson wrote:
>
> > So what do we do? Arbitrarily limit all headers to 256 characters?
>
> I think this particular problem can be defanged simply by
> *appending* the word "DEFANGED" to unusually long subject lines.
> Hopefully few mailers will make stupid assumptions about subject
> lengths, but appending this word will remove any odd chance that
> the Subject's last few characters get interpreted as an extension
> name.

Hmm. If we're going to modify the subject header to sanitize this, I'd say simply collapse all runs of blanks. That, or look for a long subject header ending with \.[a-z0-9][a-z0-9][a-z0-9] and defang that.

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin
-----------------------------------------------------------------------
 The question of whether people should be allowed to harm themselves is simple. They *must*.
  -- Charles Murray
-----------------------------------------------------------------------
 16 days until she returns

From jhardin at wolfenet.com Thu Jan 18 20:08:34 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] File to poison: anniv.doc
In-Reply-To: <4.3.2.7.2.20010118145544.049e6c30@localhost>
Message-ID:

On Thu, 18 Jan 2001, Brett Glass wrote:
> http://www.zdnet.com/zdhelp/stories/main/0,5594,2675677,00.html

Mutant Melissas Murder Millions!

um, no... how about:

Mutant Melissas Mob Mailservers! Millions of Messages Missing!

I expect this would be poisoned by the macro scanner (assuming you haven't turned it off... :)

-- 
John Hardin KA7OHZ  ICQ#15735746  http://www.wolfenet.com/~jhardin/
jhardin@wolfenet.com  pgpk -a finger://gonzo.wolfenet.com/jhardin

From bre at klaki.net Fri Jan 19 08:35:01 2001
From: bre at klaki.net (Bjarni R. Einarsson)
Date: Mon Dec 26 10:17:48 2005
Subject: [Esa-l] HTML.dropper (fwd)
In-Reply-To: ; from John D. Hardin on Thu, Jan 18, 2001 at 07:52:10PM -0800
References: <20010119091945.23663.qmail@securityfocus.com> <20010118084623.A459@diskordiah.mmedia.is>
Message-ID: <20010119163501.D17727@klaki.net>

On 2001-01-18, 19:52:10 (-0800), John D. Hardin wrote:
>
> Hmm. If we're going to modify the subject header to sanitize this, I'd
> say simply collapse all runs of blanks. That, or look for a long
> subject header ending with \.[a-z0-9][a-z0-9][a-z0-9] and defang that.

I agree that that is also a good strategy.
Bugtraq had more info on this today, which sort of helps decide which strategy is best:

On 2001-01-19, 09:19:45 (-0000), Shane Hird wrote:
>
> It seems OE is cutting the file name short to a
> specified length when trying to open it (consequently
> chopping off the real extension), but not cutting it
> short when determining which icon to use. (Note that
> the icon choice doesn't seem to be affected like this
> with the subject overflow problem.)

This implies two things:

- Outlook will use the Subject as a file name, if no file name is provided in the MIME headers. So we have to add the Subject: line to our list of fields-to-mangle. *sigh* I'm tempted to do so conditionally - only when filename="" tags are missing from the MIME headers, since long subject lines are very useful.

- Truncating file names or appending stuff to them may not always work. Chopping stuff off the front (like I do in my Sanitizer) appears to be safest.

How the icon is chosen appears, judging from this message I just quoted and from the original HTML.dropper report, to be determined by a mixture of filename and MIME-type. It's all quite confusing. So, instead of thinking about it... chop chop chop! :-)

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre@klaki.net              -><-           http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

From jhardin at wolfenet.com Fri Jan 19 21:45:58 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] HTML.dropper (fwd)
In-Reply-To: <20010119163501.D17727@klaki.net>
Message-ID:

On Fri, 19 Jan 2001, Bjarni R. Einarsson wrote:

Options:

> > collapse all runs of blanks.

Simple, but will break spam rules trapping on / [0-9]+$/

I'm also reluctant to twiddle things that people can see (vs. modifying metadata in the headers).

> > look for a long subject header ending
> > with \.[a-z0-9][a-z0-9][a-z0-9] and defang that.

Tougher, and possibly ineffective if it's a truncation bug.
It may also generate a DoS given the exact nature of the bug in
Outlook.

> - Outlook will use the Subject as a file name, if no file name
> is provided in the MIME headers. So we have to add the Subject:
> line to our list of fields-to-mangle.

No, I don't think so. Subject: is too free-form for such checking to
be reliable.

> *sigh* I'm tempted to do
> so conditionally - only when filename="" tags are missing from
> the MIME headers, since long subject lines are very useful.

Better still: in a MIME header specifying a content-type other than
text/ message/ or multipart/, if no name="whatever" clause is provided
then insert one. This should take care of the Outlook
subject-becomes-filename hack.

Comments?

I have a test version of this if anyone wants to beat on it. You can
also send exploit attempts to me at if you like.

> On 2001-01-19, 09:19:45 (-0000), Shane Hird wrote:
> > 
> > It seems OE is cutting the file name short to a
> > specified length when trying to open it (consequently
> > chopping off the real extension), but not cutting it
> > short when determining which icon to use. (Note that
> > the icon choice doesn't seem to be affected like this
> > with the subject overflow problem.)

The example given in this post - a very long filename overflowing a
buffer and dropping the extension - is defanged by the existing
truncate-excessively-long-filename sanitization.
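As an added illustration (not code from the list or from either sanitizer), the following Python applies the two defences discussed above: John's proposal to insert a name= clause into any non-text/message/multipart part that lacks one, and Bjarni's practice of chopping over-long file names from the front so the real extension survives. The 64-character limit, the placeholder name and the sample message are assumptions constructed for the example.

```python
# Added example (not the list's or either sanitizer's code): give nameless
# non-text MIME parts a name and chop over-long names from the front.
import email
import re

MAX_NAME_LEN = 64                      # assumed limit; the list gives no number
INLINE_MAINTYPES = {"text", "message", "multipart"}  # parts that need no name
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")
PLACEHOLDER_NAME = "attachment.bin"    # constructed name for nameless parts

def sanitize_filename(name, limit=MAX_NAME_LEN):
    """Collapse runs of blanks, replace unsafe characters, and keep only the
    last `limit` characters so truncation cannot hide the final extension."""
    name = UNSAFE.sub("_", " ".join(name.split()))
    return (name[-limit:] if len(name) > limit else name) or PLACEHOLDER_NAME

def ensure_attachment_names(msg):
    """Insert or rewrite names in place; return the number of parts changed."""
    changed = 0
    for part in msg.walk():
        if part.get_content_maintype() in INLINE_MAINTYPES:
            continue
        original = part.get_filename()  # Disposition filename, else Type name=
        new_name = PLACEHOLDER_NAME if original is None else sanitize_filename(original)
        if new_name == original:
            continue
        part.set_param("name", new_name, header="Content-Type")
        if part.get("Content-Disposition") is None:
            part.add_header("Content-Disposition", "attachment", filename=new_name)
        else:
            part.set_param("filename", new_name, header="Content-Disposition")
        changed += 1
    return changed

def attachment_names(msg):
    return [p.get_filename() for p in msg.walk()
            if p.get_content_maintype() not in INLINE_MAINTYPES]

def sanitize_message(raw):
    """Parse a raw message, fix its attachment names, return (message, count)."""
    msg = email.message_from_string(raw)
    return msg, ensure_attachment_names(msg)

# Constructed sample: one nameless binary part and one with an over-long name.
SAMPLE = ("MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b\"\n\n"
          "--b\nContent-Type: text/plain\n\nhello\n"
          "--b\nContent-Type: application/octet-stream\n\nAAAA\n"
          "--b\nContent-Type: application/octet-stream; name=\""
          + "x" * 100 + ".doc\"\n\nAAAA\n--b--\n")
```

Running ensure_attachment_names a second time on the same message changes nothing, so the filter can safely sit in a chain with other sanitizers.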
From jhardin at wolfenet.com Sun Jan 21 14:06:30 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] HTMLDropper - more details
Message-ID:

I've been talking with the people at malware who posted the initial
advisory about this. It seems that no MIME content is needed at all,
not even badly formatted MIME, just a very long subject line.

I don't have ready access to an Outlook client, so a proper fix for
this will have to wait, but it looks like the suggestion to include
the Subject: header in attachment filename checking is going to be the
most correct response.

A simpler response might be to limit the length of the Subject line to
a sane length, but then we get into the difficult area of defining
"what is sane"?

From jhardin at wolfenet.com Tue Jan 30 21:18:14 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] Incorporating traditional virus scanning
Message-ID:

Has anybody actually hacked the sanitizer to call a regular a/v tool?
I've had a request and I'd like to know if anybody has actually done
this.

(I've already pointed them at you, Bjarni.
:)

From miggie at obsidian.co.za Tue Jan 30 23:08:09 2001
From: miggie at obsidian.co.za (Miguel Louro)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] UUCP sanitizer
Message-ID:

Hi there,

Was just thinking, would it be possible to hack the sanitizer to scan
mail in a UUCP host's spooled mail? It would be great for UUCP main
nodes to eliminate the problem before it reaches their offline mail
servers, before it's spooled there. Would this be difficult to hack
together? Any comments on this would be appreciated. :)

I have a feeling that this wouldn't be too difficult to do.

Kind regards
Miggie

-- 
____________________________________________
Miguel Louro
Technical Consultant
Obsidian Systems
Linux Solutions
Reachable @ +27 83 380 8333
Office +27 11 792 6500
--------------------------------------------
Sometimes I dream, sounds all stay the same.
The Cure

From robby at obsidian.co.za Tue Jan 30 23:14:49 2001
From: robby at obsidian.co.za (Robert Mc Donald)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] Re: UUCP sanitizer
In-Reply-To:
Message-ID:

Well we could just use the poisoned file and grep through the whole
directory and delete any matches; that would stop the "known" viruses
but wouldn't do the filename renaming or the quarantining.

Sounds like a good idea though.
On Wed, 31 Jan 2001, Miguel Louro wrote:

> Hi there,
> Was just thinking, would it be possible to hack the sanitizer to scan mail
> in a UUCP host's spooled mail? It would be great for UUCP main nodes to
> eliminate the problem before it reaches their offline mail servers, before
> it's spooled there. Would this be difficult to hack together? Any comments
> on this would be appreciated. :)
> I have a feeling that this wouldn't be too difficult to do.
> 
> Kind regards
> Miggie
> 
> 

From jhardin at wolfenet.com Wed Jan 31 08:14:28 2001
From: jhardin at wolfenet.com (John D. Hardin)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] UUCP sanitizer
In-Reply-To:
Message-ID:

On Wed, 31 Jan 2001, Miguel Louro wrote:

> Was just thinking, would it be possible to hack the sanitizer to
> scan mail in a UUCP host's spooled mail? It would be great for
> UUCP main nodes to eliminate the problem before it reaches their
> offline mail servers, before it's spooled there. Would this be
> difficult to hack together? Any comments on this would be
> appreciated. :)
> 
> I have a feeling that this wouldn't be too difficult to do.

I don't think it would be too difficult. I haven't worked with UUCP
mail in a very long time, but my hazy memories of it lead me to think
that if you replaced mail.local with procmail, you could then sanitize
messages delivered from UUCP.
From faxguy at deanox.com Wed Jan 31 11:59:13 2001
From: faxguy at deanox.com (Lee Howard)
Date: Mon Dec 26 10:17:49 2005
Subject: [Esa-l] Incorporating traditional virus scanning
In-Reply-To:
Message-ID: <3.0.6.32.20010131125913.00898570@server.deanox.com>

At 09:18 PM 1/30/01 -0800, John D. Hardin wrote:
>
>Has anybody actually hacked the sanitizer to call a regular a/v tool?
>I've had a request and I'd like to know if anybody has actually done
>this.

I use an antivirus agent on the mail before it goes to the sanitizer,
but called by /etc/procmailrc just before the sanitizer gets called.
I know, though, that you're asking about scanning *from* the
sanitizer, which isn't the case here. I didn't want to mangle the
sanitizer to a point where it wouldn't be overwrite-upgraded as
updates are released.

Lee.