
Re: Idea for stopping e-mail viruses



Markus Stumpf writes:
> On Mon, Feb 02, 2004 at 04:44:57PM -0500, X-Istence wrote:
> > See, what it does is only send a message back, WHEN it is not a virus.
> > So basically, you are eliminating all viruses known to scanners, but
> > asking for confirmation on others that are not known yet, or are not a
> > virus.
> 
> But he also said
>     with an attachment of a certain type (e.g. .exe, .com, .bat, .pif,
>     .scr, etc.)
> There are viruses that fake content-types but do extensions correct and
> vice versa. Looking at extensions or content-types gives you nothing.
> And you won't obviously catch any script exploits in HTML files.
> So you basically have to C/R all attachments and then you have a plain
> and simple C/R system.
>

MS LookOut will execute a file whether it has a .exe, etc., filename
extension, or not. In MyDoom, the virus comes as a MIME/zip file. If
the user opens it, LookOut will unzip it, then look at the file
headers to figure out what else has to be done. In the case of MyDoom,
(it's a .pif file,) LookOut sees "MZ" as the first two characters of
the file, signifying a .exe executable, and tries to read the rest of
the header loader information to get the program running. See
/usr/share/misc/magic for header details for .com files, etc.

Just looking at filename extensions is inadequate to filter
executables for MS LookOut, (and it's not specifically a LookOut
problem, either; Internet Exploder's long patch history of
cross-site-scripting issues is the same thing.)

        John

BTW, note that the LookOut problem is equivalent to a ~/.mailcap with
very generous trust. See the references in RFC1521, Section 9, for
particulars.

-- 

John Conover, conover@xxxxxxxxx, http://www.rahul.net/conover/
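The point above, that a mail filter has to look at the same header bytes the client looks at (including inside a zip) rather than at the filename extension, as an added illustration; this is example code written for this page, not anything from the thread. The "MZ" signature and the zip-member limit are the only assumptions, and the samples are constructed, not real malware.

```python
import io
import zipfile

# Header bytes of formats a Windows mail client will run as code.  "MZ" is
# the DOS/PE executable stub; /usr/share/misc/magic lists more signatures.
EXECUTABLE_MAGIC = {b"MZ": "MS-DOS/PE executable"}
MAX_MEMBER_BYTES = 50_000_000  # never inflate huge zip members (zip bombs)

def find_executables(name: str, data: bytes, depth: int = 0) -> list:
    """List executables in an attachment by header bytes, descending into zips.
    The filename extension is never consulted; depth bounds nested archives."""
    hits = []
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            hits.append(f"{name}: {desc}")
    if depth < 3 and data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        hits.append(f"{member}: oversized member, not scanned")
                        continue
                    hits.extend(find_executables(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            hits.append(f"{name}: malformed zip, treat as suspicious")
    return hits

# Constructed samples (not real malware): a PE stub named like a JPEG, and a
# zip carrying a ".pif" whose bytes begin with "MZ", as in MyDoom.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, payload in entries.items():
            zf.writestr(fname, payload)
    return buf.getvalue()

SAMPLES = {
    "photo.jpg": FAKE_PE,
    "document.zip": make_zip({"readme.pif": FAKE_PE, "notes.txt": b"hello"}),
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", find_executables(fname, blob) or "clean")
```

An extension-only rule would pass "photo.jpg" and see only a harmless ".zip"; the header check flags both, and a truncated or corrupt archive is reported rather than silently skipped.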