anomy-list

Re: Worms in zip attachments!

From: Bjarni R. Einarsson (74726@xyz.molar.is)
Date: Thu 24 Apr 2003 - 13:31:05 GMT


    On 2003-04-24, 15:03:29 (+0200), Szűcs János wrote:
    > It seems nowadays it is trendy for email worms to travel in zip files, thus
    > avoiding being revealed by simple mail scanners like anomy. I myself use
    > anomy and may have missed a lot of these worms until I realised this fact
    > not so long time ago.

    This is news to me. :-) Could you give me an example of a worm which
    sends itself in this fashion? Or possibly send me a sample?

    > Is it planned to build the following features into anomy?
    > - either scan inside zip attachments, or
    > - check the filenames inside the zip attachment, (and e.g. quarantine
    > any zipped attachments containing an executable).

    These features will not be added to Anomy itself, mostly because the
    functionality is already there:

     - If you are using Anomy with an antivirus scanner (which is
       recommended) then most such scanners will scan the contents of
       zip files.

     - You could quite easily create your own shell-script "scanner" and
       plug it into the Anomy rulesets. Such a shell script would simply
       do "unzip -l" and grep the output for file names such as
       "blah.com" or "blah.exe". If such a filename is detected the
       scanner would return an exit code which Anomy had been configured
       to interpret as "infected" and treat accordingly (e.g. by
       defanging the attachment or quarantining it).

    -- 
    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
     74726@xyz.molar.is                -><-              http://bre.klaki.net/
    

    Check out my open-source email sanitizer: http://mailtools.anomy.net/ Spammers, please send lots of mail to: 74847@xyz.molar.is

    Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
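The "unzip -l | grep" scanner Bjarni describes above, written out as an added example (this is not code from the original message or from the Anomy project). It uses Python's standard zipfile module instead of shelling out to unzip, which lets it normalise names the way Windows does (mixed case, double extensions, trailing dots) and descend into zips nested inside zips. The extension list, the nesting limit, the exit codes (0 clean, 1 flagged, 2 unreadable) and the sample archives are all assumptions constructed here; the exit code returned for a hit must match whatever value the Anomy ruleset is configured to treat as "infected".

```python
"""Flag executable file names inside zip attachments.

Added example, not code from the original message or from Anomy.
Exit codes (EXIT_CLEAN / EXIT_FLAGGED / EXIT_ERROR) are assumed values;
map them to whatever Anomy's ruleset is configured to treat as "infected".
"""
import io
import sys
import zipfile

# Extensions Windows will run directly (assumed policy list; extend as needed).
EXECUTABLE_EXTS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js")
MAX_NESTING = 3          # stop recursing into zips-inside-zips beyond this depth

EXIT_CLEAN = 0           # assumed: Anomy treats this as "nothing found"
EXIT_FLAGGED = 1         # assumed: Anomy treats this as "infected"
EXIT_ERROR = 2           # assumed: archive unreadable; policy decides how to map it


def looks_executable(entry_name):
    """True if the file part of a zip entry name ends in an executable extension."""
    # Zip entries may use either separator; only the last path component matters.
    base = entry_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces when choosing a handler, so
    # "Setup.EXE." still launches as an .exe; normalise before comparing.
    base = base.rstrip(". ").lower()
    return base.endswith(EXECUTABLE_EXTS)


def flagged_entries(data, depth=0, prefix=""):
    """Return the names of suspicious entries in a zip archive given as bytes.

    Nested zips are opened recursively up to MAX_NESTING levels; a nested
    archive that cannot be inspected (corrupt or encrypted) is itself flagged,
    so the scanner fails closed rather than silently passing it through.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            if looks_executable(name):
                flagged.append(name)
            elif name.lower().endswith(".zip") and depth < MAX_NESTING:
                try:
                    inner = zf.read(info)          # RuntimeError if encrypted
                    flagged.extend(flagged_entries(inner, depth + 1, name + "/"))
                except (zipfile.BadZipFile, RuntimeError):
                    flagged.append(name)
    return flagged


def scan_bytes(data):
    """Scan one archive and return the exit code the mail filter would see."""
    try:
        hits = flagged_entries(data)
    except zipfile.BadZipFile:
        return EXIT_ERROR
    for hit in hits:
        print("flagged: %s" % hit, file=sys.stderr)
    return EXIT_FLAGGED if hits else EXIT_CLEAN


def build_zip(entries):
    """Build an in-memory zip from {name: payload}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives for illustration (not real worm samples).
SAMPLE_CLEAN = build_zip({"report.txt": b"quarterly figures", "photos/cat.jpg": b"\xff\xd8"})
SAMPLE_WORM = build_zip({"invoice.txt.exe": b"MZ...", "docs/README": b"", "Setup.EXE.": b"MZ"})
SAMPLE_NESTED = build_zip({"note.txt": b"hi", "archive.zip": build_zip({"payload.scr": b"MZ"})})

if __name__ == "__main__":
    # Usage: zipcheck.py attachment.zip   (the exit code carries the verdict)
    with open(sys.argv[1], "rb") as fh:
        sys.exit(scan_bytes(fh.read()))
```

Two caveats a plain "unzip -l | grep" does not cover: entry names inside a password-protected zip are still readable (only the contents are encrypted), so the name check works on those too, but a nested encrypted archive cannot be opened and is flagged here rather than ignored; and the nesting limit exists so a deliberately deep or recursive archive cannot turn the scanner into a denial of service.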


