Re: [Full-Disclosure] MyDoom-M evades attachment filters
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] MyDoom-M evades attachment filters
- From: "Marek Isalski" <Marek.Isalski@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Jul 2004 11:45:10 +0100
>>> "lsi" <stuart@xxxxxxxxxxxxxx> 27/07/2004 11:14:20 >>>
> My current thoughts are something like this:
> U.*E.*s.*D.*B.*A.*o.*A.*A.*
> Still got newline prob though.
Careful -- that (corrected) regexp will overoptimistically match strings like:
'United Arab Emirates branch seeks Data Base Administrator to work in providing
supporting "Follow-Up" project in Alcoholics Anonymous.'
You probably want to use a regexp matcher that doesn't care about newlines --
i.e. it treats the whole MIME attachment as one big string, and you just search
for U[:white:]E[:white:]... Though it could be possible that other malformed
MIME is accepted by mail clients' parsers but fails your regexp match. Perhaps
[:white:] should really be [^A-Za-z0-9./] (i.e. a regexp matching characters
which aren't valid Base64).
Regards,
Marek
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
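
Added example, not code from either poster: a filter-side check that compares the quoted `.*` pattern with a matcher that lets only non-Base64 characters separate the signature characters, run over the message's own false-positive sentence and two constructed MIME samples. The names, the samples, the use of Python's `email` parser and the choice of the RFC 2045 alphabet (A-Z a-z 0-9 + / and the `=` pad) as "valid Base64" are assumptions of this example.

```python
import re
from email import message_from_string

# Signature characters from the thread. They are how the ZIP local-file header
# bytes PK\x03\x04\x0a\x00\x00 begin once Base64-encoded.
SIG = "UEsDBAoAA"

# Pattern quoted in the message: anything at all may sit between the characters.
LOOSE = re.compile(".*".join(SIG), re.DOTALL)

# Assumption of this example: only characters outside the RFC 2045 Base64
# alphabet (A-Z a-z 0-9 + /) and the '=' pad may separate signature characters.
FILLER = r"[^A-Za-z0-9+/=]*"
STRICT = re.compile(FILLER.join(SIG))


def base64_bodies(raw):
    """Yield each Base64 part's still-encoded body as one string, newlines kept."""
    for part in message_from_string(raw).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if not part.is_multipart() and cte == "base64":
            yield part.get_payload()


def flags_zip(raw):
    """True if any Base64 part contains the signature, ignoring non-Base64 filler."""
    return any(STRICT.search(body) for body in base64_bodies(raw))


# The false-positive sentence given in the message.
SENTENCE = ('United Arab Emirates branch seeks Data Base Administrator to work '
            'in providing supporting "Follow-Up" project in Alcoholics Anonymous.')

# Constructed sample: signature broken up by a line break and a space.
SPLIT_SIG = ('Content-Type: multipart/mixed; boundary="b1"\n\n'
             '--b1\nContent-Type: text/plain\n\nsee attached\n'
             '--b1\nContent-Type: application/octet-stream\n'
             'Content-Transfer-Encoding: base64\n\n'
             'UEs\nDBA oAA\nAAAAAAA=\n--b1--\n')

# Constructed sample: an ordinary Base64 text body.
BENIGN = ('Content-Type: text/plain\n'
          'Content-Transfer-Encoding: base64\n\naGVsbG8gd29ybGQ=\n')

if __name__ == "__main__":
    print("loose on sentence :", bool(LOOSE.search(SENTENCE)))
    print("strict on sentence:", bool(STRICT.search(SENTENCE)))
    print("split signature   :", flags_zip(SPLIT_SIG))
    print("benign body       :", flags_zip(BENIGN))
```

The strict matcher only sees what this parser extracts, so MIME that a mail client accepts but the parser reads differently remains the gap the message warns about.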