Network Security Focus-IDS

RE: Writing signatures for e-mail virus attachments

Subject: RE: Writing signatures for e-mail virus attachments
Date: Thu, 9 Feb 2006 10:46:16 -0800
If you already know ahead of time the original byte sequence out of the
executable that you want to match, you can usually look for
base64-encoded data from port 110/143/etc (if trying to catch the
download of the email), or to port 25 (if trying to catch the
transmission of the email). base64 is the most common encoding used by
MIME email attachments, though others are possible.

The biggest complication is that since base64 maps 3 bytes of input to 4
bytes of output, there are multiple ways that the same input pattern can
be encoded, depending on the surrounding bytes:
Input(ABC) Variant 1 -> Encode(ABC)
Input(ABC) Variant 2 -> Encode(xAB) + Encode(Cxx)
Input(ABC) Variant 3 -> Encode(xxA) + Encode(BCx)

If you really want to be hardcore, you have to also address the possible
places that each base64-encoded line can be wrapped. So let's say you
have the base64-encoded pattern "ABC". Then you must also match
"A\r\nBC" and "AB\r\nC".

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Helpers from the poster's own tool, not included in the message:
 * BinaryToBase64() encodes Length bytes of Input, breaking the line every
 * WrapCount output characters, and returns a malloc'd NUL-terminated string
 * with its length in *OutputLength. HexDumpAsBytes() prints Output as hex. */
char *BinaryToBase64(const unsigned char *Input, size_t Length,
                     size_t *OutputLength, int WrapCount);
void HexDumpAsBytes(const char *Output, size_t Length);

/* Print the three alignment variants of the byte pattern Input[0..Size). */
int PrintBase64Variants(const unsigned char *Input, size_t Size, int WrapCount)
{
        size_t i, NewSize, OutputLength;
        char *Output;

        if (Size < 5)
        {
                // Size must be at least 5 to generate 3 variants:
                // 12345 will be encoded as 123, 234, and 345.
                return -1;
        }

        for (i = 0; i < 3; i++)
        {
                NewSize = Size-i;

                // Skip i leading bytes and drop the trailing partial group, so
                // the encoded variant needs no '=' padding (padding can only
                // appear at the very end of an attachment, never mid-stream).
                Output = BinaryToBase64(
                        Input+i,
                        NewSize-(NewSize%3),
                        &OutputLength,
                        WrapCount);

                assert(!strchr(Output, '='));

                printf("Variant %zu = ", i);
                HexDumpAsBytes(Output, OutputLength);
                putchar('\n');

                free(Output); Output = NULL;
        }
        return 0;
}


-----Original Message-----
From: c_sek_har@yahoo.co.in [mailto:c_sek_har@yahoo.co.in] 
Sent: Thursday, February 02, 2006 8:39 PM
To: focus-ids@securityfocus.com
Subject: Writing signatures for e-mail virus attachments

Hi,
  
  How can I write a signature for a virus which is coming as an  
attachment? The attachment may be encoded using base64 or binhex.
Do I have to create a signature for each type?
  
  Has anybody implemented the idea of decoding the attachment (IDS) and 
then parsing the file to look for some pattern? 
  
  Regards,
  Babu
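The alignment variants and the line-wrap variants described in the reply above, worked through end to end as an added example (this is not the poster's tool and not code from the list; the 14-byte pattern, the zero filler around it, the 76-column CRLF wrapping, and the function names are all constructed for illustration). It generates the signature strings, builds a base64 attachment with the pattern at several offsets, and shows which wire-level string matches at each offset, including the case where the pattern straddles a line break. It also shows the decode-then-search approach the original question asks about:

```python
import base64
import re

# Constructed 14-byte sample pattern (arbitrary bytes, not a real signature).
# Each alignment variant below is 12 bytes -> 16 base64 characters.
PATTERN = bytes(range(0x40, 0x4e))

LINE_LEN = 76   # assumed wrap width: the RFC 2045 maximum encoded line length
EOL = "\r\n"    # assumed line terminator, as seen on the wire


def alignment_variants(pattern):
    """The three base64 strings `pattern` can produce, one per 3-byte alignment.

    Skipping `skip` leading bytes covers the alignment where those bytes share
    a group with unknown preceding bytes; dropping the trailing partial group
    avoids depending on unknown following bytes (so no '=' ever appears).
    """
    if len(pattern) < 5:
        raise ValueError("need at least 5 bytes to get 3 variants")
    variants = []
    for skip in range(3):
        chunk = pattern[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 3]
        enc = base64.b64encode(chunk).decode("ascii")
        assert "=" not in enc
        variants.append(enc)
    return variants


def wrapped_variants(enc, eol=EOL):
    """`enc` plus every copy with one line break inserted at an interior point.

    One break is exhaustive only while len(enc) < LINE_LEN; longer encodings
    can straddle two line ends and need the two-break combinations as well.
    """
    return {enc} | {enc[:i] + eol + enc[i:] for i in range(1, len(enc))}


def signature_set(pattern):
    """Every wire-level string an IDS must match to catch `pattern`."""
    sigs = set()
    for enc in alignment_variants(pattern):
        sigs |= wrapped_variants(enc)
    return sigs


def build_attachment(pattern, prefix_len, eol=EOL):
    """Constructed body: zero filler, then the pattern, then more filler,
    base64-encoded as one stream and wrapped at LINE_LEN like a mail client."""
    payload = b"\x00" * prefix_len + pattern + b"\x00" * 30
    enc = base64.b64encode(payload).decode("ascii")
    lines = [enc[i:i + LINE_LEN] for i in range(0, len(enc), LINE_LEN)]
    return "Content-Transfer-Encoding: base64" + eol + eol + eol.join(lines) + eol


def raw_hits(body, sigs):
    """Signatures that match the wire bytes as-is, without decoding."""
    return sorted(s for s in sigs if s in body)


def decode_and_search(body, pattern):
    """The alternative from the question: decode the attachment, then search."""
    _, _, b64 = body.partition(EOL + EOL)
    return pattern in base64.b64decode(re.sub(r"\s+", "", b64))


if __name__ == "__main__":
    for sig in sorted(signature_set(PATTERN)):
        print(repr(sig))
    for prefix_len in (0, 1, 2, 51):   # 51: the pattern straddles column 76
        body = build_attachment(PATTERN, prefix_len)
        print(prefix_len, raw_hits(body, signature_set(PATTERN)),
              decode_and_search(body, PATTERN))
```

With the pattern at offsets 0, 1 and 2 a different one of the three unwrapped variants matches; at offset 51 the encoded pattern crosses column 76, so only the copy with CRLF inserted after its 8th character matches and the bare variant does not. The 14-byte pattern already needs 48 strings, which is why decoding the transfer encoding once and searching the decoded bytes scales better than enumerating wire-level variants. If the variants do go into a rule, remember that '+' and '/' are part of the base64 alphabet and need escaping wherever the rule language treats them as regex syntax or delimiters.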

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
