Network Security Focus-Virus
Re: blocking BHX files with MIME

Subject: Re: blocking BHX files with MIME
Date: Wed, 17 May 2006 19:17:43 +0100
Peter,

Good call.  A quick search suggests that BinHex is a form of 
UUencoding, i.e. uuencode for Mac... so I agree the sig might miss 
some attachments.

I don't have any other samples, though, and since my policy is to only 
filter on strings in use by malware, not the full set of theoretical 
strings malware might use, I don't think I'll change the sig just 
yet.

I don't filter on the full set because if the string is not in use, 
there's no need to slow my filter down looking for something that's 
not there.

You're right though, if some virus starts using 'begin 4', I will 
need to remove a few characters from the end of the string.  

Stu

On 17 May 2006 at 3:33, Peter Kosinar wrote:

> YmVnaW4gNj
> 
> Is it really the BHX (=BinHex) file format? Decoding the MIME sequence 
> yields "begin 6" (+one incomplete character), which looks very similar to 
> the UUE format. If it is actually UUE, the signature might be a bit too 
> weak because a perfectly valid UUEncoded file could start with "begin 4" 
> or "begin 7" or any other octal digit, as the three octal digits following 
> "begin" specify the permissions of the encoded file.


---
Stuart Udall
stuart at@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
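Added example, not part of the thread: a small Python script that checks Peter's point. It decodes the quoted base64 fragment, shows which uuencode headers the fragment matches in base64 form (only modes starting with 6, and only when "begin" falls on a 3-byte boundary of the base64 stream), and compares that with the shortened signature Stu mentions and with a check on the decoded attachment instead. The header strings and file names are constructed for the demonstration.

```python
import base64
import re
from typing import Optional

# Base64 fragment quoted in the thread.
SIGNATURE = "YmVnaW4gNj"
# "begin " alone is 6 bytes, i.e. exactly 8 base64 characters, so dropping the
# last two characters of the signature matches any permission mode.
ANY_MODE_SIGNATURE = SIGNATURE[:8]

# uuencode header once decoded: "begin", three octal permission digits, a
# space, then the file name.
UUENCODE_HEADER = re.compile(rb"^begin [0-7]{3} \S")


def decode_partial_base64(fragment: str) -> bytes:
    """Decode a base64 fragment, discarding the trailing incomplete byte."""
    # A length of 1 mod 4 carries no complete byte in its last character.
    if len(fragment) % 4 == 1:
        fragment = fragment[:-1]
    padded = fragment + "=" * (-len(fragment) % 4)
    return base64.b64decode(padded)


def signature_hits(signature: str, attachment: bytes) -> bool:
    """True if the base64 encoding of the attachment starts with the signature.

    Note: this is what a raw-MIME signature sees. The match depends on the
    header starting at offset 0 of the encoded part, since base64 works in
    3-byte groups; anything shifting it by one or two bytes changes every
    character of the encoded text.
    """
    return base64.b64encode(attachment).decode("ascii").startswith(signature)


def uuencode_mode(decoded: bytes) -> Optional[str]:
    """Return the octal mode field if the decoded data starts with a uuencode header."""
    if UUENCODE_HEADER.match(decoded):
        return decoded[6:9].decode("ascii")
    return None


if __name__ == "__main__":
    print(decode_partial_base64(SIGNATURE))  # b'begin 6'
    for header in (b"begin 644 sample.exe", b"begin 444 sample.exe", b"begin 755 sample.exe"):
        print(header, signature_hits(SIGNATURE, header), signature_hits(ANY_MODE_SIGNATURE, header),
              uuencode_mode(header))
```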
