On Fri, 2004-09-17 at 16:21, Daniel Lord wrote:
> Those signatures don't catch the poc xploit found at
> http://www.gulftech.org/?node=downloads. But maybe it's better to
> leave this alone till there are real worms etc. to produce good
> signatures. At the moment clamav sigs don't seem good enough to
> catch this. (No support for absolute offsets)

Yes, looking at the file there is more than one comment section, and it
is the second that uses the exploit.  It stands to reason that since
there is some flexibility in the file format, a signature that
doesn't account for that flexibility (by looking for the comment at a
certain offset, e.g.) could be easily avoided by the exploit writers.  I
wouldn't rely on finding very much at all, only the ffd8 at the start of
the file and the ffe0 000[01] exploit (the poc doesn't even have the
APP0 marker until some way in).  Clearly without the ability to anchor
the ffd8 to the start of the file a useful signature is impossible.

BMRB International 
+44 (0)20 8566 5000

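As an added illustration of the anchoring point above (example code written for this note, not from the thread, ClamAV or the PoC author): a segment walker anchored at the ff d8 SOI marker flags a length field smaller than the 2 bytes it occupies wherever that segment sits, while a naive fixed-offset check only sees one placed right after SOI. The sample byte strings are constructed here, not taken from any real file.

```python
import struct

# Markers with no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def walk_jpeg_segments(data: bytes):
    """Yield (offset, marker, length) per segment, anchored at SOI; stop at SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing ff d8 at offset 0")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            yield (start, marker, None)
            if marker == 0xD9:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield (start, marker, length)
        if marker == 0xDA or length < 2:  # scan data follows / cannot advance
            return
        pos += length

def find_bad_lengths(data: bytes):
    """Segments whose length field is below the 2 bytes it occupies,
    wherever they sit in the header rather than at one fixed offset."""
    return [(o, m, n) for o, m, n in walk_jpeg_segments(data)
            if n is not None and n < 2]

def fixed_offset_sig(data: bytes) -> bool:
    """Naive signature: a marker right after SOI with a length of 0 or 1."""
    return data[:3] == b"\xff\xd8\xff" and data[4:6] in (b"\x00\x00", b"\x00\x01")

def seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a well-formed header, and one whose *second* comment
# segment (ff fe), some way in, carries a zero length. The fixed-offset check misses it.
JFIF = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD = b"\xff\xd8" + JFIF + seg(0xFE, b"a comment") + b"\xff\xd9"
BAD = b"\xff\xd8" + JFIF + seg(0xFE, b"first comment") + b"\xff\xfe\x00\x00" + b"\xff\xd9"
```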
Clamav-users mailing list
