On Wed, 29 Sep 2004, Dennis Peterson wrote:
Anyone got a plan for when encrypted zip'd jpeg files start showing up?
Either start a "password greper/parser" which should be able to be updated to recognize new formats in a non-executable way (regex or something) included in the sigs to rip \w+ out of images and html. If it's a passworded zip we can forward what we think the password is into the decompressor.
I was under the impression that zip passwords could easily be cracked. If that is the case, we could just crack them all and scan the contents. Of course, CPU time would go way up for the password cracking.
Could start to make a profile of the zips too and ship 'em in with a signature. Remember that you can still read the CRC of the files within the encrypted zip and the filename would probably follow a strict format like IMG001.jpg to keep it looking innocent. Yes, I am almost talking about bayes virus detection and I think that is where we (the antivirus industry) will end up in the future otherwise we will never be proactive.
/me waits for a polymorphic jpeg
I was just looking into the reason for false positives with the previous jpeg signature, and discovered it's due to detecting bytes *within* the comment sections of the jpegs. So there goes our simple rule for detecting all possible jpeg malware... now we have to write rules for each case (and accept the associated risk of FPs). A polymorphic jpeg would kill us right now. And the rules:
Exploit.JPEG.Comment.1:5:0:ffd8ffe0{-2048}fffe00(00|01){-4096}ffd9
Exploit.JPEG.Comment.2:5:0:ffd8fffe{-8192}fffe00(00|01){-10240}ffd9
imply that two polymorphic jpegs (one that is around 4k, another that is around 10k) already exist. Both of those rules have some chance of a false positive. Only the third rule:
Exploit.JPEG.Comment.3:5:0:ffd8fffe00(00|01)
is 100% safe. (Note that I work for the Imaging Technology Group, so a false positive on a jpeg would be a Very Bad Thing. And even a 0.01% failure rate is bad when you have 1765217 jpegs.)
Of course, one option would be to handle a .jpg in the same way as a .zip, .tar, etc and actually look at it with an understanding of the file format. That means not scanning the comments themselves, only the data headers. Of course, that means writing an entire scanning module just for .jpg files. This does NOT scale well.
... It's interesting that viruses are finally starting to implement what we were joking about in 1995 at high school...
I'm impressed with how far we've come. Less than a year ago, I could most email viruses with simple procmail scripts. Now even antivirus products are having difficulty keeping up with the threats.
Damian Menscher --
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
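Added illustration of the two approaches contrasted in Damian's message (this is editor-written example code, not from the thread, from ClamAV, or from any of the posters). It walks a JPEG by its segment headers, so a comment's payload is skipped by its declared length and never pattern-matched, and flags only a COM/APPn header whose length field is below 2 (the field counts its own two bytes, so that is never valid). Beside it, the three rule bodies from the thread are turned into structure-blind byte regexes, assuming the rule syntax reads as name:target:offset:hex with offset 0 anchoring the match at the start of the file, `{-n}` meaning up to n arbitrary bytes, and `(aa|bb)` an alternation. The three sample files are constructed header skeletons, not decodable images; the one whose comment text happens to contain the bytes ff fe 00 00 reproduces the false positive described above.

```python
"""JPEG comment-marker check: structural walk vs. naive byte signatures.
Added example; not code from the thread or from ClamAV."""
import re
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0-7, SOI, EOI
NO_LENGTH = {0x01, *range(0xD0, 0xD8), SOI, EOI}


def walk_segments(data):
    """Return [(marker, length_field or None, payload_offset)] up to SOS/EOI,
    reading only segment headers and stepping over payloads by their length."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    segs, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker in NO_LENGTH:
            segs.append((marker, None, pos))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        segs.append((marker, length, pos + 2))
        # The length field counts its own two bytes, so anything below 2 is
        # invalid; stop here because there is no sane way to advance.
        if length < 2 or marker == SOS:
            break
        pos += length
    return segs


def structural_findings(data):
    """Flag only malformed headers; comment payload bytes are never inspected."""
    try:
        return [f"marker 0x{m:02X} declares length {n} (< 2)"
                for m, n, _ in walk_segments(data) if n is not None and n < 2]
    except ValueError as err:
        return [f"malformed: {err}"]


def hex_sig_to_regex(hexsig):
    """Translate a rule's hex body into a bytes-regex source string. Assumed
    semantics: {-n} = up to n bytes, {n-} = at least n, {n} = exactly n,
    (aa|bb) = alternation."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "{":
            j = hexsig.index("}", i)
            spec = hexsig[i + 1:j]
            if spec.startswith("-"):
                out.append(f".{{0,{int(spec[1:])}}}")
            elif spec.endswith("-"):
                out.append(f".{{{int(spec[:-1])},}}")
            else:
                out.append(f".{{{int(spec)}}}")
            i = j + 1
        elif hexsig[i] == "(":
            j = hexsig.index(")", i)
            alts = [hex_sig_to_regex(a) for a in hexsig[i + 1:j].split("|")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
        else:
            out.append("\\x" + hexsig[i:i + 2])
            i += 2
    return "".join(out)


RULES = {  # rule bodies exactly as posted in the thread; offset 0 = file start
    "Exploit.JPEG.Comment.1": "ffd8ffe0{-2048}fffe00(00|01){-4096}ffd9",
    "Exploit.JPEG.Comment.2": "ffd8fffe{-8192}fffe00(00|01){-10240}ffd9",
    "Exploit.JPEG.Comment.3": "ffd8fffe00(00|01)",
}
COMPILED = {name: re.compile(hex_sig_to_regex(body).encode("ascii"), re.DOTALL)
            for name, body in RULES.items()}


def naive_hits(data):
    """Names of rules whose byte pattern matches from offset 0, structure-blind."""
    return [name for name, rx in COMPILED.items() if rx.match(data)]


def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed header skeletons (not decodable images), for the comparison only.
APP0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN_JPEG = b"\xff\xd8" + APP0 + _seg(COM, b"shot by camera") + b"\xff\xd9"
# A legal comment whose payload happens to contain ff fe 00 00: the byte rule
# fires inside the comment, which is the false positive described in the thread.
FP_JPEG = b"\xff\xd8" + APP0 + _seg(COM, b"meta:\xff\xfe\x00\x00end") + b"\xff\xd9"
# A COM header declaring length 0, which no valid encoder produces.
BAD_JPEG = b"\xff\xd8\xff\xfe\x00\x00" + b"A" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("fp", FP_JPEG), ("bad", BAD_JPEG)):
        print(label, "naive:", naive_hits(blob), "structural:", structural_findings(blob))
```

Running it shows the trade-off in one screen: the byte rule matches the clean-but-unlucky comment (rule 1) and the structural walk does not, while the file with a zero-length COM header is caught by both. The structural check costs a small walker per format, which is exactly the scaling objection raised above, but it is the only one of the two that cannot be made to fire by bytes inside a comment.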
