On Wed, 3 Nov 2004, Brian Morrison wrote:
> > In reality, we should never see a src > 586 bytes long. It's just
> > sane html to say keep it restricted.
>
> But do the writers of malware only produce sane html? I suspect not.

That's exactly what I mean. Any iframe with a src={256,} in an email message is definitely suspect. The working exploit found here http://www.k-otik.com/exploits/20041102.InternetExploiter.htm.php uses a 256 byte src=. I've set up our mailserver to mark these types of messages as an nsc/exploit.iframe virus for the short term.

My clam signature writing skills are obviously lacking or I would have created a sig to pick this up (and it's late and I'm tired ;).

I still believe that in the next month we will see the exploit used much more widely and I truly hope I'm wrong for the poor Outlook users out there.

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
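
The heuristic described in the message above (treat any iframe whose src is 256 or more characters as suspect), as an added example that is not part of the original post and is not a ClamAV signature: a Python check over the decoded HTML parts of a message. The names `SRC_LIMIT`, `IframeSrcScanner`, `overlong_iframe_srcs` and `build_sample` are assumptions of this example, and the sample messages are constructed with harmless filler.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

SRC_LIMIT = 256  # threshold from the post: an iframe src this long is suspect


class IframeSrcScanner(HTMLParser):
    """Records the length of every iframe src at or over the limit."""

    def __init__(self, limit):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names, so <IFRAME SRC=...> is matched too.
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value and len(value) >= self.limit:
                    self.hits.append(len(value))


def overlong_iframe_srcs(raw_message, limit=SRC_LIMIT):
    """Return src lengths of suspect iframes in all text/html parts."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        try:
            html = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError):  # unknown or broken charset
            html = (part.get_payload(decode=True) or b"").decode("latin-1")
        scanner = IframeSrcScanner(limit)
        scanner.feed(html)
        scanner.close()
        hits.extend(scanner.hits)
    return hits


def build_sample(src_len, cte=None):
    """Constructed message: harmless filler of src_len chars as the src."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text part")
    html = '<html><body><IFRAME SRC="%s"></IFRAME></body></html>' % ("A" * src_len)
    msg.add_alternative(html, subtype="html", cte=cte)
    return msg.as_bytes()
```

The check runs on the decoded part because a transfer encoding such as quoted-printable or base64 breaks the long src across lines in the raw message, where a pattern applied to the undecoded bytes would not see it as one value.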