We do stuff like this in our "badfiles" package.
Straight from the online help in the product:
"it collects file transmission bytestreams from compatible network
protocol state machines and performs quick decoding on file formats that
have been used as exploit transmission vectors, thus treating the file
format itself as a network data protocol"
So take, for example, how this worked for the recent wmf flaws:
"This backend examines the file header structures of 32-bit Enhanced
Metafiles and 16-bit Windows Metafiles, including the popular Aldus
Placeable Metafile variety. In addition to validating the header
structures of these metafiles, this backend can also examine the
individual GDI graphics rendering commands that are contained within the
metafile by enabling the INSPECT_GDI toggle value. This is especially
important when discussing attacks of the style demonstrated by..."
the help file continues for quite a while, but you get the picture.
NFR users can read the actual ".nfr" file to see the actual code that we
wrote to do the analysis. It's our own language called N-Code, so end
users could theoretically write additional checks for other types of
viruses if you really wanted to. In all, it was about 3300 lines of code
(wc -l *.nfr) to rip apart and monitor most of the recent major attack
vectors such as .jpg, .gif, .wmf, .riff, .png, etc. 3300 is probably on
the high side, since that probably includes a lot of inline comments in
the code.
Keep in mind, this stuff is extremely processor intensive. On
multi-gigabit networks we had to move away from the x86 model to achieve
real performance.
Hope this helps,
David W. Goodrum, CEH
(nfr)(security)
http://www.nfr.com
(M)703.731.3765
(O)240.747.3425
(F)240.632.0200
[EMAIL PROTECTED] wrote:
Hi,
How can I write a signature for a virus which is coming as an
attachment? The attachment may be done by using base64 or binhex encoding.
Do I have to create a signature for each type?
Has anybody implemented the idea of decoding the attachment (IDS) and
then parsing the file to look for some pattern?
Regards,
Babu
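The two pieces Babu asks about and David describes (undo the transfer encoding on the attachment, then treat the file format itself as a protocol: validate the header structures and walk the individual GDI records, with an inspect-GDI toggle) can be put together in a short Python script. This is an added example, not NFR's N-Code or any code from the thread; it uses the published WMF layouts (the 22-byte Aldus placeable header with its XOR checksum, the 18-byte WMF header, and records as a DWORD size in words plus a WORD function code). The MIME message and the sample metafiles are constructed inline rather than captured from traffic.

```python
"""Decode a base64 MIME attachment, then validate WMF header structures and walk its GDI records.
Added example for the thread above; not NFR code. Sample files and mail are constructed here."""
import struct
from email import message_from_bytes
from email.message import EmailMessage

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable metafile header key (first DWORD)
META_EOF = 0x0000                # record function code that terminates the metafile
META_ESCAPE = 0x0626             # escape records pass data through to the device driver


def extract_attachments(raw_mail: bytes) -> list[tuple[str, bytes]]:
    """Return (filename, bytes) per attachment; decode=True undoes base64/quoted-printable."""
    out = []
    for part in message_from_bytes(raw_mail).walk():
        if part.get_content_maintype() != "multipart" and part.get_filename():
            out.append((part.get_filename(), part.get_payload(decode=True)))
    return out


def check_wmf(data: bytes, inspect_gdi: bool = False) -> list[str]:
    """Validate the optional placeable header, the WMF header, and every record's bounds."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        xor = 0
        for w in struct.unpack_from("<10H", data, 0):      # checksum = XOR of the first 10 WORDs
            xor ^= w
        if xor != struct.unpack_from("<H", data, 20)[0]:
            findings.append("placeable header checksum mismatch")
        off = 22
    if len(data) < off + 18:
        return findings + ["truncated WMF header"]
    mtype, hsize, ver, size_lo, size_hi, _nobj, _maxrec, _nmem = struct.unpack_from("<HHHHHHIH", data, off)
    if mtype not in (1, 2):                                # 1 = memory metafile, 2 = disk metafile
        findings.append(f"bad metafile type {mtype}")
    if hsize != 9:                                         # header size is fixed at 9 words
        findings.append(f"bad header size {hsize} words")
    if ver not in (0x0100, 0x0300):
        findings.append(f"bad version {ver:#06x}")
    if ((size_hi << 16) | size_lo) * 2 > len(data) - off:
        findings.append("declared file size exceeds data present")
    pos, saw_eof = off + 18, False
    while pos + 6 <= len(data):                            # record = DWORD size (words) + WORD function
        rsize, func = struct.unpack_from("<IH", data, pos)
        if rsize < 3 or pos + rsize * 2 > len(data):
            findings.append(f"record {func:#06x} at {pos} has size {rsize} words, out of bounds")
            break
        if inspect_gdi and func == META_ESCAPE:            # the INSPECT_GDI-style toggle: surface escapes
            findings.append(f"escape record at {pos}")
        if func == META_EOF:
            saw_eof = True
            break
        pos += rsize * 2
    if not saw_eof:
        findings.append("no EOF record")
    return findings


def scan_mail(raw_mail: bytes, inspect_gdi: bool = True) -> dict[str, list[str]]:
    """Per attachment: sniff for a WMF (placeable key or bare header) and validate it."""
    report = {}
    for name, data in extract_attachments(raw_mail):
        is_wmf = len(data) >= 4 and (struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY
                                     or struct.unpack_from("<HH", data, 0) in ((1, 9), (2, 9)))
        report[name] = check_wmf(data, inspect_gdi) if is_wmf else ["not a WMF metafile"]
    return report


# --- constructed samples (not real captures) ---
def build_wmf(records: list[tuple[int, bytes]]) -> bytes:
    """Minimal placeable WMF: placeable header + WMF header + given records + EOF record."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0,
                      max([3] + [(6 + len(p)) // 2 for _, p in records]), 0)
    place = struct.pack("<IHhhhhHI", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    xor = 0
    for w in struct.unpack("<10H", place):
        xor ^= w
    return place + struct.pack("<H", xor) + hdr + body


def build_mail(filename: str, payload: bytes) -> bytes:
    """Wrap the payload as a base64 attachment the way a mail client would."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


GOOD_WMF = build_wmf([(0x0103, b"\x01\x00")])             # META_SETMAPMODE(MM_TEXT), then EOF
BAD_WMF = bytearray(GOOD_WMF)
struct.pack_into("<I", BAD_WMF, 40, 0x1000)                # inflate the first record's size past the data
BAD_WMF = bytes(BAD_WMF)

if __name__ == "__main__":
    print(scan_mail(build_mail("good.wmf", GOOD_WMF)))
    print(scan_mail(build_mail("bad.wmf", BAD_WMF)))
```

A single record whose declared size runs past the end of the data is enough to fail the file, which is the "file format as a network data protocol" idea: the check is a state machine over record boundaries, not a byte-pattern match, so it does not care whether the attachment arrived as base64, quoted-printable, or raw. The escape-record flag is a heuristic surfaced only when `inspect_gdi` is on, mirroring the toggle the help text describes; a deployment would decide per policy whether such records are merely logged or block the transfer.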
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------