With these, you don't need to run CygWin ports or the Microsoft Windows Services for Unix. Bill Landry put the Declude and Message Sniffer mailing list users on to these a long time ago, and I'm still grateful to him.
Well, I am grateful and frustrated at times, because it can do so much
and I have such a hard time getting the results I want!
Bill,
As I recall you were putting together a group of neat scripts to run
against our logs - did that ever happen and I missed it? It sure would
be helpful... !
Thanks
-Nick
I did some speed tests a long time ago, and found that the grep tool mentioned above was an order of magnitude faster than the find.exe that comes with Windows.
John T:
Sorry, you were probably viewing the output with NotePad. I use a different editor that accommodates CR or CR/LF as the end-of-line sequence. Good old edit and WordPad will do the trick. So will using "less.exe" instead of piping to "more".
Markus:
Great tip, I just might make that part of my standard commands anyway.
Matt:
No problem, the .UU part of the search will also find all the lines that mention the .UUE format.
Andrew 8)
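The log search Markus describes further down in this thread (grep the Declude logs for the encoded-attachment extensions, then drop the lines a scanner has already explained), as an added example that is not part of the original thread. It runs on constructed Declude-style log lines: the four lines Markus posted plus three made-up ones (queue IDs and wording invented) so the filters have something to exclude and something to miss. The second, anchored pattern is my adjustment, not from the thread: run against Markus's fourth line, the posted pattern actually matches ".B64" inside the MIME boundary "01C6238B.B6472520" rather than the word "MIME", and requiring a non-alphanumeric character after the extension removes that while still catching both ".UU" and ".UUE". The syntax is the same for GNU grep and the Win32 port the thread recommends.

```sh
#!/bin/sh
# Added example (not code from the Declude list thread): grep Declude logs
# for encoded-attachment extensions, then drop lines already attributed to
# a scanner hit. Functions read the log on stdin, so real use is
# "cat *.log | suspicious_lines \"$TIGHT\"".

# sample_log: the thread's four hits plus three constructed lines
# (queue IDs and wording made up) to exercise the filters.
sample_log() {
cat <<'EOF'
01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
01/27/2006 22:10:00.000 qc0ffee00c0ffee00.smd Virus detected: Mywife in [photo.UUE] (constructed)
01/27/2006 22:11:00.000 qdeadbeefdeadbeef.smd Scanned [report.txt]; clean (constructed)
01/27/2006 22:12:00.000 q0123456789abcdef.smd Stripped attachment [data.b64] (constructed)
EOF
}

# The pattern as posted in the thread. Unanchored, so ".UU" also covers
# ".UUE" (as Andrew notes), but ".B64" also fires on the MIME boundary
# "01C6238B.B6472520" in the fourth line, which is not an attachment at all.
BROAD='\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME'

# Tightened form (my adjustment, not from the thread): the extension must
# be followed by a non-alphanumeric character or end of line. POSIX ERE,
# so no \b; this works in GNU and BSD grep alike.
TIGHT='\.(BHX|HQX|B64|UUE?|MIM|MME)([^A-Za-z0-9]|$)'

# count_hits PATTERN: number of stdin lines matching, case-insensitive
count_hits() {
    grep -E -i -c -- "$1"
}

# suspicious_lines PATTERN: matching lines minus those the scanners already
# attributed. Markus filtered on "Kapser" and "Mywife"; same strings here.
suspicious_lines() {
    grep -E -i -- "$1" | grep -v -e Kapser -e Mywife
}

# Stand-alone run: compare the two patterns on the sample, then list what
# is left to review after the known scanner hits are removed.
echo "posted pattern hits:   $(sample_log | count_hits "$BROAD")"
echo "anchored pattern hits: $(sample_log | count_hits "$TIGHT")"
echo "left to review (anchored pattern, scanner hits removed):"
sample_log | suspicious_lines "$TIGHT"
```

On the sample, the posted pattern returns six lines and the anchored one five; the difference is exactly the MIME-boundary line. After removing the scanner-attributed line, four lines remain for manual review, which is the kind of residue Markus reports for a week of logs.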
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Don Brown
Sent: Wednesday, February 01, 2006 7:24 AM
To: Markus Gufler
Subject: Re: [Declude.Virus] Encoded viruses...worried
Off list - what grep do you use or which is the best for a W32 box?
Wednesday, February 1, 2006, 8:40:19 AM, Markus Gufler
<[EMAIL PROTECTED]> wrote:
MG>
MG> I've grep'ed through the logfiles for the last 7 days on my servers
MG>
MG> 2981 lines have sources of "\.BHX|\.HQX|\.B64|\.UU|\.MIM|\.MME"
MG> (ignoring double counts for the second av scanner)
MG>
MG> After filtering out all lines containing "Kapser" and "Mywife"
MG> there remain the following 4 lines
MG>
MG> 01/25/2006 11:46:45.937 q570b9f4500e492b1.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG> 01/26/2006 08:07:23.078 q7525030700d4d05a.smd Found file with mismatched extensions [Attachments00.HQX-Removed Attachment.txt]; assuming .exe
MG> 01/26/2006 08:08:23.890 q755303060132d08f.smd Found file with mismatched extensions [Attachments001.BHX-Removed Attachment.txt]; assuming .exe
MG> 01/27/2006 21:51:19.375 q87bd58b10020b63d.smd Warning: EOF in middle of MIME segment [] [--=_NextPart_001_0008_01C6238B.B6472520]
MG>
MG> This looks very promising that declude is already handling it in
MG> order to catch malicious code inside such attachments.
MG>
MG> Note: the 4th line is listed due to the "MIME"
MG>
MG> Markus
MG>
MG> From: [EMAIL PROTECTED]
MG> [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
MG> Sent: Wednesday, February 01, 2006 3:19 PM
MG> To: Declude.Virus@declude.com
MG> Subject: Re: [Declude.Virus] Encodedviruses...worried
MG>
MG> You know, I was going to ask if you would do a search, but I
MG> figured you might do it anyway :) You did leave out the ".uue"
MG> extension, but I doubt that would have changed your results.
MG> I suppose that if these extensions are hardly ever used
MG> anymore, it might be prudent enough to just watch for the
MG> possibility of the tactic to become widespread and
MG> then take action.
MG> I do have a fair number of Mac users and probably more
MG> overseas traffic than you do, so I think that I am going to have
MG> to search a little on my own. Unfortunately I zip all of my
MG> logs nightly, so it isn't practical to search through
MG> all of them.
MG> Matt
MG> Colbeck, Andrew wrote:
MG>
MG> On the plus side, there are mitigating circumstances...
MG>
MG> First, let me point out that although the antivirus
MG> companies will lag behind the virus authors, the
MG> antivirus guys aren't sleeping.
MG>
MG> For many years, the bad guys have been using encoding
MG> methods and 3rd party applications to obfuscate their software
MG> as a cheaper alternative on their time than writing
MG> polymorphic code whose very technique gave them away.
MG>
MG> PKLite was probably the first 3rd party tool used. I've
MG> recently seen PAK, UPX and FSG... all three of which were
MG> caught by F-Prot because the antivirus guys simply make signatures
MG> for the binary itself, and don't bother including unpacking
MG> methods for all possible compression/encryption methods.
MG> This explains why we have relatively few upgrades on
MG> the engines themselves.
MG>
MG> The F-Prot documentation mentions (I think) only zip
MG> decoding, but we know that it certainly does UPX and RAR decoding
MG> based on issues that have been raised with each (for the
MG> former, pathetic speed and the former, a buffer o