IDS mailing list archives
Re: Writing signatures for e-mail virus attachments
From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Tue, 07 Feb 2006 09:25:26 -0500
We do stuff like this in our "badfiles" package. Straight from the online help in the product: "it collects file transmission bytestreams from compatible network protocol state machines and performs quick decoding on file formats that have been used as exploit transmission vectors, thus treating the file format itself as a network data protocol"
So take for example, how this worked for the recent wmf flaws: "This backend examines the file header structures of 32-bit Enhanced Metafiles and 16-bit Windows Metafiles, including the popular Aldus Placable Metafile variety. In addition to validating the header structures of these metafiles, this backend can also examine the individual GDI graphics rendering commands that are contained within the metafile by enabling the INSPECT_GDI toggle value. This is especially important when discussing attacks of the style demonstrated by..."
the help file continues for quite a while, but you get the picture. NFR users can read the actual ".nfr" file to see the actual code that we wrote to do the analysis. It's our own language called N-Code, so end users could theoretically write additional checks for other types of viruses if you really wanted to. In all, it was about 3300 lines of code (wc -l *.nfr) to rip apart and monitor most of the recent major attack vectors such as .jpg, .gif, .wmf, .riff, .png, etc. 3300 is probably on the high side, since that probably includes a lot of inline comments in the code.
Keep in mind, this stuff is extremely processor intensive. On multi-gigabit networks we had to move away from the x86 model to achieve real performance.
Hope this helps,

David W. Goodrum, CEH
(nfr)(security)
http://www.nfr.com
(M) 703.731.3765 (O) 240.747.3425 (F) 240.632.0200

c_sek_har () yahoo co in wrote:
> Hi,
> How can I write a signature for a virus which is coming as an attachment? The attachment may be encoded using base64 or binhex. Shall I have to create a signature for each type? Has anybody implemented the idea of decoding the attachment (IDS) and then parsing the file to look for some pattern?
>
> Regards,
> Babu

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
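The two-stage pipeline Babu asks about and David describes (undo the transfer encoding first, then parse the decoded file as if the format were a network protocol), written out as an added Python example. This is not NFR's N-Code and not code from anyone in the thread. It assumes the 16-bit Windows Metafile layout (an optional 22-byte Aldus placeable header with an XOR checksum, an 18-byte METAHEADER, then records each made of a DWORD size in 16-bit words plus a WORD function code) and, as its one content check, flags META_ESCAPE records whose sub-function is SETABORTPROC, the construct the December 2005 WMF exploits relied on; the MIME message and metafiles it scans are constructed inline, not captured traffic.

```python
"""Added example: decode a MIME attachment, then validate and walk the WMF it
carries record by record.  All sample data below is constructed."""
import base64
import struct
from email import message_from_bytes

PLACEABLE_KEY = 0x9AC6CDD7     # Aldus placeable header magic (bytes D7 CD C6 9A)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009   # escape sub-function abused by the 2005 WMF exploits


def extract_attachments(raw_mail):
    """Yield (filename, bytes) for every attachment.  get_payload(decode=True)
    undoes whatever Content-Transfer-Encoding the part declares (base64,
    quoted-printable), so one check covers both.  BinHex is a file encoding,
    not a transfer encoding, and would need its own decoder in front."""
    for part in message_from_bytes(raw_mail).walk():
        if part.is_multipart() or part.get_filename() is None:
            continue
        yield part.get_filename(), part.get_payload(decode=True) or b""


def parse_wmf(data):
    """Validate the headers and walk the GDI records.  Returns
    {'placeable': bool, 'records': [function codes], 'alerts': [str]};
    raises ValueError when the METAHEADER itself is not structurally valid."""
    alerts, off, placeable = [], 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off, xor = True, 22, 0
        for w in struct.unpack_from("<10H", data, 0):   # checksum = XOR of first 10 WORDs
            xor ^= w
        if xor != struct.unpack_from("<H", data, 20)[0]:
            alerts.append("placeable header checksum mismatch")
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    mt_type, hdr_words, version, _sz, _nobj, _maxrec, _npar = struct.unpack_from("<HHHIHIH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError(f"bad METAHEADER type={mt_type} hdr={hdr_words} ver={version:#x}")
    off += 18
    records = []
    while off + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, off)   # rd_size counts 16-bit words
        if rd_size < 3:                                           # smaller than its own header
            alerts.append(f"record at {off:#x} has impossible rdSize={rd_size}")
            break
        records.append(rd_func)
        if rd_func == META_EOF:
            break
        if rd_func == META_ESCAPE and off + 10 <= len(data):
            esc_func, esc_len = struct.unpack_from("<HH", data, off + 6)
            if esc_func == ESCAPE_SETABORTPROC:
                alerts.append(f"META_ESCAPE/SETABORTPROC at {off:#x}, {esc_len} payload bytes")
        off += rd_size * 2
    else:
        alerts.append("data ended without a META_EOF record")
    return {"placeable": placeable, "records": records, "alerts": alerts}


def scan_mail(raw_mail):
    """Run parse_wmf over each attachment that looks like a metafile by
    structure rather than by filename; returns {filename: alerts}."""
    findings = {}
    for name, data in extract_attachments(raw_mail):
        looks_placeable = data[:4] == struct.pack("<I", PLACEABLE_KEY)
        looks_bare = data[:2] in (b"\x01\x00", b"\x02\x00") and data[2:4] == b"\x09\x00"
        if not (looks_placeable or looks_bare):
            continue
        try:
            findings[name] = parse_wmf(data)["alerts"]
        except ValueError as exc:
            findings[name] = [f"malformed metafile: {exc}"]
    return findings


# --- constructed sample data --------------------------------------------------
def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from (function, params) pairs and a META_EOF."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_words = max((6 + len(p)) // 2 for _, p in records + [(META_EOF, b"")])
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    if placeable:
        hdr20 = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        xor = 0
        for w in struct.unpack("<10H", hdr20):
            xor ^= w
        header = hdr20 + struct.pack("<H", xor) + header
    return header + body


def build_mail(filename, payload):
    """Wrap payload as a base64 MIME attachment (constructed message)."""
    b64 = base64.b64encode(payload).decode()
    return (
        "From: sender@example.test\r\nTo: victim@example.test\r\nSubject: picture\r\n"
        'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        f'--b1\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n{b64}\r\n--b1--\r\n'
    ).encode()


BENIGN_WMF = build_wmf([(META_SETMAPMODE, b"\x08\x00")])
HOSTILE_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"\x90" * 4)],
                        placeable=True)

if __name__ == "__main__":
    print(scan_mail(build_mail("photo.wmf", BENIGN_WMF)))
    print(scan_mail(build_mail("photo.wmf", HOSTILE_WMF)))
```

The decode step answers the first question in the thread: the signature is written once against the decoded bytes, and the transfer encoding is handled by the MIME layer rather than by a separate pattern per encoding. The record walk is where format-level checks plug in; adding more of them is also where the cost David mentions comes from, since every record of every attachment has to be parsed rather than pattern-matched.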
Current thread:
- Writing signatures for e-mail virus attachments c_sek_har (Feb 06)
- Re: Writing signatures for e-mail virus attachments lucien Fransman (Feb 07)
- Re: Writing signatures for e-mail virus attachments David W. Goodrum (Feb 07)
- <Possible follow-ups>
- Re: Writing signatures for e-mail virus attachments anonymous (Feb 07)
- RE: Writing signatures for e-mail virus attachments Matthew Conover (Feb 13)