Focus on Virus
Re: blocking BHX files with MIME May 17 2006 06:17PM
lsi (stuart cyberdelix net) (1 replies)
Peter,

Good call. A quick search suggests that BinHex is a form of
UUencoding, i.e. uuencode for Mac... so I agree the sig might miss
some attachments.

I don't have any other samples, though, and since my policy is to only
filter on strings in use by malware, not the full set of theoretical
strings malware might use, I don't think I'll change the sig just
yet.

I don't filter on the full set because if the string is not in use,
there's no need to slow my filter down looking for something that's
not there.

You're right though, if some virus starts using 'begin 4', I will
need to remove a few characters from the end of the string.

Stu

On 17 May 2006 at 3:33, Peter Kosinar wrote:

> > YmVnaW4gNj
>
> Is it really the BHX (=BinHex) file format? Decoding the MIME sequence
> yields "begin 6" (+one incomplete character), which looks very similar to
> the UUE format. If it is actually UUE, the signature might be a bit too
> weak because a perfectly valid UUEncoded file could start with "begin 4"
> or "begin 7" or any other octal digit, as the three octal digits following
> "begin" specify the permissions of the encoded file.

---
Stuart Udall
stuart (at) cyberdelix (dot) net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)
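The two points raised in this exchange, that "YmVnaW4gNj" only matches "begin 6" plus the high nibble of the next mode digit, and that the same uuencode header encodes to a completely different base64 string once anything precedes it in the MIME part, can both be checked mechanically. The following is an added example, not code from either poster: it derives the three alignment-independent base64 fragments for "begin " (one per byte offset mod 3), constructs a few uuencoded sample attachments with different modes and leading bytes, and runs the original narrow signature and the widened set over them. The function names (`base64_signatures`, `find_signature`, `uuencoded_attachment`) and the sample attachments are assumptions made for the example; the payload bytes are constructed and are not malware.

```python
import base64
import binascii
import math
import re
from typing import List, Optional

# Added example for the discussion above; names and samples are assumptions.
# The signature from the thread: base64 of "begin 6" plus the high nibble of
# the next byte, so it matches "begin 6x" at byte offset 0 mod 3 only.
ORIGINAL_SIG = "YmVnaW4gNj"


def base64_signatures(marker: bytes) -> List[str]:
    """Base64 fragments that match `marker` at each of the three possible
    alignments of its first byte inside a 3-byte input group.

    Base64 turns 3 bytes into 4 characters, so the encoding of a substring
    depends on its byte offset mod 3. Only output characters whose six input
    bits lie entirely inside the marker are kept; the edge characters that
    also depend on the unknown neighbouring bytes are dropped.
    """
    sigs = []
    for phase in range(3):
        padded = b"\x00" * phase + marker       # marker now starts at byte offset `phase`
        enc = base64.b64encode(padded).decode("ascii")
        first_bit = 8 * phase
        last_bit = 8 * (phase + len(marker))    # exclusive
        start = math.ceil(first_bit / 6)        # first output char wholly inside the marker
        end = last_bit // 6                     # one past the last such char
        sigs.append(enc[start:end])
    return sigs


def uuencode_header_signatures() -> List[str]:
    """Signatures for a uuencode header 'begin ' at all three alignments.
    Matching only 'begin ' (not the octal mode) catches 644, 755, 4xx, etc."""
    return base64_signatures(b"begin ")


def find_signature(body: str, sigs: List[str]) -> Optional[str]:
    """Return the first signature present in a MIME base64 body, or None.
    Whitespace is stripped first: MIME wraps base64 at 76 columns, and a line
    break can otherwise split a signature in two."""
    flat = re.sub(r"\s+", "", body)
    for sig in sigs:
        if sig in flat:
            return sig
    return None


def mime_base64(payload: bytes) -> str:
    """Encode bytes the way a MIME base64 body part looks (76-char lines)."""
    return base64.encodebytes(payload).decode("ascii")


def uuencoded_attachment(mode: str, name: str, data: bytes) -> bytes:
    """Constructed sample: a minimal uuencoded file with the given mode."""
    lines = [b"begin %s %s\n" % (mode.encode("ascii"), name.encode("ascii"))]
    for i in range(0, len(data), 45):           # uuencode carries at most 45 bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]))
    lines.append(b"`\nend\n")
    return b"".join(lines)


# Constructed samples (not real malware): the same fake executable bytes,
# uuencoded with different modes and with/without bytes in front of the header.
FAKE_EXE = b"MZ" + bytes(range(60))
SAMPLE_644_AT_START = mime_base64(uuencoded_attachment("644", "report.exe", FAKE_EXE))
SAMPLE_755_AT_START = mime_base64(uuencoded_attachment("755", "report.exe", FAKE_EXE))
SAMPLE_644_OFFSET_1 = mime_base64(b"\n" + uuencoded_attachment("644", "report.exe", FAKE_EXE))
SAMPLE_644_OFFSET_2 = mime_base64(b"\r\n" + uuencoded_attachment("644", "report.exe", FAKE_EXE))


if __name__ == "__main__":
    widened = uuencode_header_signatures()
    print("alignment-independent signatures for 'begin ':", widened)
    samples = [
        ("mode 644, header at offset 0", SAMPLE_644_AT_START),
        ("mode 755, header at offset 0", SAMPLE_755_AT_START),
        ("mode 644, one byte before header", SAMPLE_644_OFFSET_1),
        ("mode 644, two bytes before header", SAMPLE_644_OFFSET_2),
    ]
    for label, body in samples:
        print(f"{label:36} original: {find_signature(body, [ORIGINAL_SIG])!s:12} "
              f"widened: {find_signature(body, widened)}")
```

Running it shows the original string catching only the first sample: a 755 header, or a 644 header preceded by a single newline, slips past it, while the three derived fragments catch all four. The cost of the wider match is exactly the one Stu weighs above: three short substrings to search instead of one, and a match on any uuencoded attachment rather than only those using the observed mode.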

Copyright 2010, SecurityFocus