On Fri, 17 Sep 2004 17:21:26 +0200 Daniel Lord <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> On Fri, Sep 17, 2004 at 03:31:25PM +0200, Daniel Lord wrote:
> > those two are valid and (IMHO) catch the xploit in JFIF and EXIF but
> > may also produce false positives. Just test them.
>
> Those signatures don't catch the poc xploit found at
> http://www.gulftech.org/?node=downloads. But maybe it's better to
> leave this alone till there are real worms etc. to produce good
> signatures. At the moment clamav sigs don't seem good enough to
> catch this. (No support for absolute offsets)

The current CVS version (Sat Sep 18 01:13:21 CEST 2004 (tk)) supports offset and type specification. The new signature format is:

VirusName:TargetType:Offset:HexSignature

where TargetType is a decimal number:

0 = any file
1 = EXE
2 = OLE2
3 = HTML (normalised)
4 = Mail file
5 = Graphics (to help catching exploits in JPEG files)

Offset is an asterisk or a decimal number n eventually combined with a special string:

* = any
n
EOF-n = End of file - n bytes

Executables only:

EP+n = Entry point + n bytes (EP+0 if you want to anchor to EP)
Sx+n = Start of section's x (counted from 0) data + n bytes

All signatures in the above format must be placed in *.ndb files.

-- 
   oo    .....              Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........            http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._          0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\             Sat Sep 18 01:17:08 CEST 2004
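A small parser and matcher for the .ndb signature format described in the message above, added here as an example (it is not ClamAV's own code). It implements the Offset forms that apply to any file type ("*", n, EOF-n) and rejects the executable-only EP+n and Sx+n anchors; the sample JPEG bytes and the signature names are constructed, and the hex body is assumed to be plain hex without ClamAV wildcards.

```python
import re

# Target types from the message; only 0 (any) and 5 (graphics) are used below.
TARGET_NAMES = {0: "any", 1: "EXE", 2: "OLE2", 3: "HTML", 4: "Mail", 5: "Graphics"}
OFFSET_RE = re.compile(r"\*|\d+|EOF-\d+|EP\+\d+|S\d+\+\d+")

def parse_ndb_line(line: str) -> tuple[str, int, str, bytes]:
    """Split VirusName:TargetType:Offset:HexSignature into typed fields.
    Assumption: the hex body is plain hex (no ClamAV wildcards)."""
    parts = line.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields: {line!r}")
    name, target, offset, hexsig = parts
    if int(target) not in TARGET_NAMES:
        raise ValueError(f"unknown TargetType {target!r}")
    if not OFFSET_RE.fullmatch(offset):
        raise ValueError(f"bad Offset spec {offset!r}")
    return name, int(target), offset, bytes.fromhex(hexsig)

def matches(sig: tuple[str, int, str, bytes], data: bytes) -> bool:
    """True if the pattern sits where the Offset field demands."""
    _name, _target, offset, pattern = sig
    if offset == "*":                      # anywhere in the file
        return pattern in data
    if offset.startswith(("EP+", "S")):    # executable-only anchors
        raise NotImplementedError("EP+n and Sx+n need the executable's headers")
    if offset.startswith("EOF-"):          # counted back from the end of file
        start = len(data) - int(offset[4:])
    else:                                  # absolute offset from file start
        start = int(offset)
    return start >= 0 and data[start:start + len(pattern)] == pattern

# Constructed sample: the SOI/APP0 "JFIF" header of a JPEG, padding, and the
# EOI marker. Not a real exploit file.
SAMPLE_JPEG = (bytes.fromhex("ffd8ffe000104a46494600010100")
               + b"\x00" * 16 + bytes.fromhex("ffd9"))

SIGS = [parse_ndb_line(l) for l in (
    "Test.JFIF.Header:5:6:4a464946",   # "JFIF" must sit at absolute offset 6
    "Test.JPEG.EOI:5:EOF-2:ffd9",      # EOI marker in the last two bytes
    "Test.Anywhere:0:*:0100",          # any file type, any position
)]

def scan(data: bytes, sigs=SIGS) -> list[str]:
    """Names of every signature that matches data, in .ndb order."""
    return [sig[0] for sig in sigs if matches(sig, data)]
```

Prepending a single byte to the sample shifts the JFIF string away from offset 6, so the absolute-offset signature stops matching while the EOF-anchored and "*" signatures still do.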