I'm just playing about with this and I can't seem to get it to work quite the way I expect. I've created two signatures, to match the jpeg exploit we discussed recently. My idea is that although the signature is very small it minimises false positives by being restricted to graphics files and then looking for the jpeg magic number at the start of the file. Since we established the other day that the four byte sequence that triggers the exploit can't appear in a genuine jpeg this should be okay. Anyway, I created signatures in local.ndb as follows...
Exploit.Jpeg.comment.1:5:0:ffd8*fffe0000
Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001

And tried scanning the exploit sample from here: http://www.gulftech.org/?node=downloads

Nothing! Trying again with --debug I see this message:

LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.2)
LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.1)

I only seem able to get this to work by changing the target type in the sig to 0, i.e.

Exploit.Jpeg.comment.1:0:0:ffd8*fffe0000
Exploit.Jpeg.comment.2:0:0:ffd8*fffe0001

At which point it all works, but surely it should work with a target type of 5?

BTW. I tried both scanning the jpg and a message containing it, same result.

BTW2. Symantec is now detecting this exploit as Bloodhound.exploit.13

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
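The following is an added illustration, not code from the ClamAV project or from the poster: a small matcher that reads NDB lines in the shape the post uses (Name:TargetType:Offset:HexSignature) and applies them to constructed byte samples. It assumes the target-type gate behaves the way the post expects (0 = any file, 5 = graphics file), replaces ClamAV's real file-type detection with a stand-in that only recognises the JPEG magic bytes, and treats `*` in the hex body as "any run of bytes". The internal type numbers seen in the debug output (501/514) are not modelled; the point is to show how the target type, the offset and the wildcard interact, and why a non-graphics file never reaches the hex comparison.

```python
"""Toy NDB-style signature matcher (added example; not ClamAV code).

NDB line:  MalwareName:TargetType:Offset:HexSignature
  TargetType  0 = any file, 5 = graphics file   (assumed, as in the post)
  Offset      decimal byte offset, or '*' for "anywhere in the file"
  HexSig      hex byte string; '*' matches any number of bytes
"""
import re

# The two signatures from the post, exactly as written in local.ndb.
SIGNATURES = [
    "Exploit.Jpeg.comment.1:5:0:ffd8*fffe0000",
    "Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001",
]

# Constructed sample inputs (not real files, not the gulftech sample):
JFIF_HEADER = bytes.fromhex("ffd8ffe000104a46494600")          # SOI + APP0 "JFIF"
# JPEG whose COM (0xfffe) marker carries the length field the signature looks for.
SAMPLE_MALFORMED = JFIF_HEADER + bytes.fromhex("fffe0000") + b"A" * 16
# JPEG whose COM marker carries an ordinary length (0x0010); should not match.
SAMPLE_BENIGN = JFIF_HEADER + bytes.fromhex("fffe0010") + b"B" * 14 + bytes.fromhex("ffd9")
# Plain text that spells the hex out in ASCII; not a graphics file at all.
SAMPLE_TEXT = b"ffd8 fffe0000 written as ASCII text, not as bytes"


def parse_ndb(line):
    """Split one NDB line into its four fields."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def hexsig_to_regex(hexsig):
    """Turn 'ffd8*fffe0000' into a bytes regex: literal bytes joined by a lazy wildcard."""
    tokens = hexsig.split("*")
    literals = [re.escape(bytes.fromhex(t)) if t else b"" for t in tokens]
    return b".*?".join(literals)


def detect_type(data):
    """Stand-in for ClamAV's file typing (assumption): JPEG magic -> 5, anything else -> 0."""
    return 5 if data.startswith(b"\xff\xd8") else 0


def scan(data, signatures):
    """Return the names of all signatures that apply to and match `data`."""
    ftype = detect_type(data)
    hits = []
    for line in signatures:
        sig = parse_ndb(line)
        # Target type gate: a non-zero target only applies to files of that type.
        if sig["target"] != 0 and sig["target"] != ftype:
            continue
        pattern = re.compile(hexsig_to_regex(sig["hexsig"]), re.DOTALL)
        if sig["offset"] == "*":
            found = pattern.search(data) is not None
        else:
            # Fixed offset: the pattern must start exactly at that byte.
            found = pattern.match(data, int(sig["offset"])) is not None
        if found:
            hits.append(sig["name"])
    return hits


if __name__ == "__main__":
    for label, sample in [("malformed", SAMPLE_MALFORMED),
                          ("benign", SAMPLE_BENIGN),
                          ("text", SAMPLE_TEXT)]:
        print(f"{label:9s} type={detect_type(sample)} hits={scan(sample, SIGNATURES)}")
```

Running it shows the malformed sample hitting `Exploit.Jpeg.comment.1` only, the benign JPEG hitting nothing, and the text sample being skipped before any byte comparison because its detected type is not 5; rewriting the signatures with target type 0, as the post tried, removes that gate, so whether the real scanner fires then depends only on what its own type detection reports for the file.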