On Wed, 29 Sep 2004, Dennis Peterson wrote:

> Anyone got a plan for when encrypted zip'd jpeg files start showing up?
>
> dp
> _______________________________________________
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Either start a "password grepper/parser" which should be able to be updated to recognize new formats in a non-executable way (regex or something) included in the sigs to rip \w+ out of images and html. If it's a passworded zip we can forward what we think the password is into the decompressor. Could start to make a profile of the zips too and ship 'em in with a signature. Remember that you can still read the CRC of the files within the encrypted zip and the filename would probably follow a strict format like IMG001.jpg to keep it looking innocent.

Yes, I am almost talking about bayes virus detection and I think that is where we (the antivirus industry) will end up in the future otherwise we will never be proactive.

/me waits for a polymorphic jpeg ...

It's interesting that viruses are finally starting to implement what we were joking about in 1995 at high school...

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
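The point above that an encrypted ZIP still exposes each member's filename and CRC-32 in cleartext, as an added example (not from the original post and not ClamAV code): a walker over the ZIP central directory that builds a name/CRC profile for an archive without decrypting anything. The single-entry sample archive, the IMG\d{3}.jpg name pattern and the set of "known" CRCs are all constructed here for illustration.

```python
import re
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50

def build_sample_zip(name: bytes, plaintext: bytes, encrypted: bool) -> bytes:
    """Constructed single-entry ZIP (method 0, stored). With encrypted=True the
    general-purpose flag bit 0 is set and the body is a placeholder standing in
    for ciphertext; name, CRC-32 and sizes still sit in the cleartext headers."""
    crc = zlib.crc32(plaintext)
    flags = 1 if encrypted else 0
    body = b"\x00" * (12 + len(plaintext)) if encrypted else plaintext  # 12-byte PKZIP crypt header
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, 0, 0, 0,
                          crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def list_entries(data: bytes) -> list:
    """Walk the central directory only; never touches the (possibly encrypted) bodies."""
    eocd_off = data.rfind(b"PK\x05\x06")
    if eocd_off < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", data, eocd_off)
    entries, pos = [], cd_off
    for _ in range(total):
        hdr = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if hdr[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        flags, crc, name_len, extra_len, comment_len = hdr[3], hdr[7], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append({"name": name, "crc32": crc, "encrypted": bool(flags & 1)})
        pos += 46 + name_len + extra_len + comment_len
    return entries

# Constructed profile in the spirit of the post: an innocuous camera-style name
# plus a CRC-32 taken from a previously seen sample. Both are placeholders.
PROFILE_NAME = re.compile(r"^IMG\d{3}\.jpe?g$", re.IGNORECASE)

def matches_profile(entry: dict, known_crcs: set) -> bool:
    return bool(PROFILE_NAME.match(entry["name"])) and entry["crc32"] in known_crcs

SAMPLE_PLAINTEXT = b"constructed placeholder bytes, not a real JPEG"
SAMPLE_CRC = zlib.crc32(SAMPLE_PLAINTEXT)
SAMPLE_ZIP = build_sample_zip(b"IMG001.jpg", SAMPLE_PLAINTEXT, encrypted=True)

if __name__ == "__main__":
    for e in list_entries(SAMPLE_ZIP):
        print(e, "-> flagged" if matches_profile(e, {SAMPLE_CRC}) else "-> clean")
```

The same fields are what the standard library's zipfile.ZipFile(...).infolist() reports (flag_bits & 1 marks encrypted members), so a scanner can profile an encrypted archive long before it has any password to try.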