mouss wrote:
RobertH wrote:
http://pastebin.com/m2fcbe7b5
Thanks for posting the sample.
<plug type="shameless">
My email sanitizer successfully defends against this attack.
</plug>
:)
--
John Hardin
no disrespect intended, yet I would like to understand...
ummmm, if your "email sanitizer" caught it, why isn't that something
programmed "in another way" inside SA, or clamav, etc...?
I mean, we have viruses, we have spyware, we have spam, we have UCE, we have
all these different terms that describe essentially the same stuff...
can't this be dealt with in something that already exists like SA, Clamav, or
whatever, besides having another custom piece of coding?
i mean, John, at the very least get out some them there GUNS and shoot it a
bunch and make it stop or something!
The answer probably lies in a layered defence. If you can detect the
message as spam in SA regardless of malicious content, then that's just
one option. In an ideal world AV programs should detect the trojan but
the simple reality is that AV vendors can not keep up with the current
bombardment of malware. This sample had very poor detection at the time
the email was circulated. That may have improved somewhat now, but now
is too late for those who would have been hit by this at the time it was
sent.
The spam contains a URL (the fact that it is flash is only half-relevant).
That URL redirects to an exe file. You want to do what?
The approach that consists of having the spam filter (SA here) access
the URL has a lot of problems (easy DoS, address confirmation, higher
latency, ... etc).
Fixing the MUA may be good, but this still means that a file suffix is
meaningful. However, the internet isn't windows. A ".exe" does nothing
on a unix/linux system (assuming no windows support, be that wine or
other).
And to answer Ned's post, the problem isn't with flash running arbitrary
programs (what's the alternative? display ascii text only?). The problem
is elsewhere. I don't know many people who forbid .doc/xls/ppt in email,
and these can do a lot of harm.
Indeed, but why does flash need the ability to bind ports, open remote
connections, download executable files and run them? Its primary
function is to be a web-based multimedia player, or so I thought.
SELinux provides solutions to many of these issues by reasonably
restricting what things such as flash can do based on least privilege.
Same argument for .doc/xls/ppt or any other file format - why does a
word-processed document or spreadsheet need the ability to execute
arbitrary embedded code? Unfortunately, Windows does not offer such
protections and is quite happy to encourage users to run everything with
unrestricted privileges based on some perceived notion of usability.
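As an added illustration of two points made in this thread (the URL sits inside the flash file and the spam filter should not go and fetch it; a file suffix is not a reliable signal), here is a small Python-only scanner. It is example code written for this page, not John Hardin's sanitizer and not anything from SpamAssassin or ClamAV. It identifies Flash (FWS/CWS/ZWS) and PE (MZ) attachments by their leading bytes rather than by name, decompresses zlib-packed Flash locally, and pulls out any embedded URLs so a rule can be written against them without ever connecting to the remote host. The message it scans is constructed inline (example.invalid hostnames, a fake .pdf suffix on a Flash file) and is not the pastebin sample; ZWS (LZMA) files are only flagged, not unpacked.

```python
import email
import re
import zlib
from email import policy
from email.message import EmailMessage

# Magic bytes are checked instead of trusting the attachment's file suffix.
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
PE_MAGIC = b"MZ"
# URLs embedded in SWF string tables are NUL-terminated, so stop on NUL too.
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")


def swf_body(data):
    """Return the SWF payload after the 8-byte header, decompressed if needed.
    None means "not a Flash file"; b"" means Flash but not unpackable here."""
    kind = SWF_MAGIC.get(data[:3])
    if kind is None or len(data) < 8:
        return None
    if kind == "uncompressed":
        return data[8:]
    if kind == "zlib":
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return b""          # truncated/corrupt, but still Flash: flag it
    return b""                  # ZWS uses a non-standard LZMA header; not handled


def classify_attachment(filename, data):
    """Classify one decoded attachment by content. None if uninteresting."""
    name = (filename or "").lower()
    if data[:3] in SWF_MAGIC:
        body = swf_body(data) or b""
        urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(body)})
        return {"filename": filename, "type": "flash",
                "encoding": SWF_MAGIC[data[:3]], "urls": urls,
                "suffix_mismatch": not name.endswith(".swf")}
    if data[:2] == PE_MAGIC:
        return {"filename": filename, "type": "pe-executable", "urls": [],
                "suffix_mismatch": not name.endswith((".exe", ".dll", ".scr"))}
    return None


def scan_message(raw):
    """Walk a raw RFC 2822 message and classify every leaf part by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)
        if not data:
            continue
        finding = classify_attachment(part.get_filename(), data)
        if finding:
            findings.append(finding)
    return findings


def build_sample():
    """Constructed test message (not the thread's sample): a zlib-compressed
    Flash file carrying a redirect URL, attached under a misleading .pdf name."""
    body = b"\x00" * 16 + b"http://redirect.example.invalid/get.exe" + b"\x00" * 8
    swf = b"CWS" + bytes([9]) + (8 + len(body)).to_bytes(4, "little") + zlib.compress(body)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(swf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        print(f)
```

The point of returning the URLs rather than fetching them is that the decision can be made from what is already in the mailbox: a Flash attachment wearing a .pdf suffix, or an embedded URL ending in .exe, is enough to score or quarantine on, and none of the DoS, address-confirmation or latency problems of live URL retrieval apply.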