procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: softlabs

2004-03-04 04:01:46
from [Nikos K. Kantarakias] [Permanent Link] 
For detection through base64 Dan Wilder passed a mail to me that had some
good info for the zip files used by Bagle worm only.

U*EsDBAoAAAAAA   <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA   <= Matches encrypted version.

The asterisk shouldn't be there of course.

files compressed with WinZip 8.1SR1 as I tested have the following headers
U*EsDBBQAAwAI <= Matches encrypted version.
U*EsDBBQAAgAI <= Matches unencrypted ZIP file

again remove the asterisk


----- Original Message ----- 
From: "Professional Software Engineering" 
<PSE-L(_at_)mail(_dot_)professional(_dot_)org>
To: <procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE>
Sent: Thursday, March 04, 2004 11:50 AM
Subject: Re: softlabs





At 01:04 2004-03-04 -0700, LuKreme wrote:



There might be a way to check the encoding on the zip to be  able to
detect it is a password protected zip file isntead of a plain zip file,

yes?


BTW, there's a post in comp.mail.sendmail about this very topic.  They're
passing a null P/W, but otherwise it's the same thing as I suggested.  One
might choose to monitor the thread to see if there's any useful followup:

<http://groups.google.com/groups?selm=40462b72%241%40e-post.inode.at>

Having written a few ZIP tools ages ago (incl. a ZIP password cracker that
really screamed), I know there's sufficient data in the header of the zip
to identify that the files are encrypted, but checking for that purely in
procmail would be ugly and rather file dependant (at that point, you're
already checking for a very specific file stream).

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer:

<http://www.professional.org/procmail/disclaimer.html>

  Please DO NOT carbon me on list replies.  I'll get my copy from the

list.



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail




____________________________________________________________________
http://www.freemail.gr - δωρεάν υπηρεσία ηλεκτρονικού ταχυδρομείου.
http://www.freemail.gr - free email service for the Greek-speaking.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: softlabs, Ruud H.G. van Tol
Next by Date:  Re: softlabs, Professional Software Engineering
Previous by Thread:  Re: softlabs, Professional Software Engineering
Next by Thread:  Re: softlabs, Robert Allerstorfer
Indexes:  [Date] [Thread] [Top] [All Lists]