All:
Apparently there's a way to obfuscate filenames in ZIP files. I need
to look into it in some more detail, but the symptom is the ZIP index
(unzip -l and unzip -v) reports a different filename than is actually
decrypted.
I've added a "decryption" scan to the development sanitizer. Note that
this DOES NOT actually decrypt the ZIP file; running "unzip -t" on it
with a bogus password is apparently sufficient to reveal the
obfuscated filename.
You need to have a version of unzip that supports the -P (password)
argument. I recommend unzip 5.50 as this also has security bugfixes.
Workaround: for the worm I've seen, add "*.ePK" to your zipfile poison
list. This may not work on variants. "*.?PK" may be better, at the
risk of more false positives.
The development snapshot of the sanitizer is at:
http://www.impsec.org/email-tools/development/html-trap.procmail
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin(_at_)impsec(_dot_)org FALaholic #11174 pgpk -a
jhardin(_at_)impsec(_dot_)org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
17 days until the Slovakian Presidential Election
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail