Oct 1, 2004, 3:12 PM
Administrator (9387 posts)
Post #2 of 10
Views: 11574
Yup, pretty scary stuff. Here's some tech details on it:
http://easynews.com/virus.html
Can't even view images safely any more.
Cheers,
Alex
--
Gossamer Threads Inc.
Oct 2, 2004, 10:10 AM
Enthusiast (819 posts)
Post #4 of 10
Views: 11550
It looks like it. From the Project News @ http://www.clamav.net/:
Quote:
ClamAV JPEG Exploit (MS04-028) Detection
nervoso - 2004-09-28 06:30 - Clam AntiVirus
ClamAV 0.80rc3 successfully detects JPEG files with a modified comment section that allows attackers to remotely execute arbitrary code on unpatched Windows machines.
~Charlie
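The ClamAV note above describes detection of JPEG files with a modified comment (COM) section. The following is an added illustration of what a structural check for that looks like; it is not ClamAV's code and not part of the original thread. It walks the JPEG marker segments in a byte string and flags any comment segment whose declared length is below 2, the minimum the JPEG format allows because the 16-bit length field counts its own two bytes. The sample inputs are constructed, minimal JPEG-shaped byte strings, not real images.

```python
import struct

# JPEG marker constants (second byte after 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE_MARKERS = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
# A segment's 16-bit length counts the two length bytes themselves,
# so the smallest value the format permits is 2.
MIN_SEGMENT_LENGTH = 2


def walk_jpeg_segments(data):
    """Yield (marker, declared_length, offset) for each marker segment in the
    file header, stopping at SOS (entropy-coded data follows), at EOI, or at
    the first segment whose length field cannot be trusted."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # padding byte before a marker; skip it
            pos += 1
            continue
        if marker in STANDALONE_MARKERS:
            yield marker, None, pos
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, length, pos
        if marker == SOS or length < MIN_SEGMENT_LENGTH:
            # Either image data follows (no more headers) or the length is
            # below the format minimum and we cannot advance safely.
            return
        pos += 2 + length


def find_bad_comment_segments(data):
    """Return [(offset, declared_length)] for COM segments whose length field
    is below the 2-byte minimum, i.e. a malformed comment section."""
    return [
        (offset, length)
        for marker, length, offset in walk_jpeg_segments(data)
        if marker == COM and length is not None and length < MIN_SEGMENT_LENGTH
    ]


def build_sample_jpeg(comment_length_field, comment_text=b"hi"):
    """Construct a minimal JPEG-shaped byte string (constructed test input,
    not a real image): SOI, a stub APP0, one COM segment, EOI."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 2 + 4) + b"JFIF"
    com = b"\xFF\xFE" + struct.pack(">H", comment_length_field) + comment_text
    return b"\xFF\xD8" + app0 + com + b"\xFF\xD9"


if __name__ == "__main__":
    ok = build_sample_jpeg(2 + len(b"hi"))   # well-formed comment
    bad = build_sample_jpeg(1)               # length below the format minimum
    print("well-formed:", find_bad_comment_segments(ok))
    print("malformed:  ", find_bad_comment_segments(bad))
```

The walker deliberately stops at the first untrustworthy length instead of computing an offset from it, which is the same caution a decoder needs: a length that is smaller than the field itself cannot be used to find the next segment.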
Oct 2, 2004, 10:35 AM
Enthusiast (928 posts)
Post #5 of 10
Views: 11541
Oh Good.
We updated our servers the very hour (Sept 28th 2004) 0.80rc3 was released, though it's a Non Witchcraft OS (i.e. not Windows).
Pretty much up to date with updates and security fixes. BTW, ClamAV also offers a Windows version free.
HyTC
Last edited by:
HyperTherm: Oct 2, 2004, 10:49 AM
Oct 2, 2004, 2:21 PM
Administrator (9387 posts)
Post #6 of 10
Views: 11548
Hi,
Not sure how effective it is though, as you'd have to grab every remote image on an html page! To do that on a large scale would just be an incredible amount of bandwidth. Also, you'd need a pretty good html engine inside the virus scanner for this, as imagine the number of ways a browser can download an image.
Cheers,
Alex
--
Gossamer Threads Inc.
Oct 2, 2004, 3:13 PM
Enthusiast (928 posts)
Post #7 of 10
Views: 11523
Hi.
Infected messages are rejected at the SMTP level.
I do not deploy the traditional Mailscanner route of allowing the messages in and then scanning, as I find that useless and a definite waste of resource ...
Messages being propagated by worms are blocked at the HELO/EHLO stage, as most of them push a dubious HELO/EHLO... I have seen an 80%+ reduction in messages reaching the level where the virus scan starts, post implementation of message rejection on dubious HELO/EHLO, as per two weeks of live runs. Would disable that for a week and see if the virus message rejected count pushes up again to original levels...
Sharing my thoughts ...
Could be wrong ...
Thanks
HyTC
Oct 2, 2004, 3:24 PM
Administrator (9387 posts)
Post #8 of 10
Views: 11531
Hi,
Sure, there are a lot of ways to try and stop spam/viruses from getting in before you even get to the virus scanner: helo checks, valid rcpt checks, valid envelopes, tarpitting, force slow connections, reject mail that is bursted, etc.
All I was saying, is that this particular virus is very hard to detect, as you can have a piece of virus-free html mail that links to an image on a remote site, so the payload is not even in the message! It's very nasty..
Cheers,
Alex
--
Gossamer Threads Inc.
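HyTC's post describes rejecting at the HELO/EHLO stage, and Alex's reply lists "helo checks" among the pre-scanner filters. The following is an added example of what such a check can consist of; it is not code from either poster or from any mail server. The rejection criteria it applies (empty argument, an address literal that does not match the connecting IP, a bare IP without brackets, a client announcing one of the server's own names, a hostname that is not fully qualified) are this example's assumptions about what "dubious" means, and the sample sessions are constructed from documentation addresses, not real traffic.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if name looks like a fully qualified hostname (>= 2 labels,
    valid label syntax, alphabetic top-level label)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


def classify_helo(helo, client_ip, local_names):
    """Return ("accept", reason) or ("reject", reason) for a HELO/EHLO
    argument. local_names holds the hostnames and domains this server
    answers for, which no legitimate outside client would announce."""
    helo = helo.strip()
    if not helo:
        return "reject", "empty HELO/EHLO argument"
    # Address literal form: "[192.0.2.1]" or "[IPv6:2001:db8::1]"
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.upper().startswith("IPV6:"):
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return "reject", "malformed address literal"
        if literal != ipaddress.ip_address(client_ip):
            return "reject", "address literal does not match connecting IP"
        return "accept", "address literal matches connecting IP"
    try:
        ipaddress.ip_address(helo)
        return "reject", "bare IP address without brackets"
    except ValueError:
        pass
    if helo.lower().rstrip(".") in {n.lower() for n in local_names}:
        return "reject", "client announced one of our own names"
    if not is_fqdn(helo):
        return "reject", "not a fully qualified hostname"
    return "accept", "plausible hostname"


def filter_sessions(sessions, local_names):
    """Apply classify_helo to (client_ip, helo) pairs and return a summary
    with the reject count and the per-session verdicts."""
    verdicts = [(ip, helo, *classify_helo(helo, ip, local_names)) for ip, helo in sessions]
    rejected = sum(1 for v in verdicts if v[2] == "reject")
    return {"rejected": rejected, "total": len(sessions), "verdicts": verdicts}


# Constructed sample sessions (documentation addresses, not real traffic)
SAMPLE_SESSIONS = [
    ("198.51.100.7", "mail.example.org"),
    ("198.51.100.7", "[198.51.100.7]"),
    ("203.0.113.9", "[198.51.100.7]"),
    ("203.0.113.9", "203.0.113.9"),
    ("203.0.113.9", "mx.example.com"),
    ("203.0.113.9", "localhost"),
    ("203.0.113.9", ""),
]

if __name__ == "__main__":
    summary = filter_sessions(SAMPLE_SESSIONS, {"mx.example.com", "example.com"})
    for ip, helo, verdict, reason in summary["verdicts"]:
        print(f"{ip:15} {helo!r:22} {verdict:7} {reason}")
    print(f"rejected {summary['rejected']} of {summary['total']} before any content scan")
```

These checks are cheap because they need nothing but the HELO string and the peer address; Postfix exposes the same ideas as the restrictions `reject_non_fqdn_helo_hostname` and `reject_invalid_helo_hostname`. They do not help with the case Alex raises next, a clean message whose image payload lives on a remote site, since that message can arrive from a perfectly well-behaved sender.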
Oct 2, 2004, 3:43 PM
Enthusiast (928 posts)
Post #9 of 10
Views: 11518
Hi.
force slow connections --- naah, I would never include a
delay xx s
for slowing down attacks ... dictionary attack for example. That could be telling on a busy server. Just drop the connection after 4 failures, and I'm just working on how to add a repeating IP to iptables and block it temporarily at least...
HyTC
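HyTC's alternative to per-command delays is to drop the connection after 4 failures and temporarily block a repeating IP in iptables. As an added example (not the poster's own code), here is a per-client failure tracker with a sliding window and a timed block that produces the `iptables` command lines rather than running them, so the policy can be replayed against a log offline. What counts as a "failure" (a rejected RCPT TO, say) and the window and block durations are this example's assumptions; the event stream is constructed.

```python
import ipaddress
import time
from collections import defaultdict, deque


class FailureTracker:
    """Count per-client failures (e.g. rejected RCPT TO commands) within a
    sliding window; after max_failures, mark the client blocked for block_s
    seconds and hand back the iptables command that enforces it."""

    def __init__(self, max_failures=4, window_s=600, block_s=1800):
        self.max_failures = max_failures
        self.window_s = window_s
        self.block_s = block_s
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> expiry timestamp

    def record_failure(self, ip, now=None):
        """Register one failure; return True when this one crosses the
        threshold (drop the connection and install the block)."""
        now = time.time() if now is None else now
        ipaddress.ip_address(ip)              # refuse anything that is not an address
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                       # forget failures outside the window
        if len(q) >= self.max_failures and not self.is_blocked(ip, now):
            self._blocked_until[ip] = now + self.block_s
            q.clear()
            return True
        return False

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return self._blocked_until.get(ip, 0) > now

    def expire_blocks(self, now=None):
        """Return the IPs whose temporary block has ended, removing them."""
        now = time.time() if now is None else now
        expired = [ip for ip, until in self._blocked_until.items() if until <= now]
        for ip in expired:
            del self._blocked_until[ip]
        return expired

    @staticmethod
    def block_rule(ip):
        """argv for a temporary DROP rule; run with subprocess.run, no shell."""
        return ["iptables", "-I", "INPUT", "-s", str(ipaddress.ip_address(ip)), "-j", "DROP"]

    @staticmethod
    def unblock_rule(ip):
        """argv that removes the rule installed by block_rule."""
        return ["iptables", "-D", "INPUT", "-s", str(ipaddress.ip_address(ip)), "-j", "DROP"]


def replay(events, tracker):
    """Feed (timestamp, ip) failure events; return the rules that would be
    issued, in order, without executing anything."""
    rules = []
    for ts, ip in events:
        if tracker.record_failure(ip, ts):
            rules.append(tracker.block_rule(ip))
        for expired_ip in tracker.expire_blocks(ts):
            rules.append(tracker.unblock_rule(expired_ip))
    return rules


# Constructed sample: one client failing repeatedly, one failing occasionally
SAMPLE_EVENTS = [
    (1000.0, "203.0.113.5"), (1001.0, "203.0.113.5"),
    (1002.0, "198.51.100.2"),
    (1003.0, "203.0.113.5"), (1004.0, "203.0.113.5"),   # 4th failure -> block
    (1005.0, "203.0.113.5"),                             # already blocked, no new rule
    (2900.0, "198.51.100.2"),                            # by now the 1800 s block has expired
]

if __name__ == "__main__":
    for argv in replay(SAMPLE_EVENTS, FailureTracker()):
        print(" ".join(argv))
```

Validating the address with `ipaddress` before it reaches the argv list, and passing argv lists rather than a shell string, keeps a hostile HELO or sender string from ever being interpreted as part of a command. The expiry step matters as much as the block: a repeating IP that never gets removed turns a temporary measure into a permanent one.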