[ILUG] encrypted zip files
pete at yerma.org
Wed Mar 3 16:13:42 GMT 2004
Has anyone got a way of getting exim 3.36/exiscan/clamav to detect and drop
the encrypted zip files that W32/Bagle.j at MM et al are so fond of using?
So far Ive managed to ascertain that the following will output a capital
letter if a zip file is encrypted:
if zipinfo $Z | grep exe$ | perl -pe's/ +/ /g' | cut -d\ -f5 | cut -b1
So if i had a way to run that on the mail and if the output is between
65 and 90 on the acsii table - drop the mail.
This is as far as I've got, there undoubtedly is a much better way to do
this sort of thing (quarantining all zip attachments isnt an option) but
at the moment Im too busy running stinger.exe on all the people that
have fell for this so far to do any real research on it.
Any pointers would be greatly appreciated.
More information about the ILUG