On Tue, 2 Nov 2004, Minica, Nelson (EDS) wrote:

> Looks like there is proof of concept code here:
> http://felinemenace.org/~nd/crash_ie/ file 2446.html
> http://www.securityfocus.com/bid/11515/exploit/

From Nelson's file and from another code example of this exploit that I found (http://www.k-otik.com/exploits/20041102.InternetExploiter.htm.php), the following signature should work if I understand correctly. This isn't perfect and there are many javascripty ways around it, so please add your thoughts.

Matches a case-sensitive regex of:

    IFRAME={256,}

    Exploit.IFRAME.foo:*:494652414d453d??{256-}

You can probably all see the problem already. IfRaMe is not caught by our sig. Does this mean 6! (factorial) additional signatures are needed to match this? Am I doing this completely wrong somewhere?

Are our virus sigs quickly becoming a dictionary of regexes for malware? -- 'cause that could be bad and error-prone.

Your thoughts?

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
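
Added example, not part of the original message and not ClamAV code: a small matcher for the signature body quoted above, run over every case spelling of the tag name, first on the raw bytes and then after folding ASCII letters to upper case. The folding step, the helper names and the sample buffers are assumptions made for illustration; the buffers are constructed and contain only filler bytes.

```python
import itertools
import re

SIG_HEX = "494652414d453d??{256-}"  # signature body quoted in the message

def sig_to_regex(sig):
    """Translate the hex-signature subset used above into a bytes regex."""
    parts, i = [], 0
    while i < len(sig):
        if sig[i] == "{":                       # {n-}: at least n arbitrary bytes
            end = sig.index("}", i)
            parts.append(b".{%d,}" % int(sig[i + 1:end].rstrip("-")))
            i = end + 1
        elif sig[i:i + 2] == "??":              # ??: any single byte
            parts.append(b".")
            i += 2
        else:                                   # two hex digits: one literal byte
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

PATTERN = sig_to_regex(SIG_HEX)

def match_raw(buf):
    """Case-sensitive match, as the signature in the message behaves."""
    return PATTERN.search(buf) is not None

def match_folded(buf):
    """Fold ASCII letters to upper case first (assumed pre-processing step)."""
    return PATTERN.search(buf.upper()) is not None

def case_variants(word):
    """Every upper/lower-case spelling of word."""
    pairs = [(c.lower(), c.upper()) for c in word]
    return {"".join(p) for p in itertools.product(*pairs)}

def sample(tag, fill):
    """Constructed, inert test buffer: '<tag=' followed by filler bytes."""
    return b"<" + tag.encode() + b"=" + b"A" * fill + b">"

if __name__ == "__main__":
    variants = case_variants("IFRAME")
    raw = sum(match_raw(sample(v, 300)) for v in variants)
    folded = sum(match_folded(sample(v, 300)) for v in variants)
    print(len(variants), "case variants; raw hits:", raw, "folded hits:", folded)
    print("short value flagged:", match_folded(sample("iframe", 10)))
```

A six-letter tag name has 2^6 = 64 case spellings; the raw match catches one of them, while a single signature applied after case folding catches all 64 and still ignores short attribute values.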