Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread G.W. Haywood
Hi there,

On Mon, 19 Sep 2011 Michael Orlitzky wrote:
> On 09/16/11 11:53, G.W. Haywood wrote:
>
>> Is this one for Mr. Basford, or does it have wider implications?
>> ...

> An IP address is a number between 0 and 2^32 (more or less).
> There are plenty of ways to represent them.

Unless it's an IPV6 address.  Yes, I believe I have seen a couple of
different ways of representing numbers. :)

> Who's to say which ones are obfuscated?

Well in this case, I am. :)  That is, I'm protecting people from
criminals.  I do that all day long, I've been doing it for much more
than a decade, and I'm more than a little tired of it.

> The decimal form is more efficient than the typical dotted-quad, which
> is easier to remember.

I don't think I'll argue the efficiency point on this list.  I don't
remember any of them very well, unfortunately.  Goodness knows what
it'll be like when we're all using IPV6... :(

> You have to convert either to binary to figure out what a bitmask is
> going to do to it.

Nah, after thirty-odd years I can do it in my head with dotted quads. :)

But the point remains, this is a pretty obvious and easy target for
any scanner which is looking for malicious activity, so wouldn't it
make sense to take a shot at it?  I can do something approximating to
what I think is needed with one or other of the Sendmail milters that
I run, but it would probably be a lot more effective (and potentially
a marketing coup) if ClamAV could do it.

--

73,
Ged.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Michael Orlitzky
 
> A hostname cannot be all digits and except when the IP is used there
> will be a TLD, so if you see a pattern such as
>
>   http:// 123456789/ cgi-bin/innocent_code.pl
>
> (Ignore the spaces they are there to let this post slip by most antispam
> detection) then you can surmise it is an attempt at obfuscation.

I don't get it, what's the pattern we're looking for? An IP address is a
number. Any way you specify it is fine. 123456789 is no more obfuscated
than whatever it would be if you converted it to dotted quad. They both
represent the same number.

If you're trying to match a text pattern against an integer, you're
doing it wrong.


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Michael Orlitzky
On 09/19/11 08:18, G.W. Haywood wrote:
 
> Nah, after thirty-odd years I can do it in my head with dotted quads. :)

Yeah but I'll bet you imagine the bits still =)


> But the point remains, this is a pretty obvious and easy target for
> any scanner which is looking for malicious activity, so wouldn't it
> make sense to take a shot at it?  I can do something approximating to
> what I think is needed with one or other of the Sendmail milters that
> I run, but it would probably be a lot more effective (and potentially
> a marketing coup) if ClamAV could do it.

Don't try to match the representation, match the number. There are a few
billion ways you can represent a single IP address; we can't have
signatures for all of them. Convert it to an integer.


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Bowie Bailey
On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>> A hostname cannot be all digits and except when the IP is used there
>> will be a TLD, so if you see a pattern such as
>>
>>   http:// 123456789/ cgi-bin/innocent_code.pl
>>
>> (Ignore the spaces they are there to let this post slip by most antispam
>> detection) then you can surmise it is an attempt at obfuscation.
>
> I don't get it, what's the pattern we're looking for? An IP address is a
> number. Any way you specify it is fine. 123456789 is no more obfuscated
> than whatever it would be if you converted it to dotted quad. They both
> represent the same number.
>
> If you're trying to match a text pattern against an integer, you're
> doing it wrong.

He is not trying to match the IP address.  He is trying to match an
unusual way of presenting the IP address that seems to occur primarily
in spam.

Whether this is something that should be done in ClamAV or would be
better done by something like SpamAssassin is another question altogether.

-- 
Bowie


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Michael Orlitzky
On 09/19/11 12:04, Bowie Bailey wrote:
 
> He is not trying to match the IP address.  He is trying to match an
> unusual way of presenting the IP address that seems to occur primarily
> in spam.
>
> Whether this is something that should be done in ClamAV or would be
> better done by something like SpamAssassin is another question altogether.
 

Fair enough. I was just unhappy with the idea that 0.0.0.1 is somehow
less obfuscated than 1.


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Bowie Bailey
On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
> On 09/19/11 12:04, Bowie Bailey wrote:
>> He is not trying to match the IP address.  He is trying to match an
>> unusual way of presenting the IP address that seems to occur primarily
>> in spam.
>>
>> Whether this is something that should be done in ClamAV or would be
>> better done by something like SpamAssassin is another question altogether.
>
> Fair enough. I was just unhappy with the idea that 0.0.0.1 is somehow
> less obfuscated than 1.

I would tend to say that 1 is fairly well obfuscated.  Most people --
even most technical people -- would not immediately see that as an IP
address.  We have been conditioned to see IP addresses as XX.XX.XX.XX. 
And while there are other valid ways of displaying an IP address, most
people will not immediately recognize a number or series of numbers as
an IP address if it is not in the familiar dotted-quad notation.

-- 
Bowie


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread TR Shaw

On Sep 19, 2011, at 12:04 PM, Bowie Bailey wrote:

> On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>>> A hostname cannot be all digits and except when the IP is used there
>>> will be a TLD, so if you see a pattern such as
>>>
>>>   http:// 123456789/ cgi-bin/innocent_code.pl
>>>
>>> (Ignore the spaces they are there to let this post slip by most antispam
>>> detection) then you can surmise it is an attempt at obfuscation.
>>
>> I don't get it, what's the pattern we're looking for? An IP address is a
>> number. Any way you specify it is fine. 123456789 is no more obfuscated
>> than whatever it would be if you converted it to dotted quad. They both
>> represent the same number.
>>
>> If you're trying to match a text pattern against an integer, you're
>> doing it wrong.
>
> He is not trying to match the IP address.  He is trying to match an
> unusual way of presenting the IP address that seems to occur primarily
> in spam.
 

Basically an IPv4 address can be anything that inet_addr() can handle. 

See 
http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf2/inet_addr.htm



Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Bernd Petrovitsch
On Mon, 2011-09-19 at 12:40 -0400, Bowie Bailey wrote:
> On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
>> On 09/19/11 12:04, Bowie Bailey wrote:
>>> He is not trying to match the IP address.  He is trying to match an
>>> unusual way of presenting the IP address that seems to occur primarily
>>> in spam.
>>>
>>> Whether this is something that should be done in ClamAV or would be
>>> better done by something like SpamAssassin is another question altogether.
>>
>> Fair enough. I was just unhappy with the idea that 0.0.0.1 is somehow
>> less obfuscated than 1.
>
> I would tend to say that 1 is fairly well obfuscated.  Most people --
> even most technical people -- would not immediately see that as an IP
> address.  We have been conditioned to see IP addresses as XX.XX.XX.XX.

That's the whole problem, as both are legal and correct (as in
RFC-compliant) forms.
And you want to flag it as spam?

> And while there are other valid ways of displaying an IP address, most
> people will not immediately recognize a number or series of numbers as
> an IP address if it is not in the familiar dotted-quad notation.

But in the context of http://0.0.0.1/ or http://1/ most people should
only think: Is this an IP address or a hostname?
And it makes no real sense to have syntactically illegal links in spam
mails.
So the obfuscation is IMHO more for the tools, to avoid matches on
blacklists of domains and IP addresses.
No, one should really extend the blacklist checks to the not so well
known forms and not only dotted-quads.

Bernd
-- 
Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
 LUGA : http://www.luga.at



Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Peter Bonivart
On Mon, Sep 19, 2011 at 6:46 PM, Bernd Petrovitsch
be...@petrovitsch.priv.at wrote:
> That's the whole problem as both are legal and correct (as in
> RFC-compliant) form.
> And you want to flag it as spam?

Regardless of form I would call it spam since I've never seen legit
numeric links. I've had my own SA rule for the common form for a long
time now and it has served me well, I will probably expand that to
include this form.

/peter


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Bowie Bailey
On 9/19/2011 12:46 PM, Bernd Petrovitsch wrote:
> On Mon, 2011-09-19 at 12:40 -0400, Bowie Bailey wrote:
>> On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
>>> On 09/19/11 12:04, Bowie Bailey wrote:
>>>> He is not trying to match the IP address.  He is trying to match an
>>>> unusual way of presenting the IP address that seems to occur primarily
>>>> in spam.
>>>>
>>>> Whether this is something that should be done in ClamAV or would be
>>>> better done by something like SpamAssassin is another question altogether.
>>>
>>> Fair enough. I was just unhappy with the idea that 0.0.0.1 is somehow
>>> less obfuscated than 1.
>> I would tend to say that 1 is fairly well obfuscated.  Most people --
>> even most technical people -- would not immediately see that as an IP
>> address.  We have been conditioned to see IP addresses as XX.XX.XX.XX.
> That's the whole problem as both are legal and correct (as in
> RFC-compliant) form.
> And you want to flag it as spam?

Since when does legal and correct have anything to do with whether an
email is spam?  If a certain marker appears in spam emails and not in
non-spam emails, then there is a fairly strong case to flag emails that
contain that marker as spam.  It makes no difference whether that marker
is something legal or not.

However, I would tend to leave this type of spam detection to a
dedicated program such as SpamAssassin rather than using Clam for this
purpose.  Clam works better with strictly-defined patterns for more
obvious spam.

-- 
Bowie
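Bowie's suggestion is to leave this kind of marker to SpamAssassin. As an added illustration of what that looks like (this is not from the thread and not one of SpamAssassin's stock rules; the rule name, description, score and regex are my own choices), the fragment below is the shape such a rule takes in local.cf. A "uri" rule is tested against every URI SpamAssassin extracts from the body, so no extra parsing is needed; the low score follows the practice Dennis Peterson describes elsewhere in the thread of weighting an experimental marker lightly until its false-positive rate is known. SpamAssassin's stock rule set has carried checks in this spirit (for example NUMERIC_HTTP_ADDR and NORMAL_HTTP_TO_IP), so check what your version already fires on such a message before adding a local rule.

```conf
# Added example for local.cf; not a stock SpamAssassin rule.
# Rule name, description and score are hypothetical choices.
# Fires when the host part of a URI consists only of digits, hex digits,
# an 'x' and dots, optionally behind a fake "user@" prefix; that covers the
# plain-integer, hex, octal and short dotted spellings of an IPv4 address
# and essentially never describes a real hostname.
uri      LOCAL_NUMERIC_URI_HOST  m{^https?://(?:[^/@\s]*@)?[0-9][0-9a-fx.]*(?::[0-9]+)?(?:/|$)}i
describe LOCAL_NUMERIC_URI_HOST  URI host is a bare number (decimal, hex or octal IPv4 spelling)
score    LOCAL_NUMERIC_URI_HOST  0.5
```

Because the pattern requires the host to start with a digit and contain nothing outside the hex-digit/x/dot set, names such as 1and1.com do not match; a plain dotted quad does match, which is the "regardless of form" stance Peter takes above. Raise the score only after watching it against real traffic.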


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Török Edwin

On Sep 19, 2011, at 19:04, Bowie Bailey bowie_bai...@buc.com wrote:

> On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>>> A hostname cannot be all digits and except when the IP is used there
>>> will be a TLD, so if you see a pattern such as
>>>
>>>   http:// 123456789/ cgi-bin/innocent_code.pl
>>>
>>> (Ignore the spaces they are there to let this post slip by most antispam
>>> detection) then you can surmise it is an attempt at obfuscation.
>>
>> I don't get it, what's the pattern we're looking for? An IP address is a
>> number. Any way you specify it is fine. 123456789 is no more obfuscated
>> than whatever it would be if you converted it to dotted quad. They both
>> represent the same number.
>>
>> If you're trying to match a text pattern against an integer, you're
>> doing it wrong.
>
> He is not trying to match the IP address.  He is trying to match an
> unusual way of presenting the IP address that seems to occur primarily
> in spam.
>
> Whether this is something that should be done in ClamAV or would be
> better done by something like SpamAssassin is another question altogether.

Try adding this to a local.pdb file in your dbdir (untested):
R:[0-9]{1,10}(\.[0-9]{1,10}){0,2}:.+

Of course you can improve the regex to detect hexadecimal encoded numbers, etc.

Best regards,
--Edwin


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Dennis Peterson

On 9/19/11 8:46 AM, Michael Orlitzky wrote:
>> A hostname cannot be all digits and except when the IP is used there
>> will be a TLD, so if you see a pattern such as
>>
>>   http:// 123456789/ cgi-bin/innocent_code.pl
>>
>> (Ignore the spaces they are there to let this post slip by most antispam
>> detection) then you can surmise it is an attempt at obfuscation.
>
> I don't get it, what's the pattern we're looking for? An IP address is a
> number. Any way you specify it is fine. 123456789 is no more obfuscated
> than whatever it would be if you converted it to dotted quad. They both
> represent the same number.
>
> If you're trying to match a text pattern against an integer, you're
> doing it wrong.

FWIW, here is a regex that will match the suspicious pattern example:

http:\/\/[0-9]{1,9}\/cgi-bin\/.*\.pl

How valuable it may be, I don't know. It can turn up false positives but I kind 
of have the philosophy that if a real post is indistinguishable from spam there 
is probably something wrong with the post. Evaluating this pattern in the 
context of spam volume is a key part of the go, no go decision to use it. In my 
milter (J-Chkmail) I give these experiments a very low weight so that they 
cannot easily condemn a message. It allows me to evaluate messages in a live 
system with little concern it will trigger a FP.


dp


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Nathan Gibbs
On 9/19/2011 2:33 PM, Török Edwin wrote:
> Try adding this to a local.pdb file in your dbdir (untested):
> R:[0-9]{1,10}(\.[0-9]{1,10}){0,2}:.+
>
> Of course you can improve the regex to detect hexadecimal encoded numbers,
> etc.
>
My IPv4 & IPv6 regex from the CCEE patchset.

([.:[:xdigit:]]{2,45}|[.[:digit:]]{7,15})

Perfect it isn't, but it's better than what was there, which was nothing.
:-)

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com

Re: [clamav-users] Obfuscated IP address.

2011-09-18 Thread Michael Orlitzky
On 09/16/11 11:53, G.W. Haywood wrote:
 
> The string 11064393 concatenated after the string 95. is converted
> without fuss by browsers to the IP address of the criminal server.
>
> I use most of the third party databases available for ClamAV.  Using
> clamscan I scanned the text in its original form and it wasn't flagged
> as suspect.
>
> Is this one for Mr. Basford, or does it have wider implications?
> Despite an hour or so of trying I haven't thought of a legitimate
> reason for obfuscating an IP address in this way.
 

An IP address is a number between 0 and 2^32 (more or less). There are
plenty of ways to represent them. Who's to say which ones are obfuscated?

The decimal form is more efficient than the typical dotted-quad, which
is easier to remember. You have to convert either to binary to figure
out what a bitmask is going to do to it.


Re: [clamav-users] Obfuscated IP address.

2011-09-18 Thread Dennis Peterson

On 9/18/11 6:41 PM, Michael Orlitzky wrote:
> On 09/16/11 11:53, G.W. Haywood wrote:
>> The string 11064393 concatenated after the string 95. is converted
>> without fuss by browsers to the IP address of the criminal server.
>>
>> I use most of the third party databases available for ClamAV.  Using
>> clamscan I scanned the text in its original form and it wasn't flagged
>> as suspect.
>>
>> Is this one for Mr. Basford, or does it have wider implications?
>> Despite an hour or so of trying I haven't thought of a legitimate
>> reason for obfuscating an IP address in this way.
>
> An IP address is a number between 0 and 2^32 (more or less). There are
> plenty of ways to represent them. Who's to say which ones are obfuscated?

A hostname cannot be all digits and except when the IP is used there will be a 
TLD, so if you see a pattern such as

  http:// 123456789/ cgi-bin/innocent_code.pl

(Ignore the spaces they are there to let this post slip by most antispam 
detection) then you can surmise it is an attempt at obfuscation.


dp


[clamav-users] Obfuscated IP address.

2011-09-16 Thread G.W. Haywood
Hi there,

At about 1300 GMT today one of my mailservers rejected a message as
being an obvious scam.  As it happened I took a look at it.  It's a
typical bank phishing attempt.

Here's a part of the mail which includes a part of the link which the
reader is invited to visit.  Obviously I've removed the protocol name
and the trailing colon from the URI, and replaced them by x.
Hopefully now the text won't trigger too many scanners. :)

--
[snip, snip] place a new [snip, snip] cookie on your computer.
To securely <B><A href=x//95.11064393/www1.firstdirec[snip]
--

The string 11064393 concatenated after the string 95. is converted
without fuss by browsers to the IP address of the criminal server.

I use most of the third party databases available for ClamAV.  Using
clamscan I scanned the text in its original form and it wasn't flagged
as suspect.

Is this one for Mr. Basford, or does it have wider implications?
Despite an hour or so of trying I haven't thought of a legitimate
reason for obfuscating an IP address in this way.

--

73,
Ged.
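The 95.11064393 link in the original post, TR Shaw's remark that anything inet_addr() accepts is an IPv4 address, and Michael's advice to convert the representation to a number rather than match its spelling all rest on the same parser rules. The script below is an added example written for this page; it is not code from the thread, from ClamAV or from any milter. It re-implements the classic BSD/glibc inet_aton acceptance rules in Python (one to four dot-separated parts, each decimal, 0x-hex or leading-zero octal, with the last part filling the remaining bits), normalises every accepted spelling to the dotted quad, and then runs that over the hosts pulled out of a constructed phishing-style body. It deliberately does not call the platform libc, so the result is the same on every OS. The user@host skipping in the URL regex goes beyond what the thread discusses; SAMPLE_MAIL, www.example.com, www.bank.example and 192.0.2.1 are constructed inputs.

```python
"""Normalise the IPv4 spellings inet_aton(3) accepts and flag the odd ones.

Added example for the clamav-users thread; not ClamAV, SpamAssassin or
milter code.  SAMPLE_MAIL and the hostnames in it are constructed.
"""
import re
from typing import List, Optional, Tuple


def parse_part(part: str) -> Optional[int]:
    """Parse one dot-separated component the way inet_aton does: a 0x/0X
    prefix is hexadecimal, a leading 0 is octal, anything else is decimal.
    Signs, underscores, non-ASCII digits and a bare '0x' are rejected."""
    if not part or not part.isascii() or not part.isalnum():
        return None
    try:
        if part[:2] in ("0x", "0X"):
            return int(part[2:], 16) if len(part) > 2 else None
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def inet_aton_value(host: str) -> Optional[int]:
    """Return the 32-bit value inet_aton(3) would produce for HOST, or None
    if HOST is not an accepted numeric form.  With 1, 2, 3 or 4 parts the
    last part supplies the low 32, 24, 16 or 8 bits respectively, which is
    why '95.11064393' (95, then a 24-bit number) is a valid address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    last_bits = 32 - 8 * len(leading)
    if last >= 1 << last_bits:
        return None
    value = 0
    for v in leading:
        value = (value << 8) | v
    return (value << last_bits) | last


def to_dotted(value: int) -> str:
    """Canonical dotted-decimal quad for a 32-bit value."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_host(host: str) -> Tuple[str, Optional[str]]:
    """Return (category, dotted_quad).  'name' means HOST is not numeric at
    all; 'canonical' means it already is the plain dotted-decimal quad;
    'obfuscated' covers every other spelling inet_aton would accept (plain
    integer, short forms, hex, octal, leading zeros)."""
    value = inet_aton_value(host)
    if value is None:
        return "name", None
    dotted = to_dotted(value)
    return ("canonical" if host == dotted else "obfuscated"), dotted


# Host part of an http(s) URL.  The optional group skips a fake userinfo
# ('http://www.bank.example@<number>/'), a trick the thread does not discuss
# but which turns up in the same kind of mail.  Port, path and query are cut.
URL_HOST = re.compile(r"""https?://(?:[^/\s@"'<>]*@)?([^/\s:"'<>?#]+)""", re.IGNORECASE)


def scan_message(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Pull every URL host out of TEXT and classify it: extract the host,
    let the inet_aton rules decide whether it is an address, then compare
    with the canonical form instead of keeping one regex per spelling."""
    return [(host,) + classify_host(host) for host in URL_HOST.findall(text)]


def suspicious_hosts(text: str) -> List[Tuple[str, str]]:
    """Only the hosts a filter would want to score: numeric but not the
    familiar dotted quad, each paired with its decoded address."""
    return [(host, dotted) for host, cat, dotted in scan_message(text) if cat == "obfuscated"]


# Constructed phishing-style body: the thread's 95.11064393 written three
# ways (all decode to 95.168.212.73), 123456789 from the later example
# behind a fake user@ prefix, a real-looking name and a plain dotted quad.
SAMPLE_MAIL = """\
Dear customer, please confirm your details at
<a href="http://95.11064393/www1/login">our secure site</a>
or use http://0x5fa8d449/ or http://0137.0250.0324.0111/ if that fails.
Mirror: http://www.bank.example@123456789/cgi-bin/innocent_code.pl
Help: http://www.example.com/help and status at http://192.0.2.1/status
"""

if __name__ == "__main__":
    for host, category, dotted in scan_message(SAMPLE_MAIL):
        print(f"{host:25} {category:10} {dotted or ''}")
```

Running the file prints one line per host: 95.11064393, 0x5fa8d449 and 0137.0250.0324.0111 all decode to 95.168.212.73, 123456789 decodes to 7.91.205.21, www.example.com is a name and 192.0.2.1 passes as canonical. Under this rule 0.0.0.1 counts as canonical and a bare 1 as obfuscated, which is exactly the distinction Michael and Bowie argue about above: the scheme scores the spelling, not the number, and the decoded quad is what you then feed to a blacklist lookup so the lookup itself stays representation-independent, as Bernd suggests.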