-----Original Message----- From: Matthew Wilson [mailto:matthew@boomer.com] Sent: Wednesday, September 22, 2004 11:33 AM To: SURBL Discussion list Subject: [SURBL-Discuss] JPEG flaw in Windows - URLs in emails
Since proof-of-concept code for the JPEG flaw in Windows has been posted online, we can surely expect at least one mass mailing exploit soon. The form will likely take the form of either:
- A JPEG file embedded in an email message with the exploit code embedded in the embedded image. Theoretically, the exploit pattern should already be known, no matter what the encoding is, so anti-virus companies should theoretically be able to detect this already, if this method is used.
- Because of the above, the more likely method seems to be the embedding of a URL in the message that either refers to the actual JPEG itself or refers to a webpage that loads the infected JPEG. It seems then that the only tool that could detect worms of this sort would be SURBL.
And so on to my question: if I (or anyone else for that matter) submit a domain name that hosts an infected JPEG file, how quickly will the SURBL databases be updated to reflect this infection?
Also, what if the exploit is multi-stage, and tries to infect actual http servers with infected JPEGs, and thousands of websites become infected...? Would it then be necessary to create a separate SURBL list for these infected domains, or could they be listed in, say, the phishing list?
Thanks, Matthew Wilson
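For readers unfamiliar with how a mail filter actually consults SURBL for the second delivery form above (a URL in the message body pointing at a hosted JPEG): the check is a DNS lookup of the URL's domain under the SURBL zone, and a 127.0.0.N answer carries a bitmask saying which list(s) hit. The sketch below is an added example, not code from the list or from the SURBL project. It assumes the query format `domain.multi.surbl.org` (reversed octets for IP-literal URLs), the list bit values in `LIST_BITS` are assumptions to verify against surbl.org, and the "two rightmost labels" domain reduction is a simplification that ignores ccTLD registries such as co.uk. The resolver is injected so the example runs offline against a constructed stand-in zone.

```python
"""
Defender-side check: extract URLs from a mail body, reduce each host to the
name SURBL would be asked about, and query a SURBL-style DNS zone.
Pass dns_resolve() instead of FAKE_ZONE.get to query the real zone.
"""
import re
import socket
from urllib.parse import urlparse

SURBL_ZONE = "multi.surbl.org"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Bit-to-list mapping is ASSUMED for this example; confirm against the
# current SURBL documentation before relying on it.
LIST_BITS = {8: "ph", 16: "mw"}

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def extract_urls(text):
    """Return every http/https URL found in the message body."""
    return URL_RE.findall(text)


def query_name(host, zone=SURBL_ZONE):
    """Build the DNS name to look up: domain.zone, or reversed IPv4 octets."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return ".".join(reversed(host.split("."))) + "." + zone
    # Simplification: keep the last two labels as the "registered domain".
    labels = host.split(".")
    return ".".join(labels[-2:]) + "." + zone


def decode_bits(addr):
    """Turn a 127.0.0.N answer into the set of list names whose bit is set."""
    last_octet = int(addr.split(".")[-1])
    return {name for bit, name in LIST_BITS.items() if last_octet & bit}


def check_message(body, resolve):
    """resolve(name) -> '127.0.0.N' if listed, else None (NXDOMAIN).

    Returns {url: set_of_list_names} for every listed URL in the body.
    """
    hits = {}
    for url in extract_urls(body):
        host = urlparse(url).hostname
        if not host:
            continue
        answer = resolve(query_name(host))
        if answer:
            hits[url] = decode_bits(answer)
    return hits


def dns_resolve(name):
    """Real resolver: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline stand-in for the SURBL zone (example data only).
FAKE_ZONE = {
    "badpics.example.multi.surbl.org": "127.0.0.24",  # bits 8 + 16
    "2.0.0.10.multi.surbl.org": "127.0.0.8",          # bit 8 only
}

# Constructed sample message body.
SAMPLE_BODY = (
    "Check out my vacation photos!\n"
    "http://img.badpics.example/holiday.jpg\n"
    "http://10.0.0.2/pic.jpg\n"
    "http://www.example.org/harmless.html\n"
)

if __name__ == "__main__":
    for url, lists in check_message(SAMPLE_BODY, FAKE_ZONE.get).items():
        print(url, "->", ", ".join(sorted(lists)))
```

The point of the bitmask is relevant to the last question in the message: a domain hosting malicious JPEGs need not get its own zone, since a single answer can flag several lists at once, and the filter decides which bits it acts on.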
Well here are some random thoughts in no order:
1) I'm not getting web submissions right now. Something is FUBAR there.
2) Perhaps we can work something out with a third party to maintain virus type links like this? I'll email Jeff off list as I have some other questions there.
3) Ehhh....I think Jeff is going to say something along the lines of "SURBL wasn't intended to be used like that." To which I agree, yet sadly SURBL is the tool to catch these.
--Chris
Hi!
- I'm not getting web submissions right now. Something is FUBAR there.
- Perhaps we can work something out with a third party to maintain virus type links like this? I'll email Jeff off list as I have some other questions there.
- Ehhh....I think Jeff is going to say something along the lines of "SURBL wasn't intended to be used like that." To which I agree, yet sadly SURBL is the tool to catch these.
Did you see any sites totally dedicated to those exploits? I don't think there are many out there? Since they are usually shut down fast... ?
Bye, Raymond.