|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: dealing with w32/bagle
| What follows are the base64 encoded strings. I have put an asterisk | between the first and second character, so my own filters won't reject | this message, do remove that before using... | | U*EsDBAoAAAAAA <= Matches unencrypted ZIP file | U*EsDBAoAAQAAA <= Matches encrypted version. Hi, That'll get the current bagle strains, but the thing could mutate further, setting some of the initial zip header fields differently. As of today we're blocking all possible encrypted zips, not just bagles, with this reg-exp: UEsDB....[Q-Za-fw-z0-9\+/] checking the start of attachments. Derivation below for anyone who cares. Cheers Chris --------------------------------------------------------------------- According to the zip spec (http://www.idcnet.us/zip/zip-format.txt) - The zip header has first four bytes hex = 50 4b 03 04 - The "encrypted" flag is first bit of the 7th byte Doing the maths: Hex 50 4b 03 04 X X bit0set X Binary 01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx 6bits: 010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx Dec: 20 4 44 3 1 0-15 . . . 16-31, 48-63 Base64 U E s D B A-P . . . Q-Za-fw-z0-9+/ Regexp: UEsDB....[Q-Za-fw-z0-9\+/] -- Chris Edwards, Glasgow University Computing Service
|