MS04-028 trojan - a customer written A-V engine

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Tue Sep 28 12:08:16 IST 2004


Julian

In spite of having up to date Sophos and McAfee virus scan engines and
data files they both failed to detect what is supposed to be an example
of the MS04-028 JPEG exploit.

A number of Perl scripts are now available which _will_ detect the
exploit, or at least the example we have. How can we use these scripts
in MailScanner?

One suggestion made by a colleague here is for you to provide an
interface in MS to a GENERIC anti-virus engine. Your MS interface would
specify the strings/codes to be returned by this engine and the method
of return. 

You would publish details of this interface. As far as MS is concerned
it would be just another A-V engine that it can use.  

Sites could then write their own Perl script that conforms to this
interface and have the script used by MS by adding the "GENERIC" engine
to the list in "MailScanner.conf" of the A-V engines to be used by
MailScanner.

In our case the GENERIC A-V engine would implement one of the publicly
available Perl scripts that can detect the JPEG trojan.

Being able to quickly respond ourselves to known virus/worm/trojan
threats would be of significant benefit. Has implementing a "custom
anti-virus" engine been suggested before?

PS. Why can't we simply block JPEGs using an existing MS mechanism? Well,
it is more likely that a JPEG carrying this exploit will be embedded in
Word docs and other file types rather than appear as a JPEG attachment
to a message.

Quentin 
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." 

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
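The following is an added example of what a site-written "GENERIC" engine script for the interface proposed above could look like; it is not part of MailScanner and the output format (one tab-separated line per file, exit status 0/1/2) is an assumption, since the message only proposes that such an interface be specified. The detection rule it applies is the known MS04-028 trigger: a JPEG COM (0xFFFE) segment whose 16-bit length field is below 2. Because the PS notes that the JPEG may be embedded in Word documents and other file types, the script looks for every SOI signature in a file rather than only at offset 0, which goes beyond a plain JPEG-attachment check. With no arguments it runs over three constructed sample buffers so it can be tried offline.

```perl
#!/usr/bin/perl
# generic-av.pl (hypothetical name): example script for the proposed
# "GENERIC" A-V engine interface.  Assumed output, one line per file:
#   FILE<TAB>CLEAN
#   FILE<TAB>INFECTED<TAB>Exploit/MS04-028-JPEG<TAB>offset-of-bad-segment
#   FILE<TAB>ERROR<TAB>reason
# Assumed exit status: 0 all clean, 1 something flagged, 2 a read error.
use strict;
use warnings;

# Walk the marker segments of one JPEG stream starting at the SOI at $start.
# Returns the offset of a COM segment whose length field is < 2 (the
# MS04-028 trigger: the length includes its own two bytes, so anything
# below 2 is malformed and underflows a naive "length - 2" computation),
# or undef if the stream ends, hits scan data, or is otherwise unparseable.
sub scan_jpeg_stream {
    my ($data, $start) = @_;
    my $pos = $start + 2;            # skip FF D8
    my $len = length $data;
    while ($pos + 4 <= $len) {
        return undef unless ord(substr($data, $pos, 1)) == 0xFF;
        my $marker = ord(substr($data, $pos + 1, 1));
        if ($marker == 0xFF) { $pos++; next; }   # fill byte, skip it
        return undef if $marker == 0xD9;          # EOI: stream ended cleanly
        return undef if $marker == 0xDA;          # SOS: entropy-coded data, stop
        if (($marker >= 0xD0 && $marker <= 0xD8) || $marker == 0x01) {
            $pos += 2; next;                      # standalone marker, no length
        }
        my $seglen = unpack('n', substr($data, $pos + 2, 2));
        return $pos if $marker == 0xFE && $seglen < 2;   # MS04-028 pattern
        return undef if $seglen < 2;               # other malformed segment
        $pos += 2 + $seglen;
    }
    return undef;
}

# Scan a whole buffer: parse from every SOI signature found, so a JPEG
# embedded inside another file type (e.g. a Word document) is checked too.
sub scan_buffer {
    my ($data) = @_;
    my $off = 0;
    while (($off = index($data, "\xFF\xD8\xFF", $off)) >= 0) {
        my $hit = scan_jpeg_stream($data, $off);
        return $hit if defined $hit;
        $off++;
    }
    return undef;
}

# Report one buffer in the assumed interface format; returns 0 or 1.
sub report {
    my ($name, $data) = @_;
    my $hit = scan_buffer($data);
    if (defined $hit) {
        print "$name\tINFECTED\tExploit/MS04-028-JPEG\t$hit\n";
        return 1;
    }
    print "$name\tCLEAN\n";
    return 0;
}

my $worst = 0;
if (@ARGV) {
    for my $file (@ARGV) {
        my $fh;
        unless (open($fh, '<:raw', $file)) {
            print "$file\tERROR\t$!\n";
            $worst = 2;
            next;
        }
        my $data = do { local $/; <$fh> };
        close $fh;
        $data = '' unless defined $data;
        my $r = report($file, $data);
        $worst = $r if $r > $worst;
    }
} else {
    # Constructed sample buffers (not real malware): a minimal clean JFIF
    # file, a JPEG whose first COM segment declares length 1, and the same
    # bad JPEG embedded after some non-JPEG bytes.
    my $clean = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9";
    my $bad   = "\xFF\xD8\xFF\xFE\x00\x01\x41\x41\x41\x41\xFF\xD9";
    my $embed = "Not a JPEG container, just filler bytes. " . $bad;
    for my $s (['sample-clean.jpg', $clean], ['sample-bad.jpg', $bad], ['sample-embedded.doc', $embed]) {
        my $r = report(@$s);
        $worst = $r if $r > $worst;
    }
}
exit $worst;
```

Run as `perl generic-av.pl FILE...` against the attachments MailScanner has unpacked; with no arguments it prints CLEAN for the first sample and INFECTED with offsets 2 and 42 for the other two. The SOS stop is deliberate: entropy-coded data may legitimately contain FF bytes, so parsing past it would give false positives, and the segments that matter for this check all precede it.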
