The Annoyance Filter.pdf - Fourmilab
§166 ANNOYANCE-FILTER MAIL FOLDER 139
166. Certain versions of Microsoft Outlook contain a horrific bug where Outlook decides whether an attachment is executable based on its “Content-Type” declaration, but then actually decides whether to execute it based on its “file type” (the extension on the file name, for example “.EXE”). Predictably, mail worm programs exploit this by tagging their payload as an innocuous file type such as an audio or image file, but with an executable extension.

The static method tests an attachment’s name against a list of vulnerable extensions. If it matches, this is almost certainly a worm, which we should filter through the byte stream parser rather than process normally. This will crack out the strings embedded in the worm, which will help us to fingerprint subsequent worms of the same type.

The list of vulnerable extensions was compiled empirically from examining mail worms collected over a three-year period. I do not know if the list is exhaustive; Microsoft vulnerability experts aware of any I omitted are encouraged to let me know about them.
〈 Class implementations 11 〉 +≡
bool mailFolder::isSpoofedExecutableFileExtension(const string &s)
{
    string sc = s;

    stringCanonicalise(sc);
    /* Look for a three-letter extension introduced by a '.' four
       characters from the end of the canonicalised name. */
    if ((sc.length() > 4) && (sc[sc.length() - 4] == '.')) {
        string ext = sc.substr(sc.length() - 3);
        stringCanonicalise(ext);
        return ((ext == "exe") || (ext == "bat") || (ext == "scr") ||
                (ext == "lnk") || (ext == "pif") || (ext == "com"));
    }
    return false;
}
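As an added example (not code from the Annoyance Filter), the check below goes one step past the extension test above and compares the part's declared media type with the attachment name, flagging exactly the combination described in this section: an audio, image or text Content-Type carrying an executable extension. It also generalises the page's test by taking the extension from the last '.', so double extensions such as "photo.jpg.exe" are caught; all function names and the minimal header parsing are my own assumptions.

```cpp
#include <cctype>
#include <sstream>
#include <string>
// Added example, not Annoyance Filter code: flag the mismatch section 166
// describes between a declared Content-Type and an executable file name.
// All names below are my own assumptions.
std::string lowerCase(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// The page's extension list, but taken from the last '.' so a double
// extension such as "photo.jpg.exe" is also caught.
bool hasExecutableExtension(const std::string &name) {
    std::string n = lowerCase(name);
    std::string::size_type dot = n.rfind('.');
    if (dot == std::string::npos) return false;
    std::string ext = n.substr(dot + 1);
    return ext == "exe" || ext == "bat" || ext == "scr" ||
           ext == "lnk" || ext == "pif" || ext == "com";
}

// Value of a quoted name="..." / filename="..." parameter on a header line,
// or "" if absent.  Deliberately minimal: no RFC 2231 encoded forms.
std::string quotedParam(const std::string &line, const std::string &key) {
    std::string::size_type p = lowerCase(line).find(key + "=\"");
    if (p == std::string::npos) return "";
    p += key.size() + 2;
    std::string::size_type q = line.find('"', p);
    return q == std::string::npos ? "" : line.substr(p, q - p);
}
// True when the part declares an audio/, image/ or text/ media type yet
// names the attachment with an executable extension.
bool isTypeExtensionMismatch(const std::string &partHeaders) {
    std::istringstream in(partHeaders);
    std::string line, mediaType, fileName;
    while (std::getline(in, line)) {
        std::string l = lowerCase(line);
        if (l.rfind("content-type:", 0) == 0)
            mediaType = l.substr(13, l.find_first_of(";\r", 13) - 13);
        if (fileName.empty()) fileName = quotedParam(line, "filename");
        if (fileName.empty()) fileName = quotedParam(line, "name");
    }
    mediaType.erase(0, mediaType.find_first_not_of(" \t"));
    bool claimsBenignType = mediaType.rfind("audio/", 0) == 0 ||
                            mediaType.rfind("image/", 0) == 0 ||
                            mediaType.rfind("text/", 0) == 0;
    return claimsBenignType && hasExecutableExtension(fileName);
}
```

Feed it the header block of a single MIME part (folded continuation lines are fine, since each line is scanned for the name parameter); a true result is the cue to route the part through the byte stream parser as the section describes.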
167. Calculate the size in bytes of the message transcript if written to a monolithic file with lineOverhead bytes (by default 1) per line.

〈 Class implementations 11 〉 +≡
unsigned int mailFolder::sizeMessageTranscript(const unsigned int lineOverhead) const
{
    assert(tlist != NULL);

    unsigned int n = tlist->size(), totsize = 0;

    /* A trailing message sentinel line is not counted as part of the transcript. */
    if ((n > 1) && (tlist->back().substr(0, (sizeof messageSentinel) - 1) == messageSentinel)) {
        n--;
    }
    list<string>::iterator p = tlist->begin();
    for (unsigned int i = 0; i < n; i++) {
        totsize += p->length() + lineOverhead;
        p++;
    }
    return totsize;
}