[Mimedefang] On Avoiding Signature-Based Content Filters

David F. Skoll dfs at roaringpenguin.com
Tue Sep 17 14:33:00 EDT 2002


Hi,

I posted this to Bugtraq.  May be of interest to people on this list.

--
David.

---------- Forwarded message ----------
Date: Tue, 17 Sep 2002 14:28:50 -0400 (EDT)
From: David F. Skoll <dfs at roaringpenguin.com>
To: bugtraq at securityfocus.com
Subject: On Avoiding Signature-Based Content Filters

Hi,

I've put a short paper up at:

http://www.roaringpenguin.com/thinning.pdf

Abstract:

Many people use anti-virus scanners which rely on detecting
special signatures to identify viruses.  The scanners have a
database of known signatures (which are simply sequences of byte
values), and any file or e-mail message matching a signature is
flagged as a virus.  In this paper, we demonstrate how to construct
an executable which has no signature.  In other words, the executable
can "mutate" at each transmission, and the mutations have no reliable
signature by which to identify them.

I'm not sure if the ideas in the paper are new, but they are quite
simple and easy to implement.

--
David.




