<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">On 9/22/2021 8:10 PM, Kenneth Porter
      via MIMEDefang wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:294A241AB876D4CDE76C350C@[192.168.1.16]">I'm already
      running ClamAV and I block on file extensions. Is there any way to
      recognize executables by content and block them? I just saw this
      article on a coming attack vector through Windows Subsystem for
      Linux (WSL) in which the payload is an ELF binary that then
      downloads and spawns a Windows binary.
      <br>
      <br>
      <a class="moz-txt-link-rfc2396E"
href="https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/"
        moz-do-not-send="true"><https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/></a>
      <br>
      <br>
      The hard part would be defining "executable" but that could be
      extensible.
    </blockquote>
    <p>You could use some quick code that reads the first few bytes of
      the file attachments and then compares it for certain matches
      called Magic Bytes.  For ELF, it's 0x7F followed by ELF in ASCII
      (45 4c 46).</p>
    <p>You could use that to block any ELF file.</p>
    <p>Regards,</p>
    <p>KAM<br>
    </p>
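<p>As an added example of the magic-byte check described in the reply above (this is not code from the original mail, from MIMEDefang, or from the thread's participants), the Python below classifies an attachment by its leading bytes. It goes a little beyond the ELF case in the mail: it also recognises Windows PE (the "MZ" DOS header plus the "PE\0\0" signature at the offset stored in e_lfanew) and thin Mach-O headers, and it treats a truncated or header-only file as "not an executable" rather than raising. The sample headers are constructed inline and contain no real program code.</p>

```python
import struct
from typing import Optional

# Magic values are read directly from the file format specifications;
# nothing here is specific to any real malware sample.
ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # 32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # 32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # 64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # 64-bit, little-endian
}
E_LFANEW_OFFSET = 0x3C  # where the DOS header stores the PE header offset

# How many bytes a mail filter would read from an attachment; the PE check
# needs the DOS header (0x40 bytes) plus whatever e_lfanew points at.
HEAD_SIZE = 4096


def classify_executable(data: bytes) -> Optional[str]:
    """Return 'ELF', 'PE', 'MZ' or 'Mach-O' if the leading bytes look like a
    native executable, else None. Short or truncated input never raises."""
    if len(data) >= 4 and data[:4] == ELF_MAGIC:
        return "ELF"
    if len(data) >= 4 and data[:4] in MACHO_MAGICS:
        return "Mach-O"
    if len(data) >= 2 and data[:2] == MZ_MAGIC:
        # A DOS header alone is already a (DOS) executable; look for the PE
        # signature to tell a modern Windows binary apart from that.
        if len(data) >= E_LFANEW_OFFSET + 4:
            e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
            # Guard the slice: a bogus or out-of-range offset must not be
            # mistaken for a PE header, but the file is still MZ-based.
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                return "PE"
        return "MZ"
    return None


def classify_file(path: str) -> Optional[str]:
    """Read only the head of a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_executable(fh.read(HEAD_SIZE))


def make_sample_elf() -> bytes:
    """Constructed ELF header fragment (magic, 64-bit, LSB, version 1)."""
    return ELF_MAGIC + b"\x02\x01\x01" + bytes(9)


def make_sample_pe() -> bytes:
    """Constructed MZ header whose e_lfanew points at a PE signature."""
    hdr = bytearray(0x44)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x40)
    hdr[0x40:0x44] = PE_SIGNATURE
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed inputs only; the last two show the non-executable paths.
    for label, blob in [
        ("elf", make_sample_elf()),
        ("pe", make_sample_pe()),
        ("dos-only", MZ_MAGIC + bytes(62)),
        ("macho", b"\xcf\xfa\xed\xfe" + bytes(12)),
        ("pdf", b"%PDF-1.7\n"),
        ("truncated", b"\x7fEL"),
    ]:
        print(f"{label:10s} -> {classify_executable(blob)}")
```

<p>A filter would call classify_file() on the attachment's temporary path and drop or quarantine the message when it returns anything other than None. Note that this only sees the outer attachment: an ELF inside a zip, tar or other container is not caught by a head-of-file check, so archive handling (or ClamAV's own unpacking) still has to cover that case.</p>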
  </body>
</html>