[Dshield] RE: Dshield digest- Klez Question- Paul Marsh.

efleckles@goodsill.com efleckles at goodsill.com
Sat May 4 22:33:41 GMT 2002

Hi Paul-

Klez has many variants now (7 or 8); we are capturing many that have no file
extension at all, along with others that run the gamut of attachment types.
There are actually two things to worry about with the Klez.  The first is
the need to block email attachments not only based on their file extension,
but on their ability to actually execute code (i.e., program.exe can still
execute if it is renamed to program.txt, etc.) so that you have layered
protection against the renaming/multi-naming tricks. More importantly, I
found that the Klez comes equipped with its auto-launching mechanism
embedded in the HTML code that will execute WHATEVER is attached (thanks to
John Harding for schooling me on this one).  So it is also critical to strip
out any HTML with embedded scripting.  This is different than the Microsoft
vulnerability that was posted, as these are valid HTML commands running as
they were intended.  Using this method they can shove whatever they want in
there and have it run.

Eric Fleckles
Technology Administrator
Goodsill Anderson Quinn & Stifel
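
Added example, not part of the original message: a minimal Python sketch of the two checks described above, identifying executable attachments by content rather than by file name and flagging HTML parts that carry embedded active content. The function names, the list of HTML tags treated as active, and the sample message are assumptions constructed for this example.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# Tags treated as embedded active content (an assumption of this example).
ACTIVE_HTML = re.compile(rb"<\s*(script|iframe|object|embed|applet)\b", re.I)

def looks_executable(data: bytes) -> bool:
    """True if data is a Windows PE image: 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"

def scan_message(raw: bytes) -> list[str]:
    """Return reasons to quarantine; file names and declared types are never trusted."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        if looks_executable(body):
            findings.append(f"PE executable in {part.get_filename()!r} "
                            f"declared as {part.get_content_type()}")
        if part.get_content_type() == "text/html" and ACTIVE_HTML.search(body):
            findings.append("HTML part with embedded active content")
    return findings

def build_sample() -> bytes:
    """Constructed test message: scripted HTML body plus a PE header named program.txt."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_alternative("<html><body><script>/* inert */</script></body></html>",
                        subtype="html")
    fake_pe = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"  # header only
    msg.add_attachment(fake_pe, maintype="text", subtype="plain",
                       filename="program.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The PE check covers only Windows PE images; a gateway filter would extend `looks_executable` to the other executable and script formats it needs to block.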

