RE: SECURITY.NNOV: Bypassing content filtering software

From: Aidan O'Kelly (aidanokellyat_private)
Date: Mon Feb 18 2002 - 09:31:25 PST


    I was messing around with this kind of stuff a while back. There are a lot
    of ways you can get past mail filtering systems, because most of them
    won't emulate the exact behaviour of the e-mail clients, especially if you
    have multiple clients. Anyway, one of the most effective methods against
    Outlook/Outlook Express is to just name the file

    eviltrojan."e"x"e

    Outlook/OE will just take the quotes out of the filename before it's run.
    I tested this on a couple of mail filtering systems, and it will let the
    file through.
    
    I wrote a Perl file to automagically do it:
    http://packetstormsecurity.org/0107-exploits/attqt.pl
    
    Of course most filtering systems will scan the file and recognize it as
    an executable (PE) and disallow it (same goes for vbs/js files etc., they
    usually look for very common VB or JS code), but I'm sure they don't
    recognize all executable content (like .bat files? or encoded data as
    mentioned in the advisory).
    
    One other thing: Outlook/OE will sometimes give an attachment that has
    no name a name, depending on the content-type, mostly all non-dangerous
    types, i.e. if you have a wav attachment, but it has no filename (in the
    MIME headers) but it has a Content-Type: audio/x-wav, it will name it
    ATT00xxx.wav
    This will work with .hta files if you don't name them and give them
    content-type=application/hta
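A filter-side check written for this archive page, not code from the post or from the attqt.pl script, showing the defensive counterpart of the two behaviours described above: before deciding on an attachment, normalise its name the way the client will (drop quote characters, and give a nameless part an ATT00NNN name derived from its Content-Type), then also sniff the content instead of trusting the name. The extension blocklist, the Content-Type to extension table and the sample MIME message are all constructed for the demo and are assumptions, not the client's real tables.

```python
import email
# Constructed blocklist and assumed Content-Type -> extension table (the post names wav and hta).
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "pif", "hta", "js", "vbs"}
CONTENT_TYPE_EXTENSIONS = {"audio/x-wav": "wav", "application/hta": "hta"}

def client_filename(raw_name, content_type, seq=1):
    # Emulate the client: quotes are dropped; nameless parts become ATT00NNN.<ext>.
    if raw_name:
        return raw_name.replace('"', "")
    ext = CONTENT_TYPE_EXTENSIONS.get(content_type.lower())
    return None if ext is None else f"ATT{seq:05d}.{ext}"

def scan_message(raw):
    # Returns (effective name, verdict, reasons) for each non-multipart part.
    findings, seq = [], 0
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        seq += 1
        name = client_filename(part.get_filename(), part.get_content_type(), seq)
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name and name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension after client normalisation: {name}")
        if data[:2] == b"MZ":  # sniff the content too: PE images start with the MZ stub
            reasons.append("payload carries a PE (MZ) header")
        findings.append((name, "block" if reasons else "allow", reasons))
    return findings

# Constructed sample: a quote-mangled .exe, a nameless .hta, a nameless .wav.
SAMPLE_MESSAGE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=eviltrojan."e"x"e

MZ (constructed stand-in for a PE image)
--b1
Content-Type: application/hta
Content-Disposition: attachment

<html><script>alert(1)</script></html>
--b1
Content-Type: audio/x-wav
Content-Disposition: attachment

RIFF (constructed stand-in for WAV data)
--b1--
"""
```

Running `scan_message(SAMPLE_MESSAGE)` blocks the first two parts (the .exe on both name and MZ signature, the nameless .hta on the synthesised name) and allows the nameless .wav.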
    



    This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 08:05:46 PST