Aycan Irican(aycanat_private)@Sat, Jun 23, 2001 at 10:50:14AM +0300:
>
>
> On Thu, 21 Jun 2001, Robert Davidson Security wrote:
>
> > On Tue, Jun 19, 2001 at 08:53:54PM +0200, Michel Arboi wrote:
> > > --- Markus 'FvD' Weber <fvdat_private> wrote:
> > > > There is 42.zip out there, 42K total size, which consists of
> > > > nested zip's and at the end a 4GB file (IIRC 6 levels deep,
> > > > each level 17 'wide') ... kills most email virus checker.
> > >
> > > I did not know it existed. Altavista found this on
> > > http://www.hanau.net/fgk/downloads/42.zip
> > >
> > > Why is this kind of attack not more common? I suspect that most filters
> > > are vulnerable and yet, they are not listed as such (e.g. on
> > > securityfocus). And companies continue to use them.
> >
> > This used to be really common with BBS's back in their day. The idea
> > back then was to get a 1Gb file full of null characters, compress it
> > and upload it to the BBS, that way when the BBS's virus scanner (which
> > also uncompressed the file) attempted to check the archive for viruses,
> > it would either 1) consume all disk space, 2) keep the system busy for
> > ages (some people ran 386's and 486's back then). The normal thing a
> > user would do is upload the file and then hang up, which also leaves
> > that dial-up line off-line while the virus scanner is checking the
> > contents of the archive.
> >
> > --
> > Regards,
> > Robert Davidson.
> >
>
> oh yes, the old days ...I used pcboard on my BBS and the pfed file
> integrity checker can run any batch job when a line starts with '@'.
> It's an old vulnerability I know.
>
> Maybe we should put disk quota for the user that runs virus scanner
> thingy.
>

There's a thought. Why not just use proc/mem limits to keep it from
overrunning the box? Sure, email delivery time goes to hell, but it
could fork off other jobs, do the massive compress thing slowly.
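
The quota and proc/mem limits proposed in this thread cap the damage from outside the scanner; the scanner can also cap its own decompression. The following is an added example, not part of the original messages: a zip walker that streams members against one byte budget shared by all nesting levels. The names `scan_zip`, `ArchiveTooBig` and `sample_nested_zip`, and the limit values, are assumptions chosen for illustration.

```python
import io
import zipfile

class ArchiveTooBig(Exception):
    """The archive expands past the limits the scanner allows."""

def scan_zip(data, max_bytes, max_depth=4, chunk=64 * 1024):
    """Stream every member of a zip and of zips nested inside it.

    Returns the total bytes decompressed; raises ArchiveTooBig as soon as
    the whole tree exceeds max_bytes or nests deeper than max_depth.
    """
    left = [max_bytes]  # one budget shared by every nesting level

    def walk(blob, depth):
        if depth > max_depth:
            raise ArchiveTooBig(f"nested deeper than {max_depth} levels")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Declared size gives a cheap early reject; the counted
                # read below is what actually enforces the limit.
                if info.file_size > left[0]:
                    raise ArchiveTooBig(f"{info.filename} declares {info.file_size} bytes")
                body = io.BytesIO()
                with zf.open(info) as member:
                    while block := member.read(chunk):
                        left[0] -= len(block)
                        if left[0] < 0:
                            raise ArchiveTooBig(f"{info.filename} overran the budget")
                        body.write(block)
                # A real scanner would hand `body` to its signature engine here.
                if zipfile.is_zipfile(body):
                    walk(body.getvalue(), depth + 1)

    walk(data, 0)
    return max_bytes - left[0]

def sample_nested_zip(levels=2, payload=1 << 20):
    """Constructed input: `payload` zero bytes wrapped in `levels` zips."""
    data = bytes(payload)
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}.bin", data)
        data = buf.getvalue()
    return data

if __name__ == "__main__":
    sample = sample_nested_zip()
    print(len(sample), "bytes stored ->", scan_zip(sample, 4 << 20), "bytes scanned")
```

Because the budget is shared across the whole tree, width and depth both count against the same limit, and the walker stops at the first member that would exceed it instead of after the disk or memory is already full.
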
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 08:12:25 PDT