[Discussion] Just one question
Seth Hall
hall.692 at osu.edu
Fri Mar 20 10:56:21 UTC 2009
On Mar 20, 2009, at 12:55 AM, Will Metcalf wrote:
> oops, sorry had content-disposition on the brain today. I meant range
> requests, so for example malware x gets installed outside of your
> environment and a user brings it back into your environment. Twice a
> day malware x checks for a new copy of itself but to avoid detection
> by inline AVs and something like the md5hash checks you speak of it
> pulls pieces of itself using range requests so almost like a download
> manager. How/can you deal with content reconstruction across multiple
> TCP sessions? I know inline AV scanners for the most part can't
> properly deal with this; I was just wondering if Bro could. Hopefully
> that makes sense, I'm pretty sleepy at this point.... ;-)
Hah, that would be pretty sneaky. Is there any malware that does this?
What's nice about Bro is that you can always modify your script to
account for strange situations like this. I think I might write a
script soon to see how common range requests are. What this scenario
does make difficult is that it makes it harder to even identify that
it's a Windows executable, but I suppose they'd have to download the
beginning of the file eventually anyway, so you'd see one chunk of it
matching as a Windows executable. The easy hack we could do is kick
off a download of the file once we notice a range request for an
executable file. Bro will then have an opportunity to see the full
file.
Thanks for the question, that had never even crossed my mind. :)
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
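To make the reconstruction problem discussed above concrete, here is an added Python model (not a Bro script, and not code from either poster) that collects 206 Partial Content chunks per URL across separate sessions and reports once the leading bytes are in hand and carry the "MZ" magic of a Windows executable. The host, path and byte contents are constructed sample data.

```python
import re
from collections import defaultdict

# Matches a Content-Range response header such as "bytes 0-3/4096".
CONTENT_RANGE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")

class RangeReassembler:
    """Accumulate the ranged pieces of one URL, however many TCP sessions
    they arrive over, and say when the file head or the whole file is known."""

    def __init__(self):
        self.total = None   # file length, once a Content-Range states it
        self.chunks = {}    # start offset -> body bytes

    def add(self, content_range, body):
        m = CONTENT_RANGE.match(content_range)
        if not m:
            raise ValueError(f"unsupported Content-Range: {content_range!r}")
        start, end = int(m.group(1)), int(m.group(2))
        if end - start + 1 != len(body):
            raise ValueError("body length disagrees with Content-Range")
        if m.group(3) != "*":
            self.total = int(m.group(3))
        self.chunks[start] = body

    def covered_prefix(self):
        """Contiguous bytes known from offset 0; the first gap ends it."""
        out, pos = b"", 0
        for start in sorted(self.chunks):
            if start > pos:
                break                      # gap: later chunks do not help yet
            body = self.chunks[start]
            out += body[pos - start:]      # drop overlap with earlier chunks
            pos = max(pos, start + len(body))
        return out

    def looks_like_pe(self):
        return self.covered_prefix()[:2] == b"MZ"   # DOS header magic

    def is_complete(self):
        return self.total is not None and len(self.covered_prefix()) >= self.total

def track_sessions(sessions):
    """Feed (host, uri, content_range, body) tuples, one per observed session,
    into a reassembler per URL; return {(host, uri): (pe_seen, complete)}."""
    files = defaultdict(RangeReassembler)
    for host, uri, content_range, body in sessions:
        files[(host, uri)].add(content_range, body)
    return {k: (r.looks_like_pe(), r.is_complete()) for k, r in files.items()}

# Constructed sample: a 12-byte "executable" fetched in three sessions, the
# piece holding the file head arriving last, as the thread's scenario describes.
SAMPLE = [
    ("example.test", "/x.bin", "bytes 8-11/12", b"\x00\x00\x00\x00"),
    ("example.test", "/x.bin", "bytes 4-7/12", b"\x03\x00\x00\x00"),
    ("example.test", "/x.bin", "bytes 0-3/12", b"MZ\x90\x00"),
]
```

Feeding only the first two sessions yields no verdict; the third, which carries offset 0, makes the executable identifiable and the file complete.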