Coffeenix, a System Engineer's Resting Place
  Filtering the NetSky worm (NetSky Worm) with procmail    Posted: 2004/08/12 19:49
 
  • Author : 좋은진호 ( http://coffeenix.net/ )
  • Views : 6845
     
    Title  : Filtering the NetSky worm (NetSky Worm) with procmail
    Author : 좋은진호 (truefeel, http://coffeenix.net/ )
    Date   : 2004.08.12

    Several kinds of NetSky worm (NetSky Worm) are rampant at the moment, and since it is hard to find
    articles on filtering them, I am sharing the filtering rules I use. There are so many variants, with such
    a variety of subject lines, that apart from the major variants that get caught most often I have simply
    listed the patterns one after another.

    1. Filtering

    Let's look at a simple way to block the worm mails with procmail.
    Add the following to /etc/procmailrc, and incoming worm mails will be stored in a separate file or deleted.

     
    WORM_LOG= "/data/WORM.log"

    # -------------------------
    # Win32/Netsky.worm.28008 worm (variant Q)
    # http://info.ahnlab.com/smart2u/virus_detail_1358.html
    # http://www.symantec.com/region/kr/techsupp/avcenter/venc/data/kr-w32.netsky.q@mm.html
    # Subject : 'Mail Delivery (failure mail-address)'
    :0D
    * ^Subject:.*Mail Delivery.*failure
    $WORM_LOG

    :0D
    * ^Subject:.*(Deliver(y|ed)*|Error|Fail(ed|ure)|Mail System|Status|Unknown Exception|ReturnMail).*\(.*@.*\)
    $WORM_LOG

    # -------------------------
    # Netsky.worm.29568 worm
    # http://info.ahnlab.com/smart2u/virus_detail_1351.html
    :0D
    * ^Subject:.(Re: )*(Administration|Bad Request|Delivery (Protection|Server)|Encrypted Mail|(Message )*Error|Extended Mail( System)*|Failure|Mail (Authentification|Server)|Notify|Protected Mail (Delivery|Request|System)|SMTP Server|Secure (SMTP Message|delivery)|Status|Test|Thank you for delivery)$
    $WORM_LOG

    # -------------------------
    # Netsky.worm.16896.B worm
    # http://info.ahnlab.com/smart2u/virus_detail_1342.html
    :0D
    * ^Subject:.*Re: *<.*>.*(Approved|Improved|Details|(My|Your) details|Document|(My|Your|Requested) document|Information|My information|(My|Requested) file)$
    $WORM_LOG

    # -------------------------
    # Netsky.worm.17424 (variant D) or Netsky.worm.27648 (variant G)
    # Both variants use the same mail subjects
    # http://info.ahnlab.com/smart2u/virus_detail_1330.html
    # http://info.ahnlab.com/smart2u/virus_detail_1336.html
    :0D
    * ^Subject:.(Re: )*([Aa]pproved|[Dd]etails|Document|(Excel|Word) file|[Hh]ello|[Hh]i|here|My datails|Message|[Tt]hanks!)$
    $WORM_LOG

    :0D
    * ^Subject: *Re: *Your [a-z][a-z][a-z]+$
    $WORM_LOG

    # -------------------------
    # Netsky.worm variants and other worm variants
    # http://www.krcert.org/detail/2004/Win32_Netsky.html
    :0D
    * ^Subject:.(Re: )*(improved|(Approved |word |Your )*document|Info|hey|read it immediately|(important )*[i|I]nformation|something for you|Hello.*congratulations!|screensaver|Wow|test|important|[Tt]ext|website|(Error in|Stolen) document|Correction)$
    $WORM_LOG

    :0D
    * ^Subject:.(Re: )*(Is that your (document|password)\?|Here is the document|Does it matter\?)$
    $WORM_LOG

     

    * Download: http://coffeenix.net/truefeel/files/worm_filter.rc.txt

    All matching mail is saved in full to $WORM_LOG. If you do not need it, use /dev/null instead.

    - All filtering is done on the Subject header only.
    - Subjects with several 'Re:' prefixes, such as 'Re: Re: Hi', are filtered as well.
    - Matching is case-sensitive (the D flag is used).
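
    The following Python snippet is an added example, not part of the original post: it emulates how these :0D recipes decide a message's fate by applying a few of the post's own Subject patterns, case-sensitively, to constructed sample messages, so a rule set can be checked against sample headers before it goes into /etc/procmailrc. The rule subset, the sample messages and the function names are assumptions made for the illustration; the last sample shows the false positive that subject-only matching can produce.

```python
import re

# Subset of the recipes above (the post's own patterns); assumption: the
# full list is the one in the downloadable worm_filter.rc.txt.
WORM_RULES = [
    r"^Subject:.*Mail Delivery.*failure",
    r"^Subject:.*(Deliver(y|ed)*|Error|Fail(ed|ure)|Mail System|Status|Unknown Exception|ReturnMail).*\(.*@.*\)",
    r"^Subject:.(Re: )*([Aa]pproved|[Dd]etails|Document|(Excel|Word) file|[Hh]ello|[Hh]i|here|My datails|Message|[Tt]hanks!)$",
    r"^Subject: *Re: *Your [a-z][a-z][a-z]+$",
]


def subject_line(raw_message: str):
    """Return the raw 'Subject:' header line, or None if there is none.
    procmail matches '* ^Subject:' conditions against the header block,
    which ends at the first blank line."""
    header, _, _ = raw_message.partition("\n\n")
    for line in header.splitlines():
        if line.startswith("Subject:"):
            return line
    return None


def classify(raw_message: str, rules=WORM_RULES, worm_log="/data/WORM.log"):
    """Emulate the :0D recipes: the D flag makes the egrep case-sensitive,
    the first matching recipe delivers the mail to worm_log, and a mail
    that matches nothing is delivered normally (returned as None)."""
    line = subject_line(raw_message)
    if line is None:
        return None
    for pattern in rules:
        if re.search(pattern, line):  # no IGNORECASE: this is the D flag
            return worm_log
    return None


# Constructed sample messages (headers only matter here).
WORM_MAIL = "From: a@example.net\nSubject: Re: Re: Hi\n\nsee attachment"
FAKE_BOUNCE = "Subject: Mail Delivery (failure user@example.org)\n\nbody"
LEGIT_MAIL = "Subject: Re: your invoice\n\nthanks"          # lowercase 'your': not caught
FALSE_POSITIVE = "Subject: Re: Your report\n\nattached"       # legit, but caught by the last rule

if __name__ == "__main__":
    for name, msg in [("worm", WORM_MAIL), ("bounce", FAKE_BOUNCE),
                      ("legit", LEGIT_MAIL), ("false positive", FALSE_POSITIVE)]:
        print(f"{name:15s} -> {classify(msg) or 'deliver normally'}")
```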

    2. References

    * Netsky.worm.29568 worm
      http://info.ahnlab.com/smart2u/virus_detail_1351.html
    * Netsky.worm.16896.B worm
      http://info.ahnlab.com/smart2u/virus_detail_1342.html
    * An article summarizing the NetSky worm variants
      http://www.krcert.org/detail/2004/Win32_Netsky.html


    Coffeenix, a System Engineer's Resting Place / URL : http://coffeenix.net/board_view.php?bd_code=452