05-23-2002, 06:06 PM
spanky
Confirmed User
 
Join Date: Apr 2002
Posts: 231
Hello, just a couple of thoughts about all of this.

It would seem like detection would be preferable to processing every file.

The gif file that I got had an invalid header but it's probably safe to say that most do have valid headers.

The gif licensing is pretty restrictive so processing every file may not even be an option. At a company I used to work for we decided not to compress gifs after we spoke to Unisys about the licensing costs. Decompressing gifs is ok, compressing with Unisys algorithms is not without a license.

Couldn't the files be identified by establishing a 'normal' ratio of bytes/pixel for each file type and testing the abnormal bytes/pixel ratios of these warez files against this normal? So far it looks like the jpeg headers contain the height and width of the valid image data with the rest of the crap tagged on to the end.

Let's say that r = b/(h*w), where r is our ratio, b is the number of bytes and h & w are the height and width reported in the header.

I grabbed 5 of the files posted earlier:
AGF2nd811.jpg 146618/(100 x 118) = 12.4252542372881
AGF2nd812.jpg 163365/(200 x 160) = 5.10515625
AGF2nd813.jpg 161336/(126 x 176) = 7.27525252525253
AGF2nd814.jpg 104842/(116 x 150) = 6.02540229885058
AGF2nd815.jpg 121379/(93 x 160) = 8.15719086021505

Compared with 5 (non warez) files reasonably compressed:
minnkim-035.jpg 34981/(600 x 457) = 0.127574762946754
minnkim-036.jpg 35846/(600 x 457) = 0.13072939460248
minnkim-037.jpg 30728/(600 x 457) = 0.112064186725018
minnkim-138.jpg 46571/(457 x 600) = 0.169843180160467

The ratios of bytes/pixel are severely out of whack with these warez files.

It would seem as though some C or asm code could read the headers of all new files on the system (either through hooking into ftp events or cron jobs on log files, doesn't really matter), compute the ratio of bytes per pixel, compare that against the normal and flag any abnormal ratios for deletion or human examination.

Any thoughts or comments on this?

cheers
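The check proposed in the post above, sketched in C as an added example (not code from the thread): it reads the height and width from the JPEG frame header, computes r = b/(h*w), and flags files with an unusable header or an abnormal ratio. The function names, the constructed sample builder and the 3.0 cut-off are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed cut-off: raw 24-bit RGB is 3 bytes/pixel, so a JPEG above it is abnormal. */
#define BPP_THRESHOLD 3.0

/* Read height/width from the first SOFn frame header. 0 on success, -1 on error. */
int jpeg_dimensions(const uint8_t *buf, size_t len, unsigned *h, unsigned *w) {
    size_t i = 2, seglen;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;  /* no SOI */
    while (i + 4 <= len) {
        uint8_t m = buf[i + 1];
        if (buf[i] != 0xFF) return -1;               /* lost marker sync */
        if (m == 0xFF) { i++; continue; }            /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD8)) { i += 2; continue; } /* no payload */
        if (m == 0xD9 || m == 0xDA) return -1;       /* EOI/SOS before any SOF */
        seglen = ((size_t)buf[i + 2] << 8) | buf[i + 3];
        if (seglen < 2 || i + 2 + seglen > len) return -1;  /* truncated segment */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seglen < 7) return -1;               /* too short to hold h and w */
            *h = ((unsigned)buf[i + 5] << 8) | buf[i + 6];
            *w = ((unsigned)buf[i + 7] << 8) | buf[i + 8];
            return 0;
        }
        i += 2 + seglen;                             /* skip APPn, DQT, DHT, ... */
    }
    return -1;
}

/* r = b/(h*w) as defined in the post; -1.0 if the header is unusable. */
double bytes_per_pixel(const uint8_t *buf, size_t len) {
    unsigned h, w;
    if (jpeg_dimensions(buf, len, &h, &w) != 0 || h == 0 || w == 0) return -1.0;
    return (double)len / ((double)h * (double)w);
}

/* 1 = flag for deletion or human review (bad header or abnormal ratio), 0 = normal. */
int flag_file(const uint8_t *buf, size_t len) {
    double r = bytes_per_pixel(buf, len);
    return r < 0.0 || r > BPP_THRESHOLD;
}

/* Constructed sample: SOI + SOF0 header claiming h x w, zero-filled up to len bytes. */
void make_sample(uint8_t *buf, size_t len, unsigned h, unsigned w) {
    const uint8_t hdr[] = { 0xFF, 0xD8, 0xFF, 0xC0, 0x00, 0x0B, 8,
        (uint8_t)(h >> 8), (uint8_t)h, (uint8_t)(w >> 8), (uint8_t)w, 1, 1, 0x11, 0 };
    memset(buf, 0, len);
    memcpy(buf, hdr, sizeof hdr < len ? sizeof hdr : len);
}
```

A production version would read each new upload from disk and derive the cut-off per file type from known-good samples, as the post suggests.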