Monday, 30 April 2007

new users suspended temporarily

Well, for the moment I've had to suspend any new users from downloading sigs/scripts.
I've only got 20 gig hosting currently and this month, I've hit over 15 gig... so playing it safe, new users are suspended until I sort something out.

Please could everyone check that their scripts are downloading using the HEAD command i.e. only grabbing the downloads when they have changed.

Some users have been downloading the sigs regardless of changes and it's not really helping, while other users have made mistakes and are trying to download every minute :(
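One way to do the HEAD check asked for above, as an added example that is not the author's or any project's own script: it sends a HEAD request with curl, compares the ETag or Last-Modified value with the one cached from the previous run, and downloads only when it differs. `SIG_URL`, `STATE_DIR`, the `--run` argument and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. SIG_URL is a placeholder, not a real signature mirror.
SIG_URL="${SIG_URL:-https://mirror.example.invalid/sigs/example.ndb.gz}"
STATE_DIR="${STATE_DIR:-./sigstate}"

# Read raw HEAD response headers on stdin and print the change validator:
# ETag if present, otherwise Last-Modified. Header names are case-insensitive,
# lines end in CRLF, and after a redirect only the final response counts.
validator_from_headers() {
    tr -d '\r' | awk '
        /^HTTP\// { etag = ""; lm = ""; next }
        { i = index($0, ":"); if (i == 0) next
          key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
          sub(/^[ \t]+/, "", val)
          if (key == "etag") etag = val
          if (key == "last-modified") lm = val }
        END { if (etag != "") { print "etag=" etag }
              else if (lm != "") { print "last-modified=" lm } }'
}

# Exit status: 0 = changed, download; 1 = unchanged; 2 = server sent no
# validator (assumed policy here: skip rather than download blindly).
needs_download() {
    [ -n "$1" ] || return 2
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

update_sigs() {
    mkdir -p "$STATE_DIR" || return 1
    cache="$STATE_DIR/validator"; tmp="$STATE_DIR/download.tmp"
    new=$(curl -fsSIL --max-time 30 "$SIG_URL" | validator_from_headers)
    rc=0; needs_download "$new" "$cache" || rc=$?
    case $rc in
        1) echo "unchanged, nothing to fetch"; return 0 ;;
        2) echo "no ETag/Last-Modified in HEAD response, skipping" >&2; return 1 ;;
    esac
    curl -fsSL --max-time 300 -o "$tmp" "$SIG_URL" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$STATE_DIR/${SIG_URL##*/}" && printf '%s\n' "$new" > "$cache"
}

# Run from cron as "script.sh --run"; without the argument nothing is fetched.
if [ "${1:-}" = "--run" ]; then update_sigs; fi
```

The validator is written to the cache only after the download has succeeded, so a failed transfer is retried on the next run instead of being recorded as up to date.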

Sunday, 29 April 2007

Greeting Card

Here's a slightly odd greeting card currently detected as: Email.Malware.Sanesecurity.07030201

It doesn't look anything special to look at... but wait... what's this.... oh look, it's a username/password ftp link to download a normally nasty .pif file:

So, it loads the Zapchast trojan, as can be seen from some VirusTotal results:

Now, let's look at the live FTP site. You can see from the screen grab the .pif file containing the trojan. Hmmm.... there seem to be other folders there too:

Hang on... that's an Italian Bank name!

Let's see what it looks like in Firefox (with NoScript plugin enabled).

Yup, it's a Poste Italiane bank fraud page, just waiting to capture your details:

Saturday, 28 April 2007

Would you like any spam with your spam?

Is anyone going to bother?

I know the spammers have to hide from SURBLs etc., so they've decided to do this:

Look www.2211122. And add COM after dot at the end

Is anyone that receives a spam like this really going to bother adding a .com to the end of www.2211122. ????

It's detected as:
Email.Spam.Gen398.Sanesecurity.07042502

Sanesecurity Blog

Yup, I thought it was about time I started a blog, which might make things a little bit easier for news items... well, that's the plan anyway.