Wednesday, 19 September 2007

SaneSecurity News: Corrupt Signatures

For a few hours today, one of the mirrors had a corrupt version of phish.ndb.gz.

After being alerted to the fact by a user, I informed the mirror admin about the issue and the problem was then fixed.

The scripts on the SaneSecurity site check the integrity of the signatures before they are moved into the ClamAV database directory for use, and have done so for some time.

This is important not only for the SaneSecurity signatures but for any third-party signatures: if you move a corrupt signature file into the ClamAV directory, it will stop ClamAV from scanning your emails until you sort the problem out.
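As an added illustration of the kind of pre-install check described above (this is not the SaneSecurity script itself), here is a small POSIX sh pair of functions: verify_ndb rejects an archive that fails gzip integrity, decompresses to nothing, or contains records that do not fit the .ndb layout, and asks clamscan to test-load the file when clamscan is installed; install_ndb only then writes the database into the directory, via a temporary name and a rename. It assumes gzip and awk are on the path; clamscan is optional. The archive path and database directory are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not SaneSecurity's own script): verify a third-party .ndb.gz
# signature archive before it goes anywhere near the ClamAV database directory.
# Assumptions: POSIX sh, gzip and awk available; clamscan is optional and used
# for a test load when present. Paths are whatever the caller passes in.

# verify_ndb ARCHIVE
# Returns 0 when ARCHIVE passes every check, non-zero (with a reason on stderr) otherwise.
verify_ndb() {
    archive=$1
    [ -f "$archive" ] || { echo "verify_ndb: no such file: $archive" >&2; return 1; }

    # 1. gzip integrity: a truncated or corrupted download fails here.
    gzip -t "$archive" 2>/dev/null || { echo "verify_ndb: gzip integrity check failed: $archive" >&2; return 2; }

    # Decompress into a scratch directory; keep the .ndb extension so clamscan
    # recognises the database type if it is asked to load the file.
    work=$(mktemp -d) || return 1
    candidate="$work/candidate.ndb"
    gzip -dc "$archive" > "$candidate" 2>/dev/null || { rm -rf "$work"; return 2; }

    # 2. A zero-length database is as useless as a corrupt one.
    if [ ! -s "$candidate" ]; then
        echo "verify_ndb: decompressed database is empty: $archive" >&2
        rm -rf "$work"; return 3
    fi

    # 3. Structural check for the .ndb format: every record is
    #    MalwareName:TargetType:Offset:HexSignature, i.e. exactly four
    #    colon-separated fields with a numeric target type.
    if ! awk -F: 'BEGIN { bad = 0 } /^#/ { next } NF != 4 || $2 !~ /^[0-9]+$/ { bad = 1 } END { exit bad }' "$candidate"; then
        echo "verify_ndb: malformed .ndb record(s) in $archive" >&2
        rm -rf "$work"; return 4
    fi

    # 4. If clamscan is installed, let the real parser have the final say by
    #    loading only this database and scanning an empty file. Exit status 2
    #    from clamscan means it could not load the database.
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --quiet -d "$candidate" /dev/null >/dev/null 2>&1
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "verify_ndb: clamscan refused to load $archive" >&2
            rm -rf "$work"; return 5
        fi
    fi

    rm -rf "$work"
    return 0
}

# install_ndb ARCHIVE DBDIR
# Verifies ARCHIVE, then decompresses it into DBDIR under a temporary name and
# renames it into place, so ClamAV never picks up a half-written file. Nothing
# in DBDIR is touched when verification fails.
install_ndb() {
    archive=$1
    dbdir=$2
    verify_ndb "$archive" || return $?
    mkdir -p "$dbdir" || return 1
    name=$(basename "$archive" .gz)
    gzip -dc "$archive" > "$dbdir/.$name.tmp" || { rm -f "$dbdir/.$name.tmp"; return 1; }
    mv -f "$dbdir/.$name.tmp" "$dbdir/$name"
}
```

A typical call would be install_ndb phish.ndb.gz /var/lib/clamav (the directory is an example; use whatever DatabaseDirectory your clamd.conf names). The field-count check is specific to .ndb files; .hdb and .ldb records have a different layout, so a script handling those formats needs its own structural check or should rely on the clamscan test load alone.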

If you're running your own script or have an old version of the SaneSecurity scripts, it might be worth updating them:

http://sanesecurity.co.uk/clamav/usage.htm

I do always check signature integrity before uploading... so they leave here fine... but the end-user must always double-check their download integrity before use.

Apologies for the corrupt file and any problems caused.

Cheers,

Steve

Sunday, 16 September 2007

Storm Worm Again: free games

You know the drill by now...

First you get an email, something like this one, with an IP address URL:

You are taken to a fake page, asking to download an exe file:

But the exe file isn't all that it seems. Here's what VirusTotal had to say:

Currently detected as: Email.Malware.Sanesecurity.0709160x (0-3)

Tuesday, 11 September 2007

SaneSecurity news

Firstly, some quite amazing news: on Wednesday 5th September at 9pm, I was lucky enough to have a 30 minute phone chat with Dean Drako, CEO of Barracuda Networks.

Dean confirmed that Barracuda are using my signatures as part of their multi-layer of defence. Dean also confirmed that Barracuda are now a SaneSecurity signature mirror and Sanesecurity even get a mention here too.

Secondly, a new experimental project, PhishBar, which you can read more about here, but please read the big red flashing LED warning bits before using it.

In a nutshell, it's a way of seeing if any of your users have phishing sites stored in their home directories/user space on your servers.

Sunday, 9 September 2007

Storm Worm Again: NFL

New storm worm version just hitting, all about NFL Football (12 am UK time):

The link goes to a very nice looking NFL site, asking you to download a tracker exe file:

Submitting the exe file to VirusTotal shows the following (currently patchy) results:

Detection for the email, currently: Email.Malware.Sanesecurity.070908xx (02-06)

I'm sure there will be more!

Thursday, 6 September 2007

storm worm: all change :)

Heads up, new storm worm incoming... oooooh... the RIAA are after everybody and, worryingly, some people might fall for this one:

When you click on the given link, you are taken to this page, asking you to download an exe file:

Current detection is a little patchy:

So far, the following Sanesecurity signatures match the variants seen:

Email.Malware.Sanesecurity.07090600
Email.Malware.Sanesecurity.07090601
Email.Malware.Sanesecurity.07090602

Tuesday, 4 September 2007

419 DOC spam

Here's a slightly different 419 spam:

The attached Word document looks like this:

Detection for this is: Email.Scam4.Gen1002.Sanesecurity.07090406.doc

storm worm: labor day

Little bit late on this writeup... but no doubt you've seen these various ecards:

If you click on the link, you get a lovely page, like this:

Which asks you to download an exe file. Submitting the exe file to VirusTotal gives the following results:

Detection for these cards is:

Email.Malware.Sanesecurity.070903xx (02-11)