Monday, 15 December 2008

14/12/08: Sanesecurity signatures ddos

Sanesecurity signatures are no longer being updated or distributed due to extremely high server resource usage, which appears to be from a distributed denial of service attack (DDoS). I've moved server hosts twice (which takes time) and both times have resulted in the site being suspended.

As many of you know, I produce the signatures and run the site in my spare time, and with Christmas approaching I'm finding that spare time is currently limited.

Hopefully this won’t be the end of the signatures and I’m hoping that they may return in the New Year.

May I take this opportunity to thank everyone who has helped this project, either by providing samples, bandwidth, download scripts or donating.

Thanks and sorry to let you all down.

Steve
Sanesecurity

Thursday, 14 August 2008

Fake Auto Identification Card documents

Just received the following email, with a zip file attached (containing an exe file):

Submitted the file to VirusTotal and the result isn't very good (3/36 scanners):

Submitting the file to ThreatExpert gives the following result:

"Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system."

Added detection as: Email.Malware.Sanesecurity.08081405

Fake Contract Documents

Received the following email, which looks the same as a version received about a week ago:

Received: from [199.214.241.xxx] (h-199-214-241-xxx.norquest.ca [199.214.241.xxx]
by raq0402.xxxxxxxxxx.co.uk (8.13.1/8.13.1) with ESMTP id m7E5rk9W028214
for
; Thu, 14 Aug 2008 06:53:47 +0100

As you can see, it's got a zip attachment; submitting it to VirusTotal gives us:

I'd already added a signature to catch the earlier version (11th August), and it also detected this latest version: Email.Malware.Sanesecurity.08081101 (added 11th August 2008).

Submitting this to ThreatExpert gives this worrying result!

i.e. "Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible."

As you can see from the stats, it's still being spammed out:

None of this is a worry to those admins who are blocking exes inside zip files though :)

MSNBC StormNews Spam: Update

Well, they changed the landing page URL yesterday evening... but this change was detected by the generic Email.Malware.Sanesecurity.08081301.StormNews.MSNBCGen signature I'd added yesterday morning.

As well as the URL change... they managed to make an MSNBC-logoed one, instead of the CNN one we had yesterday :)

There was also a change to the domain that serves the fake anti-virus software.

On my servers.... the stats so far...

CNN vs Msnbc:

Email.Malware.Sanesecurity.08081003.StormNews.CnnGen: 9,519
Email.Malware.Sanesecurity.08080606.StormNews.Cnn: 5,138
Email.Malware.Sanesecurity.08080802.StormNews.CnnGen: 3,483
Email.Malware.Sanesecurity.08081002.StormNews.CnnGen: 3,182
Email.Malware.Sanesecurity.08080800.StormNews.Cnn: 1,608
Email.Malware.Sanesecurity.08080902.StormNews.Cnn: 1,032

Email.Malware.Sanesecurity.08081300.StormNews.MSNBC: 2,018
Email.Malware.Sanesecurity.08081302.StormNews.MSNBC: 1,985

Wednesday, 13 August 2008

MSNBC StormNews Spam

Following on from the CNN virus spam we all know and love... looks like the spammers have got bored with CNN and moved on to MSNBC:

... but the MSNBC landing page... erm... still shows the CNN logo... ooops:

Exe file info: VirusTotal and ThreatExpert

However, we do now have popups for some free rogue anti-virus scanning software:

Needless to say, don't even try to download this!

Detection added as: Email.Malware.Sanesecurity.08081300.StormNews.MSNBC

Friday, 8 August 2008

New Fake CNN email

Looks like a new round of CNN News emails is coming in:

Here's the fake landing page:

Virus Total Report

Detection added as: Email.Malware.Sanesecurity.08080800.StormNews.Cnn

Note: if you are using Firefox and the NoScript plugin, you won't see the above page.

Tuesday, 5 August 2008

0 hour UPS Invoice

There was another spam run of the fake UPS invoice yesterday, this time with a different version of the malware, in the zip attachment:

What was interesting was that the signatures I'd added to catch the last one detected the new variant too:

As you can see from the above stats graph, Email_Malware_Sanesecurity_08072227 (in yellow) was being blocked from around 5.30pm to 7pm. ClamAV started detecting the attached file at 7pm (Trojan_Zbot_1737).

What does the exe file (contained in the zip) do? Well, here's what ThreatExpert said

Thursday, 3 July 2008

ClamAV Third-Party Signature names

Just a heads up really, that the next version of ClamAV will automatically add an ".UNOFFICIAL" suffix to ALL 3rd party signatures.

Example 1:

Email.Phishing.Bank.Gen2559.Sanesecurity.08070201 would become Email.Phishing.Bank.Gen2559.Sanesecurity.08070201.UNOFFICIAL

Example 2:

MSRBL-SPAM.Feed.Blaster.2759 would become MSRBL-SPAM.Feed.Blaster.2759.UNOFFICIAL
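The suffix change matters to anyone who parses scan output or keys mail-filter rules on signature names, and it also bears on how the per-signature hit counts shown in the StormNews post above are produced. The following is an added example (not Sanesecurity's or ClamAV's own code) that parses clamscan-style "path: SIGNATURE FOUND" lines, strips the ".UNOFFICIAL" suffix so old and new forms count as one signature, and tallies hits; the sample scan lines and paths are constructed.

```python
import re
from collections import Counter

# Added example, not Sanesecurity's or ClamAV's own code: parse clamscan/clamd
# "path: SIGNATURE FOUND" lines, strip the ".UNOFFICIAL" suffix newer ClamAV
# appends to third-party signatures, and tally hits per signature so reports
# and mail-filter rules keyed on signature names survive the change.

UNOFFICIAL_SUFFIX = ".UNOFFICIAL"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def normalize_signature(name):
    """Return the signature name without a trailing .UNOFFICIAL suffix."""
    if name.endswith(UNOFFICIAL_SUFFIX):
        return name[: -len(UNOFFICIAL_SUFFIX)]
    return name


def parse_found_line(line):
    """Parse one 'path: SIGNATURE FOUND' line into (path, sig), else None."""
    m = FOUND_RE.match(line.strip())
    return (m.group("path"), m.group("sig")) if m else None


def tally_signatures(lines):
    """Count hits per normalized signature name over scan output lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_found_line(line)
        if parsed is None:
            continue  # "OK" lines, summary lines, blanks
        counts[normalize_signature(parsed[1])] += 1
    return counts


# Constructed sample scan output: the pre-suffix and suffixed forms of one
# signature must land in the same bucket.
SAMPLE_SCAN_OUTPUT = [
    "/var/spool/mail/a.eml: Email.Phishing.Bank.Gen2559.Sanesecurity.08070201 FOUND",
    "/var/spool/mail/b.eml: Email.Phishing.Bank.Gen2559.Sanesecurity.08070201.UNOFFICIAL FOUND",
    "/var/spool/mail/c.eml: MSRBL-SPAM.Feed.Blaster.2759.UNOFFICIAL FOUND",
    "/var/spool/mail/d.eml: OK",
    "/var/spool/mail/e.eml: Email.Malware.Sanesecurity.08081300.StormNews.MSNBC.UNOFFICIAL FOUND",
]

if __name__ == "__main__":
    for sig, n in tally_signatures(SAMPLE_SCAN_OUTPUT).most_common():
        print(f"{sig}: {n}")
```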

Tuesday, 20 May 2008

SQL Injection: example blocked

There are still a huge number of SQL-injected sites out there (list of serving sites).

For example:

Looking at the HTML for the site, you can see the .js file added inside the TITLE tag:
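As an added example (not code from the original post), here is a small checker for the pattern just described: a script tag wired into a page's title area, where the injected string typically either sits inside the title text or closes the real title early and drops the script straight after it. The hostnames in the constructed sample HTML are placeholders; a legitimate script placed directly after a title would also be reported, so treat a hit as something to look at rather than proof of compromise.

```python
import re

# Added example, not code from the original post: find <script> tags that
# were injected into (or immediately after) a page's <title>, the pattern the
# mass SQL-injection defacements described above leave behind. Hostnames in
# the sample HTML are constructed.

TITLE_RE = re.compile(
    r"<title\b[^>]*>(?P<body>.*?)</title\s*>(?P<after>.*)", re.I | re.S
)
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?P<src>[^\"'\s>]+)", re.I
)


def find_title_scripts(html):
    """Return src values of script tags inside the title or right after it.

    Injected strings often close the real title early, so the script can
    appear either within the title text or directly after the first </title>.
    """
    m = TITLE_RE.search(html)
    if not m:
        return []
    hits = [s.group("src") for s in SCRIPT_SRC_RE.finditer(m.group("body"))]
    after = m.group("after").lstrip()
    if after.lower().startswith("<script"):
        first = SCRIPT_SRC_RE.match(after)
        if first:
            hits.append(first.group("src"))
    return hits


def is_defaced(html):
    """True when an external script is wired into the title area."""
    return bool(find_title_scripts(html))


# Constructed samples: a clean page and one carrying an injected script.
CLEAN_PAGE = "<html><head><title>Widgets Ltd</title></head><body>Hi</body></html>"
INJECTED_PAGE = (
    "<html><head><title>Widgets Ltd</title>"
    '<script src="http://bad.example.invalid/b.js"></script><!--'
    "</title></head><body>Hi</body></html>"
)

if __name__ == "__main__":
    print(find_title_scripts(INJECTED_PAGE))
```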

If you are using ClarkConnect (or other ClamAV-based web filtering), the latest update to the SaneSecurity signatures should help block the current sites:

Signature(s):

Email.Malware.Sanesecurity.08051902.SQLInj (generic)
Email.Malware.Sanesecurity.08052000.SQLInj (generic)
Email.Malware.Sanesecurity.08052001.SQLInj (generic)
Email.Malware.Sanesecurity.08052002.SQLInj (generic)
Email.Malware.Sanesecurity.08052003.SQLInj (generic)
Email.Malware.Sanesecurity.Url.SQLInj_xx

Wednesday, 7 May 2008

Rogue MP3 Trojan streaks across P2P networks

Hopefully people have seen this... but it's worth posting:


Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks.

Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the most significant malware outbreak in the last three years.

Source: TheRegister
Source: Mcafee

What's interesting about this is that I came across this "new" idea in a post by ISS (dated 29th April), which you can see here

While the above post talked about .ASF files, all the bad guys have done is rename the .asf files to .mp3... Windows Media Player just reads the metadata in the header and runs the script :(

SaneSecurity ClamAV generic detection was added on 30th April 2008 for this new idea, so I was interested to find that these "new" MP3s McAfee are talking about are caught by the same generic signature :)

e.g. eview-T-3545425-turbanlporno.mp3: Email.Malware.Sanesecurity.08043001.WmaScript FOUND

Note: you must be using ClamAV v0.93 to be able to detect this.
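The renaming trick above works because the player looks at the container header, not the file extension. As an added example (not code from the original post or from ClamAV), the following checks whether a file named .mp3 actually begins with the ASF header GUID, and whether the header carries a URLANDEXIT script command, the ASF command type that makes Windows Media Player open a URL; all sample bytes are constructed and the verdict names are this example's own.

```python
# Added example, not code from the original post or from ClamAV: flag files
# that carry a .mp3 name but are really ASF containers, and check whether the
# ASF header carries a URLANDEXIT script command, the mechanism that makes
# Windows Media Player open a URL as described above. Sample bytes are
# constructed.

# ASF Header Object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C, little-endian.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
# ASF strings are UTF-16LE; the raw ASCII form is checked as well.
URLANDEXIT_MARKERS = (b"URLANDEXIT", "URLANDEXIT".encode("utf-16-le"))
ASF_EXTENSIONS = {"asf", "wma", "wmv"}


def is_asf(data):
    """True when the file starts with the ASF Header Object GUID."""
    return data[:16] == ASF_HEADER_GUID


def looks_like_mp3(data):
    """True for an ID3v2 tag or an MPEG audio frame sync at offset 0."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def has_url_script_command(data):
    """True when a URLANDEXIT script command string is present."""
    return any(marker in data for marker in URLANDEXIT_MARKERS)


def classify(filename, data):
    """Return 'asf', 'asf-disguised', 'mp3' or 'unknown' for a file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_asf(data):
        return "asf" if ext in ASF_EXTENSIONS else "asf-disguised"
    if looks_like_mp3(data):
        return "mp3"
    return "unknown"


# Constructed samples: a renamed ASF file with a URL command, and a real MP3.
DISGUISED_ASF = (ASF_HEADER_GUID + b"\x00" * 16
                 + "URLANDEXIT".encode("utf-16-le") + b"\x00" * 8)
GENUINE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00"

if __name__ == "__main__":
    for name, blob in (("track.mp3", DISGUISED_ASF), ("song.mp3", GENUINE_MP3)):
        print(name, classify(name, blob), has_url_script_command(blob))
```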