Sanesecurity phishing/scam signatures for ClamAV

New website

2013-03-30T19:22:00.000Z

Well, it's been a while since I've updated the blog, so I thought I'd better do so. To start with, the new website is live, on the sanesecurity.com domain at the moment. More new stuff coming shortly....

fake dhl email using pif

2011-05-19T10:13:00.003+01:00

Another round of fake DHL emails... but this time... it's got a PIF attachment, instead of the
normal zipped exe variety.

Here's the email....

Submitted to Threatexpert:
http://www.threatexpert.com/report.aspx?md5=8b7c994f4d5b0b5e35216bd68d87edb3

Submitted to VirusTotal (7/43)
http://www.virustotal.com/file-scan/report.html?id=2936d561853db9119ac2d5e7120f80d4e8ed39fa191365b5d8be83cfa4f95343-1305796256

It seems to be interested in the following banks:
http://eureka.cyber-ta.org/OUTPUT/8b7c994f4d5b0b5e35216bd68d87edb3/dns.txt

Detected as:

Sanesecurity.Rogue.2050 and Sanesecurity.Malware.16418

Cheers,

Steve
Sanesecurity

strange facebook emails

2011-03-30T11:09:00.007+01:00

Received this interesting and very simple email today...

From the source code you can see, that the link doesn't go to facebook...

... It instead, takes you to a forum... which has been hacked (which you can see when you look into the source code)

The forum then re-directs you, via a 302 re-redirect... to another site (seen with httpfox)

The final site you end up with... is a fake anti-virus site, which are generally a pain to remove :(

Checking the actual fake anti-virus site (in bold) with urlvoid.com...

You can see that out of 21 url checkers... they all come up clean....

It's not nice out there.... but Sanesecurity.Malware.15890 and Sanesecurity.Malware.15891 are currently blocking these emails.

Cheers,

Steve
Sanesecurity

birth certificate malware

2010-09-14T14:16:00.003+01:00

Here's a birth certificate email:

Inside the zip... is surprise, surprise... an exe file:

Submitted to VirusTotal:

Added detection as:

Sanesecurity.Rogue.0hr.0914v32427 (rogue.hdb)

Cheers,

Steve
Sanesecurity

New FedEx malware run... Zbot

2010-08-26T11:45:00.004+01:00

Been a while since I've posted to here, so thought it was about time...

A new malware run *just* came in... with a nice jpg and a not-so-nice exe in a zip file...

Submitted the exe to VirusTotal and the detection, isn't great...

Already being detected as: Sanesecurity.Malware.14529.UNOFFICIAL

Cheers,

Steve
Sanesecurity

Fake Facebook Password Reset Confirmation

2009-10-27T08:13:00.003Z

Hi,

Has loads of these hit the inbox this morning....

Virus Total:

Antivirus	Version	Last Update	Result
a-squared	4.5.0.41	2009.10.27	-
AhnLab-V3	5.0.0.2	2009.10.26	-
AntiVir	7.9.1.44	2009.10.26	-
Antiy-AVL	2.0.3.7	2009.10.26	-
Authentium	5.1.2.4	2009.10.27	W32/Bredolab!Generic
Avast	4.8.1351.0	2009.10.26	-
AVG	8.5.0.423	2009.10.26	Win32/Heur
BitDefender	7.2	2009.10.27	Trojan.Downloader.Bredolab.AZ
CAT-QuickHeal	10.00	2009.10.27	-
ClamAV	0.94.1	2009.10.27	-
Comodo	2744	2009.10.27	Heur.Packed.Unknown
DrWeb	5.0.0.12182	2009.10.27	-
eSafe	7.0.17.0	2009.10.25	Suspicious File
eTrust-Vet	35.1.7084	2009.10.26	-
F-Prot	4.5.1.85	2009.10.26	-
F-Secure	9.0.15370.0	2009.10.22	Trojan.Downloader.Bredolab.AZ
Fortinet	3.120.0.0	2009.10.26	-
GData	19	2009.10.27	Trojan.Downloader.Bredolab.AZ
Ikarus	T3.1.1.72.0	2009.10.27	-
Jiangmin	11.0.800	2009.10.26	-
K7AntiVirus	7.10.879	2009.10.24	-
Kaspersky	7.0.0.125	2009.10.27	Packed.Win32.Krap.w
McAfee	5783	2009.10.26	Bredolab.gen.a
McAfee+Artemis	5783	2009.10.26	Bredolab.gen.a
McAfee-GW-Edition	6.8.5	2009.10.27	-
Microsoft	1.5202	2009.10.27	TrojanDownloader:Win32/Bredolab.X
NOD32	4545	2009.10.26	-
Norman	6.03.02	2009.10.26	W32/Obfuscated.D2!genr
nProtect	2009.1.8.0	2009.10.26	-
Panda	10.0.2.2	2009.10.26	-
PCTools	4.4.2.0	2009.10.19	-
Prevx	3.0	2009.10.27	-
Rising	21.53.10.00	2009.10.27	-
Sophos	4.46.0	2009.10.27	Mal/Bredo-A
Sunbelt	3.2.1858.2	2009.10.26	Trojan.Win32.Bredolab.Gen.1 (v)
Symantec	1.4.4.12	2009.10.27	-
TheHacker	6.5.0.2.054	2009.10.26	-
TrendMicro	8.950.0.1094	2009.10.27	TROJ_BREDLAB.SMF
VBA32	3.12.10.11	2009.10.26	-
ViRobot	2009.10.27.2006	2009.10.27	-
VirusBuster	4.6.5.0	2009.10.26	-

Detected as:

Sanesecurity.Malware.12841
Sanesecurity.Malware.12842

Spammer Fail

2009-08-26T15:57:00.006+01:00

A nice big...

to the spammer that sent this...

Firefox says....

I think they meant http:// not htt://

:)

michael jackson virus already :(

2009-06-26T15:39:00.005+01:00

Well, it didn't take long for the "them" to abuse the situation did it? :(

News item, with a picture and "video" to download:

Here's the Anubis report on the "video"

Being detected as : Sanesecurity.Malware.11747.UNOFFICIAL

Update: Other article with translation here

Cheers,

Steve
Sanesecurity

Fake News/Flash Player

2009-03-16T11:30:00.004Z

Interesting email came in just:

I worry about you httx: // ho.bestbreakingfree.com/news.php

Here's the "news page" that you are taken too....

Downloading the fake Player and running it through VirusTotal gives you this:

VirusTotal

As you can see the 0-hour detection rates aren't that good (3/39 scanners) :(

I'm sure we'll see more of this.

A good way to cut down on costs.. or not

2009-02-25T08:21:00.004Z

I received an email today, looks quite safe and perhaps needed in the current climate... cutting costs:

Clicking on the link, you are taken to a nice friendly looking coupon page to save money...

Ah... it's asking to download an exe file... best submit to virus total first....

VirusTotal Results shows it's not exactly going to save us money... but does give us something nasty... for free :(

13.01.09: News

2009-02-13T21:27:00.002Z

Lots of changes have been made recently to the download scripts, so if you haven't
checked out the new versions recently, it might be worth taking a look in the usage page.

In other news, there is now a support forum available here and there is now a searchable mailing list available here

20.01.09: News

2009-01-31T21:41:00.001Z

31.01.09: Update... aka Oops... forgot to update the main blog

20.01.09: News

It's been a while... but the Sanesecurity signatures have returned!

We disappeared for a while due a DDos, a small number of users who overloaded the shared hosting servers by downloading the signatures every second and in reality, an unscalable download system.

The old download system doesn't work any more and won't be coming back, so if you haven't done already, please disable your cron jobs and wget/curls downloads, as a new round-robin rsync based download url is available.

All the changes are detailed here.

There's also a Sanesecurity list, which is recommended that signature users subscribe to, so that any future problems can be reported directly to you:

Subscribe to Sanesecurity list, by sending an email to the address in the below graphic, with a subject of: subscribe

There is an archive, so you can read previous messages here

Finally, thank you for all the support and feedback.

Steve
Sanesecurity

Update 18/01/09

2009-01-18T13:23:00.000Z

Subscribe to Sanesecurity list, by sending an email to the address in the below graphic,
with a subject of: subscribe

Currently there is a great deal of work going on behind the scenes in getting the signatures back. This is the status so far:

* wget/curl etc. will no longer be used to download the signatures, we're moving to rsync. So please disable all downloads for the signatures, as they won't be coming back using the old urls.

* Signatures will now be signed using GnuPG, ensuring integrity of the signatures. The public key for these signature will be available from here.

For example, here's a good verify:

gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: Good signature from "Sanesecurity (Sanesecurity Signatures)"

Here's a bad verify:

gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: BAD signature from "Sanesecurity (Sanesecurity Signatures)"

* will be using round-robin dns system, to help spread the load over rsync servers.

* three new databases added: spear.ndb, spamimg.hdb and spam.ldb

* donation page, using PayPal will now also accept credit cards and hopefully will be able to provide and invoice for people who want one.

Hopefully, there will be more updates soon... so signup to the Sanesecurity list for more news.

Finally a Huuuuuuge thank you to everyone who has helped and offered help.

14/12/08: Sanesecurity signatures ddos

2008-12-15T19:46:00.000Z

Sanesecurity signatures are no longer being updated or distributed due to extremely high server resource usage, which appears to be from a distributed denial of service attack (DDoS). I've moved server hosts twice (which takes time) and both times have resulted in the site being suspended.

As many of you know, I produce the signatures and run the site, in my spare time and with Christmas approaching I’m finding my spare time is currently limited.

Hopefully this won’t be the end of the signatures and I’m hoping that they may return in the New Year.

May I take this opportunity to thank everyone who has helped this project, either by
providing samples, bandwidth, download scripts or donating.

Thanks and sorry to let you all down.

Steve
Sanesecurity

Fake Auto Identification Card documents

2008-08-14T13:53:00.003+01:00

Just received the following email, with a zip file attached (containing an exe file):

Submitted the file to VirusTotal and the result isn't very good (3/36 scanners):

Submitting the file to ThreatExpert, gives the following result

"Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system."

Added detection as: Email.Malware.Sanesecurity.08081405

Fake Contract Documents

2008-08-14T10:48:00.011+01:00

Received the following email, which looks the same as a version received about a week ago:

Received: from [199.214.241.xxx] (h-199-214-241-xxx.norquest.ca [199.214.241.xxx]
by raq0402.xxxxxxxxxx.co.uk (8.13.1/8.13.1) with ESMTP id m7E5rk9W028214
for ; Thu, 14 Aug 2008 06:53:47 +0100

As you can see, it's got a zip attachment, which submitting to VirusTotal, gives us:

I'd already added a signature to catch the earlier version (11th August) and it also detected this latest version too: Email.Malware.Sanesecurity.08081101 (added 11th August 2008)

Submitting this to ThreatExpert, gives you this worrying result !

Ie: "Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible."

As you can see from the stats, it's still being spammed out:

None of this is a worry, to those admins who are blocking exe's inside zip files though :)

MSNBC StormNews Spam: Update

2008-08-14T07:53:00.002+01:00

Well they've changed the landing page URL yesterday evening... but this change was detected with the generic Email.Malware.Sanesecurity.08081301.StormNews.MSNBCGen signature I'd added yesterday morming

As well as the URL change... they managed to make the make an Msnbc logoed one, instead of the CNN one, we had yesterday :)

There was also a change to the domain, that serves the fake anti-virus software too.

On my servers.... the stats so far...

CNN vs Msnbc:

Email.Malware.Sanesecurity.08081003.StormNews.CnnGen: 9,519
Email.Malware.Sanesecurity.08080606.StormNews.Cnn: 5,138
Email.Malware.Sanesecurity.08080802.StormNews.CnnGen: 3,483
Email.Malware.Sanesecurity.08081002.StormNews.CnnGen: 3,182
Email.Malware.Sanesecurity.08080800.StormNews.Cnn: 1,608
Email.Malware.Sanesecurity.08080902.StormNews.Cnn: 1,032

Email.Malware.Sanesecurity.08081300.StormNews.MSNBC: 2,018
Email.Malware.Sanesecurity.08081302.StormNews.MSNBC: 1,985

MSNBC StormNews Spam

2008-08-13T10:38:00.004+01:00

Following on from the CNN virus spam we all know and love...looks like the spammers have got bored with CNN and moved onto MSNBC:

... but the MSNBC landing page... erm... still shows the CNN logo... ooops:

Exe file info: VirusTotal and ThreatExpert

However, we do now have popups for some free rogue anti-virus scanning software:

Needless to say, don't even try to download this!

Detection added as: Email.Malware.Sanesecurity.08081300.StormNews.MSNBC

New Fake CNN email

2008-08-08T08:48:00.004+01:00

Looks like a new round of CNN News emails are coming in:

Here's the fake landing page:

Virus Total Report

Detection added as: Email.Malware.Sanesecurity.08080800.StormNews.Cnn

Note: if you are using Firefox and the Noscript plugin, won't see the above page

0 hour UPS Invoice

2008-08-05T08:27:00.004+01:00

There was another spam run of the fake UPS invoice yesterday, this time with a different version of the malware, in the zip attachment:

What was interesting, was that the signatures I'd added to catch the last one, detected the new varient too:

As you can see from the above stats graph, Email_Malware_Sanesecurity_08072227
(in yellow) was being blocked from around 5.30pm to 7pm. ClamAV started detecting the attched file at 7pm (Trojan_Zbot_1737).

What does the exe file do? (contained in the zip)... well, here's what ThreatExpert said

Signature update notices via Twitter

2008-07-30T12:35:00.003+01:00

Signature update notices via Twitter

ClamAV Third-Party Signature names

2008-07-03T20:26:00.002+01:00

Just a heads up really, that the next version of ClamAV will automatically add an ".UNOFFICIAL" suffix to ALL 3rd party signatures.

Example 1:

Email.Phishing.Bank.Gen2559.Sanesecurity.08070201 would become Email.Phishing.Bank.Gen2559.Sanesecurity.08070201.UNOFFICIAL

Example 2:

MSRBL-SPAM.Feed.Blaster.2759 would become
MSRBL-SPAM.Feed.Blaster.2759.UNOFFICIAL

SQL Injection: example blocked

2008-05-20T15:41:00.002+01:00

There's still a huge amount of SQL injected sites still out there (list of serving sites)

For example:

Looking at the html for the site, you can see the .js file, added inside the TITLE html code:

If you are using clarkconnect (or other ClamAV based web-filtering) the latest update to the SaneSecurity signatures should help block the current sites:

Signature(s):

Email.Malware.Sanesecurity.08051902.SQLInj (generic)
Email.Malware.Sanesecurity.08052000.SQLInj (generic)
Email.Malware.Sanesecurity.08052001.SQLInj (generic)
Email.Malware.Sanesecurity.08052002.SQLInj (generic)
Email.Malware.Sanesecurity.08052003.SQLInj (generic)
Email.Malware.Sanesecurity.Url.SQLInj_xx

Rogue MP3 Trojan streaks across P2P networks

2008-05-07T14:53:00.002+01:00

Hopefully people have seen this.. but it's worth posting:

Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks.

Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the most significant malware outbreak in the last three years.

Source: TheRegister
Source: Mcafee

What's interesting about this, is that I came across this "new" idea from a post by ISS (dated 29th April), which you can see here

While the above post talked about .ASF files, all the bad-guys have done is rename the .asf files to .mp3... Windows Media Player just reads Metadata in the header and runs the script :(

SaneSecurity ClamAV Generic detection was added on 30th April 2008 for this new idea and so I was interested to find that these "new" mp3s McAfee are talking about, are found using the same generic signature :)

Eg: eview-T-3545425-turbanlporno.mp3: Email.Malware.Sanesecurity.08043001.WmaScript FOUND

Note: You must be using ClamAV v0.93 to be able to detect this

Fake YouTube email spammed

2007-11-12T10:58:00.000Z

Interesting YouTube email has just been spammed:

As you can see from the link, it's a fake YouTube site, which takes you here:

Current VirusTotal detection for the install_flash_player.exe file:

Email detected as: Email.Malware.Sanesecurity.07111200