Sanesecurity phishing/scam signatures for ClamAV

fake dhl email using pif

2011-05-19T10:13:00.003+01:00

Another round of fake DHL emails... but this time... it's got a PIF attachment, instead of the
normal zipped exe variety.

Here's the email....

Submitted to Threatexpert:
http://www.threatexpert.com/report.aspx?md5=8b7c994f4d5b0b5e35216bd68d87edb3

Submitted to VirusTotal (7/43)
http://www.virustotal.com/file-scan/report.html?id=2936d561853db9119ac2d5e7120f80d4e8ed39fa191365b5d8be83cfa4f95343-1305796256

It seems to be interested in the following banks:
http://eureka.cyber-ta.org/OUTPUT/8b7c994f4d5b0b5e35216bd68d87edb3/dns.txt

Detected as:

Sanesecurity.Rogue.2050 and Sanesecurity.Malware.16418

Cheers,

Steve
Sanesecurity

strange facebook emails

2011-03-30T11:09:00.007+01:00

Received this interesting and very simple email today...

From the source code you can see, that the link doesn't go to facebook...

... It instead, takes you to a forum... which has been hacked (which you can see when you look into the source code)

The forum then re-directs you, via a 302 re-redirect... to another site (seen with httpfox)

The final site you end up with... is a fake anti-virus site, which are generally a pain to remove :(

Checking the actual fake anti-virus site (in bold) with urlvoid.com...

You can see that out of 21 url checkers... they all come up clean....

It's not nice out there.... but Sanesecurity.Malware.15890 and Sanesecurity.Malware.15891 are currently blocking these emails.

Cheers,

Steve
Sanesecurity

birth certificate malware

2010-09-14T14:16:00.003+01:00

Here's a birth certificate email:

Inside the zip... is surprise, surprise... an exe file:

Submitted to VirusTotal:

Added detection as:

Sanesecurity.Rogue.0hr.0914v32427 (rogue.hdb)

Cheers,

Steve
Sanesecurity

New FedEx malware run... Zbot

2010-08-26T11:45:00.004+01:00

Been a while since I've posted to here, so thought it was about time...

A new malware run *just* came in... with a nice jpg and a not-so-nice exe in a zip file...

Submitted the exe to VirusTotal and the detection, isn't great...

Already being detected as: Sanesecurity.Malware.14529.UNOFFICIAL

Cheers,

Steve
Sanesecurity

Fake Facebook Password Reset Confirmation

2009-10-27T08:13:00.003Z

Hi,

Has loads of these hit the inbox this morning....

Virus Total:

Antivirus	Version	Last Update	Result
a-squared	4.5.0.41	2009.10.27	-
AhnLab-V3	5.0.0.2	2009.10.26	-
AntiVir	7.9.1.44	2009.10.26	-
Antiy-AVL	2.0.3.7	2009.10.26	-
Authentium	5.1.2.4	2009.10.27	W32/Bredolab!Generic
Avast	4.8.1351.0	2009.10.26	-
AVG	8.5.0.423	2009.10.26	Win32/Heur
BitDefender	7.2	2009.10.27	Trojan.Downloader.Bredolab.AZ
CAT-QuickHeal	10.00	2009.10.27	-
ClamAV	0.94.1	2009.10.27	-
Comodo	2744	2009.10.27	Heur.Packed.Unknown
DrWeb	5.0.0.12182	2009.10.27	-
eSafe	7.0.17.0	2009.10.25	Suspicious File
eTrust-Vet	35.1.7084	2009.10.26	-
F-Prot	4.5.1.85	2009.10.26	-
F-Secure	9.0.15370.0	2009.10.22	Trojan.Downloader.Bredolab.AZ
Fortinet	3.120.0.0	2009.10.26	-
GData	19	2009.10.27	Trojan.Downloader.Bredolab.AZ
Ikarus	T3.1.1.72.0	2009.10.27	-
Jiangmin	11.0.800	2009.10.26	-
K7AntiVirus	7.10.879	2009.10.24	-
Kaspersky	7.0.0.125	2009.10.27	Packed.Win32.Krap.w
McAfee	5783	2009.10.26	Bredolab.gen.a
McAfee+Artemis	5783	2009.10.26	Bredolab.gen.a
McAfee-GW-Edition	6.8.5	2009.10.27	-
Microsoft	1.5202	2009.10.27	TrojanDownloader:Win32/Bredolab.X
NOD32	4545	2009.10.26	-
Norman	6.03.02	2009.10.26	W32/Obfuscated.D2!genr
nProtect	2009.1.8.0	2009.10.26	-
Panda	10.0.2.2	2009.10.26	-
PCTools	4.4.2.0	2009.10.19	-
Prevx	3.0	2009.10.27	-
Rising	21.53.10.00	2009.10.27	-
Sophos	4.46.0	2009.10.27	Mal/Bredo-A
Sunbelt	3.2.1858.2	2009.10.26	Trojan.Win32.Bredolab.Gen.1 (v)
Symantec	1.4.4.12	2009.10.27	-
TheHacker	6.5.0.2.054	2009.10.26	-
TrendMicro	8.950.0.1094	2009.10.27	TROJ_BREDLAB.SMF
VBA32	3.12.10.11	2009.10.26	-
ViRobot	2009.10.27.2006	2009.10.27	-
VirusBuster	4.6.5.0	2009.10.26	-

Detected as:

Sanesecurity.Malware.12841
Sanesecurity.Malware.12842

Spammer Fail

2009-08-26T15:57:00.006+01:00

A nice big...

to the spammer that sent this...

Firefox says....

I think they meant http:// not htt://

:)

michael jackson virus already :(

2009-06-26T15:39:00.005+01:00

Well, it didn't take long for the "them" to abuse the situation did it? :(

News item, with a picture and "video" to download:

Here's the Anubis report on the "video"

Being detected as : Sanesecurity.Malware.11747.UNOFFICIAL

Update: Other article with translation here

Cheers,

Steve
Sanesecurity

Fake News/Flash Player

2009-03-16T11:30:00.004Z

Interesting email came in just:

I worry about you httx: // ho.bestbreakingfree.com/news.php

Here's the "news page" that you are taken too....

Downloading the fake Player and running it through VirusTotal gives you this:

VirusTotal

As you can see the 0-hour detection rates aren't that good (3/39 scanners) :(

I'm sure we'll see more of this.

A good way to cut down on costs.. or not

2009-02-25T08:21:00.004Z

I received an email today, looks quite safe and perhaps needed in the current climate... cutting costs:

Clicking on the link, you are taken to a nice friendly looking coupon page to save money...

Ah... it's asking to download an exe file... best submit to virus total first....

VirusTotal Results shows it's not exactly going to save us money... but does give us something nasty... for free :(

13.01.09: News

2009-02-13T21:27:00.002Z

Lots of changes have been made recently to the download scripts, so if you haven't
checked out the new versions recently, it might be worth taking a look in the usage page.

In other news, there is now a support forum available here and there is now a searchable mailing list available here

20.01.09: News

2009-01-31T21:41:00.001Z

31.01.09: Update... aka Oops... forgot to update the main blog

20.01.09: News

It's been a while... but the Sanesecurity signatures have returned!

We disappeared for a while due a DDos, a small number of users who overloaded the shared hosting servers by downloading the signatures every second and in reality, an unscalable download system.

The old download system doesn't work any more and won't be coming back, so if you haven't done already, please disable your cron jobs and wget/curls downloads, as a new round-robin rsync based download url is available.

All the changes are detailed here.

There's also a Sanesecurity list, which is recommended that signature users subscribe to, so that any future problems can be reported directly to you:

Subscribe to Sanesecurity list, by sending an email to the address in the below graphic, with a subject of: subscribe

There is an archive, so you can read previous messages here

Finally, thank you for all the support and feedback.

Steve
Sanesecurity

Update 18/01/09

2009-01-18T13:23:00.000Z

Subscribe to Sanesecurity list, by sending an email to the address in the below graphic,
with a subject of: subscribe

Currently there is a great deal of work going on behind the scenes in getting the signatures back. This is the status so far:

* wget/curl etc. will no longer be used to download the signatures, we're moving to rsync. So please disable all downloads for the signatures, as they won't be coming back using the old urls.

* Signatures will now be signed using GnuPG, ensuring integrity of the signatures. The public key for these signature will be available from here.

For example, here's a good verify:

gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: Good signature from "Sanesecurity (Sanesecurity Signatures)"

Here's a bad verify:

gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: BAD signature from "Sanesecurity (Sanesecurity Signatures)"

* will be using round-robin dns system, to help spread the load over rsync servers.

* three new databases added: spear.ndb, spamimg.hdb and spam.ldb

* donation page, using PayPal will now also accept credit cards and hopefully will be able to provide and invoice for people who want one.

Hopefully, there will be more updates soon... so signup to the Sanesecurity list for more news.

Finally a Huuuuuuge thank you to everyone who has helped and offered help.

14/12/08: Sanesecurity signatures ddos

2008-12-15T19:46:00.000Z

Sanesecurity signatures are no longer being updated or distributed due to extremely high server resource usage, which appears to be from a distributed denial of service attack (DDoS). I've moved server hosts twice (which takes time) and both times have resulted in the site being suspended.

As many of you know, I produce the signatures and run the site, in my spare time and with Christmas approaching I’m finding my spare time is currently limited.

Hopefully this won’t be the end of the signatures and I’m hoping that they may return in the New Year.

May I take this opportunity to thank everyone who has helped this project, either by
providing samples, bandwidth, download scripts or donating.

Thanks and sorry to let you all down.

Steve
Sanesecurity

Fake Auto Identification Card documents

2008-08-14T13:53:00.003+01:00

Just received the following email, with a zip file attached (containing an exe file):

Submitted the file to VirusTotal and the result isn't very good (3/36 scanners):

Submitting the file to ThreatExpert, gives the following result

"Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system."

Added detection as: Email.Malware.Sanesecurity.08081405

Fake Contract Documents

2008-08-14T10:48:00.011+01:00

Received the following email, which looks the same as a version received about a week ago:

Received: from [199.214.241.xxx] (h-199-214-241-xxx.norquest.ca [199.214.241.xxx]
by raq0402.xxxxxxxxxx.co.uk (8.13.1/8.13.1) with ESMTP id m7E5rk9W028214
for ; Thu, 14 Aug 2008 06:53:47 +0100

As you can see, it's got a zip attachment, which submitting to VirusTotal, gives us:

I'd already added a signature to catch the earlier version (11th August) and it also detected this latest version too: Email.Malware.Sanesecurity.08081101 (added 11th August 2008)

Submitting this to ThreatExpert, gives you this worrying result !

Ie: "Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible."

As you can see from the stats, it's still being spammed out:

None of this is a worry, to those admins who are blocking exe's inside zip files though :)

MSNBC StormNews Spam: Update

2008-08-14T07:53:00.002+01:00

Well they've changed the landing page URL yesterday evening... but this change was detected with the generic Email.Malware.Sanesecurity.08081301.StormNews.MSNBCGen signature I'd added yesterday morming

As well as the URL change... they managed to make the make an Msnbc logoed one, instead of the CNN one, we had yesterday :)

There was also a change to the domain, that serves the fake anti-virus software too.

On my servers.... the stats so far...

CNN vs Msnbc:

Email.Malware.Sanesecurity.08081003.StormNews.CnnGen: 9,519
Email.Malware.Sanesecurity.08080606.StormNews.Cnn: 5,138
Email.Malware.Sanesecurity.08080802.StormNews.CnnGen: 3,483
Email.Malware.Sanesecurity.08081002.StormNews.CnnGen: 3,182
Email.Malware.Sanesecurity.08080800.StormNews.Cnn: 1,608
Email.Malware.Sanesecurity.08080902.StormNews.Cnn: 1,032

Email.Malware.Sanesecurity.08081300.StormNews.MSNBC: 2,018
Email.Malware.Sanesecurity.08081302.StormNews.MSNBC: 1,985

MSNBC StormNews Spam

2008-08-13T10:38:00.004+01:00

Following on from the CNN virus spam we all know and love...looks like the spammers have got bored with CNN and moved onto MSNBC:

... but the MSNBC landing page... erm... still shows the CNN logo... ooops:

Exe file info: VirusTotal and ThreatExpert

However, we do now have popups for some free rogue anti-virus scanning software:

Needless to say, don't even try to download this!

Detection added as: Email.Malware.Sanesecurity.08081300.StormNews.MSNBC

New Fake CNN email

2008-08-08T08:48:00.004+01:00

Looks like a new round of CNN News emails are coming in:

Here's the fake landing page:

Virus Total Report

Detection added as: Email.Malware.Sanesecurity.08080800.StormNews.Cnn

Note: if you are using Firefox and the Noscript plugin, won't see the above page

0 hour UPS Invoice

2008-08-05T08:27:00.004+01:00

There was another spam run of the fake UPS invoice yesterday, this time with a different version of the malware, in the zip attachment:

What was interesting, was that the signatures I'd added to catch the last one, detected the new varient too:

As you can see from the above stats graph, Email_Malware_Sanesecurity_08072227
(in yellow) was being blocked from around 5.30pm to 7pm. ClamAV started detecting the attched file at 7pm (Trojan_Zbot_1737).

What does the exe file do? (contained in the zip)... well, here's what ThreatExpert said

Signature update notices via Twitter

2008-07-30T12:35:00.003+01:00

Signature update notices via Twitter

ClamAV Third-Party Signature names

2008-07-03T20:26:00.002+01:00

Just a heads up really, that the next version of ClamAV will automatically add an ".UNOFFICIAL" suffix to ALL 3rd party signatures.

Example 1:

Email.Phishing.Bank.Gen2559.Sanesecurity.08070201 would become Email.Phishing.Bank.Gen2559.Sanesecurity.08070201.UNOFFICIAL

Example 2:

MSRBL-SPAM.Feed.Blaster.2759 would become
MSRBL-SPAM.Feed.Blaster.2759.UNOFFICIAL

SQL Injection: example blocked

2008-05-20T15:41:00.002+01:00

There's still a huge amount of SQL injected sites still out there (list of serving sites)

For example:

Looking at the html for the site, you can see the .js file, added inside the TITLE html code:

If you are using clarkconnect (or other ClamAV based web-filtering) the latest update to the SaneSecurity signatures should help block the current sites:

Signature(s):

Email.Malware.Sanesecurity.08051902.SQLInj (generic)
Email.Malware.Sanesecurity.08052000.SQLInj (generic)
Email.Malware.Sanesecurity.08052001.SQLInj (generic)
Email.Malware.Sanesecurity.08052002.SQLInj (generic)
Email.Malware.Sanesecurity.08052003.SQLInj (generic)
Email.Malware.Sanesecurity.Url.SQLInj_xx

Rogue MP3 Trojan streaks across P2P networks

2008-05-07T14:53:00.002+01:00

Hopefully people have seen this.. but it's worth posting:

Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks.

Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the most significant malware outbreak in the last three years.

Source: TheRegister
Source: Mcafee

What's interesting about this, is that I came across this "new" idea from a post by ISS (dated 29th April), which you can see here

While the above post talked about .ASF files, all the bad-guys have done is rename the .asf files to .mp3... Windows Media Player just reads Metadata in the header and runs the script :(

SaneSecurity ClamAV Generic detection was added on 30th April 2008 for this new idea and so I was interested to find that these "new" mp3s McAfee are talking about, are found using the same generic signature :)

Eg: eview-T-3545425-turbanlporno.mp3: Email.Malware.Sanesecurity.08043001.WmaScript FOUND

Note: You must be using ClamAV v0.93 to be able to detect this

Fake YouTube email spammed

2007-11-12T10:58:00.000Z

Interesting YouTube email has just been spammed:

As you can see from the link, it's a fake YouTube site, which takes you here:

Current VirusTotal detection for the install_flash_player.exe file:

Email detected as: Email.Malware.Sanesecurity.07111200

0hour testing

2007-10-05T09:48:00.000+01:00

Well, a new email came in, which looked very odd, here's the headers:

Return-Path:
Received: from 88-139-180-230.adslgp.cegetel.xxx (88-139-180-230.adslgp.cegetel.
by raq0402.keele.netcentral.co.xx (8.9.3/8.9.3) with ESMTP id JAA02419
for ; Fri, 5 Oct 2007 09:28:25 +0100
Received: from [88.139.180.230] by mx2.servershost.xxx; Fri, 5 Oct 2007 02:37:20
From: "Shirley Xxxxxxx"
Date: Fri, 5 Oct 2007 02:37:20 +0100

Here's the actual email:

So, I submitted the zip file to VirusTotal to see what the latest detection was like and then repeated the same file, at various times after that, to see roughly when vendors added detection.

Note: it's not exactly scientific, so your mileage may vary etc.

Here's the results:

As you can see, Antivir did well!

ClamAV team did a very quick job on adding this one, still beating the big boys:

F-Secure and F-Prot, now have detection:

Nod32 users now covered:

Kaspersky users now covered:

For the AVG users out there, detection has now been added:

Here's the situation on Monday morning:

SaneSecurity News: Corrupt Signatures

2007-09-19T16:26:00.000+01:00

For a few hours today, one of the mirrors had a corrupt version of phish.ndb.gz.

After being alerted to the fact by a user, I informed the mirror admin about the issue and the problem was then fixed.

The scripts on the SaneSecurity site, check the integrity of the signatures before being moved into the ClamAV database directory for use... and have done for some time.

This is important not only for the SaneSecurity signatures but indeed for any Third-Party signatures, as if you move a corrupt signature file into the ClamAV directory, it's going to stop ClamAV from scanning your emails, until you sort the problem out.

If you're running your own script or have an old version of the SaneSecurity scripts, it might be worth updating them:

http://sanesecurity.co.uk/clamav/usage.htm

I do always check signature integrity before uploading... so they leave here fine... but the end-user must always double-check their download integrity before use.

Apologies for the corrupt file and any problems caused.

Cheers,

Steve

Storm Worm Again: free games

2007-09-16T12:27:00.000+01:00

You know the drill by now...

First you get an email, something like this one, with a IP address url:

You are taken to a fake page, asking to download an exe file:

But the exe file, isn't all that it seems. Here's what VirusTotal had to say:

Currently detected as: Email.Malware.Sanesecurity.0709160x (0-3)

SaneSecurity news

2007-09-11T08:12:00.000+01:00

Firstly, some quite amazing news, on Wednesday, 5th September 9pm, I was lucky enough to have a 30 minute phone chat with Dean Drako, CEO of Barracuda Networks.

Dean confirmed that Barracuda are using my signatures as part of their multi-layer of defence. Dean also confirmed that Barracuda are now a SaneSecurity signature mirror and Sanesecurity even get a mention here too.

Secondly, a new experimental project PhishBar, which you can read more about here, but please read the big red flashing led warning bits before using.

In a nutshell, It's a way of seeing if any of your users have phishing sites stored in their home directories/user space on your servers.

Storm Worm Again: NFL

2007-09-09T00:14:00.000+01:00

New storm worm version just hitting, all about NFL Football (12 am:uk)

Links goes to a very nice looking NFL site, asking to download a tracker exe file:

Submitting the exe file to VirusTotal, shows the following current patchy results:

Detection for the email, currently: Email.Malware.Sanesecurity.070908xx (02-06)

I'm sure there will be more!

storm worm: all change :)

2007-09-06T19:52:00.000+01:00

Heads up, new storm worm incoming... oooooh... the RIAA are after everybody and worryingly
some people might fall for this one:

when you click on the given link, you get taken to this page, asking you to download an exe file:

Current detection is a little patchy:

So far, the following Sanesecurity signatures match the variants seen so far:

Email.Malware.Sanesecurity.07090600
Email.Malware.Sanesecurity.07090601
Email.Malware.Sanesecurity.07090602

419 DOC spam

2007-09-04T14:27:00.000+01:00

Here's a slightly different 419 spam:

The attached Word document looks like this:

Detection for this is: Email.Scam4.Gen1002.Sanesecurity.07090406.doc

storm work: labor day

2007-09-04T14:19:00.001+01:00

Little bit late on this writeup... but no doubt you've seen these various ecards:

If you click on the link, you can a lovely page, like this:

Which asks you to download an exe file. Submitting the exe file to VirusTotal, give the following results:

Detection for these cards are:

Email.Malware.Sanesecurity.070903xx (02-11)

storm worm: next generation

2007-08-21T19:46:00.000+01:00

Sorry for the late right up on this.. but it was more important to get all the signatures out this morning to cover all these variants then to do a write up.

Here's one of the many variants of the storm worm "member"/"logon" emails:

If you do click on the link you either get an auto-downloaded exe file or you get to see the following page (note: firefox pops up a warning about the page [red stop sign])

The exe file you are asked to download is re-packed every 30 mins or so, to try and avoid detection by anti-virus software. The sample above was submitted to VirusTotal with the following results:

Detection for all these email variants was added about 09:30am BST as the following:

Email.Malware.Sanesecurity.07082100 to Email.Malware.Sanesecurity.07082107

Stock Spam changes format: FDF

2007-08-10T17:52:00.000+01:00

As reported by the F-Secure blog instead of using PDF spam, we now have FDF formatted spam....which stands for format data format, used by various PDF readers.

Update: it appears that all is not what it seems: the first few bytes of the .FDF file are actually %PDF-1.5, which means that all the spammers have done is renamed the extension from .PDF to .FDF. A real .FDF file has the magic-bytes %FDF-1.2. The pdf readers just open it as a PDF because of the magic-bytes. Sneaky

Here's an example email that came in:

And here's it's contents:

Note the random hex number (shown in red) which is used by the spammers to change the Adobe encrypted contents of the file, so it's hard to detect a pattern, ie: you can't use an md5 hash of the file (just like the problems caused by the image spams)

The good news is, that although this was a new technique that the spammers used... it was already 0-hour protected by signature: Email.Stk.Gen606.Sanesecurity.07080101.pdf

Which was nice :)

New E-Card Storm Worm

2007-08-10T07:33:00.001+01:00

Incoming....

Email.Malware.Sanesecurity.070810xx

Important: signature location

2007-07-31T19:48:00.000+01:00

Well after hitting 25 gig of bandwidth again this month, it's time to force people to move over to the latest round-robin urls. So, if your using an old script then you will no longer be receiving the Sanesecurity signatures, as the phish and scam databases at the old download locations have now been blanked.

use the updated scripts from the usage page;

round-robin urls:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz

stock spam evolve again... to zip... erm... rar

2007-07-31T08:29:00.000+01:00

Well, spammers have again this morning changed tactics again... were now seeing a standard text stock spam... inside what looks like a zip file.

However, looking at the zip file.. it's actually a rar file... another confusing trick.

Detection added as: Email.Stk.Gen603.Sanesecurity.07073100.zip

From PDF to XLS to Zipped XLS: Stock spam

2007-07-22T23:07:00.000+01:00

Received another variant of the XLS stock spam... this time... the spammers are zipping the XLS stock spreadsheet.

Sample Received date: 22 Jul 2007 15:48:20 +0200

Signature Email.Stk.Gen598.Sanesecurity.07072000.xls from yesterday already detected it :)

From PDF to XLS: Stock spam

2007-07-21T21:49:00.000+01:00

Well well, the spammers change tactics yet again, from the image spam and the pdf spam... to the downright sneeky Excel spreadsheet spam.

As most companies use XLS (and PDF for that matter) the spammers know that companies won't block these extension types, as it'll stop genuine email too.

21st July 2007 timeline

At 16:11 UK time, I received an interesting stock spam sample and started to analyse;
At 17:00 UK time, I was received five more samples.... all XLS spreadsheets.

At 18:05 UK time, the first signature was uploaded to the mirrors:

Email.Stk.Gen598.Sanesecurity.07072000.xls

Here's a screenshot:

Wonder what format is going to be next for the spammers?

Phishers go Green!

2007-07-16T15:19:00.000+01:00

It's nice to know that even the phishers care about saving the planet, I mean it looks legit:

... well, apart from hsbc.co.uk with a .hk domain ending:

Digg Post

2007-07-05T16:01:00.000+01:00

Here's a post on Digg from a user, for a bit of useful sounding software:

When you click on the link, you are taken to a download site:

Scanning the download file:

So, is this just a false positive or a different way of getting malware out to the world ??

PayPal phish using a word document

2007-07-05T15:55:00.001+01:00

Here's a phish that came in from PayPal which contained a word document.

As the email used an image for the main text body and a word document, the phisher no doubt thought it would bypass filters.

Here's the main email:

Here's the content of the word document:

stock spam evolve: new syle pdfs

2007-06-26T08:26:00.000+01:00

Spammers have now come up with a new style of stock emails.

First they used just plain text, next they used static image files. Next, they used random image files, all to avoid filtering.

Due to people starting to use FuzzyOcr, the stock spammers, moved into pdfs.

The pdfs contained plain text, which again using the right tools can be filtered.

This morning, the "next generation" appeared; pdf's with random images embedded in the pdf :(

Firstly, here's the email you receive:

Pdf example 1:

Pdf example 2:

Interestingly, both pdfs would not open in a couple of the free pdf readers but they seem to open fine in Adobe Pdf reader.

Initial detection of this varient has been added as: Email.Stk.Gen538.Sanesecurity.07062600.pdf

Update (12:45): more new varients using random pdf filenames now!

Pdf example 3:

Pdf example 4:

Pdf example 5:

Greeting Card: fun.exe

2007-06-18T10:51:00.000+01:00

ISC has an interesting article on an Attack involving .hk domains

So, perhaps this is a related attack.

It starts with a greeting card:

If you've not got Javascript enabled, you'll see this screen, where the file it wan't you do download is on a .hk server and the exe is called fun.exe:

Looking deeper at the code, it's doing something iffy:

If you do click on the link, you are served an exe file, which when submitted to VirusTotal gives you this result:

Again, coverage not too hot :(

Currently detected as: Email.Malware.Sanesecurity.07061701

Greeting card

2007-06-18T10:45:00.000+01:00

Received a whole load of these "greeting cards" this morning:

The fake site you visit has some "re-direct" code:

If you do actually go to the site, it'll look something like this, followed by an auto-download of
the "flash-player" needed:

Submitting the exe file to VirusTotal reveals, surprise surprise... it's not a flash-player:

The email is currently being detected as: Email.Malware.Sanesecurity.07061801

Free Video malware

2007-06-18T09:51:00.001+01:00

Received a few copies of this email this morning, which as you can see, is asking to click on a link to download an exe file:

As you can see from the source code, they've tried to hide the contents by encoding the email with base64:

Submitting the exe file to VirusTotal, gives us this worrying picture:

Hopefully, now it's been submitted to VirusTotal, more AV's will add detection.

rtf malware spam

2007-05-26T07:48:00.000+01:00

This seems to be a new formatted malware spam going around, along the same lines as the "Better Business Bureau targeted malware spam" that SANS reported today.

Here's a screenshot from the new style spam:

If you go to the top level directory of the domain that's hosting the file, you can see an open directory:

What's interesting is the date of the actual "bad" RTF file, 9th May 2007... so as it's been there a while now, let see how the Anti-Virus scanners coped:

Complete scanning result of "superpages.rtf", received in VirusTotal at 05.26.2007, 08:23:20 (CET).

AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.26.2007 Trojan.Spy.Agent.NDQ
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.26.2007 no virus found
Fortinet 2.85.0.0 05.26.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 W32/CrazyCrunch-based!Maximus
Ikarus T3.1.1.8 05.26.2007 no virus found
Kaspersky 4.0.2.24 05.26.2007 Trojan-Spy.Win32.Delf.jq
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.26.2007 TrojanSpy:Win32/Logsnif.gen
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.25.2007 Trj/Passtealer.DE
Prevx1 V2 05.26.2007 no virus found
Sophos 4.18.0 05.25.2007 Troj/Agent-FPG
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.26.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 suspected of Malware.Delf.43
VirusBuster 4.3.23:9 05.25.2007 no virus found
Webwasher-Gateway 6.0.1 05.26.2007 Trojan.Spy.Delf.JQ.112 (suspicious)

Aditional Information
File size: 157686 bytes
MD5: d948f4b41be0aee7b3bd292e33082313
SHA1: 5e4f9655effbcb7ff8f03f05a6a4f778bf9a54f6
packers: UPX
packers: UPX, BINARYRES, UPX
packers: UPX

Hopefully this will improve now that VirusTotal have the file. Until then... I've added a simple detection for this new type: Html.Malware.Sanesecurity.07052600

OpenDNS

2007-05-24T12:49:00.000+01:00

OpenDNS.... maybe you've heard of it... but it's so easy to setup... and free... try it :)

OpenDNS replaces your ISP's dns servers... but with one important improvement... OpenDNS will warn you if a site or link you have just clicked on... is a known phishing site!

Use it as a backup to the normal FireFox/IE phishing toolbar plugins.

More info here

Another mailto eBay phish

2007-05-24T11:48:00.000+01:00

Here's a genuine looking eBay phishing attempt that came in today. As you can see all the links point back to the genuine eBay site:

It's only when you view the source code that you notice that something doesn't seem right with this email. You can see that if you did try and login to eBay directly from this email, your eBay login details would be kindly sent to seflab...@yahoo.com via the mailto server mailhost.dglnet.com.br:

So, lets take a look at mailhost.dglnet.com.br. Well, looks like they are running squirrelmail but let's checkout the version number.... hmmm... v1.4.4:

Let's go to the main squirrelmail site and see what version is the current one. Well, the latest one is:

SquirrelMail 1.4.10a Released
May 09, 2007 by Thijs Kinkhorst

The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10a.

The 1.4.10 release contains multiple fixes for cross site scripting issues triggered by viewing HTML mail. Besides that it contains bug fixes and stability enhancements

The version before that looks something like this changelog wise:

Are the any problems with running older versions... yep... just a few!

So, looks like keeping webmail software up to date is a must.

News Update

2007-05-22T19:59:00.000+01:00

Just a quick news update:

Thanks to Internet Solutions we now have another mirror, live from South Africa
Thanks to FreeForm Technologies we now have another mirror
Thanks to Geekeffect there is now another download mirror

So, just a reminder, the new download urls are:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz

Quote of the day: Isn't smooth peanut butter for the timid and the weak? (happyslip.com)

Signatures added in May...

2007-05-21T20:00:00.000+01:00

I knew this month... things seem to have jumped in the number of new phishing/scam emails. So I thought I'd just have a very quick look at how many sigs I'd actually done in May (so far) and compare with how many I'd done in the while of April:

May (so far):

phish.ndb.gz: 296 new sigs
scam.ndb.gz: 539 new sigs

April:

phish.ndb.gz: 139 new sigs
scam.ndb.gz: 377 new sigs

No wonder my fingers ache :(

New type of Fake BlueMountain eCard

2007-05-18T10:07:00.000+01:00

Here's a new type of fake eCard. Normally you can spot them a mile away, as they have links to exe/scr/pif files. when you hover your mouse of the link.

This one however, this one doesn't have any of the above type... just a genuine looking attach dll filename, which would make sense as it's an attachment:

However, if you do click on the link, you are asked to download a file called FlashPlayer_eCard.exe, which again you might think it okay... as the above email does suggest that you might have to use Macromedia Flash Plug-in.

But submitting the file to VirusTotal, well... not good:

Bancos family malware are usually password-stealing Trojans which can also downloads code.

example phish hosted by home user?

2007-05-17T13:31:00.000+01:00

Here's the fake screen that you get when you click on one particular phishing email:

What's interesting is that static address, which indicates a possible broadband hosted, static ip address website. Visiting the top level, you get a nice "hello world" type website. As you can see it's using PHPTriad which is an installer of Apache, MySQL and PHP for Windows.

So, did this user knowingly host a phishing site using PHPTriad... or was this software installed using a trojan, without the users knowledge?

Posteitaliane Phish: under the hood

2007-05-16T15:44:00.000+01:00

Here's an example phish that arrived today:

The clickable link, wants to go to a formlogin.txt, as you can see below, yep... that's a dot txt extension !

Here's the interesting bit of the formlogin.txt file, yep... if you'd typed in your banking details, you'd be now sending them to the nice phisher, who seems to like his 007 yahoo address:

Here's the timestamps when all the fake files were created, as you can see, if you look back at the time/date of the original phishing email, the emails were sent out to people very quickly :(

And finally... here's the web gateway that was used to send the banking details to the yahoo email adress:

Ebay phish in different email clients

2007-05-16T09:01:00.000+01:00

I've been asked why an Ebay phish was detected, even though it doesn't seem to re-direct to a fake site. This reason for this could be a false positive... but having looked at the example, it's not a false positive... but a difference in email clients.

Here's the Ebay phishing attempt:

Outlook Express:

Thunderbird:

You can see already a slight difference between the clients. If you look at the link bar at the bottom, one seems to go to ebay.com and the other to signin.ebay.com

If you click on the link in Outlook Express, you are taken to the fake page (which FireFox knows is a fake). You can see in the browser url that the site is fake, i.e.: h-sohbi.com

If you click on the link in Thunderbird, you get taken to the genuine Ebay page:

Huh? Taking a closer look at the phishing code, you can see the phisher has kindly labeled the ID as SPOOF:

So, looks like this code renders differently between Outlook Express and Thunderbird, so that's why you get taken to two different sites depending on which email client you are using.

Strike one up for Thunderbird :)

New download urls.... Go

2007-05-15T21:12:00.000+01:00

It's been a busy couple of weeks, not only does there seem to have been a huge increase in the number of new phishing emails but also an increase in the number of problem scams.

It's been hard to keep up at times!

The main news is the new download urls, which are:

http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz

The above two links will now re-direct, round-robin style, to the new mirrors that people have "donated" in order to help the project.

A huge thanks to the mirror providers, Christopher X. Candreva for the .htaccess code/idea and tbb (Nico) for pointing me torward the round-robin script...in order to make this all work.

Thanks guys!

More image spam... sort of...

2007-05-15T21:07:00.000+01:00

We also got hit this morning with another slight varient of the German stock spam. This time, there isn't any image in the email. I'm guessing this is to avoid programs like FuzzyOCR, which are helping to detect the images in the email.

This simple "trick" is to use the free picture gallery sites to host their images.

The email you receive is a bit like this:

If you do actually click on the link, you get this standard "scrambled" image:

The question is... how do the spammers setup soo many random accounts on these free hosting servers before their spam runs and what can the picture hosting companies do about it?

Image Stock Spam...arrrggghh

2007-05-15T21:04:00.000+01:00

Wow... we got hit hard this morning with a new type of German Image stock spam.

Here's a picture for those people who were luckly enough to miss this:

Fake Halifax Bank

2007-05-13T20:08:00.000+01:00

Here's a pretty convincing Halifax Bank phish... in fact, it's just a copy/paste job from a geninue Halifax email, with just the target url changed to point to the phishers site:

Look at the bottom link... see the .co.kr (Korea)

Fake Google webmaster tool

2007-05-13T20:03:00.000+01:00

Bit late with this post... but seems Google's name is being as a ploy to download sometype of malware:

Yep, it's a fake!

new rockfish type?

2007-05-13T19:57:00.000+01:00

Hi All,

Not quite sure if this is a new type of phish using a new template... or the rockfish toolkit has been updated, here's an example:

These will be detected as a new type: Phishing.Bank.Rockv2Gen

Marks and Spencer laptop theft

2007-05-05T23:32:00.000+01:00

It doesn't seem like they've heard of TrueCrypt or perhaps they should start using Seagate drives like this:

"More than 20,000 staff at Marks & Spencer have been told they may be at risk of identity crime after a laptop computer was stolen, it has been reported.

The retailer has written to 26,000 present employees in its final salary pension scheme warning they are at risk if the data is accessed by criminals.

BBC Radio 4 said salary details, addresses, dates of birth, national insurance and phone numbers were on the machine, which was stolen from a printing firm."

Source: http://www.channel4.com/news/articles/uk/laptop+theft+risk+to+ms+staff+ids/499687#fold

Sanesecurity Sigs: Important News

2007-05-05T21:04:00.000+01:00

Due to me nearly running out of bandwidth last month (17gb out of a 20gb host package), some urgent changes were needed to the signature hosting,otherwise I'd start getting charged for the extra bandwidth  :( 

So, to keep this short, here's a to-do list  ;) 

One: Mirrors

Three new mirrors are now available, in preferred order:

Mirror 1: A huge thanks to http://dotsrc.org/ (formerly known as SunSITE.dk) as they are now a mirror for my signatures, hourly updating from the main site.

Mirror 2: Thanks to http://tiscali.nl, as they seem to be a mirror for my signatures,  hourly updating from the main site

Mirror 3: Thanks to a special offer deal from Surpass Hosting, I setup a sanesecurity.co.uk domain, to try and ease the load from the main sanesecurity.com site.

So, please could you all change your download scripts to download from the above mirrors, not only will this help avoid me getting hit with hosting charges but you benefit as you should be able to increase the frequency you check for download changes.

The new download Links have been updated on the download page and so have the scripts:

http://sanesecurity.co.uk/clamav/downloads.htm
http://sanesecurity.co.uk/clamav/usage.htm

Two: check your download scripts

Please could everyone check that their scripts are only grabbing the signatures when they have changed.   Some users have been downloading the sigs regardless of any changes and it's not really helping.  While other users have made mistakes with their scripts/cron jobs and are trying to download every minute  :(

That's it and thanks for everyone's understanding!

Cheers,

Steve

Fake IE7 update

2007-05-05T12:45:00.000+01:00

Well, it looks like a new spam run of the fake IE7 beta is now going around again, this is currently being detected as: Email.Malware.Sanesecurity.07050500

As you can see there's a link to an exe file, when you hovver your mouse over the picture:

The exe in question is another Trojan: TR/Proxy/Agent.CL

Trust No One: MS Needs Your Credit Card Details

2007-05-04T19:48:00.000+01:00

Trojan.Kardphisher creates a genuine looking Microsoft Activation screen, the next time your pc re-boots... it asks you for your credit card details as part of the fake Activation!

Very crafty...

"This Trojan teaches us all a good lesson - Trust No One. This is the slogan from the TV show The X-Files, and very much applies when it comes to protecting your personal information. Sometimes the creators of Trojans attempt to impersonate Microsoft, a bank, or even a government organization. Whatever the warning or message says, we must make very sure it is genuine before giving up any personal details, financial or otherwise. It's far better to doubt a genuine request until proper verification is provided, than it is to blindly place your trust in a communique simply because it appears to have come from a trusted source.

Sad though it may be, the days of leaving your front door unlocked are over. In these times we not only need a lock on the door, we need a security guard watching the front door, the back door, and everywhere in between."

Source:
http://www.symantec.com/enterprise/security_response/weblog/2007/05/ms_needs_your_credit_card_deta.html

Hackers target wi-fi hotspots in new phishing attack

2007-05-04T19:04:00.000+01:00

Anyone who uses "free"/"open"/un-encrypted wi-fi access, should read this:

"Computer users have been warned of the dangers of using wi-fi hotspots after it emerged that cyber-criminals are targeting the networks in café chains including Starbucks.

Times Online has uncovered evidence that criminals are using a technique known as an 'evil twin attack', where victims think that they are logging on to the genuine network in a café but are in fact being diverted to a 'rogue' connection.

Once logged on to the twin network, the victim's every keystroke is captured by the fraudster, who controls the connection from a nearby laptop and uses it to extract information for the purpose of committing identity fraud."

Surce: http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article1728634.ece

new phishing idea...

2007-05-04T16:37:00.000+01:00

Here's a slightly new idea... instead of asking you to type in any of your bank details, the phishers are asking you to scan in your important details and then email the details instead.

I'm guessing they don't really care what format you send the infomation in, eg: pdf/tiff etc. as long as it contains all your details... needless to say... dont!

Another post card

2007-05-04T16:31:00.000+01:00

Seems postcards are still being sent out to people... here's another example:

And here's what you get... if you did decide to click on the link:

Watch those url spellings...

2007-05-03T20:57:00.000+01:00

Hi,

I've seen various PayPal phishing emails today, all the same... except that the phisher decided to change the url after each "phishing run".

So, here's the first part of the url for each of the three "types":

http://paymant-response
http://peyment-resposse
http://payment-resspons

Obviously they are trying to fool your brain into thinking http://payment-responce but in reality the spelling is wrong.

boclean saves the day

2007-05-01T17:41:00.000+01:00

While seaching for a free ftp client, as for some reason I'd forgotten about FileZilla, I came across this nice looking site (don't try and download the filename in this picture):

I scanned the exe file with AVG and, as I was in a rush,
ran the exe file to install the free ftp client.

This is what happened next:

That's right... AVG missed it... but BoClean popped up saying that it had detected a nasty in the file... just before it started to do really horrible stuff to my system!

Hurrah for this once commercial but now free malware program!

Out of interest, I scanned the free ftp with once of the multi-av scanning sites, with the following results:

Yep... as you can see, not many of the AV's detected it... so mega full marks to BoClean

Update: ISC also did a write up of the information I sent to them!

new users suspened temporarily

2007-04-30T18:34:00.000+01:00

Well, for the moment I've had to suspend any new users from downloading sigs/scripts.
I've only got 20 gig hosting currently and this month, I've hit over 15 gig... so playing it safe, new users are suspened until I sort something out.

Please could everyone check that their scripts are downloading using the HEAD command i.e. only grabbing the downloads when they have changed.

Some users have been downloading the sigs regardless of changes and it's not really helping, while only users have made mistakes and are trying to download every minute :(

Greeting Card

2007-04-29T19:47:00.001+01:00

Here's a slightly odd greeting card currently detected as: Email.Malware.Sanesecurity.07030201

It doesn't look anything special to look at... but wait... what's this.... oh look, it's a username/password ftp link to download a normally nasty .pif file:

So, it loads the Zapchast trojan, as can be seen from some VirusTotal results:

Now, let's look at the live FTP site, you can see from the screen grab, the .pif file containing the trojan. Hmmm.... there seems to be other folders there too:

Hang on... that's an Italian Bank name!

Let's see what it looks like in FireFox (with NoScript plugin enabled).

Yup, I'ts a Posteitaliane bank fraud page, just waiting to capture your details:

Would you like any spam with your spam?

2007-04-28T14:58:00.000+01:00

Is anyone going to bother?

2007-04-28T14:37:00.000+01:00

I know the spammers have to hide from SURBL's etc so, they'vedecided to do this:

Look www.2211122. And add COM after dot at the end

Is anyone that receives a spam like this really going to bother, adding a .com to the
end of www.2211122. ????

It's detected as:
Email.Spam.Gen398.Sanesecurity.07042502

Sanesecurity Blog

2007-04-28T14:29:00.000+01:00

Yup, I thought it was about time I started a blog, which might make things a little bit easier for news items... well, that's the plan anyway.