Monday, 12 November 2007

Fake YouTube email spammed

An interesting fake YouTube email has just been spammed out:

[image: the spammed email; screenshot not preserved]

As you can see from the link, it's a fake YouTube site, which takes you here:

[image: the fake YouTube page; screenshot not preserved]

Current VirusTotal detection for the install_flash_player.exe file:

[image: VirusTotal results for install_flash_player.exe; screenshot not preserved]

Email detected as: Email.Malware.Sanesecurity.07111200

Friday, 5 October 2007

0hour testing

Well, a new email came in which looked very odd. Here are the headers:

Return-Path:
Received: from 88-139-180-230.adslgp.cegetel.xxx (88-139-180-230.adslgp.cegetel.
by raq0402.keele.netcentral.co.xx (8.9.3/8.9.3) with ESMTP id JAA02419
for ; Fri, 5 Oct 2007 09:28:25 +0100
Received: from [88.139.180.230] by mx2.servershost.xxx; Fri, 5 Oct 2007 02:37:20
From: "Shirley Xxxxxxx"
Date: Fri, 5 Oct 2007 02:37:20 +0100

Here's the actual email:

[image: the email; screenshot not preserved]

So, I submitted the zip file to VirusTotal to see what the latest detection was like, and then resubmitted the same file at various times after that, to see roughly when vendors added detection.

Note: it's not exactly scientific, so your mileage may vary etc.

Here are the results:

As you can see, Antivir did well!

[image: VirusTotal results; screenshot not preserved]

The ClamAV team did a very quick job of adding this one, still beating the big boys:

[image: VirusTotal results; screenshot not preserved]

F-Secure and F-Prot now have detection:

[image: VirusTotal results; screenshot not preserved]

Nod32 users now covered:

[image: VirusTotal results; screenshot not preserved]

Kaspersky users now covered:

[image: VirusTotal results; screenshot not preserved]

For the AVG users out there, detection has now been added:

[image: VirusTotal results; screenshot not preserved]

Here's the situation on Monday morning:

Wednesday, 19 September 2007

SaneSecurity News: Corrupt Signatures

For a few hours today, one of the mirrors had a corrupt version of phish.ndb.gz.

After being alerted to the fact by a user, I informed the mirror admin about the issue and the problem was then fixed.

The scripts on the SaneSecurity site check the integrity of the signatures before they are moved into the ClamAV database directory for use, and have done for some time.

This is important not only for the SaneSecurity signatures but for any third-party signatures: if you move a corrupt signature file into the ClamAV directory, it will stop ClamAV from scanning your emails until you sort the problem out.

If you're running your own script or have an old version of the SaneSecurity scripts, it might be worth updating them:

http://sanesecurity.co.uk/clamav/usage.htm

I do always check signature integrity before uploading... so they leave here fine... but the end user must always double-check their download's integrity before use.
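The check described above, as an added example (not the SaneSecurity scripts themselves): a downloaded phish.ndb.gz is only decompressed into the ClamAV database directory if the whole gzip stream decodes and every line parses as a .ndb signature, and it is written to a temp file and renamed so ClamAV never loads a half-written database. The sample signatures, the simplified .ndb syntax check and the corrupt-mirror test files are constructed assumptions.

```python
import gzip, os, re, shutil, tempfile, zlib

# Constructed sample signatures in ClamAV .ndb form (Name:TargetType:Offset:Hex).
SAMPLE_NDB = ("Sanesecurity.Phishing.Example-1:3:*:7777772e6578616d706c652e636f6d\n"
              "Sanesecurity.Phishing.Example-2:4:*:436c69636b2048657265{-20}6c6f67696e\n")
# Simplified .ndb syntax check (assumption: enough to catch truncation and garbage,
# not every legal ClamAV construct): Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]
NDB_LINE = re.compile(r"^[^:\s]+:\d+:(\*|EOF-\d+|EP[+-]\d+|S(L|E|\d+)[+-]\d+|\d+)(,\d+)?:"
                      r"[0-9A-Fa-f?*{}()|!\[\]-]+(:\d+(:\d+)?)?$")

def validate_ndb_gz(path):
    """Return (ok, reason): ok only if the gzip stream fully decodes and every line parses."""
    try:
        with gzip.open(path, "rt", encoding="ascii") as fh:
            lines = fh.read().splitlines()
    except (OSError, EOFError, zlib.error, UnicodeDecodeError) as exc:
        return False, "gzip/decode error: %s" % exc  # BadGzipFile is an OSError subclass
    sigs = [ln for ln in lines if ln.strip() and not ln.startswith("#")]
    if not sigs:
        return False, "no signatures found"
    for n, ln in enumerate(sigs, 1):
        if not NDB_LINE.match(ln):
            return False, "bad signature line %d" % n
    return True, "%d signatures ok" % len(sigs)

def install_signature(gz_path, db_dir):
    """Validate first; then decompress to a temp file inside db_dir and rename it into place."""
    ok, reason = validate_ndb_gz(gz_path)
    if not ok:
        return False, reason
    target = os.path.join(db_dir, os.path.basename(gz_path)[:-3])  # drop ".gz"
    fd, tmp = tempfile.mkstemp(dir=db_dir, prefix=".tmp.")
    with os.fdopen(fd, "wb") as out, gzip.open(gz_path, "rb") as src:
        shutil.copyfileobj(src, out)
    os.replace(tmp, target)  # atomic rename: ClamAV sees the old or the new file, never half
    return True, target

def demo():
    """Good file, a copy truncated mid-stream (a broken mirror) and a non-gzip error page."""
    work = tempfile.mkdtemp()
    db = tempfile.mkdtemp(dir=work)  # stands in for the ClamAV database directory
    raw = gzip.compress(SAMPLE_NDB.encode())
    samples = {"good": raw, "cut": raw[: len(raw) // 2], "junk": b"<html>mirror error"}
    results = {}
    for name, data in samples.items():
        path = os.path.join(work, name + ".ndb.gz")
        with open(path, "wb") as fh:
            fh.write(data)
        results[name] = install_signature(path, db)[0]  # only "good" should be installed
    return results
```

A further check before installing is to point clamscan at the new file alone via its -d option, which fails if ClamAV cannot load the database.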

Apologies for the corrupt file and any problems caused.

Cheers,

Steve

Sunday, 16 September 2007

Storm Worm Again: free games

You know the drill by now...

First you get an email, something like this one, with an IP address URL:

[image: the email; screenshot not preserved]

You are taken to a fake page asking you to download an exe file:

[image: the fake download page; screenshot not preserved]

But the exe file isn't all that it seems. Here's what VirusTotal had to say:

[image: VirusTotal results; screenshot not preserved]

Currently detected as: Email.Malware.Sanesecurity.0709160x (0-3)

Tuesday, 11 September 2007

SaneSecurity news

Firstly, some quite amazing news: on Wednesday 5th September at 9pm, I was lucky enough to have a 30 minute phone chat with Dean Drako, CEO of Barracuda Networks.

Dean confirmed that Barracuda are using my signatures as part of their multi-layered defence. Dean also confirmed that Barracuda are now a SaneSecurity signature mirror, and Sanesecurity even get a mention here too.

Secondly, a new experimental project, PhishBar, which you can read more about here; but please read the big red flashing LED warning bits before using it.

In a nutshell, it's a way of seeing if any of your users have phishing sites stored in their home directories/user space on your servers.