
Saturday, 31 January 2009

20.01.09: News

31.01.09: Update... aka Oops... forgot to update the main blog

20.01.09: News

It's been a while... but the Sanesecurity signatures have returned!

We disappeared for a while due to a DDoS, a small number of users who overloaded the shared hosting servers by downloading the signatures every second and, in reality, an unscalable download system.

The old download system doesn't work any more and won't be coming back, so if you haven't done so already, please disable your cron jobs and wget/curl downloads, as a new round-robin rsync-based download URL is available.

All the changes are detailed here.

There's also a Sanesecurity list, which signature users are recommended to subscribe to, so that any future problems can be reported directly to you:

Subscribe to Sanesecurity list, by sending an email to the address
in the below graphic, with a subject of: subscribe

There is an archive, so you can read previous messages here

Finally, thank you for all the support and feedback.

Steve
Sanesecurity

Sunday, 18 January 2009

Update 18/01/09

Subscribe to Sanesecurity list, by sending an email to the address in the below graphic,
with a subject of: subscribe

Currently there is a great deal of work going on behind the scenes in getting the signatures back. This is the status so far:

* wget/curl etc. will no longer be used to download the signatures; we're moving to rsync. So please disable all downloads for the signatures, as they won't be coming back using the old URLs.

* Signatures will now be signed using GnuPG, ensuring the integrity of the signatures. The public key for these signatures will be available from here.

For example, here's a good verify:

gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: Good signature from "Sanesecurity (Sanesecurity Signatures)"

Here's a bad verify:

gpg --verify junk.ndb.sig
gpg: Signature made 01/09/09 09:55:48 using DSA key ID 31EA4D9E
gpg: BAD signature from "Sanesecurity (Sanesecurity Signatures)"

* We will be using a round-robin DNS system to help spread the load over the rsync servers.

* Three new databases added: spear.ndb, spamimg.hdb and spam.ldb

* The donation page, using PayPal, will now also accept credit cards and hopefully will be able to provide an invoice for people who want one.
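Putting the rsync and GnuPG points above together, here is what a signature-user's cron script can look like once the move is complete. This is an added example, not Sanesecurity's own download script: the rsync URL, the ClamAV directory, the scratch directory and the key fingerprint are placeholders (the post only shows the short key ID 31EA4D9E, and a full fingerprint should be pinned instead). The check accepts a database only on a VALIDSIG from the pinned key, rejects BADSIG/NO_PUBKEY/expired or revoked keys, installs atomically so clamd never reads a half-written file, and includes a rate guard so the job cannot hit the mirrors every second.

```python
"""Fetch-then-verify helper for GnuPG-signed signature databases.

Added example, not Sanesecurity's own script.  It models the workflow the
post describes: mirror the .ndb/.hdb/.ldb files and their detached .sig
files with rsync, check each signature with gpg, and copy a database into
ClamAV's directory only when the signature is good.  The rsync URL, the key
fingerprint and the directory paths are placeholders/assumptions.
"""
import os
import shutil
import subprocess

# PLACEHOLDER: take the full fingerprint from the published public key.  The
# post shows only the short key ID 31EA4D9E; short IDs are too easy to
# collide to be worth pinning, so the check below compares the full value.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000031EA4D9E"

# gpg --status-fd tags that mean "do not install this file".
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_gpg_status(status_text, expected_fpr=EXPECTED_FINGERPRINT):
    """Decide from gpg --status-fd lines whether a signature is acceptable.

    Returns (ok, reason).  Only a VALIDSIG line whose fingerprint matches the
    pinned key is accepted; a good signature from some other key, a BADSIG,
    or a missing/expired/revoked key is rejected.
    """
    tags, fingerprint = set(), None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tags.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
    bad = tags & REJECT_TAGS
    if bad:
        return False, ",".join(sorted(bad))
    if fingerprint is None:
        return False, "no VALIDSIG line"
    if fingerprint != expected_fpr.upper():
        return False, "signature from unexpected key %s" % fingerprint
    return True, "VALIDSIG"


def verify_detached(db_path, sig_path, gpg="gpg"):
    """Run gpg on a detached .sig and return (ok, reason) via parse_gpg_status."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, db_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_gpg_status(proc.stdout)


def interval_elapsed(last_fetch, now, min_interval):
    """Rate guard so a cron job cannot hammer the mirrors: True when it is
    time to fetch again.  last_fetch of None means never fetched."""
    return last_fetch is None or now - last_fetch >= min_interval


def install_if_verified(db_path, sig_path, dest_dir, verify=verify_detached):
    """Copy db_path into dest_dir only if its detached signature verifies.
    The copy goes through a temp name and os.replace so clamd never sees a
    half-written database."""
    ok, reason = verify(db_path, sig_path)
    if not ok:
        return False, reason
    name = os.path.basename(db_path)
    tmp = os.path.join(dest_dir, name + ".tmp")
    shutil.copyfile(db_path, tmp)
    os.replace(tmp, os.path.join(dest_dir, name))
    return True, "installed " + name


def fetch_and_install(rsync_source, workdir, dest_dir, databases):
    """One cron run: rsync the files, then verify and install each database."""
    subprocess.run(["rsync", "-a", "--timeout=60", rsync_source, workdir + "/"],
                   check=True)
    results = {}
    for name in databases:
        db = os.path.join(workdir, name)
        results[name] = install_if_verified(db, db + ".sig", dest_dir)
    return results


# Constructed gpg status output, shaped like the two verifies shown in the post
# (DSA is OpenPGP public-key algorithm 17).  Timestamps are made up.
GOOD_STATUS = ("[GNUPG:] GOODSIG 31EA4D9E Sanesecurity (Sanesecurity Signatures)\n"
               "[GNUPG:] VALIDSIG " + EXPECTED_FINGERPRINT
               + " 2009-01-09 1231494948 0 4 0 17 2 00\n")
BAD_STATUS = "[GNUPG:] BADSIG 31EA4D9E Sanesecurity (Sanesecurity Signatures)\n"

if __name__ == "__main__":
    print(parse_gpg_status(GOOD_STATUS), parse_gpg_status(BAD_STATUS))
    # Placeholders for a real run: rsync module, scratch dir, ClamAV db dir.
    # fetch_and_install("rsync://rsync.example.invalid/sanesecurity/",
    #                   "/var/tmp/sane", "/var/lib/clamav",
    #                   ["junk.ndb", "spear.ndb", "spamimg.hdb", "spam.ldb"])
```

The reason for parsing `--status-fd` rather than the human-readable "Good signature" line is that gpg's text output is localised and changes between versions, while the status tags are stable. Pinning the fingerprint from VALIDSIG also closes the gap where a signature is cryptographically good but made by a key that merely happens to be in the keyring.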

Hopefully, there will be more updates soon... so sign up to the Sanesecurity list for more news.

Finally a Huuuuuuge thank you to everyone who has helped and offered help.

Monday, 15 December 2008

14/12/08: Sanesecurity signatures DDoS


Sanesecurity signatures are no longer being updated or distributed due to extremely high server resource usage, which appears to be from a distributed denial of service attack (DDoS). I've moved server hosts twice (which takes time) and both times have resulted in the site being suspended.

As many of you know, I produce the signatures and run the site in my spare time, and with Christmas approaching I'm finding my spare time is currently limited.

Hopefully this won't be the end of the signatures and I'm hoping that they may return in the New Year.

May I take this opportunity to thank everyone who has helped this project, either by
providing samples, bandwidth, download scripts or donating.

Thanks and sorry to let you all down.

Steve
Sanesecurity

Thursday, 14 August 2008

Fake Auto Identification Card documents

Just received the following email, with a zip file attached (containing an exe file):

Submitted the file to VirusTotal and the result isn't very good (3/36 scanners):

Submitting the file to ThreatExpert gives the following result:

"Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system."

Added detection as: Email.Malware.Sanesecurity.08081405

Fake Contract Documents

Received the following email, which looks the same as a version received about a week ago:

Received: from [199.214.241.xxx] (h-199-214-241-xxx.norquest.ca [199.214.241.xxx]
by raq0402.xxxxxxxxxx.co.uk (8.13.1/8.13.1) with ESMTP id m7E5rk9W028214
for
; Thu, 14 Aug 2008 06:53:47 +0100

As you can see, it's got a zip attachment, which, when submitted to VirusTotal, gives us:

I'd already added a signature to catch the earlier version (11th August) and it detected this latest version too: Email.Malware.Sanesecurity.08081101 (added 11th August 2008)

Submitting this to ThreatExpert gives this worrying result!

i.e.: "Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible."

As you can see from the stats, it's still being spammed out:


None of this is a worry to those admins who are blocking exe's inside zip files though :)
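The closing remark is the useful control in both August posts: the attachments are executables inside zip files, and a gateway that refuses those never needs a per-campaign signature. Here is an added example of such a check (not Sanesecurity code, and not how any particular mail gateway implements it). It looks at both the member name and the first bytes of each member, so an .exe renamed to .pdf is still caught, descends one level into nested zips, and treats a password-protected member it cannot read as a reason to reject. The sample archives are constructed in memory; the "executables" inside them are just an MZ header, not real programs.

```python
"""Added example (not from the post): flag executables hidden inside zip
attachments, the control the post's last line credits with making this
campaign a non-issue.  Sample archives are constructed in memory."""
import io
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll")
MZ_MAGIC = b"MZ"            # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"   # zip local file header
MAX_NESTED_BYTES = 8 * 1024 * 1024  # assumption: don't unpack huge inner zips


def is_executable_member(name, head):
    """True if the member name or its leading bytes look like a Windows executable."""
    return name.lower().endswith(EXECUTABLE_SUFFIXES) or head.startswith(MZ_MAGIC)


def find_executables(zip_bytes, depth=1, prefix=""):
    """Return paths of members that should block the attachment.

    Nested zips are searched down to `depth` levels and reported as
    outer.zip!inner.exe.  Encrypted members cannot be inspected, so they are
    reported too rather than silently passed.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a zip at all; other checks apply
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            try:
                with zf.open(info) as member:
                    head = member.read(4)
            except RuntimeError:  # password-protected member
                hits.append(path + " (encrypted, uninspectable)")
                continue
            if is_executable_member(info.filename, head):
                hits.append(path)
            elif (head.startswith(ZIP_MAGIC) and depth > 0
                  and info.file_size <= MAX_NESTED_BYTES):
                hits.extend(find_executables(zf.read(info), depth - 1, path + "!"))
    return hits


def build_sample_zip():
    """Constructed sample resembling the post's attachment: an .exe plus decoys."""
    fake_exe = MZ_MAGIC + b"\x90" * 62  # header only, not a real program
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", fake_exe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Contract.doc.exe", fake_exe)
        z.writestr("readme.txt", b"plain text\n")
        z.writestr("invoice.pdf", fake_exe)          # renamed executable
        z.writestr("more.zip", inner.getvalue())     # nested archive
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_executables(build_sample_zip()):
        print("block:", hit)
```

On the constructed sample this reports the obvious `Contract.doc.exe`, the renamed `invoice.pdf`, and `more.zip!setup.exe`; a gateway policy would reject the message on any hit.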