A hopefully interesting blog from the world of zero hour malware, phishing, scams and spams
Monday, 12 November 2007
Interesting YouTube email has just been spammed:
As you can see from the link, it's a fake YouTube site, which takes you here:
Current VirusTotal detection for the install_flash_player.exe file:
Email detected as: Email.Malware.Sanesecurity.07111200
Friday, 5 October 2007
0hour testing
Well, a new email came in which looked very odd; here are the headers:
Return-Path:
Received: from 88-139-180-230.adslgp.cegetel.xxx (88-139-180-230.adslgp.cegetel.
by raq0402.keele.netcentral.co.xx (8.9.3/8.9.3) with ESMTP id JAA02419
for; Fri, 5 Oct 2007 09:28:25 +0100
Received: from [88.139.180.230] by mx2.servershost.xxx; Fri, 5 Oct 2007 02:37:20
From: "Shirley Xxxxxxx"
Date: Fri, 5 Oct 2007 02:37:20 +0100
Here's the actual email:
So, I submitted the zip file to VirusTotal to see what the latest detection was like, and then resubmitted the same file at various times after that to see roughly when vendors added detection.
Note: it's not exactly scientific, so your mileage may vary etc.
Here are the results:
As you can see, Antivir did well!
The ClamAV team did a very quick job adding this one, still beating the big boys:
F-Secure and F-Prot now have detection:
Nod32 users now covered:
Kaspersky users now covered:
For the AVG users out there, detection has now been added:
Here's the situation on Monday morning:
Wednesday, 19 September 2007
SaneSecurity News: Corrupt Signatures
For a few hours today, one of the mirrors had a corrupt version of phish.ndb.gz.
After being alerted to the fact by a user, I informed the mirror admin about the issue and the problem was then fixed.
The scripts on the SaneSecurity site check the integrity of the signatures before they are moved into the ClamAV database directory for use... and have done so for some time.
This is important not only for the SaneSecurity signatures but for any third-party signatures: if you move a corrupt signature file into the ClamAV directory, it's going to stop ClamAV from scanning your emails until you sort the problem out.
If you're running your own script or have an old version of the SaneSecurity scripts, it might be worth updating them:
http://sanesecurity.co.uk/clamav/usage.htm
I do always check signature integrity before uploading... so they leave here fine... but the end-user must always double-check their download integrity before use.
Apologies for the corrupt file and any problems caused.
Cheers,
Steve
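The check described in this post, written out as an added Python example rather than the SaneSecurity scripts themselves: it verifies a downloaded, gzipped .ndb signature file (gzip integrity first, then the MalwareName:TargetType:Offset:HexSignature line format of ClamAV's .ndb databases) and only then decompresses it into the live database directory with an atomic rename, so a truncated download or a mirror's HTML error page never reaches ClamAV. The directory names, the sample signature line, the truncated download and the error page are all constructed for the demo.

```python
"""Added example (not SaneSecurity's own update script): verify a downloaded,
gzipped ClamAV .ndb signature file before it goes anywhere near the live
database directory, so a corrupt or truncated download cannot stop the
scanner. Paths and sample files below are constructed for the demo."""
from __future__ import annotations

import gzip
import os
import re
import tempfile
import zlib

# A ClamAV .ndb line is MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]].
# The hex part may use ClamAV wildcards (??, *, {n-m}, (aa|bb), [n-m], !).
NDB_LINE = re.compile(
    r"^[A-Za-z0-9._-]+:\d+:[^:]+:[0-9a-fA-F?*{}()|\[\]!-]+(?::\d+(?::\d+)?)?$"
)


def verify_ndb_gz(path: str) -> tuple[bool, str]:
    """Return (ok, reason). gzip integrity first (reading to EOF catches a
    truncated stream), then every non-empty line must be a valid signature."""
    try:
        with gzip.open(path, "rb") as fh:
            data = fh.read()
    except (OSError, EOFError, zlib.error) as exc:
        return False, f"gzip integrity check failed: {exc}"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False, "not a plain-text signature file"
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, "no signatures in file"
    for n, ln in enumerate(lines, 1):
        if not NDB_LINE.match(ln):
            return False, f"malformed signature on line {n}: {ln[:40]!r}"
    return True, f"{len(lines)} signature(s) OK"


def install_signature(download: str, dbdir: str) -> bool:
    """Decompress a verified file next to the live copy, then rename it into
    place atomically; a bad download never lands in dbdir at all."""
    ok, _reason = verify_ndb_gz(download)
    if not ok:
        return False
    target = os.path.join(dbdir, os.path.basename(download)[: -len(".gz")])
    tmp = target + ".tmp"
    with gzip.open(download, "rb") as src, open(tmp, "wb") as dst:
        dst.write(src.read())
    os.replace(tmp, target)  # atomic on POSIX: ClamAV never sees a half-written db
    return True


def make_demo_files(workdir: str) -> dict[str, str]:
    """Constructed samples: a good file, a download truncated mid-stream, and a
    mirror error page that is valid gzip but not a signature database."""
    paths = {}
    good = os.path.join(workdir, "phish.ndb.gz")
    with gzip.open(good, "wb") as fh:
        fh.write(b"Sanesecurity.Phish.Example-1:0:*:48656c6c6f0a\n")  # constructed sig
    paths["good"] = good
    with open(good, "rb") as fh:
        raw = fh.read()
    trunc = os.path.join(workdir, "truncated.ndb.gz")
    with open(trunc, "wb") as fh:
        fh.write(raw[: len(raw) // 2])
    paths["truncated"] = trunc
    html = os.path.join(workdir, "htmlpage.ndb.gz")
    with gzip.open(html, "wb") as fh:
        fh.write(b"<html><body>404 Not Found</body></html>\n")
    paths["html"] = html
    return paths


def run_demo() -> dict[str, bool]:
    """Verify and (try to) install each sample; returns name -> installed,
    plus whether the good file ended up in the live directory."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        dbdir = os.path.join(work, "clamav-db")
        os.mkdir(dbdir)
        for name, path in make_demo_files(work).items():
            ok, reason = verify_ndb_gz(path)
            results[name] = install_signature(path, dbdir)
            print(f"{name:10s} verify={ok!s:5s} installed={results[name]!s:5s} {reason}")
        results["live_db_present"] = os.path.exists(os.path.join(dbdir, "phish.ndb"))
    return results


if __name__ == "__main__":
    run_demo()
```

The order matters: the integrity check runs on the staged download, and the decompressed file is written under a temporary name in the database directory before the rename, so at no point does ClamAV see a corrupt or half-written database.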
Sunday, 16 September 2007
Storm Worm Again: free games
You know the drill by now...
First you get an email, something like this one, with an IP address URL:
You are taken to a fake page, asking you to download an exe file:
But the exe file isn't all it seems. Here's what VirusTotal had to say:
Currently detected as: Email.Malware.Sanesecurity.0709160x (0-3)
Tuesday, 11 September 2007
SaneSecurity news
Firstly, some quite amazing news: on Wednesday 5th September at 9pm, I was lucky enough to have a 30 minute phone chat with Dean Drako, CEO of Barracuda Networks.
Dean confirmed that Barracuda are using my signatures as part of their multi-layer defence. Dean also confirmed that Barracuda are now a SaneSecurity signature mirror, and Sanesecurity even gets a mention here too.
Secondly, a new experimental project, PhishBar, which you can read more about here, but please read the big red flashing LED warning bits before using it.
In a nutshell, it's a way of seeing if any of your users have phishing sites stored in their home directories/user space on your servers.
Sunday, 9 September 2007
Storm Worm Again: NFL
New storm worm version just hitting, all about NFL Football (12 am UK).
The link goes to a very nice looking NFL site, asking you to download a tracker exe file:
Submitting the exe file to VirusTotal shows the following current patchy results:
Detection for the email, currently: Email.Malware.Sanesecurity.070908xx (02-06)
I'm sure there will be more!
Thursday, 6 September 2007
storm worm: all change :)
Heads up, new storm worm incoming... oooooh... the RIAA are after everybody, and worryingly some people might fall for this one:
When you click on the given link, you get taken to this page, asking you to download an exe file:
Current detection is a little patchy:
So far, the following Sanesecurity signatures match the variants seen:
Email.Malware.Sanesecurity.07090600
Email.Malware.Sanesecurity.07090601
Email.Malware.Sanesecurity.07090602
Tuesday, 4 September 2007
419 DOC spam
storm worm: labor day
Little bit late on this write-up... but no doubt you've seen these various ecards:
If you click on the link, you get a lovely page like this:
Which asks you to download an exe file. Submitting the exe file to VirusTotal gives the following results:
Detection for these cards is:
Email.Malware.Sanesecurity.070903xx (02-11)
Tuesday, 21 August 2007
storm worm: next generation
Sorry for the late write-up on this... but it was more important to get all the signatures out this morning to cover all these variants than to do a write-up.
Here's one of the many variants of the storm worm "member"/"logon" emails:
If you do click on the link, you either get an auto-downloaded exe file or you get to see the following page (note: Firefox pops up a warning about the page [red stop sign]):
The exe file you are asked to download is re-packed every 30 mins or so, to try and avoid detection by anti-virus software. The sample above was submitted to VirusTotal with the following results:
Detection for all these email variants was added at about 09:30am BST as the following:
Email.Malware.Sanesecurity.07082100 to Email.Malware.Sanesecurity.07082107
Friday, 10 August 2007
Stock Spam changes format: FDF
As reported by the F-Secure blog, instead of PDF spam we now have FDF-formatted spam... which stands for format data format, used by various PDF readers.
Update: it appears that all is not what it seems: the first few bytes of the .FDF file are actually %PDF-1.5, which means all the spammers have done is rename the extension from .PDF to .FDF. A real .FDF file has the magic bytes %FDF-1.2. The PDF readers just open it as a PDF because of the magic bytes. Sneaky.
Here's an example email that came in:
And here are its contents:
Note the random hex number (shown in red), which the spammers use to change the Adobe-encrypted contents of the file so it's hard to detect a pattern, i.e. you can't use an MD5 hash of the file (just like the problems caused by the image spams).
The good news is that, although this was a new technique for the spammers... it was already 0-hour protected by the signature: Email.Stk.Gen606.Sanesecurity.07080101.pdf
Which was nice :)
Tuesday, 31 July 2007
Important: signature location
Well, after hitting 25 gig of bandwidth again this month, it's time to force people to move over to the latest round-robin URLs. So, if you're using an old script then you will no longer be receiving the Sanesecurity signatures, as the phish and scam databases at the old download locations have now been blanked.
Use the updated scripts from the usage page; the round-robin URLs are:
http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
stock spam evolve again... to zip... erm... rar
Well, spammers have changed tactics again this morning... we're now seeing a standard text stock spam... inside what looks like a zip file.
However, looking at the zip file... it's actually a rar file... another confusing trick.
Detection added as: Email.Stk.Gen603.Sanesecurity.07073100.zip
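The "zip" that is really a RAR archive here and the .FDF that starts with %PDF in the post above are the same trick: the extension the sender chose does not match the bytes inside. As an added example, not code from the blog, here is a Python check that sniffs an attachment's leading bytes against a small table of well-known magic values (PDF, FDF, ZIP, RAR and the OLE2 container used by legacy .xls/.doc) and reports attachments whose extension does not match; the table, the allowed-type mapping and the sample attachments are all constructed, and the table covers only those formats.

```python
"""Added example (not the blog's code): sniff an attachment's real format
from its leading bytes and flag a mismatch with the claimed extension.
Covers the page's two cases (.FDF that is really %PDF, .zip that is really
RAR) plus a few other formats; the sample attachments are constructed."""
from __future__ import annotations

import os

# (real type, magic bytes). Constructed table of well-known headers; PDF/FDF
# headers carry a version number, so only the leading marker is matched.
MAGIC = [
    ("pdf", b"%PDF-"),
    ("fdf", b"%FDF-"),
    ("zip", b"PK\x03\x04"),            # local file header
    ("zip", b"PK\x05\x06"),            # empty archive (end-of-central-directory only)
    ("rar", b"Rar!\x1a\x07"),          # RAR 4.x and RAR 5 both start this way
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .xls/.doc container
]

# Real types that are acceptable for each claimed extension (constructed policy).
ALLOWED = {
    "pdf": {"pdf"},
    "fdf": {"fdf"},
    "zip": {"zip"},
    "rar": {"rar"},
    "xls": {"ole2"},
    "doc": {"ole2"},
}


def sniff_type(data: bytes) -> str:
    """Return the real type for the leading bytes, or 'unknown'."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict[str, str]:
    """Compare the extension the sender chose with what the bytes say.
    verdict: 'ok', 'mismatch', or 'unchecked' (extension not in the table)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    actual = sniff_type(data)
    if ext not in ALLOWED:
        verdict = "unchecked"
    elif actual in ALLOWED[ext]:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"filename": filename, "claimed": ext, "actual": actual, "verdict": verdict}


# Constructed sample attachments (headers only; not real spam samples).
SAMPLES = {
    "stock.fdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "form.fdf": b"%FDF-1.2\n1 0 obj\n<< /FDF << /Fields [] >> >>\nendobj\n",
    "stock.zip": b"Rar!\x1a\x07\x00" + bytes(16),
    "invoice.zip": b"PK\x03\x04" + bytes(26),
    "prices.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(8),
    "notes.txt": b"just text\n",
}


def scan_samples() -> dict[str, str]:
    """Run the check over the constructed samples; returns filename -> verdict."""
    verdicts = {}
    for name, data in SAMPLES.items():
        result = check_attachment(name, data)
        verdicts[name] = result["verdict"]
        print(f"{name:12s} claimed={result['claimed']:4s} "
              f"actual={result['actual']:7s} -> {result['verdict']}")
    return verdicts


if __name__ == "__main__":
    scan_samples()
```

The point of the "unchecked" verdict is that a magic-byte table is only ever partial: an extension the table does not know is reported as unchecked rather than silently passed, so the gap stays visible when the spammers move to the next format.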
Sunday, 22 July 2007
From PDF to XLS to Zipped XLS: Stock spam
Received another variant of the XLS stock spam... this time the spammers are zipping the XLS stock spreadsheet.
Sample Received date: 22 Jul 2007 15:48:20 +0200
Signature Email.Stk.Gen598.Sanesecurity.07072000.xls from yesterday already detected it :)
Saturday, 21 July 2007
From PDF to XLS: Stock spam
Well well, the spammers change tactics yet again, from the image spam and the pdf spam... to the downright sneaky Excel spreadsheet spam.
As most companies use XLS (and PDF for that matter), the spammers know that companies won't block these extension types, as it would stop genuine email too.
21st July 2007 timeline
At 16:11 UK time, I received an interesting stock spam sample and started to analyse it;
At 17:00 UK time, I received five more samples... all XLS spreadsheets.
At 18:05 UK time, the first signature was uploaded to the mirrors:
Email.Stk.Gen598.Sanesecurity.07072000.xls
Here's a screenshot:
Wonder what format is going to be next for the spammers?
Monday, 16 July 2007
Phishers go Green!
Thursday, 5 July 2007
Digg Post
PayPal phish using a word document
Tuesday, 26 June 2007
stock spam evolves: new style pdfs
Spammers have now come up with a new style of stock emails.
First they used just plain text, next they used static image files. Next, they used random image files, all to avoid filtering.
Due to people starting to use FuzzyOcr, the stock spammers moved into pdfs.
The pdfs contained plain text, which again, using the right tools, can be filtered.
This morning, the "next generation" appeared: pdfs with random images embedded in the pdf :(
Firstly, here's the email you receive:
Pdf example 1:
Pdf example 2:
Interestingly, both pdfs would not open in a couple of the free pdf readers, but they seem to open fine in Adobe's PDF reader.
Initial detection of this variant has been added as: Email.Stk.Gen538.Sanesecurity.07062600.pdf
Update (12:45): more new variants using random pdf filenames now!
Pdf example 3:
Pdf example 4:
Pdf example 5:
Monday, 18 June 2007
Greeting Card: fun.exe
ISC has an interesting article on an attack involving .hk domains.
So, perhaps this is a related attack.
It starts with a greeting card:
If you've not got Javascript enabled, you'll see this screen, where the file it wants you to download is on a .hk server and the exe is called fun.exe:
Looking deeper at the code, it's doing something iffy:
If you do click on the link, you are served an exe file, which when submitted to VirusTotal gives you this result:
Again, coverage not too hot :(
Currently detected as: Email.Malware.Sanesecurity.07061701