Monday, 12 November 2007

Fake YouTube email spammed

Interesting YouTube email has just been spammed:

As you can see from the link, it's a fake YouTube site, which takes you here:

Current VirusTotal detection for the install_flash_player.exe file:

Email detected as: Email.Malware.Sanesecurity.07111200

Friday, 5 October 2007

0hour testing

Well, a new email came in, which looked very odd, here's the headers:

Received: from (88-139-180-230.adslgp.cegetel.
by (8.9.3/8.9.3) with ESMTP id JAA02419
for ; Fri, 5 Oct 2007 09:28:25 +0100
Received: from [] by; Fri, 5 Oct 2007 02:37:20
From: "Shirley Xxxxxxx"
Date: Fri, 5 Oct 2007 02:37:20 +0100

Here's the actual email:

So, I submitted the zip file to VirusTotal to see what the latest detection was like and then repeated the same file, at various times after that, to see roughly when vendors added detection.

Note: it's not exactly scientific, so your mileage may vary etc.

Here's the results:

As you can see, Antivir did well!

ClamAV team did a very quick job on adding this one, still beating the big boys:

F-Secure and F-Prot, now have detection:

Nod32 users now covered:

Kaspersky users now covered:

For the AVG users out there, detection has now been added:

Here's the situation on Monday morning:

Wednesday, 19 September 2007

SaneSecurity News: Corrupt Signatures

For a few hours today, one of the mirrors had a corrupt version of phish.ndb.gz.

After being alerted to the fact by a user, I informed the mirror admin about the issue and the problem was then fixed.

The scripts on the SaneSecurity site, check the integrity of the signatures before being moved into the ClamAV database directory for use... and have done for some time.

This is important not only for the SaneSecurity signatures but indeed for any Third-Party signatures, as if you move a corrupt signature file into the ClamAV directory, it's going to stop ClamAV from scanning your emails, until you sort the problem out.

If you're running your own script or have an old version of the SaneSecurity scripts, it might be worth updating them:

I do always check signature integrity before uploading... so they leave here fine... but the end-user must always double-check their download integrity before use.

Apologies for the corrupt file and any problems caused.



Sunday, 16 September 2007

Storm Worm Again: free games

You know the drill by now...

First you get an email, something like this one, with a IP address url:

You are taken to a fake page, asking to download an exe file:

But the exe file, isn't all that it seems. Here's what VirusTotal had to say:

Currently detected as: Email.Malware.Sanesecurity.0709160x (0-3)

Tuesday, 11 September 2007

SaneSecurity news

Firstly, some quite amazing news, on Wednesday, 5th September 9pm, I was lucky enough to have a 30 minute phone chat with Dean Drako, CEO of Barracuda Networks.

Dean confirmed that Barracuda are using my signatures as part of their multi-layer of defence. Dean also confirmed that Barracuda are now a SaneSecurity signature mirror and Sanesecurity even get a mention here too.

Secondly, a new experimental project PhishBar, which you can read more about here, but please read the big red flashing led warning bits before using.

In a nutshell, It's a way of seeing if any of your users have phishing sites stored in their home directories/user space on your servers.

Sunday, 9 September 2007

Storm Worm Again: NFL

New storm worm version just hitting, all about NFL Football (12 am:uk)

Links goes to a very nice looking NFL site, asking to download a tracker exe file:

Submitting the exe file to VirusTotal, shows the following current patchy results:

Detection for the email, currently: Email.Malware.Sanesecurity.070908xx (02-06)

I'm sure there will be more!

Thursday, 6 September 2007

storm worm: all change :)

Heads up, new storm worm incoming... oooooh... the RIAA are after everybody and worryingly
some people might fall for this one:

when you click on the given link, you get taken to this page, asking you to download an exe file:

Current detection is a little patchy:

So far, the following Sanesecurity signatures match the variants seen so far:


Tuesday, 4 September 2007

419 DOC spam

Here's a slightly different 419 spam:

The attached Word document looks like this:

Detection for this is: Email.Scam4.Gen1002.Sanesecurity.07090406.doc

storm work: labor day

Little bit late on this writeup... but no doubt you've seen these various ecards:

If you click on the link, you can a lovely page, like this:

Which asks you to download an exe file. Submitting the exe file to VirusTotal, give the following results:

Detection for these cards are:

Email.Malware.Sanesecurity.070903xx (02-11)

Tuesday, 21 August 2007

storm worm: next generation

Sorry for the late right up on this.. but it was more important to get all the signatures out this morning to cover all these variants then to do a write up.

Here's one of the many variants of the storm worm "member"/"logon" emails:

If you do click on the link you either get an auto-downloaded exe file or you get to see the following page (note: firefox pops up a warning about the page [red stop sign])

The exe file you are asked to download is re-packed every 30 mins or so, to try and avoid detection by anti-virus software. The sample above was submitted to VirusTotal with the following results:

Detection for all these email variants was added about 09:30am BST as the following:

Email.Malware.Sanesecurity.07082100 to Email.Malware.Sanesecurity.07082107

Friday, 10 August 2007

Stock Spam changes format: FDF

As reported by the F-Secure blog instead of using PDF spam, we now have FDF formatted spam....which stands for format data format, used by various PDF readers.

Update: it appears that all is not what it seems: the first few bytes of the .FDF file are actually %PDF-1.5, which means that all the spammers have done is renamed the extension from .PDF to .FDF. A real .FDF file has the magic-bytes %FDF-1.2. The pdf readers just open it as a PDF because of the magic-bytes. Sneaky

Here's an example email that came in:

And here's it's contents:

Note the random hex number (shown in red) which is used by the spammers to change the Adobe encrypted contents of the file, so it's hard to detect a pattern, ie: you can't use an md5 hash of the file (just like the problems caused by the image spams)

The good news is, that although this was a new technique that the spammers used... it was already 0-hour protected by signature: Email.Stk.Gen606.Sanesecurity.07080101.pdf

Which was nice :)

New E-Card Storm Worm



Tuesday, 31 July 2007

Important: signature location

Well after hitting 25 gig of bandwidth again this month, it's time to force people to move over to the latest round-robin urls. So, if your using an old script then you will no longer be receiving the Sanesecurity signatures, as the phish and scam databases at the old download locations have now been blanked.

use the updated scripts from the usage page;

round-robin urls:

stock spam evolve again... to zip... erm... rar

Well, spammers have again this morning changed tactics again... were now seeing a standard text stock spam... inside what looks like a zip file.

However, looking at the zip file.. it's actually a rar file... another confusing trick.

Detection added as:

Sunday, 22 July 2007

From PDF to XLS to Zipped XLS: Stock spam

Received another variant of the XLS stock spam... this time... the spammers are zipping the XLS stock spreadsheet.

Sample Received date: 22 Jul 2007 15:48:20 +0200

Signature Email.Stk.Gen598.Sanesecurity.07072000.xls from yesterday already detected it :)

Saturday, 21 July 2007

From PDF to XLS: Stock spam

Well well, the spammers change tactics yet again, from the image spam and the pdf spam... to the downright sneeky Excel spreadsheet spam.

As most companies use XLS (and PDF for that matter) the spammers know that companies won't block these extension types, as it'll stop genuine email too.

21st July 2007 timeline

At 16:11 UK time, I received an interesting stock spam sample and started to analyse;
At 17:00 UK time, I was received five more samples.... all XLS spreadsheets.

At 18:05 UK time, the first signature was uploaded to the mirrors:


Here's a screenshot:

Wonder what format is going to be next for the spammers?

Monday, 16 July 2007

Phishers go Green!

It's nice to know that even the phishers care about saving the planet, I mean it looks legit:

... well, apart from with a .hk domain ending:

Thursday, 5 July 2007

Digg Post

Here's a post on Digg from a user, for a bit of useful sounding software:

When you click on the link, you are taken to a download site:

Scanning the download file:

So, is this just a false positive or a different way of getting malware out to the world ??

PayPal phish using a word document

Here's a phish that came in from PayPal which contained a word document.

As the email used an image for the main text body and a word document, the phisher no doubt thought it would bypass filters.

Here's the main email:

Here's the content of the word document:

Tuesday, 26 June 2007

stock spam evolve: new syle pdfs

Spammers have now come up with a new style of stock emails.

First they used just plain text, next they used static image files. Next, they used random image files, all to avoid filtering.

Due to people starting to use FuzzyOcr, the stock spammers, moved into pdfs.

The pdfs contained plain text, which again using the right tools can be filtered.

This morning, the "next generation" appeared; pdf's with random images embedded in the pdf :(

Firstly, here's the email you receive:

Pdf example 1:

Pdf example 2:

Interestingly, both pdfs would not open in a couple of the free pdf readers but they seem to open fine in Adobe Pdf reader.

Initial detection of this varient has been added as: Email.Stk.Gen538.Sanesecurity.07062600.pdf

Update (12:45): more new varients using random pdf filenames now!

Pdf example 3:

Pdf example 4:

Pdf example 5:

Monday, 18 June 2007

Greeting Card: fun.exe

ISC has an interesting article on an Attack involving .hk domains

So, perhaps this is a related attack.

It starts with a greeting card:

If you've not got Javascript enabled, you'll see this screen, where the file it wan't you do download is on a .hk server and the exe is called fun.exe:

Looking deeper at the code, it's doing something iffy:

If you do click on the link, you are served an exe file, which when submitted to VirusTotal gives you this result:

Again, coverage not too hot :(

Currently detected as: Email.Malware.Sanesecurity.07061701