Showing posts with label Postini.

Wednesday 8 August 2007

"Comcast Automated Systems" Trojan

A trojan embedded in a ZIP file this time. It's attempting to use a filename of statement.pdf[lots of spaces].exe.


Subject: Important Notice-July 2007 Statement 0000000


PLEASE DO NOT REPLY TO THIS E-MAIL. THIS E-MAIL ADDRESS IS USED BY
COMCAST AUTOMATED SYSTEMS AND IS NOT MONITORED.

Your August 07, 2007 Bank billing statement is ready for viewing. To
view your bill download attached Adobe Acrobat PDF file.

If you would like to discontinue receiving a hard copy billing
statement in the mail, you may do so by selecting the UPDATE STATEMENT METHOD
link once you have logged into your account. From there, simply select
the option for Electronic Statement Only.

You received this e-mail because you enrolled Account feature.
If you no longer wish to receive these e-mails, you will
need to cancel your enrollment. To cancel your enrollment, please log
in to your account and from the Update Profile screen, select the cancel
link from the bottom of the page.

As far as we can tell, the filename enclosed in the ZIP file won't extract properly because there are too many spaces and the filename is too long, but the spammers will probably figure it out eventually.

If you're using Postini, the attachment manager can easily be configured to block all .exe files, and this also applies to .exe-in-.zip files.

Detections are patchy, with some AV products picking up only the executable packer. When the .exe file runs it will attempt to install other malware, some of which will be picked up by AV products. According to VirusTotal:


File statement.pdf____________________ received on 08.08.2007 17:44:19 (CET)

Antivirus         | Version      | Last Update | Result
AhnLab-V3         | 2007.8.3.0   | 2007.08.08  | -
AntiVir           | 7.4.0.57     | 2007.08.08  | TR/Crypt.XPACK.Gen
Authentium        | 4.93.8       | 2007.08.08  | -
Avast             | 4.7.1029.0   | 2007.08.07  | -
AVG               | 7.5.0.476    | 2007.08.07  | -
BitDefender       | 7.2          | 2007.08.08  | -
CAT-QuickHeal     | 9.00         | 2007.08.08  | (Suspicious) - DNAScan
ClamAV            | 0.91         | 2007.08.08  | -
DrWeb             | 4.33         | 2007.08.08  | -
eSafe             | 7.0.15.0     | 2007.07.31  | suspicious Trojan/Worm
eTrust-Vet        | 31.1.5043    | 2007.08.08  | -
Ewido             | 4.0          | 2007.08.08  | Downloader.Agent.bhl
FileAdvisor       | 1            | 2007.08.08  | -
Fortinet          | 2.91.0.0     | 2007.08.08  | -
F-Prot            | 4.3.2.48     | 2007.08.08  | -
F-Secure          | 6.70.13030.0 | 2007.08.08  | Trojan-Downloader.Win32.Small.ehe
Ikarus            | T3.1.1.12    | 2007.08.08  | -
Kaspersky         | 4.0.2.24     | 2007.08.08  | Trojan-Downloader.Win32.Small.ehe
McAfee            | 5092         | 2007.08.07  | -
Microsoft         | 1.2704       | 2007.08.08  | VirTool:Win32/Obfuscator.C
NOD32v2           | 2444         | 2007.08.08  | a variant of Win32/Spy.Nuklus
Norman            | 5.80.02      | 2007.08.08  | -
Panda             | 9.0.0.4      | 2007.08.08  | Suspicious file
Prevx1            | V2           | 2007.08.08  | -
Rising            | 19.35.22.00  | 2007.08.08  | -
Sophos            | 4.19.0       | 2007.08.01  | -
Sunbelt           | 2.2.907.0    | 2007.08.07  | Infostealer.Nuklus
Symantec          | 10           | 2007.08.08  | -
TheHacker         | 6.1.7.164    | 2007.08.08  | -
VBA32             | 3.12.2.2     | 2007.08.07  | Trojan-Spy.Win32.Small.gv
VirusBuster       | 4.3.26:9     | 2007.08.08  | Trojan.DL.Small.Gen!Pac25
Webwasher-Gateway | 6.0.1        | 2007.08.08  | Trojan.Crypt.XPACK.Gen

Additional information
File size: 13824 bytes
MD5: 38ac63f8b7ef22d9a07138ba73de7178
SHA1: 6337e3178eba2859fd0e2e1188eab8b528696933
packers: UPack

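If you don't have an attachment manager that looks inside archives, the same padded-extension trick can be caught at the gateway by inspecting ZIP member names before they are ever extracted. The following is an added example, not code from the post or from Postini; the extension lists and the in-memory sample archive are constructed for illustration.

```python
# Added example: flag ZIP members whose names hide an executable extension
# behind a run of padding, as in "statement.pdf<many spaces>.exe".
import io
import re
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumed list
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg"}                 # assumed list

def classify_name(name: str) -> list[str]:
    """Return the reasons a member name looks deceptive (empty if clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore any directory part
    lower = base.lower()
    # The real extension is whatever follows the final dot once trailing
    # whitespace is stripped; the padding before that dot is the trick.
    real_ext = ("." + lower.rstrip().rsplit(".", 1)[-1]) if "." in lower else ""
    if real_ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {real_ext}")
        # A document-looking extension followed by 4+ spaces and another dot.
        m = re.search(r"(\.[a-z0-9]+)\s{4,}\.", lower)
        if m and m.group(1) in DECOY_EXTENSIONS:
            reasons.append(f"padding after decoy extension {m.group(1)}")
    return reasons

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map every suspicious member name in a ZIP to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():          # names only; nothing is extracted
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the post's attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf" + " " * 120 + ".exe", b"MZ not a real binary")
        zf.writestr("statement.pdf", b"%PDF-1.4 harmless placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()).items():
        print(repr(name[:20] + "..."), why)
```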

-----

Monday 9 July 2007

Google to acquire Postini for $625m

Big business, this spam thing. Google has just announced a $625m plan to buy Postini (more here). The deal is an outright cash purchase to be completed by end Q3 2007.

Postini is best known for its corporate spam filtering solution, but it is also active in the areas of instant messaging, compliance and mail archiving. These neatly complement Google's application range (especially for products like Gmail/Google Mail). It will also mean that Google will acquire some large Blue Chip corporations as customers that have so far been outside its reach.

Monday 26 March 2007

Fake "BlueMountains Greetings" message with a trojan


Fake greetings cards are a common way of spreading trojans, and this latest Fake Bluemountain.com Email is a case in point.

The message looks similar to the following one:

From: BlueMountains Greetings <greetings@BlueMountain.com>
Subject: You just received an Electronic Greeting.

Hello,
you just received an electronic greeting from a friend !

To view your eCard, please click on the following link :

http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999

(Your postcard will be available for 60 days.)

If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

Thanks for using BlueMountain.com.


In fact, the links actually lead to bluemountains.kokocards.com (do not visit this site). A more detailed writeup can be found here.

There's very little need to accept this type of "greetings card" into corporate environments, and this seems to be a common vector for malware attacks.

If you use Postini, you can create a custom content filter:
  • Select Match Any
  • Sender | contains | bluemountain.com
  • Body | contains | kokocards.com
  • Body | contains | bluemountain.com
  • Set message disposition to Quarantine Redirect
  • Don't forget to copy it to sub-orgs if you need to!

Wednesday 17 January 2007

Travelocity Template Spam


A couple of days ago, we saw a pump and dump spam using an Incredimail template to bypass spam filters. We pointed out that Incredimail messages could be scored as being somewhat spammy.

With a new twist, spammers are now using a Travelocity template with an embedded image in the middle. Businesses are more likely to allow Travelocity mail than ones with Incredimail templates.

Clever.. but these messages don't come from a Travelocity email address, nor a Travelocity IP (whatever that might be). So, if you roll your own filters you can look for elements of the Travelocity template in messages that don't originate from Travelocity.

If you use Postini, add an inbound filter something like:
  • Select "Match All"
  • Body | contains | 1-888-709-5983
  • Sender | does not contain | travelocity
  • Set Message Disposition to "User Quarantine"

What's clear is that the spammers have found a new technique here and there's probably (sadly) quite a bit of mileage in it. Expect to see more variants of this soon.

Monday 15 January 2007

"Incredimail" spam


A novel twist to the CBFE pump and dump spam that's been doing the rounds is a large scale run of spam messages using an Incredimail template to fool spam filters.

The trick here is that Incredimail uses a lot of embedded images, as does the recent batch of P&D messages.. so if a filter has been "detuned" to let these templates through, then the spam can slip through on the back of it.

In this particular case, the CBFE spam is encoded with the Windows-1251 Cyrillic character set which makes it distinctive, although that will probably change.

If you roll your own filters, look for X-Mailer: IncrediMail in the headers, and charset="windows-1251" on each MIME boundary.

If you use Postini, you could create an inbound filter of Header | contains | X-Mailer: IncrediMail and set Message Disposition to "User Quarantine".

There's probably no harm for most people in scoring messages with Incredimail templates higher for spam as very little of it will be business related.
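For anyone rolling their own filters rather than using Postini, here is an added example (not code from these posts) that applies both rules above to a raw message: the Incredimail X-Mailer header and windows-1251 charset check from this post, and the "template phone number but not from travelocity" check from the Travelocity post. The sample message is constructed; only the phone number and the X-Mailer string come from the posts.

```python
# Added example: header/body heuristics for the two template-spam runs.
from email import message_from_string

TRAVELOCITY_PHONE = "1-888-709-5983"   # number quoted in the Travelocity post

def template_indicators(raw: str) -> list[str]:
    """Return the template-spam rules a raw RFC 822 message trips."""
    msg = message_from_string(raw)
    hits = []
    sender = (msg.get("From") or "").lower()
    # Incredimail post: the X-Mailer header names IncrediMail.
    if "incredimail" in (msg.get("X-Mailer") or "").lower():
        hits.append("X-Mailer: IncrediMail")
    # Walk every leaf MIME part: note the Cyrillic charset, collect body text.
    body_parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        charset = (part.get_content_charset() or "latin-1").lower()
        if charset == "windows-1251":
            hits.append("charset windows-1251 on a MIME part")
        payload = part.get_payload(decode=True) or b""
        try:
            body_parts.append(payload.decode(charset, "replace"))
        except LookupError:                 # unknown charset label
            body_parts.append(payload.decode("latin-1"))
    body = "\n".join(body_parts)
    # Travelocity post: template phone number present, sender not Travelocity.
    if TRAVELOCITY_PHONE in body and "travelocity" not in sender:
        hits.append("Travelocity template from non-Travelocity sender")
    return hits

# Constructed sample message (not a real capture) that trips all three rules.
SAMPLE_MESSAGE = """\
From: Deals <deals@example.invalid>
To: someone@example.invalid
Subject: Great vacation packages
X-Mailer: IncrediMail (5001516)
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: 8bit

Book now! Call 1-888-709-5983 for our hottest travel deals.
"""

if __name__ == "__main__":
    print(template_indicators(SAMPLE_MESSAGE))
```

In a real deployment the hits would feed a score rather than a hard reject, since legitimate Incredimail users do exist.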