
Thursday 10 October 2013

Companies House phish

This fake Companies House spam appears to be some sort of phishing attempt:

Date:      Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]
From:      Companies House [contact@companieshouse.co.uk]
Subject:      Compulsory Companies House WebFiling Update #90721

Compulsory Companies House WebFiling Update #90721

This is an important notice to inform you as a registered company to update your details.

This will make it easier to update our database and keep records of our company.

Kindly follow the link below to update your information.

CLICK - Start Here
Companies House
Crown Way
Cardiff CF14 3UZ

DX 33050 Cardiff 

The link in the email goes to [phish]www.misspanama.net/respaldo/ukcompany/CompaniesHouse.htm which asks only for a Company Name, email address and password.

Once the credentials have been harvested, the victim is sent to a genuine Companies House webpage at www.companieshouse.gov.uk/forms/introduction.shtml


So, what is being harvested here? There seems to be no malware involved, and the form asks for nothing but a company name, email address and password, so what the bad guys want is presumably the WebFiling login itself: a way to hijack company identities for some evil purpose rather than a way into a bank account.

It turns out that Companies House have a webpage all about this type of threat and recommend that you forward offending emails to phishing@companieshouse.gov.uk. Just remember.. sometimes phishers are after something a lot less obvious than your bank details!

Wednesday 9 October 2013

"Annual Form - Authorization to Use Privately Owned Vehicle on State Business" spam / warehousesale.com.my

This oddly-themed spam has a malicious attachment:

Date:      Tue, 8 Oct 2013 11:49:49 -0600 [10/08/13 13:49:49 EDT]
From:      Waldo Reeder [Waldo@victimdomain.com]
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 
There is a ZIP file attached which includes the victim's domain name as part of the filename. Inside is an executable file with an icon to make it look like a PDF file, and the date is encoded into the filename too.
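A quick triage check for this kind of attachment, added here as an example and not part of the original post: it opens the ZIP and flags any member that is really a Windows executable, either by its extension or by the "MZ" signature at the start of the content, so the PDF icon counts for nothing. The ZIP, its member names and the victim-domain/date naming pattern are constructed stand-ins, not the real attachment.

```python
"""Triage a ZIP attachment for executables dressed up as documents.

Added example (not the blog's own tooling). The ZIP below is built in memory
from a constructed PE stub so the script runs offline; the member names are
made-up stand-ins for the real attachment.
"""
import io
import os
import zipfile
from typing import Dict, List

# Extensions Windows runs on double-click, whatever icon the file carries.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure wants the user to believe they are opening.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def inspect_member(name: str, head: bytes) -> List[str]:
    """Reasons a ZIP member looks like a disguised executable (empty = looks benign).

    `head` is the first two bytes of the member's content; a Windows PE always
    starts with the DOS stub signature b"MZ", regardless of filename or icon.
    """
    reasons = []
    lowered = name.lower()
    stem, ext = os.path.splitext(lowered)
    _, inner_ext = os.path.splitext(stem)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext} (document name, executable type)")
    if head.startswith(b"MZ"):
        reasons.append("MZ header: content is a Windows PE, whatever the name or icon says")
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name to its reasons; benign members are omitted."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed; the file is never executed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: a PE stub whose name mimics the lure.

    The name follows the pattern described in the post (victim domain and date in
    the filename, PDF-looking name); the exact name is made up for this example.
    """
    # Minimal DOS header: "MZ", e_lfanew at offset 0x3C pointing at "PE\0\0".
    pe_stub = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("STD261_victimdomain.com_10-08-2013.pdf.exe", pe_stub)
        zf.writestr("notes.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

The MZ check is the one that matters: an attacker can name the file anything and give it any icon, but a PE that does not start with "MZ" will not run, so mail-gateway rules that only look at the extension miss renamed executables while this check does not.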

VirusTotal detections are not bad at 25/48. Automated analysis [1] [2] [3] shows an attempted connection to warehousesale.com.my hosted on 42.1.61.90 (Exa Bytes Network, Malaysia). There are no other sites on that server that I can see and I recommend that you block both the IP and domain as a precaution.

Recommended blocklist:
warehousesale.com.my
42.1.61.90

Tuesday 8 October 2013

An informal anti-virus comparison

I use VirusTotal quite a lot for looking at malware and seeing how difficult it is to detect, and over time I've built up a fair amount of data on what performs well with the sort of malware that I throw at it.

This isn't a particularly scientific test: the malware I scan has a strong tendency to arrive by email rather than being a drive-by download, and the product settings in VirusTotal may not match typical settings when deployed.

The small print: data is taken from the past six months and only products that have been active on VirusTotal for that whole time period are included. The scans are those that I took at the time, and they don't take into account that products would be updated and would probably catch the samples later (once they have infected your system). It also doesn't take into account that other components would be downloaded, some of which would subsequently be detected (again, once they have infected your system). Your mileage may vary. Other anti-virus comparisons are available.
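To make the small print concrete, here is how a comparison like this is computed, as an added example and not the script behind this post: it takes a set of VirusTotal-style scan reports, keeps only the engines that returned a verdict on every scan (the "active for the whole period" rule), and ranks them by detection rate in the same percentage format as the table below. The engine names and verdicts are constructed, not the real 62 samples.

```python
"""Per-engine detection rates from a set of VirusTotal-style scan reports.

Added example, not the blog's own tooling. The reports are constructed in the
shape of VirusTotal's (v2) 'scans' field, engine name -> {'detected': bool},
with made-up engine names and verdicts; they are not the post's 62 samples.
"""
from typing import Dict, List, Set, Tuple

Report = Dict[str, Dict[str, bool]]

# Constructed reports. "Late" only appears in the last two scans, modelling a
# product that joined VirusTotal part-way through the period.
REPORTS: List[Report] = [
    {"Alpha": {"detected": True}, "Beta": {"detected": False}, "Gamma": {"detected": False}},
    {"Alpha": {"detected": True}, "Beta": {"detected": True}, "Gamma": {"detected": False}},
    {"Alpha": {"detected": False}, "Beta": {"detected": True}, "Gamma": {"detected": False}},
    {"Alpha": {"detected": True}, "Beta": {"detected": False}, "Gamma": {"detected": False},
     "Late": {"detected": True}},
    {"Alpha": {"detected": True}, "Beta": {"detected": False}, "Gamma": {"detected": False},
     "Late": {"detected": True}},
]


def engines_present_in_all(reports: List[Report]) -> Set[str]:
    """Engines that returned a verdict on every scan.

    An engine missing from some reports cannot be compared fairly: "Late" would
    score 2/2 on the scans it took part in, which says nothing about the other three.
    """
    if not reports:
        return set()
    common = set(reports[0])
    for report in reports[1:]:
        common &= set(report)
    return common


def format_rate(hits: int, total: int) -> str:
    """Percentage with two decimals, the way the table in the post shows it."""
    return f"{100.0 * hits / total:.2f}%"


def detection_rates(reports: List[Report]) -> List[Tuple[str, int, str]]:
    """(engine, detections, rate) for every engine present in all reports, best first."""
    total = len(reports)
    rows = []
    for engine in engines_present_in_all(reports):
        hits = sum(1 for report in reports if report[engine]["detected"])
        rows.append((engine, hits, format_rate(hits, total)))
    # Highest count first; name breaks ties so the order is stable.
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    print(f"{'Product':<10} {'Detected':>8}  Rate")
    for engine, hits, rate in detection_rates(REPORTS):
        print(f"{engine:<10} {hits:>3}/{len(REPORTS):<4}  {rate}")
```

With 62 samples each detection is worth 1/62, which is why every figure in the table below is a multiple of 1.61%; the same rounding in format_rate turns 45 detections into the 72.58% at the top of it.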

So, which was best in this test? The full details are below, but the product that was clearly the best at detecting nastiness was Kaspersky, with a very impressive 73% of samples detected. McAfee (58%), Malwarebytes (53%) and Emsisoft (50%) were the other products that detected half or more of the 62 samples.

The hall of shame is pretty shocking. ClamAV, ViRobot and Antiy-AVL detected no samples at all. TotalDefense and TheHacker detected just one sample (1.6%). Fifteen products detected 10% or less.

The Kaspersky result was surprisingly good, but McAfee's showing indicates that this product has improved a lot over recent years, leaving arch-rival Symantec lagging with 58% detected compared to 34%. SUPERAntiSpyware has a surprisingly low detection rate of 3.2%, considering that this is a product I often use for difficult tasks. F-Secure, Sophos, Trend and Norman all had disappointing results. But the results for TotalDefense were shocking, as this product is widely used by corporate customers and is the endpoint security business spun out of CA.. for a paid product it seems to be essentially worthless.

The chart below shows the staggering difference in detection rates between the best and worst vendors.


Or if you prefer a table.. (the product column survives only where the text above names the product; with 62 samples each detection is worth 1.61%)

Product           Detection rate   Type
Kaspersky         72.58%           Paid
McAfee            58.06%           Paid
Malwarebytes      53.23%           Free / Paid
Emsisoft          50.00%           Free / Paid
                  48.39%           Paid
                  48.39%           Corporate
                  43.55%           Paid
                  41.94%           Corporate
                  38.71%           Corporate
                  38.71%           Corporate
                  37.10%           Free / Paid
Symantec          33.87%           Paid
                  32.26%           Free / Paid
                  32.26%           Paid
                  32.26%           Paid
                  29.03%           Paid
                  27.42%           Paid
                  27.42%           Paid
                  25.81%           Paid
                  24.19%           Free / Paid
                  24.19%           Free
                  19.35%           Paid
                  19.35%           Paid
                  17.74%           Free / Paid
                  14.52%           Free
                  12.90%           Free / Paid
                  11.29%           Free
                  11.29%           Paid
                  11.29%           Paid
                   9.68%           Corporate
                   6.45%           Paid
                   6.45%           Paid
                   6.45%           Paid
                   4.84%           Paid
                   3.23%           Paid
                   3.23%           Paid
                   3.23%           Free
                   3.23%           Corporate
                   3.23%           Free / Paid
                   1.61%           Paid
                   1.61%           Paid
                   0.00%           Corporate
                   0.00%           Free
                   0.00%           Paid


In my opinion, your anti-virus product should always be the very last line of defence. But that last line should at least be effective and it may well be time to switch if your vendor is sitting near the bottom of this list.