Re: [Declude.Virus] How to disable CommTouch Zerohour (for testing)
On 3/19/2010 11:26 AM, Andy Schmidt wrote:
> Thanks - downloaded and installed. I'll have to take a look at the integrated Sniffer. I got pulled away and never got back to it. I'll have to take a good look at the rulebase update - on first glance it seems as if your script is leaving out the crucial SNF2CHECK to make sure that the downloaded rulebase is valid BEFORE replacing it. So I'll have to look at it very carefully.

Andy,

The script cannot call snf2check for the embedded SNF because that would expose the OEM rulebase. The SNF engine performs the SNF2CHECK task before it accepts a new rulebase, so it's ok to leave that out of the update script in OEM integrations of the SNF engine. In fact, the getRulebase.cmd script need not be used at all by an OEM -- they can use their own facility. However, in this case I recommended strongly that Declude use a modified getRulebase script so that Declude customers could modify it to perform additional tasks in the way they are used to.

Hope this helps,

Best,

_M

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] Integrated Sniffer
On 3/19/2010 1:46 PM, Andy Schmidt wrote:
> Hi Pete:
>
> Thanks for jumping in.
>
> 1. "The SNF engine performs the SNF2CHECK task before it accepts a new rulebase"
>
> I'm a little confused - the script replaces the rulebase - without checking. So what happens if the rulebase is bad? By the time the engine checks, the good one is already renamed and the bad one is already called .snf.

If the rulebase does not properly authenticate in the SNF engine then the reload is rejected. Once the guard time expires the update script will be run again (by default after 3 minutes).

> 2. I assume I can still just update the XML file to move the logfiles, rulebase and workspace to their own subfolders to keep things tidy and for improved maintainability?
>
> <log path='[PATH]\declude\scanners\SNF\logs\'/>
> <rulebase path='[PATH]\declude\scanners\SNF\rulebase\'/>
> <workspace path='[PATH]\declude\scanners\SNF\work\'/>

As far as I know that should be ok -- but you need to check with Declude on that first. They may have certain expectations built into their software and/or their support process.

_M
Re: [Declude.Virus] Integrated Sniffer
On 3/19/2010 2:48 PM, Andy Schmidt wrote:
> Thanks
>
> "If the rulebase does not properly authenticate in the SNF engine then the reload is rejected. Once the guard time expires the update script will be run again (by default after 3 minutes)."
>
> Which also means, if the corrupt rulebase persists and the server or services happen to be restarted during those times, we have a potential problem because upon restart it won't have a good rulebase to fall back on. So there's definitely a (calculated) risk in NOT checking the rulebase BEFORE renaming it.

That's true -- but the risk is very small.

_M
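The update pattern the three messages above argue about, as an added example that is not Message Sniffer's or Declude's code: a downloaded rulebase becomes the live file only after it validates, and the previous good copy is kept as .bak so a service restart during the guard window still has something sound to load. The validator here is a stand-in (HMAC-SHA256 with a demo key) for SNF2CHECK and the engine's own authentication, whose real logic is OEM-private; the file names and key are assumptions.

```python
"""Added example, not Message Sniffer's or Declude's code: validate the
candidate rulebase first, then swap it in atomically and keep the old one.
The validator is a stand-in (HMAC-SHA256, demo key) for SNF2CHECK / the
engine's own authentication, whose real logic is OEM-private.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple

_DEMO_KEY = b"demo-only-not-a-real-licence-key"  # assumed; stands in for the OEM key


def make_rulebase(body: bytes) -> bytes:
    """Vendor side of the demo: append an HMAC tag so the file can be checked."""
    return body + hmac.new(_DEMO_KEY, body, hashlib.sha256).digest()


def rulebase_is_valid(data: bytes) -> bool:
    """Stand-in for SNF2CHECK: the trailing 32 bytes must be the HMAC of the rest."""
    if len(data) <= 32:
        return False
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(_DEMO_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def install_rulebase(candidate: bytes, live_path: str) -> str:
    """Install candidate at live_path only if it validates; return 'installed' or 'rejected'.

    The candidate is written to a temp file in the same directory and checked
    there. Only then is the current live file renamed to .bak and the temp
    file renamed over live_path. Both renames are atomic on one filesystem,
    so the engine never sees a half-written or bad file under the live name.
    """
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".rulebase-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(candidate)
        with open(tmp_path, "rb") as fh:
            if not rulebase_is_valid(fh.read()):
                return "rejected"      # live file untouched; retry after the guard time
        if os.path.exists(live_path):
            os.replace(live_path, live_path + ".bak")
        os.replace(tmp_path, live_path)
        return "installed"
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)


def rulebase_after_restart(live_path: str) -> Optional[bytes]:
    """What a restarted engine could load: the live file if valid, else the .bak."""
    for path in (live_path, live_path + ".bak"):
        if os.path.exists(path):
            with open(path, "rb") as fh:
                data = fh.read()
            if rulebase_is_valid(data):
                return data
    return None


def demo() -> Tuple[str, str, bool]:
    """Good update installs; a truncated download is rejected; live copy stays good."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "rulebase.snf")
        first = install_rulebase(make_rulebase(b"rules v1"), live)
        second = install_rulebase(make_rulebase(b"rules v2")[:-7], live)  # cut short in transit
        still_good = rulebase_after_restart(live) == make_rulebase(b"rules v1")
        return first, second, still_good
```

The point of checking the temp file rather than the live name is exactly Andy's restart case: a rejected download never touches rulebase.snf, and even if a later step fails, rulebase.snf.bak is a known-good fallback.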
Re: [Declude.Virus] Commtouch/Temp files going back to last year?
On 3/19/2010 5:52 PM, Andy Schmidt wrote:

Hi,

No. I have a little cscript I wrote that iterates through subdirectories and takes parameters like /lastweek, /lastmonth, etc. If you're looking for something ready-made and don't need anything extra, I used to have good luck with delold. Googling for it will get you there.

_M
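An added example of the cleanup the reply describes, not the cscript from the post: walk a tree, find files older than a cutoff, and delete them, with a dry-run mode that reports what would go first. The /lastweek and /lastmonth switches become a small lookup table; the sample tree is constructed in a temp directory for the demo and the file names are made up.

```python
"""Added example, not the cscript from the post: age-based cleanup of a
temp tree with a dry run. Sample tree and names are constructed.
"""
import os
import stat
import tempfile
import time
from typing import List, Optional, Tuple

WINDOWS = {"lastweek": 7, "lastmonth": 30}  # days, standing in for the post's switches


def purge_old_files(root: str, older_than_days: int, dry_run: bool = True,
                    now: Optional[float] = None) -> List[str]:
    """Return the paths older than the cutoff, deleting them unless dry_run.

    Only regular files are touched: symlinks are skipped so a link planted in
    a temp area cannot make the cleanup reach outside the tree, and os.walk
    does not follow symlinked directories by default for the same reason.
    """
    now = time.time() if now is None else now
    cutoff = now - older_than_days * 86400
    victims: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # vanished between listing and stat; a scanner is still busy
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mtime < cutoff:
                victims.append(path)
                if not dry_run:
                    os.remove(path)
    return sorted(victims)


def demo() -> Tuple[int, int, bool, bool]:
    """One 40-day-old file under a subfolder, one fresh file at the root."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "proc", "old")
        os.makedirs(sub)
        old = os.path.join(sub, "D1234.tmp")
        fresh = os.path.join(root, "D5678.tmp")
        for p in (old, fresh):
            with open(p, "wb"):
                pass
        now = time.time()
        os.utime(old, (now - 40 * 86400, now - 40 * 86400))
        planned = purge_old_files(root, WINDOWS["lastmonth"], dry_run=True, now=now)
        removed = purge_old_files(root, WINDOWS["lastmonth"], dry_run=False, now=now)
        return len(planned), len(removed), os.path.exists(old), os.path.exists(fresh)
```

Run the dry run first against the real temp area and read the list; a cutoff measured from mtime will also sweep anything a scanner is still holding open if it has not been written to recently, so keep the window generous.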
Re[2]: [Declude.Virus] F-PROT 6 vs ClamAV SOSDG
On Monday, June 23, 2008, 2:16:47 PM, Kevin wrote:
> I have complained about this for a while now. This process of "fix the configuration the place in the proc folder" only works if you are constantly poring through your hold folders. We do not do that. We send an email to our users with the messages they have in their hold. They then have the option to deliver the message to their inbox; when they click the recover link the message is placed in the spool folder and a copy of the raw email is sent to our admin to then look at the configuration. This process makes the hold folder completely hands off. How about an option to VIRUSSCANONHOLD. This would make everyone happy.

My $0.02 -

Virus scanning after JM is a way to maximize efficiency by NOT scanning messages that will not be delivered. If you add a feature to scan on hold -- you are essentially defeating AVAFTERJM.

What you want is simply a mechanism that does virus scanning before returning the message to spool for delivery. If you've already automated your quarantine recovery mechanism then that should be fairly easy for you to add.

If Declude were to add a feature to facilitate this then the best bet would be a folder that accepts quarantine recovery messages and performs virus scanning (perhaps full scanning) on those messages before they are returned to spool for delivery. That facility might then provide special handling for messages in that case so that if a message released from quarantine was found to contain a virus you could perhaps deliver a notification message in its stead for safety -- or some other option that would be unique to the recovery case.

Such a feature would not dilute the AVAFTERJM feature but would provide a recovery mechanism as simple as dropping the recovered message (both files) into a folder -- it just wouldn't be the spool ;-) The feature would also provide a new pathway for handling this special case efficiently.

Hope this helps,

_M
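The recovery path the reply sketches, as an added example that is not Declude's code: a released message is rescanned before it reaches the spool, and if an engine hits, a short notification is spooled in its place. Scanners are modelled as callables returning a detection name or None (the real ones would be command-line AV engines); the .msg/.hdr file pair, the spool layout and the marker-based toy scanners are assumptions for the demo.

```python
"""Added example, not Declude's code: rescan on release from quarantine,
substituting a notification when an engine hits. File naming, the header
file's role and the marker-based scanners are assumptions.
"""
import os
import shutil
import tempfile
from typing import Callable, List, Optional, Tuple

Scanner = Callable[[bytes], Optional[str]]


def scan_all(data: bytes, scanners: List[Scanner]) -> Optional[str]:
    """Run the engines in order and stop at the first detection."""
    for scan in scanners:
        hit = scan(data)
        if hit:
            return hit
    return None


def release_from_quarantine(msg_path: str, hdr_path: str, spool_dir: str,
                            scanners: List[Scanner]) -> str:
    """Move a (message, header) pair from the recovery folder into the spool.

    Returns 'delivered' when clean. When infected, the original never enters
    the spool: a notification is written under the message's name, the header
    file (envelope/recipients) is carried over so delivery still has somewhere
    to go, and the infected file is removed; returns 'replaced'.
    """
    with open(msg_path, "rb") as fh:
        data = fh.read()
    hit = scan_all(data, scanners)
    os.makedirs(spool_dir, exist_ok=True)
    dst_msg = os.path.join(spool_dir, os.path.basename(msg_path))
    dst_hdr = os.path.join(spool_dir, os.path.basename(hdr_path))
    if hit is None:
        shutil.move(msg_path, dst_msg)
        shutil.move(hdr_path, dst_hdr)
        return "delivered"
    notice = ("Subject: Quarantine release blocked\r\n\r\n"
              "The message you released from quarantine was found to contain "
              "%s and was not delivered.\r\n" % hit)
    with open(dst_msg, "wb") as fh:
        fh.write(notice.encode("ascii"))
    shutil.move(hdr_path, dst_hdr)
    os.remove(msg_path)
    return "replaced"


def signature_scanner(signature: bytes, name: str) -> Scanner:
    """Toy engine: flags any message containing the given byte string."""
    return lambda data: name if signature in data else None


def demo() -> Tuple[Tuple[str, ...], List[str], bool]:
    """One clean and one 'infected' release; constructed messages and headers."""
    scanners = [signature_scanner(b"DEMO-VIRUS-MARKER", "Demo.TestVirus"),
                signature_scanner(b"DEMO-OTHER-MARKER", "Demo.Other")]
    samples = (("D1.clean", b"Subject: hi\r\n\r\nnothing here\r\n"),
               ("D2.bad", b"Subject: pics\r\n\r\nDEMO-VIRUS-MARKER\r\n"))
    with tempfile.TemporaryDirectory() as d:
        recover, spool = os.path.join(d, "recover"), os.path.join(d, "spool")
        os.makedirs(recover)
        results = []
        for name, payload in samples:
            msg = os.path.join(recover, name + ".msg")
            hdr = os.path.join(recover, name + ".hdr")
            with open(msg, "wb") as fh:
                fh.write(payload)
            with open(hdr, "wb") as fh:
                fh.write(b"RCPT TO:<user@example.com>\r\n")
            results.append(release_from_quarantine(msg, hdr, spool, scanners))
        with open(os.path.join(spool, "D2.bad.msg"), "rb") as fh:
            original_leaked = b"DEMO-VIRUS-MARKER" in fh.read()
        return tuple(results), sorted(os.listdir(spool)), original_leaked
```

Because the scan happens before anything is written to the spool, AVAFTERJM is untouched for normal traffic: only the small stream of user-released messages pays for a full scan.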
Re[2]: [Declude.Virus] Windows Update!
Note, I found and filtered a few of these today that used ordinary links rather than numbered ones. I'm guessing the variants are already out.

_M

On Monday, April 11, 2005, 6:01:24 PM, Greg wrote:
> Here's some background info on this pest (from another list).
>
> Greg Little
>
> Original Message
> Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
> Date: Fri, 08 Apr 2005 09:27:43 -0700
> From: Angus Scott-Fleming [EMAIL PROTECTED]
> Reply-To: Network Security Managers List [EMAIL PROTECTED]
> Organization: GeoApps
> To: [EMAIL PROTECTED]
>
> --- Forwarded message follows ---
> From: [EMAIL PROTECTED]
> Sent: Fri, 8 Apr 2005 02:28:14 UT
> To: [EMAIL PROTECTED]
> Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email
> Send reply to: [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ===
> A U S C E R T   A L E R T
>
> AL-2005.007 -- AUSCERT ALERT
> 'Update your windows machine' fraudulent email
> 8 April 2005
> ===
>
> OVERVIEW
>
> AusCERT would like to advise that a fraudulent email with a subject line of 'Update your windows machine' is currently circulating, with a claimed sender of [EMAIL PROTECTED]. This email links to a site which fraudulently presents itself as the Microsoft Windows Update web site. When clicking on links on the site claiming to apply an 'Express Install' or 'Custom Install', a malicious executable will attempt to run on the user's machine. This executable will attempt to connect to an IRC chat server, allowing a malicious user to take control of the user's machine and potentially involve it in other malicious activity.
>
> VULNERABILITY
>
> The web site involved in this instance does not exploit any software vulnerabilities. Instead, it uses a social engineering trick to entice a user to run malicious code.
>
> MITIGATION
>
> This exploit requires user interaction - deleting these emails as they arrive and not clicking on any links they contain is a safe mitigation strategy.
>
> Users should, as ever, remain aware of the danger of clicking on links in unsolicited emails.
>
> EXPLOIT DETAILS
>
> The current email used to entice people to visit the malicious site looks like:
>
> ---
> Subject: Update your windows machine
> From: Windows Update [EMAIL PROTECTED]
> To: Auscert [EMAIL PROTECTED]
>
> Welcome to Windows Update
>
> Get the latest updates available for your computer's operating system, software, and hardware. Windows Update scans your computer and provides you with a selection of updates tailored just for you.
>
> Express Install : High Priority Updates for Your Computer
> ---
>
> This includes links to go to one of the following IP addresses:
>
> 64.71.77.76
> 221.151.249.236
>
> Other IP addresses or domain names may be used in future variants of this email.
>
> If the malicious code is downloaded and run, the malware will install itself on the user's system as MFC42.exe, and will configure itself to run on startup. It will then attempt to connect to an IRC chat server, which allows an attacker to execute commands on infected hosts. This may include involving infected hosts in Distributed Denial of Service (DDoS) attacks on other Internet hosts. This collection of attacker-controlled machines is also known as a 'botnet'.
>
> This is detected by the following anti-virus products as:
>
> Kaspersky: Backdoor.Win32.DSNX.05.a
> Panda: Bck/DSNX.05
>
> AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.
>
> If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:
>
> http://www.auscert.org.au/render.html?it=3192
> ===
> Australian Computer Emergency Response Team
> The University of Queensland
Re: [Declude.Virus] Opteron Server spec??
On Friday, October 15, 2004, 11:31:38 PM, Greg wrote:
> I am running a dual 2.4HT 533 Xeon with 1gig 2100 and 73 gig 10k SATA drives. We process about 200k messages a day and I am starting to get complaints about slow delivery. As well we are running around 85% to 100% CPU util across the board now on Win2003.
>
> I am running 1.81 pro vir and pro junk.
>
> I am curious to know what some of you would recommend as a high end hardware config to tackle this problem and also be able to consume the growth of another 1500 domains and the wonderful crap that comes with them that is now forcing my hand once again to spend more $$ to fight SPAM.

I don't think the 64bit hardware will help. The software you are using is not up to taking advantage, and you are processing lots of small (relatively) messages and data streams. 64 bit hardware is best used on large monolithic data sets (video, databases, media streams etc). Until the software catches up it is my opinion 64 bit hardware will not help you with email.

As for loading, I am processing a significant volume of messages (mostly spam from spamtraps) using a P2/450 w/ 256K RAM, a pair of standard IDE hard drives (4G) mirrored in software RAID, Win NT4, IMail 6.x, Declude Pro JM + Virus, F-Prot, Message Sniffer 2-3.0i6.

My most recent analysis showed as follows for the past 12 hours. This data is typical for this system:

| MDLP - V0.988 (TEST!) Build: Oct 9 2004 16:53:52
| Data from: 2004-10-15 00:00:19 thru: 2004-10-16 00:00:12
| Messages: 35123, Spam: 27851 (79.2956 %), Ham: 7272 (20.7044 %), Threshold: 100

This suggests to me that your best route would be to purchase a pair of mid grade servers, each with a pair of mid-grade Xeon processors, SATA RAID 1 with fast spindles, 4G RAM should probably do it. Split the load between the two and both should be able to handle their load and some growth with ease... plus this will save you some dollars. Pay careful attention to tuning.

Additional load can be handled with additional similar boxes. I like the multiple, generic box methodology because it provides for fluid expansion, rapid recovery, possibly fail-over, and represents a smaller cash outlay. Also, using multiple, smaller servers helps to divide network traffic across the network devices and increases the number of _real_ CPUs available for handling traffic and responses. As a result I find that these systems tend to stand up to heavy traffic more easily without showing the strain to the users in the guise of slowing or chunky responses.

All of this just my humble opinion.

Best,

_M

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re: [Declude.Virus] anybody still here?
S.

You'll frighten them and they will swim to the other end of the tank. %^b

On Wednesday, August 4, 2004, 9:59:18 AM, Bruce wrote:
> I have not seen anything since Monday am? Is it just this slow?
>
> Bruce
Re[2]: [Declude.Virus] Stop When a scanner finds a virus
I agree with the sudden death scenario. With virus scanners it would be helpful to stop after the first found virus. If the first scanner is significantly more efficient than the others (such as F-Prot) then the savings would be amplified quite a bit. Since virus scanners are almost always dumb and don't learn anything from the messages they process there is no good reason I can think of to run a second or third scanner if the first has detected a virus.

_M

On Monday, August 2, 2004, 4:40:27 PM, Markus wrote:
> > When running multiple scanners is there a way to prevent the other configured virus scanners from scanning the message if the first virus scanner finds a virus?
> >
> > No, there is not. Given that all non-virus E-mails will be sent through all scanners, the extra time used is minimal unless a high percentage of your traffic is viruses. We are considering an option to let you stop scanning after the first virus is detected.
>
> Looking at the last 4 months 17% of the processed messages on our server are virus infected. 50% are Spam = without file attachments.
>
> If we assume that from the resting 33% of legit messages one quarter has a file attachment, we have the following percentages for messages with file attachments and so calling virus scanners:
>
> ~ 17% infected messages
> ~ 8% legit messages
>
> If every message triggers two virus engines, stopping after the first detection of a virus would significantly reduce virus checks by 34%. Running 3 virus engines it would cut down engine calls by over 45% = with the same resources you can run a third scan engine.
>
> Markus
Re[2]: [Declude.Virus] OT: Hello?
On Thursday, July 29, 2004, 1:36:45 PM, Marc wrote:
> Hi Sharyn.
>
> I haven't seen anything today either, maybe everyone in the north-east is out looking at that strange yellow object in the sky (the sun) and trying to dry out.

That's not the sun. It's a hologram projected overhead by ILM and the sound crew that faked the Apollo missions to prevent us from freaking while the government negotiates with the aliens who scooped us up while we were sleeping... you'll see...

%^b (sorry, couldn't resist)

_M
Re[2]: [Declude.Virus] Feature request
On Tuesday, July 27, 2004, 4:38:49 PM, Dan wrote:

What about BANZIPn where n is some number of levels or greater. That is BANZIP3 instead of BANZIPZIPZIP, and in case someone wants to allow 3 levels of depth (if it comes to that) BANZIP4...

_M

> I would like to request BANZIPINZIPINZIP.
>
> ----- Original Message -----
> From: Scott Fisher [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, July 27, 2004 10:30 AM
> Subject: [Declude.Virus] Feature request
>
> > Now that zip files containing .zip files are a known virus threat, will there be a Declude update to block this virus vulnerability? I think we can certainly expect to see more of these in the future. I'd also like to see this as a high priority from Declude.
> >
> > As a corporate customer a BANZIPINZIP option would certainly be acceptable. It would be more questionable for ISP customers. It's probably the easiest quick fix.
> >
> > Making BANZIPEXTS recursive is another option. BANZIPEXTS doesn't check .ZIP files within .ZIP files.
> >
> > As a Declude Virus Pro user running three anti-virus scanners and having tons of extensions blocked, I see .zip files containing .zip files to be the most viable way to get a virus into my e-mail system.
> >
> > Scott Fisher
> > Director of IT
> > Farm Progress Companies
>
> ---
> Sign up for virus-free and spam-free e-mail with Nexus Technology Group
> http://www.nexustechgroup.com/mailscan
Re[2]: [Declude.Virus] Bitdefender claims terror ties to virus
On Thursday, July 22, 2004, 12:04:19 PM, Markus wrote:
> > Right now there IS a vast network of zombies being used to send spam. If the virus writers sell or give access to spammers, they could be giving access to anyone and these compromised computers could be used just as easily to launch DDOS attack on infrastructure as they can to send spam.
>
> This is why I really really hope that someone writes a Sasser-like worm with the only intention to activate something very nerve-racking on the infected machine. (5-minute popups or automatically deactivated hardware devices like mouse, printer, floppy, cdrom...)

<insanity>

Hey - what about a DNSBL that is fed by a worm? The worm goes out and infects as many machines as it can with as many methods possible - then it reports back the IP to a central server and the server puts the IP in a DNSBL - then the worm goes to sleep to see if it can infect again another day.

What about worms that exploit holes in worms to kill the worms and then... no wait, that's been done...

</insanity>

Stuff like this comes up in brainstorming sessions here all the time - that doesn't make it a good idea. Putting on the black hat once in a while and looking for holes is a cornerstone of bulletproofing R&D... I know I'm glad I'm not working for the dark side... I can't even say some of the things I've thought of - it just wouldn't be worth the risk of getting it out there - no telling who's listening.

Suffice to say, unsecured equipment is a bad thing and it needs to go away. Any way we can do that, without turning to the dark side, is a good thing. Since no amount of cleanup will ever be perfect or complete, the other thing we will always need to do is strengthen the network against exploits... There are lots of ways to do this that just haven't been done... and politically may never be done... but I hope those things happen before we start writing white worms.

_M

I'm reminded of a Star Trek episode... Miri I think it was. They came across a handful of children - all that was left of an industrialized society that had attempted to cure mortality by releasing a series of viruses to alter their DNA and boost their immune systems. In the end, the viruses mutated so that anyone reaching puberty became very scary and died. Sure, it's sci-fi - but if you can dream it, it can happen - so be careful what you wish for.
[Declude.Virus] Watch out for this...
I just got this thing - it looks like big trouble. Don't follow the link. (I broke it up with spaces)

> Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Goto the link below for pictures, I will update the page with the video as soon as I can:
>
> http:// 220 . 95 . 231 . 54/pics/
>
> God Bless America!

The target appears to be an encrypted html using the object data exploit. Note that this one was carefully targeted - the to: addresses were very specific. Your users will probably follow this link if they are not prepared. You may want to block the IP at your border routers.

Hope this helps,

_M
Re: [Declude.Virus] How do we block the next Bagle?
To clarify, group 62 is experimental. Malware is in group 55.

_M

At 05:20 PM 3/19/2004, you wrote:
> I'm a big fan of deeper categorization. I believe these are listed in the Experimental category presently, but due to some of the patterns in that rule base, I actually score it lower than the others. This change in particular though wouldn't likely affect us since Scott has been up on the issues and working around them as they appear.
>
> Matt
>
> Scott Fisher wrote:
> > Perhaps Pete from Sniffer could assign a new Message Sniffer Result Code just for these heuristics. We could then assign a hold based on this specific result code.
> >
> > Scott Fisher
> > Director of IT
> > Farm Progress Companies
> >
> > [EMAIL PROTECTED] 03/19/04 03:42PM
> > > Heuristics!
> > >
> > > This was a novel, but lame attempt at exploiting a download vulnerability. This would have been 1,000 times worse if the virus dynamically provided a list of IP's from known infected computers. This can be done, and eventually it will be done. The kid writing Bagle has shown that he has some talent for coming up with new tricks, and so far he has come up with the best human engineering attempt, and new exploits for password protected files and hiding the payload outside of the E-mail. It's clear to me that a person that knows this stuff has some experience with E-mail systems and he almost definitely works for spammers. If he was to mix some human engineering with remotely hosted code, the result could be disastrous. This attempt was lame because the exploit was old, long-past patched, easily detectable, and it relied on hard coded IP's. Pete from Sniffer has been coding up new rules for this stuff (not all of his clients use Declude Virus), and if you have JunkMail Pro, it's easy to write a filter to block something that is IP linked to port 81.
> > >
> > > In the future, there will likely be little difference between what is necessary to block spam and viruses, and I could see when it might make sense to merge functionality between Declude Virus and Declude JunkMail to achieve a higher level of heuristics. Full MIME parsing in JunkMail may very well give us many useful capabilities. For now, I don't see the need as being urgent, but I've thought that such a thing as you described was possible for some time, and I've been wondering why it didn't happen. Maybe the AV scanner companies will come out with command line functionality that includes content heuristics some time in the future.
> > >
> > > FYI, I've found Declude JunkMail on my system tends to catch most all of the undetected variants that slip through in normal ZIP files early on.
> > >
> > > Matt
> > >
> > > Greg Little wrote:
> > > > How will we block a virus like Bagle.Q that does not use an auto run vulnerability? There's still no attachment to hand off to the mail server's virus scanner(s). If the body was VERY standard, it could be pattern matched by Declude. Add a little random action to the body (and the port used) and here we go again. The latest batch of Bagle's (Q,R,S,T) can be blocked because, while not a virus, it breaks the rules. (Auto run using a hole in MS outlook) The next version may be the same, except the user has to run it by hand. Just a 1 K e-mail with a link to a recently compromised PC. When will it end?? (or at least slow down)
> > > >
> > > > PS Scott, Thanks for the recently added Vulnerability blocking. (for Q R S T)
> > >
> > > --
> > > MailPure custom filters for Declude JunkMail Pro.
> > > http://www.mailpure.com/software/
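Three lures on this page share one trait: the fake Windows Update mail (links to 64.71.77.76 and 221.151.249.236 in the AUSCERT alert), the 'Bin Laden captured' mail (http:// 220 . 95 . 231 . 54/pics/, spaced out on purpose), and the Bagle variants that linked to an IP on port 81. The body links to a raw IP address, sometimes on a non-standard port. As an added example that is not Declude or JunkMail filter syntax, this is the check in plain code: pull every URL whose host is an IPv4 literal, tolerate whitespace around the dots so a deliberately broken-up link is still seen, and grade the message. The known-bad list is taken from the posts above; the sample bodies are constructed.

```python
"""Added example, not Declude/JunkMail filter syntax: flag message bodies
that link to an IPv4 literal, with a non-standard port, or to a known bad
host. KNOWN_BAD is copied from the posts on this page; samples are constructed.
"""
import re
from typing import List, Tuple

# Tolerate whitespace after 'http://' and around the dots so a link broken up
# on purpose (as in the forwarded lure) still resolves to its octets.
_OCT = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IP_URL = re.compile(
    r"https?://\s*(" + _OCT + r"\s*\.\s*" + _OCT + r"\s*\.\s*" + _OCT + r"\s*\.\s*" + _OCT + r")"
    r"(?::(\d{1,5}))?",
    re.IGNORECASE,
)

KNOWN_BAD = {"64.71.77.76", "221.151.249.236", "220.95.231.54"}  # from the posts above
NORMAL_PORTS = {80, 443}


def ip_links(body: str) -> List[Tuple[str, int]]:
    """Return (ip, port) for every URL in body whose host is an IPv4 literal."""
    out: List[Tuple[str, int]] = []
    for m in _IP_URL.finditer(body):
        ip = re.sub(r"\s+", "", m.group(1))
        port = int(m.group(2)) if m.group(2) else 80
        out.append((ip, port))
    return out


def classify(body: str) -> str:
    """'block' for a known bad host or a non-standard port, 'hold' for any
    other IP-literal link, 'pass' when no such link is present."""
    links = ip_links(body)
    if not links:
        return "pass"
    if any(ip in KNOWN_BAD or port not in NORMAL_PORTS for ip, port in links):
        return "block"
    return "hold"


def triage(messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Grade a list of (label, body) pairs; labels are constructed for the demo."""
    return [(label, classify(body)) for label, body in messages]


SAMPLES = [  # constructed bodies modelled on the lures quoted on this page
    ("windows-update", "Express Install : High Priority Updates http://64.71.77.76/update/"),
    ("bin-laden", "Goto the link below for pictures: http:// 220 . 95 . 231 . 54/pics/"),
    ("bagle-style", "see my photos http://192.0.2.10:81/x.php"),
    ("plain-ip", "internal test page http://192.0.2.20/index.html"),
    ("normal", "Get the latest updates at http://www.example.com/update"),
]
```

Raw-IP links are not proof of malice (plenty of internal tools are reached that way), which is why an unknown IP on a normal port only earns a hold rather than a block; the odd port and the known hosts are the parts worth scoring hard.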
RE: [Declude.Virus] Something interesting..
Wdialupd / Porndial - http://www.f-secure.com/v-descs/wdialupd.shtml

Probably a variant.

_M

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze - Hostmaster
> Sent: Friday, November 07, 2003 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] Something interesting..
>
> I'm debating backing up all my info and running the exe just to see if anything happens. I have my laptop ghosted and will be back up and running in about 30 minutes.. Plus, the software firewall I run would let me know if anything tries to connect to anything..
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Marchette
> > Sent: Friday, November 07, 2003 1:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.Virus] Something interesting..
> >
> > Yet another compelling reason to block zip files.
> >
> > > -----Original Message-----
> > > From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, November 07, 2003 10:36 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Declude.Virus] Something interesting..
> > >
> > > I just got two e-mails in our spam account. Here's their info:
> > >
> > > From: [EMAIL PROTECTED]
> > > Subject: Hi
> > >
> > > Hi again. I am very sorry i took so long to respond. I was away for a couple of days with my friend emmy. We took a little tour around the beautiful city of ours, i have visited lots of nice places, and seen lots of nice ppl. Well anyways, here is the free attachment that i promised. its mostly about me. just download it, unzip and run. easy as 1,2,3... Enjoy.
> > >
> > > It also came with a MyMovie.zip file that was neither picked up by Norton, nor F-Prot on the server. Any ideas? Within the zip file is a file called My-Private-H0t-Movies.exe.
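Both the BANZIPn feature-request thread (limit zip-in-zip nesting) and the MyMovie.zip post just above (an .exe inside an archive that two scanners passed) come down to the same inspection: open the archive from memory, look at what is inside at every level, and stop at a depth limit. This is an added example, not Declude's BANZIP/BANZIPEXTS implementation; the banned extension list, the depth limit of 3 (BANZIP3 in the thread's proposed syntax), the member size cap and the sample archives are all constructed for the demo.

```python
"""Added example, not Declude's BANZIP/BANZIPEXTS code: report the nesting
depth of zip-inside-zip and any banned extension at any level, without
extracting to disk. Limits and the banned list are assumptions.
"""
import io
import zipfile
from typing import Dict, List, Tuple

BANNED_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}  # assumed list
MAX_DEPTH = 3                       # BANZIP3 in the thread's proposed syntax
MAX_MEMBER_BYTES = 8 * 1024 * 1024  # do not open inner zips larger than this (bomb guard)


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_zip(data: bytes, depth: int = 1) -> Tuple[int, List[str]]:
    """Return (deepest level seen, labels of offending members).

    Depth 1 is the outer archive. A .zip member is opened recursively from
    memory until MAX_DEPTH; at the limit it is reported rather than opened.
    Raises zipfile.BadZipFile if data itself is not a zip.
    """
    hits: List[str] = []
    deepest = depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            label = "%s@depth%d" % (info.filename, depth)
            if ext in BANNED_EXTS:
                hits.append(label)
                continue
            if ext != "zip":
                continue
            if depth >= MAX_DEPTH:
                hits.append(label + ":too-deep")
                deepest = max(deepest, depth + 1)
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(label + ":too-large")
                continue
            try:
                inner_depth, inner_hits = inspect_zip(zf.read(info), depth + 1)
            except zipfile.BadZipFile:
                hits.append(label + ":not-a-zip")   # .zip name on non-zip bytes
                continue
            deepest = max(deepest, inner_depth)
            hits.extend(inner_hits)
    return deepest, hits


def build_zip(members: List[Tuple[str, bytes]]) -> bytes:
    """Constructed test data: an in-memory archive of (name, bytes) members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Dict[str, Tuple[int, List[str]]]:
    """The MyMovie.zip shape, a three-level nest, a four-level nest, a clean file."""
    mymovie = build_zip([("My-Private-H0t-Movies.exe", b"MZ\x90\x00demo")])
    nested = build_zip([("inner.zip", build_zip([("deeper.zip", build_zip([("payload.scr", b"MZ")]))]))])
    toodeep = build_zip([("a.zip", build_zip([("b.zip", build_zip([("c.zip", build_zip([("x.txt", b"hi")]))]))]))])
    clean = build_zip([("report.pdf", b"%PDF-1.4 demo")])
    return {"mymovie": inspect_zip(mymovie), "nested": inspect_zip(nested),
            "toodeep": inspect_zip(toodeep), "clean": inspect_zip(clean)}
```

The depth guard matters as much as the extension check: an attacker who learns the scanner opens one level simply adds another, and without a cap a self-referencing or highly compressed archive turns the inspection itself into the denial of service. Password-protected archives, which the Bagle thread on this page also mentions, cannot be opened at all and deserve their own rule.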
RE: [Declude.Virus] Sobig- The Morning After
At 11:45 AM 8/23/2003 -0500, you wrote:
> THIS IS AN INCREDIBLE GROUP ! DECLUDE IS AN INCREDIBLE PRODUCT !!! KUDOS to you Scott. Grateful THANKS to all the members who contributed yesterday !
>
> Agreed! My users were protected even before receiving the updated DAT's due to banning the .pif's.
>
> HEAR, HEAR! Thanks in large part to Declude we have had NO incursions of Sobig in the networks we manage!
>
> Hats Off! Blocking the port kept a PC somewhere in our network from doing any damage. It made over 1200 attempts to contact a server outside our network in the first hour. We will hunt it down and make sure it gets cleaned up.

I've had only one user that attempted to make a request on UDP 8998. They were contacted immediately and taken care of. Interestingly enough, this user utilized the mail services of a different, and obviously unprotected system.

But now, one must wonder... what's next?

For a long time now we've had a "Black First" policy on all of our networks, further reinforced yesterday when we temporarily restricted outbound traffic to ONLY ports 80 & 443 for all workstations (no IM, no music, nada - you can imagine the moaning that resulted from that). We've got a lot of fire power invested in detecting and rejecting trouble from the wild wired world... but nobody can completely cure a DoS, or worse - something completely new...

Sobig is definitely a scary customer... not as bad as it could be (I dare not speak of the full blown CCA type attacks we've simulated in our R&D)... but this one sure has us _AWAKE_ ...

_M

(CCA = Coordinated Cellular Automata. We develop self-supporting distributed systems so we have to play white-hat/black-hat games to ensure the designs are as secure as we can make them... This issue of Sobig is only a few critical pieces shy of being apocalyptically scary.)
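The two things the replies above actually did to find infected PCs, as an added example that is not from the post: pick out an internal host that makes an abnormal number of attempts to one outside server within an hour (the "over 1200 attempts in the first hour" symptom), and list internal hosts seen on UDP 8998. Everything here is assumed for the demo: the firewall log line shape, the 10.0.0.0/8 internal range, the 1200-per-hour threshold, and the constructed sample log.

```python
"""Added example, not from the post: burst detection and a watched-port
list over border-firewall deny logs. Line format, internal range, threshold
and the sample log are assumptions for the demo.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
WATCH_PORTS = {("udp", 8998)}                   # the UDP 8998 requests mentioned above
BURST_THRESHOLD = 1200                          # attempts to one destination per rolling hour
WINDOW = timedelta(hours=1)

# Assumed generic line shape: "2003-08-23 09:00:00 DENY tcp 10.0.0.42 -> 203.0.113.5:80"
_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (tcp|udp) "
                   r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(line: str) -> Optional[Tuple[datetime, str, str, str, int]]:
    """(timestamp, proto, src, dst, dport) for a DENY line, else None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            m.group(2), m.group(3), m.group(4), int(m.group(5)))


def analyze(lines: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Return ({src: peak attempts to one dst in any 1h window, if >= threshold},
    [internal srcs seen on a watched proto/port])."""
    events: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    watched: Set[str] = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, proto, src, dst, port = rec
        if ipaddress.ip_address(src) not in INTERNAL:
            continue
        if (proto, port) in WATCH_PORTS:
            watched.add(src)
        events[(src, dst)].append(ts)
    bursts: Dict[str, int] = {}
    for (src, _dst), stamps in events.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):          # sliding one-hour window over sorted times
            while t - stamps[lo] > WINDOW:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= BURST_THRESHOLD:
            bursts[src] = max(bursts.get(src, 0), peak)
    return bursts, sorted(watched)


def make_sample() -> List[str]:
    """Constructed log: one host hammering one outside server every 2 s, one
    normal host, one UDP/8998 probe, and an ACCEPT line the parser ignores."""
    base = datetime(2003, 8, 23, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = ["%s DENY tcp 10.0.0.42 -> 203.0.113.5:80"
             % (base + timedelta(seconds=2 * i)).strftime(fmt) for i in range(1250)]
    lines += ["%s DENY tcp 10.0.0.7 -> 198.51.100.%d:443"
              % ((base + timedelta(minutes=10 * i)).strftime(fmt), i + 1) for i in range(5)]
    lines.append("2003-08-23 09:31:07 DENY udp 10.0.0.99 -> 198.51.100.200:8998")
    lines.append("2003-08-23 09:31:08 ACCEPT tcp 10.0.0.7 -> 198.51.100.9:80")
    return lines
```

Counting per (source, destination) pair rather than per source is deliberate: a busy workstation talks to many hosts, while a worm that cannot get out keeps retrying the same one, which is what makes the 1200-in-an-hour figure stand out.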