Title: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
I see this guy regularly.  It's kind of like phishing.  He moves around from site to site sending out gif.exe's, pretending they are greeting cards.  I don't see much volume, though it is steady and has been for months.

Matt



Colbeck, Andrew wrote:
Richard, you might want to check this thread from the archives.  Goran can clarify, but I'm pretty sure that this is the source of the "Sane Security" detection string.
 
For what it's worth, Message Sniffer catches the email message body you supplied with the MALWARE category.
 
The hosting provider, 0catch.com are not bad guys but their express hosting model makes them a frequently used hoster of malware and pharmacy sales/scams.
 
The link was still active, so I downloaded and ran it through various antivirus engines out of curiosity.  Trend Micro didn't detect it, but F-Prot, McAfee and CLAM-AV all did.
 
Here are the results from VirusTotal.com :
 

Results of a file scan

This is a report processed by VirusTotal on 04/06/2006 at 19:19:19 (CET) after scanning the file "postcard.gif.exe".

Antivirus           Version         Update      Result
AntiVir             6.34.0.24       04.06.2006  TR/Zapchas.F
Avast               4.6.695.0       04.03.2006  Win32:Parite
AVG                 386             04.06.2006  IRC/BackDoor.Flood
Avira               6.34.0.56       04.06.2006  TR/Zapchas.F
BitDefender         7.2             04.06.2006  Backdoor.IRC.Zapchast.AY
CAT-QuickHeal       8.00            04.06.2006  no virus found
ClamAV              devel-20060202  04.06.2006  W32.Parite.B
DrWeb               4.33            04.06.2006  no virus found
eTrust-InoculateIT  23.71.121       04.06.2006  no virus found
eTrust-Vet          12.4.2151       04.06.2006  no virus found
Ewido               3.5             04.06.2006  no virus found
Fortinet            2.71.0.0        04.06.2006  BAT/Zapchast.S-tr
F-Prot              3.16c           04.06.2006  security risk or a "backdoor" program
Ikarus              0.2.59.0        04.06.2006  no virus found
Kaspersky           4.0.2.24        04.06.2006  Backdoor.IRC.Zapchast
McAfee              4734            04.05.2006  IRC/Flood.ev
NOD32v2             1.1474          04.05.2006  IRC/Zapchast.L
Norman              5.90.15         04.06.2006  Smalldrp.IYU
Panda               9.0.0.4         04.05.2006  no virus found
Sophos              4.04.0          04.06.2006  W32/Parite-B
Symantec            8.0             04.06.2006  Trojan.Dropper
TheHacker           5.9.7.125       04.05.2006  no virus found
UNA                 1.83            04.05.2006  no virus found
VBA32               3.10.5          04.06.2006  Backdoor.IRC.Zapchast

 
 
Andrew 8)
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Farris
Sent: Thursday, April 06, 2006 10:20 AM
To: [email protected]
Subject: Re: [Declude.JunkMail] Virus?

Which virus scanner do you use?

Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"
----- Original Message -----
Sent: Thursday, April 06, 2006 10:47 AM
Subject: RE: [Declude.JunkMail] Virus?

I had to manually release your message from the virus queue because it got tagged as

 

Virus:            Html.Phishing.Card.Sanesecurity.06022100

 

 

Goran Jovanovic

Omega Network Solutions


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Farris
Sent: Thursday, April 06, 2006 9:04 AM
To: [email protected]
Subject: [Declude.JunkMail] Virus?

 

I just received about 10 of these at 7:30 this morning...any ideas what is going on..


Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"




Subject:
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
From:
"Bill Landry" <[EMAIL PROTECTED]>
Date:
Tue, 21 Feb 2006 22:43:55 -0700
To:
<[email protected]>

BTW, if you are running ClamAV, and want to take full advantage of its
phish-catching capabilities, you might want to take a look at adding the
phish signature file that Steve Basford put together (see the attached
e-mail for details).  I have been running them for a few weeks, and they are
quite awesome.  Steve periodically updates the phish signatures, as well, so
check regularly for an updated file.

Bill
----- Original Message -----
From: "Scott Fisher" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, February 21, 2006 10:14 AM
Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters


> Aaarrgg.
> Good catch Bill.
>
> ----- Original Message -----
> From: "Bill Landry" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, February 21, 2006 12:03 PM
> Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
>
>
>> ----- Original Message -----
>> From: "Scott Fisher" <[EMAIL PROTECTED]>
>>
>>> You do need the Pro version to run more than one scanner.
>>> It's the best thing about Virus Pro...
>>> Also nice if you get a set of bad definitions or a scanner stops
>>> working, the other scanners will cover.
>>>
>>> With PRESCAN ON, Mcafee Virusscan catches some phish.
>>> Clamav catches most phish.
>>
>> Actually, you would need to have "PRESCAN OFF" in order to catch most
>> phish e-mails with Declude.  Otherwise, Declude Virus PRESCANs all
>> messages and finds that most phish messages contain nothing worth
>> scanning and thus bypasses the virus scanners.
>>
>> Bill
>> ---
>> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
>>
>> ---
>> This E-mail came from the Declude.JunkMail mailing list.  To
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.JunkMail".  The archives can be found
>> at http://www.mail-archive.com.
>>
>




Subject:
Re: [Clamav-users] Phishing detection
From:
"Steve Basford" <[EMAIL PROTECTED]>
Date:
Thu, 16 Feb 2006 14:07:57 -0700
To:
"ClamAV users ML" <[email protected]>

> Can someone please tell me how ClamAV goes about phishing detection? I presume it has something to do with libcurl going out to a web site and some checks being performed on whatever is returned.

>
Not normally... most phishing detection is done by matching text/HTML
that is common, looks odd, or has bad spelling in the email.
> We have had several phishes get through -- most appear to be Google, About, or Ebay redirects, such as:
>       href="http://www.google.com/url?sa=U&q=http://81.196.204.130:82/webscr/index.php" (A PayPal phish.)
>
Well, the above is just using Google to redirect to the phishing site.
I think they count on people hovering the mouse over the link,
seeing Google and then trusting the site, which you normally wouldn't do.
> Sites were hot at the time the messages were received, so either my concept of how ClamAV blocks phishing is wrong or the detection method is not as generic as I would have thought.

>
Generic phishing signatures can be done... but... they are very difficult
to get right without any false positives.
> Also, I would add that I have submitted a few of these phishes to ClamAV's virus submission and they all seem to get discarded without comment.

>
Basically, ClamAV is there to protect you from viruses, Trojans and then
phishing attempts (roughly in that order).   Signature makers are very
busy doing virus signatures... after all, I'd much prefer to have a
virus stopped than a phishing attempt.

Having said that, I've come up with my own un-official signatures,
designed to catch phishing attempts that ClamAV official signatures let
through.  Not everyone will want to use them... after all, do you trust
me to do signatures?

(Just in case this helps... I've been part of the Windows SpamPal
Anti-Spam support team for the last two or three years,
see: http://www.spampal.org/credits.html)

Anyway, to grab the un-official signatures, go to the site here and
download the phish.ndb file and place it in the same directory as your
daily.cvd file:   http://www.sanesecurity.com/clamav/

There's also a pdf file there, showing how I put a signature together. 

For what it's worth, I would certainly still submit your phishing emails
to the ClamAV team and I would also suggest submitting the emails to
this "phishing tracker" site: http://www.dslreports.com/phishtrack

Cheers,

Steve

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
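Steve's reply above describes ClamAV phishing detection as plain signature matching on text/HTML, and points at a hand-built phish.ndb file. The block below is an added illustration, not code from the thread, from Sane Security or from ClamAV: it builds .ndb-style lines (MalwareName:TargetType:Offset:HexSignature, as documented by ClamAV) from a phrase and from a hand-written wildcard pattern, then runs a deliberately simplified matcher over a constructed mail body. The signature names, the phrase, the sample body and the 192.0.2.10 address are all constructed for the example; a real .ndb is evaluated by ClamAV's own engine, which also normalises HTML before matching, and this toy matcher does neither.

```python
import re

# ClamAV .ndb extended-signature format (per the ClamAV signature docs):
#   MalwareName:TargetType:Offset:HexSignature[:MinFL:MaxFL]
# TargetType 3 = HTML file, Offset "*" = anywhere in the file.
# Inside the hex body, "??" matches any single byte and "*" any run of bytes.

def make_ndb_signature(name: str, phrase: str, target_type: int = 3) -> str:
    """Build an .ndb line from a plain-text phrase: the phrase's bytes, hex-encoded."""
    return f"{name}:{target_type}:*:{phrase.encode('ascii').hex()}"

def ndb_to_regex(hexsig: str) -> re.Pattern:
    """Translate a hex body (with ?? and * wildcards) into a bytes regex.
    Simplified: ClamAV's other wildcard forms such as {n-m} are not handled."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def scan(body: bytes, sigs: list[str]) -> list[str]:
    """Return the names of the signatures whose hex body occurs in the message."""
    hits = []
    for line in sigs:
        name, _target, _offset, rest = line.split(":", 3)
        hexsig = rest.split(":")[0]          # drop optional MinFL:MaxFL fields
        if ndb_to_regex(hexsig).search(body):
            hits.append(name)
    return hits

# Constructed example signatures (hypothetical names; not Sane Security's phish.ndb).
SIGS = [
    make_ndb_signature("Html.Phishing.Example.Greeting", "You have received a greeting card"),
    # Hand-written with a wildcard: "google.com/url?" ... any bytes ... "q=http://",
    # the redirect shape quoted in the thread.
    "Html.Phishing.Example.GoogleRedirect:3:*:"
    + b"google.com/url?".hex() + "*" + b"q=http://".hex(),
]

# Constructed sample message body (192.0.2.10 is a documentation address).
CONSTRUCTED_MAIL = b"""<html><body>Hi! You have received a greeting card.
<a href="http://www.google.com/url?sa=U&q=http://192.0.2.10:82/webscr/index.php">Open</a>
</body></html>"""

if __name__ == "__main__":
    print(scan(CONSTRUCTED_MAIL, SIGS))
```

Running the block lists both constructed signature names for the sample body and nothing for an ordinary message, which is the whole mechanism: no network fetch, just byte patterns in the mail.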
