On 01/11/2012 08:31 AM, [email protected] wrote:
> I won't post it, because I'm not sure who would be vulnerable, but I just
> received this great email virus.
>
> It basically uses google code javascript decryption to deploy the package
> sent as an encrypted text stream. Nice.
>
> How will the mail filters deal with this? Can they? The decrypt is written
> in javascript and comes from the google code url, so it is probably viewed
> by filters as safe. The text stream looks merely like random text with no
> obvious patterns. Also, your javascript stream gets blacklisted? Change the
> encrypt key, done.

I make it a habit to turn off javascript in anything that doesn't need
it (a list 'according to me'; pdf viewers, mail clients, etc).

Javascript is a cesspool of vulnerabilities (nearly every adobe acrobat
exploit over the last few years has been javascript related, most
web-browser vulnerabilities are js related...).

I even turn js off on my android web browser, but I periodically have to
turn it back on (e.g., wikipedia's mobile version is great, except that
it needs javascript to be useful).

That said, signature-based detection could still nail it, unless they
encrypt it differently for each recipient (less likely in the general
phishing case because the computational requirements are too high, but
very likely in a spear-phishing attempt).

I've seen a perhaps slightly different kind of spam where it's just a
single link to google docs (presumably to a doc that has malicious
javascript). That would be very hard for the email signature-based
stuff to detect, because creating a bunch of unique urls puts load on
google's infrastructure, not the spam-bot-net.

Interesting aside: you know what they call spear-phishing for C-level
executives? Whaling. (Can't remember where I heard that from;
apologies if it was from this list.)

Matt
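
An added example, not part of the original thread: one way a mail filter could handle the case discussed above without a payload signature, by flagging the structure of the message (a remote script reference together with a long high-entropy text run) rather than its bytes, so that a re-keyed payload scores the same. The thresholds, the `example.invalid` host and the sample messages are constructed assumptions.

```python
import base64, hashlib, math, re
from collections import Counter
from email import message_from_string
from html.parser import HTMLParser

ENTROPY_BITS = 5.0  # assumed threshold (bits/char); base64 ciphertext sits near 6
MIN_RUN = 200       # assumed minimum length of an unbroken character run

def entropy(s):
    """Shannon entropy of the character distribution, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

class Scan(HTMLParser):
    """Collects remote <script src> URLs and all text/script data of one part."""
    def __init__(self):
        super().__init__()
        self.remote_scripts, self.chunks = [], []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "script" and re.match(r"(?i)(https?:)?//", src):
            self.remote_scripts.append(src)
    def handle_data(self, data):
        self.chunks.append(data)

def scan_message(raw):
    """Flag HTML parts that pair a remote script with a high-entropy blob."""
    scripts, blobs = [], 0
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        scan = Scan()
        scan.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        scripts += scan.remote_scripts
        runs = re.findall(r"\S{%d,}" % MIN_RUN, " ".join(scan.chunks))
        blobs += sum(entropy(r) >= ENTROPY_BITS for r in runs)
    return {"remote_scripts": scripts, "blobs": blobs,
            "suspicious": bool(scripts) and blobs > 0}

def constructed_message(seed):
    """Constructed sample: a different seed stands in for a different key."""
    raw = b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(8))
    return ("Subject: invoice\nContent-Type: text/html\n\n"
            '<html><script src="https://code.example.invalid/decrypt.js">'
            "</script><div id=p>" + base64.b64encode(raw).decode() + "</div></html>\n")

# Constructed benign sample: remote script present, but only ordinary prose.
SAMPLE_BENIGN = ("Subject: newsletter\nContent-Type: text/html\n\n"
                 '<html><script src="https://cdn.example.invalid/track.js">'
                 "</script><p>" + "Monthly meeting notes follow. " * 20 + "</p></html>\n")

if __name__ == "__main__":
    for msg in (constructed_message(1), constructed_message(2), SAMPLE_BENIGN):
        print(scan_message(msg))
```

Character entropy only separates base64-like streams from prose; a hex-encoded stream tops out at 4 bits per character and would need a separate rule.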