RE: [Declude.Virus] Windows Update!
Hi Goran:

We have a set of Whitelist filters. As a matter of format:

[Whitelist.Vendor.Microsoft]
[Whitelist.List.Something]

Then I have a combo filter that simply does:

TESTSFAILED WHITELIST CONTAINS [Whitelist.

This way I can do combo tests depending on the category and sub-category and do other things if needed.

Hope that helps.

Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Sunday, April 10, 2005 8:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Kami,

What do you do in Global.cfg when an e-mail fails the MS Filter? Subtract a bunch of points?

Goran Jovanovic
The LAN Shoppe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 6:41 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

Hi Andrew:

We have Microsoft in our spam domains- but the problem is Microsoft sends email from so many different reverse DNS hosts. ISV, MSDN, MSN, Office Newsletter-- all are sent from different providers. For example, here is our MS filter:

MINWEIGHTTOFAIL 2
MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net
REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com

But I have seen them send from other reverse DNS. So it is not that easy- at least I don't think it is.

These emails are being held at 30+ weight in our system. All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50. I am afraid they can think it is a valid email in their spam folder.. who knows. I think we should track this one closely.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Sunday, April 10, 2005 6:03 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Windows Update!

No, that email address is not valid. Those emails have been easily held over on my system.

You can certainly block that bogus MAILFROM, but since the bad guys will continue to change it as they hatch new spoofs, why not split out your SPAMDOMAINS into groups that are likely to be abused, and weight those high enough to meet your HOLD weight?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, April 10, 2005 12:38 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Windows Update!

Hi;

In the past hour I have seen several emails caught as spam, but with the weight still not high enough to be deleted, with the subject: Urgent Windows Update.

As everyone (?) knows, this is the recent attempt to install a worm on the visitor's computer- there is a link to the Express install and no attachments. The link is an IP address. I think ClamAV detects such behavior but it is not catching it yet, and I just checked the update.

I think for now I created a filter so that if the email is from Microsoft and there is an IP address in the body, the email is blocked.

This one email came from [EMAIL PROTECTED] - I really don't think that is a valid MS address. Does anyone know if this is a valid address? Maybe it is worthwhile to block it for now.

This week MS will be releasing some major updates, and from what I read this scam was about to be released today.. so it is starting, at least on our system.

Regards,
Kami
Re: [Declude.Virus] Windows Update!
Here's some background info on this pest (from another list).

Greg Little

-----Original Message-----
Subject: [AVS] (Fwd) 'Update your windows machine' fraudulent email
Date: Fri, 08 Apr 2005 09:27:43 -0700
From: Angus Scott-Fleming [EMAIL PROTECTED]
Reply-To: Network Security Managers List [EMAIL PROTECTED]
Organization: GeoApps
To: [EMAIL PROTECTED]

--- Forwarded message follows ---
From: [EMAIL PROTECTED]
Date sent: Fri, 8 Apr 2005 02:28:14 UT
To: [EMAIL PROTECTED]
Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.007) 'Update your windows machine' fraudulent email
Send reply to: [EMAIL PROTECTED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                      A U S C E R T   A L E R T

                   AL-2005.007 -- AUSCERT ALERT
           'Update your windows machine' fraudulent email
                          8 April 2005
===========================================================================

OVERVIEW

AusCERT would like to advise that a fraudulent email with a subject line of 'Update your windows machine' is currently circulating, with a claimed sender of [EMAIL PROTECTED]. This email links to a site which fraudulently presents itself as the Microsoft Windows Update web site. When clicking on links on the site claiming to apply an 'Express Install' or 'Custom Install', a malicious executable will attempt to run on the user's machine. This executable will attempt to connect to an IRC chat server, allowing a malicious user to take control of the user's machine and potentially involve it in other malicious activity.

VULNERABILITY

The web site involved in this instance does not exploit any software vulnerabilities. Instead, it uses a social engineering trick to entice a user to run malicious code.

MITIGATION

This exploit requires user interaction - deleting these emails as they arrive and not clicking on any links they contain is a safe mitigation strategy. Users should, as ever, remain aware of the danger of clicking on links in unsolicited emails.

EXPLOIT DETAILS

The current email used to entice people to visit the malicious site looks like:

---
Subject: Update your windows machine
From: Windows Update [EMAIL PROTECTED]
To: Auscert [EMAIL PROTECTED]

Welcome to Windows Update

Get the latest updates available for your computer's operating system, software, and hardware. Windows Update scans your computer and provides you with a selection of updates tailored just for you.

Express Install : High Priority Updates for Your Computer
---

This includes links to go to one of the following IP addresses:

64.71.77.76
221.151.249.236

Other IP addresses or domain names may be used in future variants of this email.

If the malicious code is downloaded and run, the malware will install itself on the user's system as MFC42.exe, and will configure itself to run on startup. It will then attempt to connect to an IRC chat server, which allows an attacker to execute commands on infected hosts. This may include involving infected hosts in Distributed Denial of Service (DDoS) attacks on other Internet hosts. This collection of attacker-controlled machines is also known as a 'botnet'.

This is detected by the following anti-virus products as:

Kaspersky: Backdoor.Win32.DSNX.05.a
Panda: Bck/DSNX.05

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: [EMAIL PROTECTED]
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for
RE: [Declude.Virus] Windows Update!
Hi Andrew:

We have Microsoft in our spam domains- but the problem is Microsoft sends email from so many different reverse DNS hosts. ISV, MSDN, MSN, Office Newsletter-- all are sent from different providers. For example, here is our MS filter:

MINWEIGHTTOFAIL 2
MAILFROM 1 ENDSWITH @microsoft.com
MAILFROM 1 ENDSWITH .microsoft.com
MAILFROM 1 ENDSWITH .arvatousa.net
REVDNS 1 ENDSWITH .microsoft.com
REVDNS 1 ENDSWITH .zomax.com

But I have seen them send from other reverse DNS. So it is not that easy- at least I don't think it is.

These emails are being held at 30+ weight in our system. All these emails will go to a spam folder for the user (under weight 50) and are deleted at 50. I am afraid they can think it is a valid email in their spam folder.. who knows. I think we should track this one closely.

Regards,
Kami

[Earlier messages in the thread quoted here have been trimmed; they appear in full in the first message above.]
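The weighting Kami and Andrew describe, as an added example that is not part of the original thread and is not Declude's own code: a small Python model that sums the lines of Kami's MS filter against MINWEIGHTTOFAIL (so a spoof with a microsoft.com envelope sender but an unrelated reverse DNS does not reach the threshold), adds weight when a Microsoft-claiming sender links straight to an IP address in the body (Kami's stop-gap filter), and maps the total onto the 30 (hold) and 50 (delete) thresholds mentioned on the list. Only the ENDSWITH values and the two thresholds come from the thread; the other rule weights, the negative "whitelist" credit (one answer to Goran's question), the function names and the sample messages are assumptions, and the sample IP address is an RFC 5737 documentation address, not the real lure's.

```python
import ipaddress
import re
from email import message_from_string

# Thresholds stated on the thread: 30+ is held in the user's spam folder, 50 is deleted.
HOLD_WEIGHT = 30
DELETE_WEIGHT = 50

# Kami's MS filter, one tuple per Declude-style line (FIELD WEIGHT ENDSWITH value).
# Each matching line contributes its weight; the filter only "fails" (matches)
# when the sum reaches MINWEIGHTTOFAIL, so both the envelope sender and the
# reverse DNS of the connecting host have to look like a known Microsoft source.
MS_FILTER_MINWEIGHTTOFAIL = 2
MS_FILTER_RULES = [
    ("MAILFROM", 1, "@microsoft.com"),
    ("MAILFROM", 1, ".microsoft.com"),
    ("MAILFROM", 1, ".arvatousa.net"),
    ("REVDNS", 1, ".microsoft.com"),
    ("REVDNS", 1, ".zomax.com"),
]

# Assumed weights for the other tests discussed on the thread (not values from it).
SPAMDOMAIN_WEIGHT = 30     # Andrew: weight abused sender domains up to the HOLD weight
IP_LINK_WEIGHT = 20        # Kami: "from Microsoft" plus a bare-IP link in the body
MS_WHITELIST_WEIGHT = -50  # a combo filter crediting a matched MS filter (Goran's question)

# A URL whose host is a dotted quad rather than a hostname.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})\b", re.IGNORECASE)


def ms_filter_matches(mailfrom: str, revdns: str) -> bool:
    """Sum the ENDSWITH lines the way a MINWEIGHTTOFAIL filter does."""
    fields = {"MAILFROM": mailfrom.lower(), "REVDNS": revdns.lower()}
    total = sum(weight for field, weight, suffix in MS_FILTER_RULES
                if fields[field].endswith(suffix))
    return total >= MS_FILTER_MINWEIGHTTOFAIL


def ip_links(body: str) -> list:
    """Hosts of body links that are literal IP addresses (999.1.1.1 is rejected)."""
    hosts = []
    for host in IP_URL_RE.findall(body):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        hosts.append(host)
    return hosts


def weigh(mailfrom: str, revdns: str, raw_message: str):
    """Return (weight, action) for one message.

    mailfrom and revdns stand in for the SMTP envelope sender and the PTR
    record of the connecting host: a gateway filter sees both, the headers
    alone show neither, and the reverse DNS is what the spoof cannot fake.
    """
    msg = message_from_string(raw_message)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")

    weight = 0
    claims_microsoft = mailfrom.lower().endswith("microsoft.com")
    if claims_microsoft:
        weight += SPAMDOMAIN_WEIGHT
    if claims_microsoft and ip_links(body):
        weight += IP_LINK_WEIGHT
    if ms_filter_matches(mailfrom, revdns):
        weight += MS_WHITELIST_WEIGHT   # genuine Microsoft source: credit it back

    if weight >= DELETE_WEIGHT:
        action = "delete"
    elif weight >= HOLD_WEIGHT:
        action = "hold"
    else:
        action = "deliver"
    return weight, action


# Constructed sample messages (RFC 5737 documentation address, not the real lure).
SPOOF = """From: Windows Update <update@microsoft.com>
Subject: Update your windows machine

Express Install : High Priority Updates for Your Computer
http://192.0.2.10/express/
"""

NEWSLETTER = """From: MSDN Flash <msdn@microsoft.com>
Subject: MSDN Flash

Read this issue online: http://msdn.microsoft.com/flash/
"""

if __name__ == "__main__":
    cases = [
        ("spoof, dial-up rDNS", "update@microsoft.com", "dsl-192-0-2-10.example.net", SPOOF),
        ("spoof, hostname link", "update@microsoft.com", "dsl-192-0-2-10.example.net", NEWSLETTER),
        ("real newsletter", "msdn@microsoft.com", "mail12.zomax.com", NEWSLETTER),
    ]
    for label, mf, rd, raw in cases:
        print(f"{label:22s} -> {weigh(mf, rd, raw)}")
```

The second case is the situation Kami worries about: a spoof that links to a hostname instead of an IP lands at exactly the hold weight and sits in the user's spam folder rather than being deleted, which is why Andrew suggests weighting the abused domains by themselves high enough to reach HOLD, and why the reverse-DNS half of the MS filter, not the sender address, is what separates the real newsletters from the lure.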
RE: [Declude.Virus] Windows Update!
Kami,

What do you do in Global.cfg when an e-mail fails the MS Filter? Subtract a bunch of points?

Goran Jovanovic
The LAN Shoppe

[Earlier messages in the thread quoted here have been trimmed; they appear in full in the first message above.]