Re: [Clamav-devel] New phishing method...doubts

2006-09-28 Thread Ian Castle

Robert Allerstorfer wrote:

> Hi,
>
> Are there yet any statistics of the amount of false positives caused
> by --phish-scan-alldomains?

You can see

http://phishery.internetdefence.net/clamav-test2.html

> regards
> rob.


___
http://lurker.clamav.net/list/clamav-devel.html




Re: [Clamav-devel] New phishing method...doubts

2006-09-28 Thread Robert Allerstorfer
Hi,

On Wed, 27 Sep 2006, 22:05 GMT+02 Robert Allerstorfer wrote:

> I have now tested another phishing mail using your new code (with the
> '--phish-scan-alldomains' option) which did not get detected.

It did get detected now with the latest CVS source (devel-20060928)
:-)

clamscan "C:\path_to\.clamwin\db" --phish-scan-alldomains PHISH_ebay.mbox
D:\Mails\spam\PHISH_ebay.mbox: Phishing.Email FOUND

I think all found "viruses" whose names begin with "Phishing.Email"
are detected by the new phishing-scan-urls code, so I can easily
identify them and treat them in a special way (keep them for a while
instead of removing them immediately).

Are there yet any statistics of the amount of false positives caused
by --phish-scan-alldomains?

regards
rob.




Re: [Clamav-devel] New phishing method...doubts

2006-09-27 Thread Robert Allerstorfer
On Wed, 27 Sep 2006, 18:59 GMT+03 Török Edvin wrote:

> On 9/27/06, Robert Allerstorfer wrote:
>> The output of 'clamscan -h' included
>> --no-phishing            Disable phishing detection
>> --no-phishing-scan-urls  Disable url-based phishing detection

> --no-phishing means to disable detecting phishing based on signatures
> from main.cvd/daily.cvd
> --no-phishing-scan-urls means to disable the new phishing code (url-based)

Yes, thanks; I just think the -h output should make that clear, too. Is
it true that all names of "viruses" found by the code that can be
disabled by '--no-phishing' begin with "HTML.Phishing.", while those
found by the new url-based phishing code begin with "Phishing.Email."?
I need this for my antivirus filter, where I delete all positive
mails. Now I want to add url-based phishing detection using
'--phish-scan-alldomains' but move instead of delete those identified
"infected" mails, to manually check for false positives.

I have now tested another phishing mail using your new code (with the
'--phish-scan-alldomains' option) which did not get detected. The
--debug output showed that the phishing code was not even applied
(since there are no entries beginning with 'PH:' as in the output
where phishing has been found):

[...]
LibClamAV debug: Exported 15276 bytes using enctype 1
LibClamAV debug: fileblobDestroy: mixedtextportion
LibClamAV debug: Now read in part 0
LibClamAV debug: Empty part
LibClamAV debug: The message has 1 parts
LibClamAV debug: Find out the multipart type (alternative)
LibClamAV debug: Multipart alternative handler
LibClamAV debug: Mixed message with 1 parts
LibClamAV debug: Mixed message part 0 is of type 0
LibClamAV debug: No mime headers found in multipart part 0
LibClamAV debug: No plain text alternative
LibClamAV debug: Adding to non mime-part
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Matched signature for file type HTML data at 330
LibClamAV debug: in cli_scanhtml()
LibClamAV debug: mmap'ed file
D:\Mails\spam\PHISH_ebay.mbox: OK

If I should provide somebody with that file please let me know.

Thanks
rob.





Re: [Clamav-devel] New phishing method...doubts

2006-09-27 Thread Nigel Horne

Danett song wrote:

> 1) Does this module work in Windows or Linux? Or both?

The "debug" version at w32.clamav.net works under Windows (best
to use Windows XP for it).

You'll find the link to the debug version at the bottom of
that page.

-Nigel


Re: [Clamav-devel] New phishing method...doubts

2006-09-27 Thread Török Edvin

On 9/27/06, Robert Allerstorfer <[EMAIL PROTECTED]> wrote:

> The output of 'clamscan -h' included
> --no-phishing            Disable phishing detection
> --no-phishing-scan-urls  Disable url-based phishing detection
> --phish-scan-alldomains  Enable phishing detection for all
>                          domains (might lead to false positives!)
>
> (I'm confused because of the two '--no-phishing' options)

--no-phishing means to disable detecting phishing based on signatures
from main.cvd/daily.cvd
--no-phishing-scan-urls means to disable the new phishing code (url-based)


Edwin


Re: [Clamav-devel] New phishing method...doubts

2006-09-27 Thread Robert Allerstorfer
On Wed, 27 Sep 2006, 00:05 GMT+02 GiM wrote:

> Danett song in message 'Re: [Clamav-devel] New phishing method...doubts' 
> wrote:
>> I would like to test it, but I only use Windows. Has
>> someone created an installer that has this
>> module included (and with files pre-configured) to use
>> in Windows? :)
>>

> Since it's in clamav it'll be probably included in clamwin,
> but I'm not sure, just guessing.

Yes, on Windows you can use the latest ClamWin version (currently
0.88.4) and then replace 'clamscan.exe' and 'libclamav.dll' (they are
installed into the 'bin' subdirectory of ClamWin's program
directory) with Gianluigi Tiesi's latest builds found in
http://oss.netfarm.it/clamav/files/clamav-win32-vc6.7z

Currently, they seem to have the functionality from CVS version
2006-09-16.
"cvs sync, upstream added anti-phishing code (untested)"
(However, currently the RAR 3 code is still broken)

The output of 'clamscan -h' included
--no-phishing            Disable phishing detection
--no-phishing-scan-urls  Disable url-based phishing detection
--phish-scan-alldomains  Enable phishing detection for all
                         domains (might lead to false positives!)

(I'm confused because of the two '--no-phishing' options)

It works :-)

clamscan "C:\path_to\.clamwin\db" --phish-scan-alldomains PHISH_postcard.mbox
D:\Mails\spam\PHISH_postcard.mbox: Phishing.Email.Cloaked.NumericIP FOUND

regards,
rob.





Re: [Clamav-devel] New phishing method...doubts

2006-09-26 Thread GiM
Danett song in message 'Re: [Clamav-devel] New phishing method...doubts' wrote:
> 
> --- Török Edvin <[EMAIL PROTECTED]> wrote:
> 
> > Linux: yes, tested. Windows: should work, but I
> > didn't personally test.
> 
> Without cygwin? 
> 
> I would like to test it, but I only use Windows. Has
> someone created an installer that has this
> module included (and with files pre-configured) to use
> in Windows? :)
>

Since it's in clamav it'll probably be included in clamwin,
but I'm not sure, just guessing.

> > That depends on whether you have a plugin in your MUA that
> > uses/calls clamav.
> 
> Ahhh, so it's a module that is called by the scan
> engine on any data (a buffer to be checked for whether it has a
> virus or not?) passed to it? If yes, how does the anti-
> phishing module detect that it's HTML (e-mail content)
> to be checked and not a binary, for example (causing
> false positives)?
> 

Ouch, IIRC the phishing module scans html files
(they're detected by the clamav engine itself).

> 
> > <a href="http://someevilurl">paypal.com</a>
> > http://someevilurl - real url
> > paypal.com - displayed url
> > 
> 
> I took a look at it. How many false positives is this
> module generating? Does it depend on the configuration?
> Has someone made an analysis of it (maybe Ian Castle)?
> 

This depends on your base.

> > You may also find useful the phishsigs_howto.pdf
> > inside the docs dir (in the cvs version).
> 
> I don't know how to access the cvs with Windows, is
> this CVS viewable via web? :)
> 

There are some cvs tools for windows.

-- 
 main(int a[puts("Michał 'GiM' Spadliński")]){}



Re: [Clamav-devel] New phishing method...doubts

2006-09-26 Thread Danett song
Hi Török,


--- Török Edvin <[EMAIL PROTECTED]> wrote:
> It's based on comparing:
> - the 'real' URL, i.e. the URL that your browser is
> going to load when you click on it
> - the 'displayed' URL, i.e. the text that is
> underlined, tooltips, etc.

Hummm, now I got the idea.

> Linux: yes, tested. Windows: should work, but I
> didn't personally test.

Without cygwin? 

I would like to test it, but I only use Windows. Has
someone created an installer that has this
module included (and with files pre-configured) to use
in Windows? :)

> That depends on whether you have a plugin in your MUA that
> uses/calls clamav.

Ahhh, so it's a module that is called by the scan
engine on any data (a buffer to be checked for whether it has a
virus or not?) passed to it? If yes, how does the anti-
phishing module detect that it's HTML (e-mail content)
to be checked and not a binary, for example (causing
false positives)?

> the phishing module is not meant for scanning
> websites, it is meant for scanning emails.

Understood.

> real means the url that your browser takes you to when
> you click on it.
> For example:
> <a href="http://someevilurl">paypal.com</a>
> http://someevilurl - real url
> paypal.com - displayed url
> 
> For a step-by-step description of the algorithm see:
> http://wiki.clamav.net/index.php/phishing_design

I took a look at it. How many false positives is this
module generating? Does it depend on the configuration?
Has someone made an analysis of it (maybe Ian Castle)?

> You may also find useful the phishsigs_howto.pdf
> inside the docs dir (in the cvs version).

I don't know how to access the cvs with Windows; is
this CVS viewable via web? :)

> Best regards,
> Edwin

Thank you again and congratulations on the interesting job









Re: [Clamav-devel] New phishing method...doubts

2006-09-26 Thread tBB
Török Edvin wrote:

> Linux:yes, tested. Windows: should work, but I didn't personally test.

Win32/Cygwin: Works as well.

Best regards,

Nico

-- 
+--+

 Q: Because it reverses the logical flow of conversation.
 A: Why is putting a reply at the top of the message frowned upon?


Re: [Clamav-devel] New phishing method...doubts

2006-09-26 Thread Török Edvin

On 9/26/06, Danett song <[EMAIL PROTECTED]> wrote:

> This module to detect phishing attacks is basically based on
> normalization of URLs, correct?

It's based on comparing:
- the 'real' URL, i.e. the URL that your browser is going to load
when you click on it
- the 'displayed' URL, i.e. the text that is underlined, tooltips, etc.

> 1) Does this module work in Windows or Linux? Or both?

Linux: yes, tested. Windows: should work, but I didn't personally test.

> 2) Does this module analyze the thread when it is
> received in the MUA (Firebird, Outlook, etc.) or

That depends on whether you have a plugin in your MUA that uses/calls clamav.
If you do, _and_ you are using the latest cvs version of clamav, then
yes, your MUA will report phishing.
See more below.

> the browser (Firefox, IE, etc.)?

The phishing module is not meant for scanning websites; it is meant
for scanning emails.

> 3) If in the MUA, which are supported? Firebird? Outlook
> Express?

As long as you are currently able to use clamav from your MUA, then
phishing detection will work too. See
http://www.clamav.net/3rdparty.html for more info.

> 4) If in the browser, which are supported? Firefox? IE?

Neither.

> 5) In some parts of the document the words
> "realurl" and "displayurl" are used; what do you mean by
> that?

See the explanation at the beginning of this mail.

> What kind of discrepancies are compared to find a
> real or displayed (fake) URL?

Real means the url that your browser takes you to when you click on it.
For example:
<a href="http://someevilurl">paypal.com</a>
http://someevilurl - real url
paypal.com - displayed url

For a step-by-step description of the algorithm see:
http://wiki.clamav.net/index.php/phishing_design

> Thank you and sorry for the dumb questions,

You may also find useful the phishsigs_howto.pdf inside the docs dir
(in the cvs version).

> OBS: Török Edvin, the idea of anti-phishing is very
> good, and the tests made by Ian Castle are very
> interesting too.

Thanks.

Best regards,
Edwin

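The real-vs-displayed URL comparison Edvin describes above, plus the numeric-IP case behind the `Phishing.Email.Cloaked.NumericIP` hit in Robert's ClamWin test earlier in the thread, as an added Python example that is not ClamAV's code: it pulls every anchor out of an HTML mail body, compares the host the browser would load against the host shown in the link text, and labels bare-IP targets separately. The verdict strings, the hostname regexes, the crude last-two-labels domain comparison and the sample mail body are all constructed for this illustration and do not mirror ClamAV's signature names or heuristics.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")  # displayed text looks like a host
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")       # dotted-quad IPv4 only

class AnchorCollector(HTMLParser):
    """Collect (real_url, displayed_text) pairs from <a href=...>text</a>."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase host of a URL; a bare 'paypal.com' is read as http://paypal.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def classify(real_url, displayed):
    # Constructed verdict labels: None means the link looks honest
    real_host = host_of(real_url)
    if IPV4_RE.match(real_host):
        return "Cloaked.NumericIP"        # real target is a bare IP address
    disp_host = host_of(displayed)
    if not DOMAIN_RE.match(disp_host):
        return None                       # displayed text is not a domain/URL
    # crude registered-domain compare (last two labels); no public-suffix list
    if disp_host.split(".")[-2:] != real_host.split(".")[-2:]:
        return "DisplayedDomainMismatch"  # shows one domain, goes to another
    return None

def scan_html(html):
    # Run classify() over every anchor in an HTML mail body
    p = AnchorCollector()
    p.feed(html)
    return [(real, disp, classify(real, disp)) for real, disp in p.pairs]

# Constructed sample mail body: one spoofed link, one numeric-IP link, one honest one
SAMPLE = ('<a href="http://someevilurl.example/">paypal.com</a> '
          '<a href="http://192.0.2.10/login">www.ebay.com</a> '
          '<a href="http://www.paypal.com/help">paypal.com</a>')
```

Link text that is not a hostname ("Click here") is never compared, and the www.paypal.com vs paypal.com case passes, which is the kind of benign difference a stricter all-domains comparison would flag.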

[Clamav-devel] New phishing method...doubts

2006-09-25 Thread Danett song
Hello,

I entered the clamav-devel archive by accident
and found a message called "New phishing detection
algorithm in cvs version of clamav" which I thought was
very interesting, so I decided to subscribe to this
mailing list to resolve some doubts, if you can clear them
up for me. :)

This module to detect phishing attacks is basically based on
normalization of URLs, correct?

1) Does this module work in Windows or Linux? Or both?

2) Does this module analyze the thread when it is
received in the MUA (Firebird, Outlook, etc.) or
the browser (Firefox, IE, etc.)?

3) If in the MUA, which are supported? Firebird? Outlook
Express?

4) If in the browser, which are supported? Firefox? IE?

5) In some parts of the document the words
"realurl" and "displayurl" are used; what do you mean by
that? What kind of discrepancies are compared to find a
real or displayed (fake) URL?

Thank you and sorry for the dumb questions,

OBS: Török Edvin, the idea of anti-phishing is very
good, and the tests made by Ian Castle are very
interesting too.

Cheers


