This actually scored fairly low in SA because it didn't do anything "spammy" [no opt-out links, embedded tags, onerous HTML, etc.] but then, SA "doesn't do" viruses :) so I'm not all that surprised.
Are there existing rules to detect various flavors of attachments? I agree that SA is best suited for tagging spam, but it would be interesting to have some for metas etc., if for no other reason than to let SA continue to do all the 'flagging & tagging'.
[...] In any case, it is one to watch for [or rather, to watch for your friends running "that rather susceptible system"]. If it weren't so insidious, it would be pure beauty...
It comes with the subject "RE: Submit a virus sample" and purports to be FROM Symantec. Ok, fair enough -- this might be a response you would get if you submitted something via an automated e-mail address and/or web form; it doesn't raise any suspicion [other than the fact I've never in my life knowingly "submitted a sample" to an anti-virus site...] [...]
Can't say I've seen one that clever yet, but it's not too surprising. I guess virus writers and spammers can code too (at least on occasion). They're not necessarily a pack of idiots... or at least they're capable of hiring some who aren't!
I'm currently testing three anti-virus scanners that run in-line before SA (f-prot, bitdefender and clamav), and each has varying degrees of accuracy. I've set up wrapper scripts that put common headers into the message that can be used for pattern matching etc. This is fine for my setup, but I can see the new threats emerging hourly becoming a real problem even for the most conscientious admins.
A policy-based defang/quarantine/drop approach to attachments is probably a good idea for organizations dealing with these on a large scale. Rather than try to match every variant in SA, or even count on anti-virus software to catch Day 0 attacks, removing or at least defanging such content might be a good policy. Back it up with a fist-of-god policy making it the USER'S responsibility to validate the source of a file before opening it, along with whatever proactive measures (i.e. scan on quarantine) are available.
What is interesting is watching Bayes -- sometimes -- catch new variants before the anti-virus scanners do.
- Bob
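The policy-based defang/quarantine approach described above, as an added example that is not code from the original post. The extension lists, the X-Attachment-Policy header name and the sample message are constructed assumptions; the filter is meant to sit in-line ahead of SpamAssassin, which can then score on the header it adds.

```python
# Added example, not code from the original post: policy-based attachment
# handling run in-line before SA. Lists and header name are assumptions.
from email import message_from_string, policy
# The filename decides, not the declared Content-Type: the sender controls
# both, and a lying Content-Type is the usual trick.
DEFANG_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
QUARANTINE_EXTENSIONS = {".zip", ".rar"}  # hold for a later scan or a human
POLICY_HEADER = "X-Attachment-Policy"    # assumed name, for an SA header rule

def extension_of(filename):
    """Last extension, lowercased; ignores padding ("a.txt    .exe" -> ".exe")."""
    name = (filename or "").strip().lower()
    return "." + name.rsplit(".", 1)[1].strip() if "." in name else ""

def apply_policy(raw_message):
    """Return (verdict, message, flagged); verdict: quarantine/defang/deliver."""
    msg = message_from_string(raw_message, policy=policy.default)
    defanged, held = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        ext = extension_of(filename)
        if ext in DEFANG_EXTENSIONS:
            # set_content() replaces payload and Content-* headers: bytes are gone.
            part.set_content(f"[attachment {filename!r} removed by policy]")
            defanged.append(filename)
        elif ext in QUARANTINE_EXTENSIONS:
            held.append(filename)
    verdict = "quarantine" if held else "defang" if defanged else "deliver"
    # Record the decision in a header that SpamAssassin rules can score on.
    msg[POLICY_HEADER] = f"{verdict}: {', '.join(defanged + held) or 'none'}"
    return verdict, msg, defanged + held
# Constructed sample: a plain body plus an executable hidden behind a
# double extension and a text/plain Content-Type.
SAMPLE = """\
Subject: RE: Submit a virus sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thank you for your submission.
--b1
Content-Type: text/plain; name="report.txt.exe"
Content-Disposition: attachment; filename="report.txt.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
```

Running `apply_policy(SAMPLE)` returns the verdict "defang", the rewritten message with the executable part replaced by a notice, and the list of filenames the policy acted on.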
