Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



Symantec decomposer rar bypass allowed malicious content.

Published: 2008-04-22
Last Updated: 2008-04-24 16:33:34 UTC
by donald smith (Version: 3)

ScottT of Blue Cross Blue Shield submitted the following information and a
rar file that bypassed his Symantec decomposer on his SMTP gateway.

“We received over 30 of these emails containing infected rar files.
Symantec detected them, but somehow these emails evaded our email
gateway and spam filter. The body text contained blocked words so it should
have been dumped by the spam filter. Our email gateway strips rar and scr
attachments, so the attachments should have been stripped.

We sent test emails with the offensive body text and the spam filter dumped
them. We also sent test emails with rar files attached, and the emails
arrived with the attachment stripped.

This has us stumped. It seems our systems are functioning properly, but
these emails are beating them.”


This was in the message headers of the email he forwarded to us.
“This message has been processed by Symantec AntiVirus.
screen.scr is still infected with the malicious virus Downloader because the
Symantec decomposer cannot modify its container.”

The subject line of this email was "Hot news".

The text of the message implies you will see Paris Hilton undress if you open the attachment.


VirusTotal recognized screen.rar as a trojan downloader.
http://www.virustotal.com/analisis/67258db1006d464e1d5ff4248db306dd

Sending screen.scr to cwsandbox.org produced a good analysis.
The short version is that it is a version of SDBOT.
The nitty-gritty details are available here:
https://cwsandbox.org/?page=details&id=215016&password=ftkxv

Symantec has suggested some changes to Scott's SMTP gateway configuration that may prevent further bypasses. The version of zip I have under Cygwin also reported this rar as "damaged or invalid".

UPDATE:

The change recommended by Symantec was to change the rule on the detection of an infected attachment from attempting to clean the attachment to deleting the entire email. If you're currently running Symantec's SMTP AV gateway and have this rule set to clean, you may want to change it to delete.
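
The failure mode above is a decomposer that cannot open or rewrite a container and then falls through to delivery. As an added example (not Symantec's code or Scott's configuration), the following Python walks RAR 4.x block headers as laid out in the public RAR format, treats any structural inconsistency as "damaged or invalid", and shows a gateway decision that fails closed (quarantine) instead of delivering what it could not clean. The archive builder, the attachment names and the verdict strings are constructed for this illustration.

```python
import struct, zlib
RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x marker block
BLOCKED_EXT = (".rar", ".scr")     # attachment types the diary's gateway is meant to strip

def _block(head_type, flags, body):
    """One RAR 4.x block: HEAD_CRC is the low 16 bits of CRC32 over TYPE..end of header."""
    head = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(head) & 0xFFFF) + head

def make_sample_rar(member=b"screen.scr"):
    """Constructed test archive (not the diary's sample) holding one stored, empty member."""
    file_hdr = struct.pack("<IIBIIBBHI", 0, 0, 2, 0, 0, 29, 0x30, len(member), 0x20) + member
    return (RAR_MARKER + _block(0x73, 0, b"\x00" * 6)          # archive header
            + _block(0x74, 0x8000, file_hdr) + _block(0x7B, 0x4000, b""))

def list_rar(data):
    """Return member names of a RAR 4.x archive; ValueError/struct.error means 'damaged or invalid'."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("missing RAR marker")
    pos, names = len(RAR_MARKER), []
    while pos < len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            raise ValueError("HEAD_SIZE inconsistent with file length")
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            raise ValueError("header CRC mismatch")
        data_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0  # LONG_BLOCK: ADD_SIZE (PACK_SIZE for files)
        if head_type == 0x74:                                    # file header
            name_size, = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + (40 if flags & 0x100 else 32)        # LHD_LARGE adds two 32-bit fields
            if name_off + name_size > pos + head_size:
                raise ValueError("file name overruns header")
            names.append(data[name_off:name_off + name_size].decode("latin-1"))
        pos += head_size + data_size
        if head_type == 0x7B:                                    # end-of-archive block
            break
    if pos > len(data):
        raise ValueError("packed data runs past end of file")
    return names

def gateway_verdict(filename, data):
    """Fail closed: strip blocked types; quarantine a container the parser rejects rather than deliver it."""
    if filename.lower().endswith(BLOCKED_EXT):
        return "strip"
    try:
        members = list_rar(data)
    except (ValueError, struct.error):
        return "quarantine"                                      # the diary's bypass case
    return "strip" if any(m.lower().endswith(BLOCKED_EXT) for m in members) else "deliver"
```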


Maximus rootkit downloads via MySpace social engineering trick.

Published: 2008-04-22
Last Updated: 2008-04-23 17:56:24 UTC
by donald smith (Version: 3)

A reader, GreggS, provided a link to a MySpace page with a specific friendid that has JavaScript that pops up a transparent background gif on top of the normal user page. The transparent background gif appears to be an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair number of people.

“Clicking anywhere on the page (on the large CSS layer on top) causes your
browser to initiate a download session from an FTP server at
microsofpsupports.cn, and you are asked to download and/or run (no!)
the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
http://img404.imageshared.cn/img/20048/removaltool6gx87.gif”
This appears to be a new version of Maximus.

Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb

UPDATE:

Thanks to Ned, who pointed out that

"'!Maximus' is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."


Spam to your calendar via Google agenda?

Published: 2008-04-22
Last Updated: 2008-04-22 13:07:31 UTC
by donald smith (Version: 1)

Every once in a while I see a new spamming method.
This one came from Google Agenda and arrived as a meeting invite.
I deleted the email, but due to my preferences in Exchange it appeared in my calendar anyway.

So I only have to send them $150 non-resident tax to get $1.2 M.
What a deal:) I think I will pass.

I have never had to analyze an ics (calendar file) before, so I saved it.
Next I used a text processor to pull elements of the header.
Here is what the header looks like. I removed the email addresses:)

"BEGIN:VCALENDAR
PRODID:-//Google Inc//Google Calendar 70.9054//EN
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VEVENT
DTSTART:20080406T063000Z
DTEND:20080406T073000Z
DTSTAMP:20080405T191500Z
ORGANIZER;CN=Senders Name:MAILTO:sendersaddress@gmail.com
UID:0scrnh2u3gtf72q776ojru7ioc@gmail.com
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
 TRUE;CN=victimsname;X-NUM-GUESTS=0:MAILTO:victimsname@Ymail.com
CLASS:PRIVATE
CREATED:20080405T191359Z
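
As an added example (not the diary's text processor), this Python unfolds the RFC 5545 continuation line visible in the ATTENDEE property above and pulls the fields worth triaging from an unsolicited invite. The sample input is the header as printed in the diary, with the author's already-anonymized addresses.

```python
import re
from collections import defaultdict

# The invite header as printed in the diary (addresses already replaced by the author).
SAMPLE_ICS = """BEGIN:VCALENDAR
PRODID:-//Google Inc//Google Calendar 70.9054//EN
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VEVENT
DTSTART:20080406T063000Z
DTEND:20080406T073000Z
DTSTAMP:20080405T191500Z
ORGANIZER;CN=Senders Name:MAILTO:sendersaddress@gmail.com
UID:0scrnh2u3gtf72q776ojru7ioc@gmail.com
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
 TRUE;CN=victimsname;X-NUM-GUESTS=0:MAILTO:victimsname@Ymail.com
CLASS:PRIVATE
CREATED:20080405T191359Z
"""

def parse_ics(text):
    """Unfold (RFC 5545: a line starting with space/tab continues the previous one) and
    map each property name to a list of (params, value). Assumes no ':' in quoted params."""
    props = defaultdict(list)
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        if not line or line.startswith(("BEGIN:", "END:")):
            continue
        head, _, value = line.partition(":")
        name, *params = head.split(";")
        props[name.upper()].append((dict(p.split("=", 1) for p in params), value))
    return props

def triage(text):
    """Fields an analyst wants from an unsolicited invite: sender, recipients, product and
    METHOD (a REQUEST is what a client may place on the calendar automatically, as here)."""
    props = parse_ics(text)
    def first(name):          # value of the first instance of a property, or None
        return props[name][0][1] if props.get(name) else None
    def addr(value):          # "MAILTO:user@host" -> "user@host"
        return value.split(":", 1)[1].lower() if value.upper().startswith("MAILTO:") else value
    return {
        "method": first("METHOD"),
        "prodid": first("PRODID"),
        "uid": first("UID"),
        "start": first("DTSTART"),
        "organizer": [addr(v) for _, v in props.get("ORGANIZER", [])],
        "attendees": [(addr(v), p.get("RSVP")) for p, v in props.get("ATTENDEE", [])],
    }
```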


The actual content, as viewed in the Outlook calendar:
"Google Agenda
donald smith, you are invited to take part in
Your pending transfers respond prompt.
Sat. 5 Apr. 20:30 – 21:30
(Time zone: Hawaii)
Calendar: donald smith
Compliments and Greetings,
This is an official notification of the availability of your full
entitlement valid 1.2 million which has not been affected due to official
negligence. This transfer has been held pending and its original account
suspended pending when the benefactor provided the TAX clearance
document .but the impostors who are operating in syndicates all over the
world today are misled and misguided you about the position of your fund
with the sole aim of exporting money from you that explain why you have
not receive the payment up-to-date.

However, you are advised to immediately reconfirm your telephone and
currant contact/ payment receiving details to this e-mail address (
richtransferoffice@yahoo.co.in) .You will receive your payment by: (1)
By wire transfer direct to your nominated bank account. (2). Issuing
you ATM CARD 3) or by drawing a cashiers cheque payable in your name,
with strict procedures of the International funds transfer rules and
regulations in avoidance of unhealthy intents and unnecessary delay.

So, let us know which of option you like to receive your monies .But
before we proceed, you are required to make a payment of the Non-resident
tax of $150 only as the authorities demand which is described as
selective payment to enable us effect maximum clearance on
your file and automate your full information on the transfer script
text to ensure that the payment reach your hand on time through a legal
secure way from the exact time frame we initiate our service if you
accurately furnished us with our requirement as instructed.

Note that we have no legal right to deduct or add to the value of your
funds because your payment has already been keyed into the system for
final transfer, thus the compliance with this condition this payment
will reach you within 48 banking hour or less.

Yours faithfully,
Johnson Mark
International Clearing House West Africa- BENIN
Affiliate to the World Association of Debt Management.
More info about the event »

Will you attend?
Yes | No | Maybe

You are receiving this message at the address victim'sname@Ymail.com because you are participating in this event.

To stop receiving notifications for this event in the future, decline the event. You can also create a Google Agenda account at http://www.google.com/calendar/ and set the notification settings for your entire calendar yourself.
<<invite.ics>>"

Keywords: calendar spam

Published: 2008-04-22
Last Updated: 2008-04-22 00:39:28 UTC
by donald smith (Version: 1)

James notified us that “Apocalyptic NEWS Usama Ben Laden” is being
SPAMMED out with malicious links in it. This is an attempt to get people to
load a version of Zlob. The links at the following blog site are malicious.
DO NOT VISIT THEM. Here is the VirusTotal report on the malware I
found there:
http://www.virustotal.com/analisis/a914b92b454eff25407a61fa52af9d67
This site collects spam, and many of the links there will be dangerous.
From:
http://spamrecorder.blogspot.com/2008/04/special-issue-of-news-from-bloomberg.html
SPAM Recorder
“This blog is started as a web experiment to record spam emails. This
web experiment, SPAM Recorder, auto-records mail spams resulting
from an email-id, left un-masked to a few social book-marking sites.”


XP SP3 RC2 Available

Published: 2008-04-22
Last Updated: 2008-04-22 00:23:14 UTC
by donald smith (Version: 1)

“Microsoft Windows XP Service Pack 3 is a rollup that includes all previously released updates for Windows XP, including security updates, out-of-band releases, and hotfixes. It contains a small number of new updates, but should not significantly change the Windows XP experience.”

http://technet.microsoft.com/en-us/windowsxp/0a5b9b10-17e3-40d9-8d3c-0077c953a761.aspx
Thanks, Robert.

Keywords: XP SP3 RC2