Re: malware email
espr-@e-scape.net
Oct 22, 2003 12:10 PDT
At 05:56 -0400 2003/10/22, jsampson+indexes wrote:
> I am wondering if there is a common feature on these blankety-blank 'return
> to sender' emails bearing the Sobig-F virus whereby they can be caught with
> a filter. This virus is obviously here to stay.
Not really -- each version of Sobig has had a built-in expiry date,
after which it stops sending itself out. Of course, as one version
expires, a new strain is released to take its place and evade the
previous virus definition. Sobig-F expired September 10th.
As for filtering it out yourself...
1) The "From:" address is spoofed and the real sender and routing
will be different for each copy so you can't filter on message
headers except for the "adm-@internet.com" address it sometimes
uses.
2) The possible "Subject:" lines are
  - Re: Details
  - Re: Approved
  - Re: Re: My details
  - Re: Thank you!
  - Re: That movie
  - Re: Wicked screensaver
  - Re: Your application
  - Thank you!
  - Your details
so you can filter those if none of your legitimate mail is likely
to use them.
3) The body may contain "See the attached file for details" or
"Please see the attached file for details" but I'd hesitate to
filter on those since they're likely to occur in real messages
from clients, too.
4) The name of the attachment will vary: your_document.pif,
document_all.pif, thank_you.pif, etc. There is a common theme,
though -- Sobig-F's infections all arrive as ".pif" or ".scr"
files. Since there's no earthly reason why anyone should send
you one of these unasked, you could create a filter to send
them to the trash unopened ... but note that if you had such
a filter, you wouldn't be reading this message!
Anyway, it looks as if the creators of Sobig have been forced
to change tactics:
http://marketwatch-cnet.com.com/2100-1009_3-5067311.html
> ...
> Race against Sobig reportedly successful
> Last modified: August 22, 2003, 2:07 PM PDT
> By Robert Lemos
> Staff Writer, CNET News.com
> The second stage of an attack by the Sobig.F computer virus fizzled Friday when security researchers and network operators managed to secure the 20 servers from which the virus was scheduled to download new instructions.
> [big snip]
> E-mail service provider MessageLabs said that, like previous versions of the virus, Sobig.F likely would have turned infected PCs into tools for sending spam.
> "The mail component is so much more efficient than previous versions, so it's highly likely that the purpose of the virus is to act as launching pad to send spam, because the efficient e-mail is such a key change," said Mark Sunner, chief technology officer for the New York-based company.
> Sobig.F has spread aggressively, sending far more e-mails with copies of the virus than any such program to date. [...]
but http://earthlink.com.com/2100-1083_3-5069594.html
> Think the threat of the nasty Sobig mass-mailing virus has passed? Think again.
> Security researchers believe that the creator of the Sobig mass-mailing computer virus won't stop with Sobig.F--the money may be too good. The Sobig viruses, the first of which started spreading in January, are designed to load special software that can make spam anonymous on people's PCs. The tens of thousands of computers infected by the virus can then be used by bulk e-mailers to send unsolicited messages that can't be tracked.
> "It is very well planned, very well designed and very well executed," said Mikko Hypponen, director of antivirus research for security company F-Secure. Hypponen believes that the virus' author likely sells the list of compromised PCs to spammers. "For once we have a virus with a very good motive: money."
> [big snip]
A good place to find out exactly how a particular piece of
malware works is the Virus Encyclopedia http://www.viruslist.com/eng/viruslist.html
maintained by Kaspersky Labs. (They are a Russian maker of anti-virus
and anti-hacker software: details on offerings at
http://www.kaspersky.com ... with which I have no affiliation whatsoever
-- I just trust Symantec not at all on the basis of some of their
management's opinions, like that it would be okay to sell an anti-virus
that would deliberately *not* pick up any virus/worm combo the U.S.
government might wish to release and to criminalize information-sharing
between computer research people on security matters as a means of
"stopping computer crime".)
Anyway, once you've looked up how a particular virus, worm or
piece of spyware operates, you can create your own filters to
screen out copies. Of course, that's assuming your frequently-
updated anti-virus software doesn't do it for you *and* that
you've set up your computer so as to prevent unknown nasties
from running themselves without your permission. If you haven't
already protected your system, just filtering the messages is
no guarantee that you won't get infected by something new.
HTH,
Judyth
##########################################################
Judyth Mermelstein "cogito ergo lego ergo cogito..."
Montreal, QC <espr-@e-scape.net>
##########################################################
"A word to the wise is sufficient. For others, use more."
"Un mot suffit aux sages; pour les autres, il en faut plus."
##########################################################
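An added example, not part of Judyth's post: a Python check that applies the post's four filtering points to a raw message, parsing it with the standard library's email package. It reports subject and body-phrase matches but, following the post's advice, treats only a ".pif"/".scr" attachment as a reason to quarantine; the sample message is constructed, not a real capture.

```python
import email
from email import policy

# Indicators taken from the post: subjects (point 2), body phrase (point 3),
# attachment extensions (point 4). Constructed check list, not a vendor signature.
SOBIG_F_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
RISKY_EXTENSIONS = (".pif", ".scr")
BODY_PHRASE = "see the attached file for details"


def classify(raw_message: str) -> dict:
    """Report which indicators a raw RFC 822 message matches.

    Only the attachment extension drives 'quarantine': the post warns that
    the subject and body phrase also occur in legitimate mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = {
        "subject": subject in SOBIG_F_SUBJECTS,
        "attachment": [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)],
        "body_phrase": BODY_PHRASE in body,
    }
    hits["quarantine"] = bool(hits["attachment"])
    return hits


# Constructed sample in the shape the post describes (not a real capture).
SAMPLE = """\
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

RESULT = classify(SAMPLE)
```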