[unisog] Zero-day viruses
Andrew Daviel
advax at triumf.ca
Fri Sep 12 00:35:06 GMT 2008
Is everyone getting them, or is it just us?
The last few weeks, we have noticed an increase in email viruses getting past
our filters. There are multiple versions of what Kaspersky AVP
identifies as Trojan-Spy.Win32.Zbot and Worm.Win32.AutoRun, with suffixes
running into 3 characters, which have a burst of a day or so, then die off
just as they make it into the pattern databases. We've had a few infections
getting past ClamAV and AVP on the mailserver, then past Symantec on desktops.
Typical subject lines:
Fedex Tracking N*0612214734
Western Union MTCN #5754647577
E-ticket #4226265971
Payment confirmation #6007128885904141404
Statement of fees 2008/09
(some of these are caught by SpamAssassin as spam, but not all)
So a few days ago I decided I'd had enough, and wrote a signature to
match any Windows portable EXE file for ClamAV (turns out to be quite
easy), which leverages ClamAV's ability to examine all sorts of encoding,
archives and mail attachments cf. e.g. MIMEDefang. Hopefully this will
stem the tide somewhat - looks good so far. If anyone wants to mail a
legit executable, they'll have to encrypt it (as does one of our local
phone companies, with e-bills)
We had at least one incident of a PC rebooting when opening one of these
as a nonprivileged user. Not clear yet if anything nasty survived the
reboot; in principle it could write into the user's personal startup or
registry keys, even if it can't write into system files or keys.
(ClamAV is an open-source antivirus for Linux and Windows;
www.clamav.net. We run it with a sendmail milter to reject mail without
sending a DSN message)
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
go Linux - virus free! (for now)
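The post describes blocking any Windows PE attachment at the mail gateway with a ClamAV signature, relying on ClamAV to unpack MIME and archives first. The following is an added example, not the author's signature or ClamAV code: a small Python gateway-side check that does the same thing by hand, so the logic is visible. It parses a message, base64-decodes each part, and flags a part as executable if it has the "MZ" DOS stub and the e_lfanew field at offset 0x3C points at the "PE\0\0" signature; zip attachments are opened and their members checked the same way, and encrypted zip members are reported separately because they cannot be inspected (which is exactly the "encrypt it if you need to send a legit executable" path the post mentions). The sample message, the minimal PE-shaped blob and the attachment names are constructed for the example.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

PE_MAGIC = b"PE\0\0"
MAX_MEMBER_BYTES = 1 << 20  # cap per zip member so a zip bomb cannot exhaust memory


def is_pe(data: bytes) -> bool:
    """True if data looks like a Windows PE image.

    Checks the 'MZ' DOS stub, then reads e_lfanew (uint32 LE at 0x3C) and
    verifies that 'PE\\0\\0' sits at that offset inside the buffer.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):  # header pointer outside the file: not a usable PE
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def pe_members_in_zip(data: bytes) -> list:
    """Names of zip members that are PE images; encrypted members are flagged as such."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    hits.append(info.filename + " (encrypted, not inspected)")
                    continue
                with zf.open(info) as fh:
                    head = fh.read(MAX_MEMBER_BYTES)
                if is_pe(head):
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a zip (or corrupt): nothing more to unpack here
    return hits


def find_executables(raw_message: bytes) -> list:
    """Return attachment names (or 'zip:member') in the message that carry a PE image."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload:
            continue
        name = part.get_filename() or part.get_content_type()
        if is_pe(payload):
            found.append(name)
        else:
            for member in pe_members_in_zip(payload):
                found.append(f"{name}:{member}")
    return found


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + PE_MAGIC + b"\0" * 0x100


def build_sample_message() -> bytes:
    """Constructed message in the style of the lures quoted in the post."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # hypothetical sender
    msg["To"] = "user@example.invalid"        # hypothetical recipient
    msg["Subject"] = "Fedex Tracking N*0612214734"
    msg.set_content("Your shipment details are attached.")
    pe = build_fake_pe()
    msg.add_attachment(pe, maintype="application", subtype="octet-stream",
                       filename="tracking.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", pe)
        zf.writestr("readme.txt", "harmless")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_executables(build_sample_message()):
        print("REJECT: executable content in", hit)
```

A milter would reject at the first hit rather than collecting them all; the list form here just makes the result easy to inspect. Note what this does not cover: archive formats other than zip, nested archives, and executables that are not PE images (scripts, .scr renamed files are still PE, but a .bat is not), which is why delegating the unpacking to ClamAV, as the post does, is the more robust choice.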