[unisog] SP*M Detection Methods & Processes --> ImageSpam Signature

Cam Beasley cam at austin.utexas.edu
Mon Sep 25 11:13:36 GMT 2006


Russell, et al --

(i posted this to a few lists earlier this month -- also in bleedingsnort)

we've been using the following signatures to identify the bloody image spams
for the past month or so with decent success..  i can't seem to get our
anti-spam vendor to adopt them, but feel free to see if they work for you..

/--------------------------------------------------------------------

; simpler, but potentially more false positives

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (flow:established,to_server; \
  content:"Content-Transfer-Encoding|3A|"; \
  content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; \
  content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; \
  content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; \
  msg:"Possible ImageSpam - Simple"; classtype:misc-activity; sid:1000079; gid:1; rev:32; )

/--------------------------------------------------------------------

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (flow:established,to_server; \
  content:"Content-Transfer-Encoding|3A|"; \
  content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; \
  content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; \
  content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; \
  content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; \
  content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; \
  content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; \
  content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; \
  content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; \
  content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; \
  content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; \
  content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; \
  content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; \
  content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; \
  msg:"Possible ImageSpam"; classtype:misc-activity; sid:1000079; gid:1; rev:24; )

/---------------------------------------------------------------------

this base64 appears to be common to all of the image spam i have run across
recently (2.6M+ samples) and i am fairly certain that it represents the
global color table of the GIFs. the image spams all use the same identical
global color table, perhaps based on the tool used to convert the text to a
GIF, etc?

it is surprising to me that the spammers haven't noticed this, since they've
gone to the effort to put random pixels in the images to make them each
unique and thus foil signature-based schemes. the anti-spam community may
have already identified this but i wanted to propose it nonetheless...
perhaps this is known, but generates too many false positives?
or perhaps it is easily defeated?

~cam.


-- 
Cam Beasley CISSP CIFI
University Information Security Officer
Information Security Office
ITS | University of Texas at Austin
cam at austin.utexas.edu | 512.475.9476

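Cam's rules above match the palette's base64 text inline in the SMTP stream. The following is an added example (mine, not code from the post or the unisog list) that instead decodes the MIME part and hashes the GIF's global color table, so the check does not depend on where a mailer wraps its base64 lines. The GIF, palette and digest set are constructed stand-ins; a real deployment would hold the digest of the table recovered from the spam samples.

```python
import base64
import hashlib
import struct

def gif_global_color_table(data):
    """Return the global color table bytes of a GIF, or None if absent or not a GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    packed = data[10]                     # logical screen descriptor flag byte
    if not packed & 0x80:                 # bit 7: a global color table follows
        return None
    size = 3 * (2 << (packed & 0x07))     # 2^(n+1) entries of 3 bytes (RGB)
    table = data[13:13 + size]
    return table if len(table) == size else None

def palette_fingerprint(data):
    """SHA-256 of the global color table, the value the signature really keys on."""
    table = gif_global_color_table(data)
    return hashlib.sha256(table).hexdigest() if table else None

def decode_base64_part(part):
    """Decode the body of one MIME part if it is base64, whatever the line wrapping."""
    head, _, body = part.replace("\r\n", "\n").partition("\n\n")
    if "content-transfer-encoding: base64" not in head.lower():
        return None
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None

def is_image_spam_part(part):
    """True when the decoded part is a GIF whose palette digest is a known one."""
    data = decode_base64_part(part)
    return data is not None and palette_fingerprint(data) in KNOWN_SPAM_PALETTES

# --- constructed test material: NOT the palette seen in the spam samples ---
def build_gif(palette):
    """Minimal 1x1 GIF89a carrying a 256-entry global color table."""
    lsd = struct.pack("<HHBBB", 1, 1, 0xF7, 0, 0)          # 0xF7: GCT flag, 256 entries
    descriptor = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    pixels = b"\x08\x04\x00\x01\x04\x04\x00"                # LZW: clear, index 0, end
    return b"GIF89a" + lsd + palette.ljust(768, b"\x00") + descriptor + pixels + b"\x3b"
WEB_SAFE = bytes(c for r in range(0, 256, 51) for g in range(0, 256, 51)
                 for b in range(0, 256, 51) for c in (r, g, b))   # 216-colour cube
GREYSCALE = bytes(v for v in range(256) for _ in (0, 1, 2))
KNOWN_SPAM_PALETTES = {palette_fingerprint(build_gif(WEB_SAFE))}  # stand-in digest

def mime_part(data):
    """Wrap bytes as a base64 MIME part, wrapped at 76 columns like a mailer does."""
    return ("Content-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(data).decode())
```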

On 9/23/06 2:19 AM, "Russell Fulton" <r.fulton at auckland.ac.nz> articulated:

> We have been very happy with this set up and it has worked extremely
> well until the recent image spam started a few months ago. Now we are
> getting regular moans because most users have had virtually spam free
> mail boxes for two years.   We are experimenting with OCR plug-in but I
> fear this will be, at best, a temporary solution as we have already seen
> images that use obscured fonts.
> 
> I have been wondering if the stock scam we have been seeing are actually
> some sort of clever experiment to measure the effectiveness of different
> delivery techniques.   I have received multiple copies of the same spam
> encoded in several different ways or maybe it is just spammer generating
> random combinations of font, colours, and headers to defeat razor detection.
> 
> The images combined with fast rotation of sending machines and throwaway
> urls makes this spam very difficult to detect :(
> 
> Anyone got any success stories to report?
> 
> Russell
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> http://lists.dshield.org/mailman/listinfo/unisog

