Atomic Secure Linux
Post subject: remittance advice trojans
Posted: Tue Jan 06, 2015 11:46 am
Long Time Forum Regular
We have been seeing huge numbers of "remittance advice" emails containing booby-trapped documents sailing past clamav (and obviously also spamassassin and spamdyke).

They also seem to frequently elude the AV on client PCs.

Has anybody had any luck mitigating this issue? Any tips?


Edit: also "your energy bill" type emails with similar booby-trapped documents (and I hear there's also something similar regarding water bills or water air or something like that, though I've not seen these on our systems).


Faris.

Post subject: Re: remittance advice trojans
Posted: Tue Jan 06, 2015 1:32 pm
Atomicorp Staff - Site Admin
Could you send us some of these for our malware team to examine?

Michael Shinn
Atomicorp - Security For Everyone
Post subject: Re: remittance advice trojans
Posted: Tue Jan 06, 2015 3:12 pm
Long Time Forum Regular
OK. I only have one handy at the moment. I'll zip it and raise a case.

Post subject: Re: remittance advice trojans
Posted: Tue Jan 06, 2015 3:19 pm
Long Time Forum Regular
OK. Case 40372 contains the one I have handy.

I'll add more as they come in.

Faris.

Post subject: Re: remittance advice trojans
Posted: Tue Jan 06, 2015 6:45 pm
Atomicorp Staff - Site Admin
Another thought I had on this: are those emails coming from IPs we might already track in the Threat Intelligence system?

You can look them up here: http://atomicrbl.com/lookup/

The T.I. is implemented as an RBL, and while we've never tried this in an anti-spam context, there's nothing that would prevent you from using it that way.

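How a mail filter would consult a DNS-based RBL such as the Threat Intelligence one for each sender IP, as an added example that is not Atomicorp's code or from the thread; the RBL's DNS zone is not given in the thread (only the web lookup page), so the zone name below is a placeholder, and the sender addresses are constructed documentation-range samples.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Placeholder: the thread gives only the web lookup page for the Threat
# Intelligence RBL (http://atomicrbl.com/lookup/), not its DNS zone name.
# Substitute the real zone before using this against live mail.
TI_RBL_ZONE = "ti-rbl.example.invalid"

def rbl_query_name(ip: str, zone: str = TI_RBL_ZONE) -> str:
    """Build the DNSBL query name for a sender address.

    DNSBLs are queried as <reversed address>.<zone>: IPv4 octets are reversed,
    IPv6 addresses are expanded and queried nibble by nibble, least significant first.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def is_listed(ip: str, zone: str = TI_RBL_ZONE,
              resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A-record answer (e.g. '127.0.0.2') if `ip` is listed, else None.

    A listed address answers with an A record in 127.0.0.0/8; an unlisted one
    gets NXDOMAIN, which socket.gethostbyname raises as an OSError subclass.
    `resolve` is injectable so the logic can be exercised without network access.
    """
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except OSError:
        return None
    # An answer outside 127/8 means a wildcard or hijacked zone, not a listing;
    # treating it as "listed" would reject every sender, so ignore it.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None

def classify_senders(ips, zone: str = TI_RBL_ZONE,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Map each sender IP to its RBL verdict, the way a milter or filter hook would."""
    return {ip: is_listed(ip, zone, resolve) for ip in ips}

if __name__ == "__main__":
    # Constructed sample sender addresses (documentation ranges), not from the thread.
    for ip, verdict in classify_senders(["192.0.2.10", "198.51.100.7"]).items():
        print(ip, "listed" if verdict else "not listed")
```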
Post subject: Re: remittance advice trojans
Posted: Tue Jan 06, 2015 9:15 pm
Long Time Forum Regular
None of them are in the TI RBL, although three of the five samples I submitted came from IPs that had been seen (once each) mid-December by the TI system.

Post subject: Re: remittance advice trojans
Posted: Tue Jan 06, 2015 9:17 pm
Long Time Forum Regular
Another interesting thing about them is that they come from IPs listed as static, not dynamic, ranges. So spamdyke is letting them in. They don't appear on any anti-spam RBLs I use (the bigger ones).

Post subject: Re: remittance advice trojans
Posted: Thu Jan 08, 2015 7:04 pm
Long Time Forum Regular
Any luck with this? Was what I was able to give you useful enough to work with?

Post subject: Re: remittance advice trojans
Posted: Fri Jan 09, 2015 7:13 pm
Atomicorp Staff - Site Admin
New heuristics rules added and pushed today for this type.

Michael Shinn

