remittance advice trojans

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

remittance advice trojans

Unread post by faris »

We have been seeing huge numbers of "remittance advice" emails containing boobytrapped documents sailing past clamav (and obviously also spamassassin and spamdyke).

They also seem to frequently elude the AV on client PCs.

Has anybody had any luck mitigating this issue? Any tips?


Edit: also "your energy bill" type emails with similar booby-trapped documents (and I hear there's also something similar regarding water bills or water air or something like that though I've not seen these on our systems).


Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: remittance advice trojans

Unread post by mikeshinn »

Could you send us some of these for our malware team to examine?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: remittance advice trojans

Unread post by faris »

OK. I only have one handy at the moment. I'll zip it and raise a case.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: remittance advice trojans

Unread post by faris »

OK. Case 40372 contains the one I have handy.

I'll add more as they come in.

Faris.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: remittance advice trojans

Unread post by scott »

Another thought I had on this: are those emails coming from IPs we might already track in the Threat Intelligence system?

You can look them up here: http://atomicrbl.com/lookup/

The T.I. is implemented as an RBL, and while we've never tried this in an anti-spam context, there's nothing that would prevent you from using it that way.
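For anyone wanting to wire an RBL into their own mail pipeline the way scott suggests, here is an added example of the DNSBL lookup itself (my own illustration, not Atomicorp's code). The page only gives the web lookup form, so the zone name `rbl.example.invalid` is a placeholder, and the fake resolver is constructed data so the example runs offline; it also handles IPv6 nibble reversal per RFC 5782, which goes beyond the IPv4-only case in this thread.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Placeholder zone: the thread links only to http://atomicrbl.com/lookup/,
# a web form, so the real DNS zone name (if any) is NOT known from the page.
TI_ZONE = "rbl.example.invalid"

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 or IPv6 sender address.

    IPv4: octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>
    IPv6: every hex nibble of the fully expanded address, reversed and
    dot-separated (RFC 5782 convention).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def dns_resolve(name: str) -> Optional[str]:
    """Real resolver: NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str], resolve: Resolver = dns_resolve) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists ip.

    A DNSBL listing is conventionally an A record in 127.0.0.0/8 whose low
    octets encode the reason; any other answer (e.g. a captive resolver or a
    wildcarded expired zone) is ignored rather than treated as a hit.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits[zone] = answer
    return hits


# Constructed sample data standing in for DNS so the example runs offline.
_FAKE_ZONE = {"10.2.0.192." + TI_ZONE: "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return _FAKE_ZONE.get(name)
```

Feeding the connecting IP (not an internal relay hop) into `check_ip` with several zones is the same check spamdyke and SpamAssassin perform against their configured RBLs.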
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: remittance advice trojans

Unread post by faris »

None of them are in the TI RBL, although three of the five samples I submitted came from IPs that had been seen (once each) mid-December by the TI system.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: remittance advice trojans

Unread post by faris »

Another interesting thing about them is that they come from IPs listed as static, not dynamic, ranges. So spamdyke is letting them in. They don't appear on any anti-spam RBLs I use (the bigger ones).
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: remittance advice trojans

Unread post by faris »

Any luck with this? Was what I was able to give you useful enough to work with?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: remittance advice trojans

Unread post by mikeshinn »

New heuristics rules added and pushed today for this type.