We have been seeing huge numbers of "remittance advice" emails containing booby-trapped documents sailing past clamav (and obviously also spamassassin and spamdyke).
They also seem to frequently elude the AV on client PCs.
Has anybody had any luck mitigating this issue? Any tips?
Edit: also "your energy bill" type emails with similar booby-trapped documents (and I hear there's also something similar regarding water bills or water air or something like that though I've not seen these on our systems).
Faris.
remittance advice trojans
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: remittance advice trojans
Could you send us some of these for our malware team to examine?
Michael Shinn
Atomicorp - Security For Everyone
Re: remittance advice trojans
OK. I only have one handy at the moment. I'll zip it and raise a case.
Re: remittance advice trojans
OK. Case 40372 contains the one I have handy.
I'll add more as they come in.
Faris.
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: remittance advice trojans
Another thought I had on this, are those emails coming from IPs we might already track in the Threat Intelligence system?
You can look them up here: http://atomicrbl.com/lookup/
The T.I. is implemented as an RBL, and while we've never tried this in an anti-spam context, there's nothing that would prevent you from using it that way.
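Since the T.I. list is a plain DNS-based RBL, a mail filter consults it the same way it would any DNSBL: reverse the octets of the connecting IP, append the list's zone, and treat an A record answer as "listed". The block below is an added example (not Atomicorp's code and not from this thread) of that lookup applied to the first external hop in a message's Received: headers. The zone name `rbl.example.invalid`, the sample headers and the stub resolver are all constructed for illustration; the real zone name for the Atomicorp list is not given in the thread, so it is not assumed here.

```python
"""DNSBL lookup of a message's connecting IP, the way a filter such as
spamassassin or spamdyke would use an RBL.  Added example; the zone, the
sample headers and the resolver are constructed placeholders."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# ASSUMPTION: placeholder zone name, not the real Atomicorp T.I. zone.
RBL_ZONE = "rbl.example.invalid"

# Internal relays we want to skip when looking for the sender's MTA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# A resolver maps a DNS name to its A record, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBL convention: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are shown in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_listed(ip: str, resolver: Resolver, zone: str = RBL_ZONE) -> Optional[str]:
    """Return the A record (e.g. 127.0.0.2) when the IP is listed, else None."""
    return resolver(rbl_query_name(ip, zone))


def unfold(raw_headers: str) -> List[str]:
    """RFC 5322 unfolding: a line starting with whitespace continues the previous one."""
    lines: List[str] = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


RECEIVED_RE = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)


def connecting_ips(raw_headers: str) -> List[str]:
    """Bracketed client IPs from every Received: header, most recent hop first."""
    return [m.group(1) for m in map(RECEIVED_RE.match, unfold(raw_headers)) if m]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def first_external_hop(raw_headers: str) -> Optional[str]:
    """The connecting IP of the first hop that is not one of our own relays."""
    for ip in connecting_ips(raw_headers):
        if not is_internal(ip):
            return ip
    return None


def check_message(raw_headers: str, resolver: Resolver) -> Dict[str, Optional[str]]:
    ip = first_external_hop(raw_headers)
    listed = rbl_listed(ip, resolver) if ip else None
    return {"ip": ip, "listed": listed}


# Constructed sample: an internal relay hop on top of the edge MTA's hop.
SAMPLE_HEADERS = (
    "Received: from mailstore.internal (mailstore.internal [10.0.0.5])\n"
    "    by mx1.example.invalid with ESMTP id 1\n"
    "Received: from smtp.sender.invalid (HELO smtp.sender.invalid) [192.0.2.77]\n"
    "    by edge.example.invalid with SMTP\n"
    'From: "Accounts Payable" <accounts@sender.invalid>\n'
    "Subject: Remittance Advice\n"
)

# Constructed stub standing in for DNS: only one address is "listed".
SAMPLE_RBL: Dict[str, str] = {"77.2.0.192." + RBL_ZONE: "127.0.0.2"}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_RBL.get(name)


if __name__ == "__main__":
    print(check_message(SAMPLE_HEADERS, sample_resolver))
```

In a real deployment the `resolver` argument would be a function that calls `socket.gethostbyname(name)` and returns `None` on `socket.gaierror` (the NXDOMAIN case), or a dnspython query if you also want the TXT reason record. Note that the lookup is keyed on the IP that connected to your edge MTA, which is exactly the hop spamdyke sees; as the later reply in this thread points out, a sender on a static range that no list has yet scored will still pass.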
Re: remittance advice trojans
None of them are in the TI RBL, although three of the five samples I submitted came from IPs that had been seen (once each) mid-December by the TI system.
Re: remittance advice trojans
Another interesting thing about them is that they come from IPs listed as static, not dynamic ranges. So spamdyke is letting them in. They don't appear on any anti-spam RBLs I use (the bigger ones).
Re: remittance advice trojans
Any luck with this? Was what I was able to give you useful enough to work with?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: remittance advice trojans
New heuristics rules added and pushed today for this type.
Michael Shinn
Atomicorp - Security For Everyone