Hi all
I've been contacted by a couple of customers who caught a new virus in the last few days, sent by e-mail in a .zip file containing an .exe. (yes, there are still people out there who open this kind of attachment if it comes from a known address)
The .zip file passes our AV on the mailserver (Kaspersky) as well as our desktop AV (Symantec) with the newest definitions.
Once infected, it spreads via e-mail (probably through the outlook e-mail profile, it authenticates nicely against our mailserver anyway) blasting out hundreds of mails in a single short session only to sleep again until the next day...
Has anybody else seen this? Is there a name or details or cure for it yet?
Regards,
Mike
Hi Mike
We have seen the same. We use ClamAV and it does not detect it either (I reported it to them today). Microsoft Security Essentials detects it with today's newest signatures.
Regards
Matthias
On 16/04/15 16:54, Mike Kellenberger wrote:
hey mike,
hm… try to upload the exe to http://www.virustotal.com/ maybe you get some more information about the name and so on … good luck,
-steven
On 16.04.2015 at 16:54, Mike Kellenberger mike.kellenberger@escapenet.ch wrote:
-- Mike Kellenberger | Escapenet GmbH www.escapenet.ch +41 52 235 0700/04 Skype mikek70atwork
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Thanks for the tip, Steven.
https://www.virustotal.com/en/file/6159e15c7a5401ba8e7708755b75ce5bb911cb1db...
Kaspersky should detect it now - time to force a definition update...
Regards,
Mike
Dear all
This is Upatre downloading Dyre, a banking trojan. The Dyre here is part of a campaign "UK21" targeting several hundred banks worldwide.
Upatre is a specialized downloader, bypassing all AV engines around for a couple of hours. It downloads Dyre and shows a decoy PDF to the user. After AV catches up, Upatre changes its structure to bypass detection again. So, what can you do? Blocking some file extensions of e-mail attachments at the perimeter; however, this can easily be circumvented by the adversaries. And, of course, build user awareness.
On the network side, blocking outgoing SMTP (also a good measure to detect infected client machines) and spam filtering outgoing mails on your MTAs may be effective measures.
Kind regards, Slavo
On 16.04.15 17:07, Mike Kellenberger wrote:
On 17.04.2015 08:11, Slavo Greminger wrote:
So, what can you do?
Blocking all non-allowed executables on Windows is a good start (whitelist approach). Well, maybe not for home users, but in an office environment this makes absolute sense. Google for AppLocker.
Kind regards, Viktor
Ciao Mike
I've been contacted by a couple of customers who caught a new virus in the last few days, sent by e-mail in a .zip file containing an .exe. (yes, there are still people out there who open this kind of attachment if it comes from a known address) Has anybody else seen this? Is there a name or details or cure for it yet?
I've seen several of these; the first one had "Re: Quote" as Subject, the other one "My photo". Guess which one was opened more *g*
When I checked them, VirusTotal had only known about them for a few minutes, and just 3 or so AVs recognized them. One of the names given was "Packer.W32.Krap" (the Quote thing); the "my photo" one went as "Win32.Trojan.Inject.Auto". I'd assume these viruses are now part of official signatures, but if it helps, I've appended the two custom signatures I created for ClamAV. I've recently seen quite a few 0-day virus outbreaks, where classic signature-based AV engines are bound to take a while to pick them up. It helps if you check with multiple products, but you can't really get recognition up to 100%; that's just not feasible.
Cheers, Markus
We see a lot of such viruses at the moment.
ClamAV is desperately behind all other AVs at the moment...
Example: https://www.virustotal.com/de/file/bf84db71be81fa27d0d796d000347d47ef0dcd814...
Known for at least a week. ClamAV still does not recognize it.
I have now submitted the sample to the ClamAV team directly.
Kind regards
Benoit Panizzon
Hi Mike
Recently Geodo was doing this in Switzerland. Direct your customers to https://www.swiss-isa.ch/en/security-check/
and ask them to go through the check. There is a "second opinion" scanner in the test, which detects and cleans a lot of stuff AV does not yet see.
Could you send me one of the exe's? I'd like to run them through our analysis system.
Cheers, Serge
On 16.4.15 16:54, Mike Kellenberger wrote:
On 16.04.2015 at 16:54, Mike Kellenberger <mike.kellenberger@escapenet.ch> wrote:
VirusTotal will tell you a name, which you can google.
Antivirus is a bit of a placebo and snake oil - but surprisingly, a lot of people still believe in its value for them while the only value it really has is for those who sell signature-updates...
I'm pretty sure you can also block exes in zips - AFAIK, Google has recently started blocking exes, too.
https://support.google.com/mail/answer/6590?hl=en
Bugs in "popular" office-productivity software would in practice require blocking .doc, .xsl, .ppt etc. So, it's not usually done.
I'd be glad that the thing was so noisy. If it was an APT-style attack, you'd only realize it months later (or not at all, until MELANI and SWITCH contact you, or worse: the press). Or maybe there's an APT going on in the background and this was only the decoy ;-)
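Slavo's point above (extension blocking at the perimeter is easily circumvented by renaming) and the suggestion to block exes inside zips are two halves of the same check. The following is an added example, not code from the thread or any product mentioned in it: it inspects an attachment archive by both extension and leading bytes, opens nested zips to a fixed depth, and refuses to inflate oversized members. The blocklist, size limits and sample archive are constructed for this example.

```python
import io
import zipfile

# Extensions commonly blocked at the mail perimeter (constructed list for this example).
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # never inflate a member bigger than this
MAX_NESTING = 2                      # how many zip-in-zip levels to open

def inspect_zip(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return (member path, reason) for every member that looks executable.
    Both the extension and the leading bytes are checked, so 'payload.exe'
    renamed to 'photo.jpg' is still flagged; nested zips are opened as well."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = ("." + info.filename.rsplit(".", 1)[-1].lower()) if "." in info.filename else ""
            if ext in BLOCKED_EXT:
                findings.append((path, "blocked extension " + ext))
                continue
            if info.file_size > MAX_MEMBER_BYTES:  # declared size; refuse rather than inflate
                findings.append((path, "too large to inspect"))
                continue
            with zf.open(info) as member:
                data = member.read(4)  # enough for the MZ / PK magic
                if data == b"PK\x03\x04" and depth < MAX_NESTING:
                    data += member.read()  # nested archive: pull the rest for recursion
            if data[:2] == b"MZ":
                findings.append((path, "PE header (MZ) under extension " + (ext or "<none>")))
            elif data[:4] == b"PK\x03\x04" and depth < MAX_NESTING:
                try:
                    findings.extend(inspect_zip(data, depth + 1, path + "!/"))
                except zipfile.BadZipFile:
                    findings.append((path, "zip magic but unreadable archive"))
    return findings

def build_sample() -> bytes:
    """Constructed attachment resembling the thread's lures; stub bytes, not malware."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.scr", b"MZ" + b"\x00" * 64)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("My photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # genuine JPEG magic
        zf.writestr("Quote.pdf.exe", b"MZ" + b"\x00" * 64)               # caught by extension
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 64)                   # PE hiding as an image
        zf.writestr("docs.zip", inner.getvalue())                        # nested archive
    return outer.getvalue()
```

Running `inspect_zip(build_sample())` flags the double-extension member, the renamed PE and the screensaver inside the nested archive, while the genuine JPEG passes.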
Hi all
Regarding AV: have a look at Palo Alto's "Trap" some time. Very nice idea..
Greetings, rog
On 16.04.2015 at 16:54, Mike Kellenberger mike.kellenberger@escapenet.ch wrote: