Re: [swinog] New .exe virus in.zip file via mail

2015-04-24 Threads Daniel Rechsteiner

Hi Benoit,

> We see a lot of such viruses at the moment.
>
> Clamav is desperately behind all other AV's at the moment...

We see them too. It seems Upatre is morphing very quickly, so signature
based AV solutions will always be behind. Here Cloudmark recognizes new
variants of Upatre in about one hour after the first one arrives, but in
that one hour lots of them arrive. So we decided to just block all
emails with EXE-in-ZIP attachments.


Daniel

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
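The EXE-in-ZIP block Daniel describes, as an added example that is not code from this thread or from any poster: a Python filter that opens every ZIP attachment of a message and rejects the mail when an entry has an executable extension or begins with the DOS "MZ" header, so it goes a step beyond a pure extension rule by also catching a renamed executable and archives nested inside archives. The extension list, the size and depth bounds, and the constructed sample mail are assumptions.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumed list

def zip_has_executable(data: bytes, depth: int = 0) -> bool:
    """True if the ZIP (or a ZIP nested in it) holds a Windows executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    for info in zf.infolist():
        if info.filename.lower().endswith(EXEC_EXTENSIONS):
            return True  # blocked by extension, as Daniel's policy does
        try:
            with zf.open(info) as fh:
                head = fh.read(4)
        except RuntimeError:  # password-protected entry: content not inspectable
            continue
        if head.startswith(b"MZ"):
            return True  # DOS/PE magic: a renamed .exe (e.g. photo.jpg) is still caught
        # Nested archive: recurse, bounded in depth and size against zip bombs
        if head.startswith(b"PK") and depth < 3 and info.file_size <= 20_000_000:
            if zip_has_executable(zf.read(info), depth + 1):
                return True
    return False

def message_has_exe_in_zip(raw: bytes) -> bool:
    """Parse a raw RFC 5322 message and inspect every ZIP-looking attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload.startswith(b"PK") and zip_has_executable(payload):
            return True
    return False

def make_zip(entries: dict) -> bytes:  # build an in-memory ZIP from {name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample(zip_bytes: bytes, zip_name: str = "Quote.zip") -> bytes:
    """Constructed test mail with one ZIP attachment (not a real malware sample)."""
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Wired into an MTA content filter, a True result is the signal to reject or quarantine the mail; password-protected entries cannot be inspected and are left to the extension check alone.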


Re: [swinog] New .exe virus in.zip file via mail

2015-04-24 Threads Benoit Panizzon
We see a lot of such viruses at the moment.

Clamav is desperately behind all other AV's at the moment...

Example:
https://www.virustotal.com/de/file/bf84db71be81fa27d0d796d000347d47ef0dcd814062663d556726bf15e15678/analysis/1429864439/

Known since at least one week. Clamav still does not recognize it.

I have submitted the sample to the clamav team directly now.

Kind regards

Benoit Panizzon
-- 
I m p r o W a r e   A G
__

Zurlindenstrasse 29   Tel  +41 61 826 93 07
CH-4133 Pratteln      Fax  +41 61 826 93 02
Switzerland           Web  http://www.imp.ch
__




Re: [swinog] New .exe virus in.zip file via mail

2015-04-17 Threads Roger Buchwalder
Hi all

Regarding AV: have a look at Palo Alto's "Trap" some time.
Very nice idea..

Greetings
rog

> On 16.04.2015 at 16:54, Mike Kellenberger wrote:
> 
> Hi all
> 
> I've been contacted by a couple of customers which caught a new virus in the 
> last few days, sent by e-mail in a .zip file containing an .exe. (yes, there 
> are still people out there who open these kind of attachments if they come 
> from a known address)
> 
> The .zip file passes our AV on the mailserver (Kaspersky) as well as our 
> desktop AV (Symantec) with the newest definitions.
> 
> Once infected, it spreads via e-mail (probably through the outlook e-mail 
> profile, it authenticates nicely against our mailserver anyway) blasting out 
> hundreds of mails in a single short session only to sleep again until the 
> next day...
> 
> Has anybody else seen this? Is there a name or details or cure for it yet?
> 
> Regards,
> 
> Mike
> 
> -- 
> Mike Kellenberger | Escapenet GmbH
> www.escapenet.ch
> +41 52 235 0700/04
> Skype mikek70atwork
> 
> 
> 




Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Viktor Steinmann

On 17.04.2015 08:11, Slavo Greminger wrote:

> So, what can you do?

Blocking all non-allowed executables on Windows is a good start
(whitelist approach). Well, maybe not for home-users, but in an office
environment this makes absolute sense. Google for Applocker.


Kind regards,
Viktor




Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Slavo Greminger
Dear all

This is Upatre downloading Dyre, a banking trojan. The Dyre here is part
of a campaign "UK21" targeting several hundred banks worldwide.


Upatre is a specialized downloader, bypassing all AV engines around for
a couple of hours. It does download Dyre and shows a decoy pdf to the
user. After AV catches up, Upatre will change its structure to bypass
detection again. So, what can you do? Blocking some file extensions of
email attachments at the perimeter; however, this can easily be circumvented
by the adversaries. And, of course, build user awareness.

On the network side, blocking outgoing SMTP (also a good measure to
detect infected client machines) and spam filtering outgoing mails on
your MTAs may be effective measures.

Kind regards,
Slavo


On 16.04.15 17:07, Mike Kellenberger wrote:
> Thanks for the tip, Steven.
> 
> https://www.virustotal.com/en/file/6159e15c7a5401ba8e7708755b75ce5bb911cb1dbe15253c13a06b4c0f35e5e3/analysis/1429196664/
> 
> 
> Kaspersky should detect it now - time to force a definition update...
> 
> Regards,
> 
> Mike
> 


-- 
SWITCH
Slavo Greminger, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 15 45
slavo.gremin...@switch.ch, http://www.switch.ch

Security-Blog: http://securityblog.switch.ch




Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Rainer Duffner

> On 16.04.2015 at 16:54, Mike Kellenberger <mailto:mike.kellenber...@escapenet.ch> wrote:
> 
> Hi all
> 
> I've been contacted by a couple of customers which caught a new virus in the 
> last few days, sent by e-mail in a .zip file containing an .exe. (yes, there 
> are still people out there who open these kind of attachments if they come 
> from a known address)
> 
> The .zip file passes our AV on the mailserver (Kaspersky) as well as our 
> desktop AV (Symantec) with the newest definitions.
> 
> Once infected, it spreads via e-mail (probably through the outlook e-mail 
> profile, it authenticates nicely against our mailserver anyway) blasting out 
> hundreds of mails in a single short session only to sleep again until the 
> next day...
> 
> Has anybody else seen this? Is there a name or details or cure for it yet?


virustotal will tell you a name, which you can google.

Antivirus is a bit of a placebo and snake oil - but surprisingly, a lot of 
people still believe in its value for them while the only value it really has 
is for those who sell signature-updates...

I’m pretty sure you can also block exe’s in zips - AFAIK, google has recently 
started blocking exes, too.

https://support.google.com/mail/answer/6590?hl=en 


Bugs in "popular" office-productivity software would in practice require
blocking .doc, .xsl, .ppt etc.
So, it's not usually done.

I’d be glad that the thing was so noisy. If it was an APT-style attack, you’d 
only realize it months later (or not at all, until MELANI and SWITCH contact 
you, or worse: the press).
Or maybe there’s an APT going on in the background and this was only the decoy 
;-)






Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Serge Droz
Hi Mike

recently Geodo was doing this in Switzerland. Direct your customers to
https://www.swiss-isa.ch/en/security-check/

and ask them to go through the check. There is a "second opinion"
scanner in the test, which detects and cleans a lot of stuff AV does not
yet see.

Could you send me one of the exe's? I'd like to run them through our
analysis system.

Cheers
Serge

On 16.4.15 16:54 , Mike Kellenberger wrote:
> Hi all
> 
> I've been contacted by a couple of customers which caught a new virus in
> the last few days, sent by e-mail in a .zip file containing an .exe.
> (yes, there are still people out there who open these kind of
> attachments if they come from a known address)
> 
> The .zip file passes our AV on the mailserver (Kaspersky) as well as our
> desktop AV (Symantec) with the newest definitions.
> 
> Once infected, it spreads via e-mail (probably through the outlook
> e-mail profile, it authenticates nicely against our mailserver anyway)
> blasting out hundreds of mails in a single short session only to sleep
> again until the next day...
> 
> Has anybody else seen this? Is there a name or details or cure for it yet?
> 
> Regards,
> 
> Mike
> 


-- 
SWITCH
---
Dr. Serge Droz, Head Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.d...@switch.ch, http://www.switch.ch
Security-News: http://securityblog.switch.ch




Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Markus Wild
Ciao Mike

> > I've been contacted by a couple of customers which caught a new virus in 
> > the last few days, sent by e-mail in
> > a .zip file containing an .exe. (yes, there are still people out there who 
> > open these kind of attachments if they
> > come from a known address)
> > Has anybody else seen this? Is there a name or details or cure for it yet?

I've seen multiple of these, the first one had "Re: Quote" as Subject, the
other one "My photo". Guess which one was opened more *g*

When I checked them, VirusTotal only knew about them for a few minutes, and
just 3 or so AV recognized them. One of the names given was
"Packer.W32.Krap" (the Quote thing), the "my photo" went
"Win32.Trojan.Inject.Auto". I'd assume these viruses are now part of official
signatures, but if it helps, I've appended the two custom signatures I created
for clamav. I've recently seen quite a few 0-day virus outbreaks, where classic
signature based AV engines are bound to take a while to pick up on them. It
helps if you check with multiple products, but you can't really get
recognition up to 100%, that's just not feasible.

Cheers,
Markus

customsig.ndb
Description: Binary data



Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads naz
Hello all,

Steven is right, at the moment only four AVs are recognizing it.

I think that for this kind of stuff a clamav is efficient as you can add signatures within minutes.

Best regards,

Naz

It is a kingly thing to be repaid with slander for good deeds [Marc Aurele]

From: Steven Glogger
Sent: Thursday, 16 April 2015 17:03
To: Mike Kellenberger
Cc: swi...@swinog.ch
Subject: Re: [swinog] New .exe virus in.zip file via mail

hey mike,

hm… try to upload the exe to www.virustotal.com
maybe you get some more information about the name and so on …
good luck,

-steven

On 16.04.2015 at 16:54, Mike Kellenberger wrote:

Hi all

I've been contacted by a couple of customers which caught a new virus in the last few days, sent by e-mail in a .zip file containing an .exe. (yes, there are still people out there who open these kind of attachments if they come from a known address)

The .zip file passes our AV on the mailserver (Kaspersky) as well as our desktop AV (Symantec) with the newest definitions.

Once infected, it spreads via e-mail (probably through the outlook e-mail profile, it authenticates nicely against our mailserver anyway) blasting out hundreds of mails in a single short session only to sleep again until the next day...

Has anybody else seen this? Is there a name or details or cure for it yet?

Regards,

Mike

-- 
Mike Kellenberger | Escapenet GmbH
www.escapenet.ch
+41 52 235 0700/04
Skype mikek70atwork




Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Mike Kellenberger

Thanks for the tip, Steven.

https://www.virustotal.com/en/file/6159e15c7a5401ba8e7708755b75ce5bb911cb1dbe15253c13a06b4c0f35e5e3/analysis/1429196664/

Kaspersky should detect it now - time to force a definition update...

Regards,

Mike

--
Mike Kellenberger | Escapenet GmbH
www.escapenet.ch
+41 52 235 0700/04
Skype mikek70atwork

On 16.04.2015 17:02, Steven Glogger wrote:

> hey mike,
> 
> hm… try to upload the exe to www.virustotal.com
> maybe you get some more information about the name and so on …
> good luck,
> 
> -steven
> 
> 
> On 16.04.2015 at 16:54, Mike Kellenberger <mailto:mike.kellenber...@escapenet.ch> wrote:
> 
> > Hi all
> > 
> > I've been contacted by a couple of customers which caught a new virus
> > in the last few days, sent by e-mail in a .zip file containing an
> > .exe. (yes, there are still people out there who open these kind of
> > attachments if they come from a known address)
> > 
> > The .zip file passes our AV on the mailserver (Kaspersky) as well as
> > our desktop AV (Symantec) with the newest definitions.
> > 
> > Once infected, it spreads via e-mail (probably through the outlook
> > e-mail profile, it authenticates nicely against our mailserver anyway)
> > blasting out hundreds of mails in a single short session only to sleep
> > again until the next day...
> > 
> > Has anybody else seen this? Is there a name or details or cure for it yet?
> > 
> > Regards,
> > 
> > Mike
> > 
> > --
> > Mike Kellenberger | Escapenet GmbH
> > www.escapenet.ch
> > +41 52 235 0700/04
> > Skype mikek70atwork







Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Steven Glogger
hey mike,

hm… try to upload the exe to www.virustotal.com 
maybe you get some more information about the name and so on …
good luck,

-steven

> On 16.04.2015 at 16:54, Mike Kellenberger wrote:
> 
> Hi all
> 
> I've been contacted by a couple of customers which caught a new virus in the 
> last few days, sent by e-mail in a .zip file containing an .exe. (yes, there 
> are still people out there who open these kind of attachments if they come 
> from a known address)
> 
> The .zip file passes our AV on the mailserver (Kaspersky) as well as our 
> desktop AV (Symantec) with the newest definitions.
> 
> Once infected, it spreads via e-mail (probably through the outlook e-mail 
> profile, it authenticates nicely against our mailserver anyway) blasting out 
> hundreds of mails in a single short session only to sleep again until the 
> next day...
> 
> Has anybody else seen this? Is there a name or details or cure for it yet?
> 
> Regards,
> 
> Mike
> 
> -- 
> Mike Kellenberger | Escapenet GmbH
> www.escapenet.ch
> +41 52 235 0700/04
> Skype mikek70atwork
> 
> 




Re: [swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Matthias Cramer
Hi Mike

We have seen the same. We use ClamAV and it does not detect it either (I 
reported it today to them). Microsoft Security Essentials detects it with the 
newest signatures of today.

Regards

  Matthias

On 16/04/15 16:54, Mike Kellenberger wrote:
> Hi all
> 
> I've been contacted by a couple of customers which caught a new virus in the 
> last few days, sent by e-mail in a .zip file containing an .exe. (yes, there 
> are still people out there
> who open these kind of attachments if they come from a known address)
> 
> The .zip file passes our AV on the mailserver (Kaspersky) as well as our 
> desktop AV (Symantec) with the newest definitions.
> 
> Once infected, it spreads via e-mail (probably through the outlook e-mail 
> profile, it authenticates nicely against our mailserver anyway) blasting out 
> hundreds of mails in a single
> short session only to sleep again until the next day...
> 
> Has anybody else seen this? Is there a name or details or cure for it yet?
> 
> Regards,
> 
> Mike
> 


-- 
Matthias Cramer / mc322-ripe   Senior Network & Security Engineer
iway AG              Phone +41 43 500 
Badenerstrasse 569   Fax   +41 44 271 3535
CH-8048 Zürich       http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E  3959 B62F DF1C 2D20 8250






[swinog] New .exe virus in.zip file via mail

2015-04-16 Threads Mike Kellenberger

Hi all

I've been contacted by a couple of customers which caught a new virus in 
the last few days, sent by e-mail in a .zip file containing an .exe. 
(yes, there are still people out there who open these kind of 
attachments if they come from a known address)


The .zip file passes our AV on the mailserver (Kaspersky) as well as our 
desktop AV (Symantec) with the newest definitions.


Once infected, it spreads via e-mail (probably through the outlook 
e-mail profile, it authenticates nicely against our mailserver anyway) 
blasting out hundreds of mails in a single short session only to sleep 
again until the next day...


Has anybody else seen this? Is there a name or details or cure for it yet?

Regards,

Mike

--
Mike Kellenberger | Escapenet GmbH
www.escapenet.ch
+41 52 235 0700/04
Skype mikek70atwork

