
Wednesday 3 February 2016

Here's what could be done about the malware

I was sent four copies of this. When I uploaded it to VirusTotal, 7 out of 53 products flagged it as a JavaScript trojan.

But one of the emails I got was very interesting.

The subject of three of the emails was: "1/24/2016 10:42:18 AM" (or a similar date and time). The fourth one said "[WARNING: VIRUS REMOVED] 2/2/2016 7:59:52 AM". So I looked at the header.

Received: from ipb4.telenor.se (ipb4.telenor.se [195.54.127.167])       by
 smtprelay-h12.telenor.se (Postfix) with ESMTP id 66690E996D;   Wed,
 3 Feb 2016 08:04:50 +0100 (CET)
X-Sender-Ip: [83.227.178.74]
X-Listener: [smtp.bredband.net]
X-Ironport-Anti-Spam-Filtered: true
X-Ironport-Anti-Spam-Result:
    A2Dr/5mKU7BWPEqy41MoGxsZAQECBwQBAgYBAQEBgVkBAQMCgSAFSodWgXica5R2AQFfgQ8TgxaCYwECYR46Pg8BAQEB
    AQEBBgEBAQFBKxSCHoIyEQozLgoJAQIDKw4CBCsMChoBGgmHC30GAQECrwuPEAiGDokAgmorgQ8BBASUI4JDBwGCeYFj
    Lpcxjj0COAEBAYFpAYIqilUBAQE
X-Ipas-Result:
    A2Dr/5mKU7BWPEqy41MoGxsZAQECBwQBAgYBAQEBgVkBAQMCgSAFSodWgXica5R2AQFfgQ8TgxaCYwECYR46Pg8BAQEB
    AQEBBgEBAQFBKxSCHoIyEQozLgoJAQIDKw4CBCsMChoBGgmHC30GAQECrwuPEAiGDokAgmorgQ8BBASUI4JDBwGCeYFj
    Lpcxjj0COAEBAYFpAYIqilUBAQE
X-Suspected-Spam: Yes
X-Ironport-Av: E=Sophos;i="5.22,384,1449529200";  
    d="js'?zip'48?scan'48,208,217,48";a="174043015"
X-Ironport-Av: E=Sophos;i="5.22,388,1449529200";    v="Mal/DrodZp-A'5'rd";
    d="txt'?js'?zip'48?scan'48,48,217,208";a="174043015"
Subject: [WARNING: VIRUS REMOVED] =?ISO-8859-1?Q?2=2F2=2F2016_7=3A59=3A52_AM?=
Received: from ua-83-227-178-74.cust.bredbandsbolaget.se (HELO
 server.herdevall.se) ([83.227.178.74]) by ipb4.telenor.se with ESMTP;
 02 Feb 2016 07:59:59 +0100
Received: from localhost (localhost [127.0.0.1])        by server.herdevall.se
 (Postfix) with ESMTP id 8BB8725A26CF;  Tue,  2 Feb 2016 07:59:55 +0100
 (CET)
X-Virus-Scanned: amavisd-new at herdevall.se
Received: from server.herdevall.se ([127.0.0.1])        by localhost
 (server.herdevall.se [127.0.0.1]) (amavisd-new, port 10024)    with ESMTP id
 0jsyqQDombg1; Tue,  2 Feb 2016 07:59:55 +0100 (CET)
Received: from xserver.herdevall.se (unknown [196.207.125.196]) by
 server.herdevall.se (Postfix) with ESMTPA id 99ADD25A26B7;     Tue,
 2 Feb 2016 07:59:53 +0100 (CET)
Message-ID: <7EF36DC57E64B760EC095A34D9E9D172@xserver.herdevall.se>
From: "micheline101" <micheline101@herdevall.se>


Yes, I know it's gibberish, but let me explain it. Received: lines are read from the bottom up, because every server that handles a message adds its own line at the top, above everything that was already there. The bottom line shows the message being handed to server.herdevall.se by a machine calling itself xserver.herdevall.se, but actually connecting from 196.207.125.196, an address with no reverse DNS ("unknown"), and logging in with SMTP authentication (ESMTPA). That is what it looks like when someone other than the account's owner has the password for micheline101@herdevall.se, although the header on its own can't prove it. That server's own scanner (amavisd-new, per the X-Virus-Scanned line) let the message through. It then went out via Telenor's mail relay (the herdevall.se server connected from a cust.bredbandsbolaget.se address to ipb4.telenor.se), and it was that gateway, an IronPort appliance running the Sophos engine, that spotted the malware. The two X-Ironport-Av lines (E=Sophos, version string 5.22,388,1449529200, verdict v="Mal/DrodZp-A") sit directly above the "by ipb4.telenor.se" Received: line, which is how you tell which server added them. On one of the other copies, where nothing had been removed, VirusTotal listed Sophos among the products that detected it.

So the gateway removed the malware before relaying the email on, and put [WARNING: VIRUS REMOVED] in the subject; the rewritten Subject: line sits among the IronPort headers too.
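The header reading above can be done mechanically. The following is an added example for this post, not code from the original page: it walks the Received: chain bottom-up, pulls out the origin hop (peer address, reverse DNS, whether SMTP AUTH was used), and attributes each X-Ironport-Av / X-Virus-Scanned header to the server that stamped it by looking for the first Received: line below it. SAMPLE_HEADERS is a constructed, abridged copy of the header block quoted above (same hops and X-Ironport-Av lines, body omitted); the field names in the returned dicts are my own.

```python
"""Walk a message's Received: chain and attribute the AV verdict headers
to the hop that added them.  Added example for this post, not code from
the original page.  SAMPLE_HEADERS is a constructed, abridged copy of the
header block quoted in the post; dict keys and field names are my own."""
import email
import re
from email import policy

SAMPLE_HEADERS = b"""Received: from ipb4.telenor.se (ipb4.telenor.se [195.54.127.167]) by
 smtprelay-h12.telenor.se (Postfix) with ESMTP id 66690E996D; Wed,
 3 Feb 2016 08:04:50 +0100 (CET)
X-Sender-Ip: [83.227.178.74]
X-Ironport-Av: E=Sophos;i="5.22,384,1449529200";
    d="js'?zip'48?scan'48,208,217,48";a="174043015"
X-Ironport-Av: E=Sophos;i="5.22,388,1449529200";    v="Mal/DrodZp-A'5'rd";
    d="txt'?js'?zip'48?scan'48,48,217,208";a="174043015"
Subject: [WARNING: VIRUS REMOVED] =?ISO-8859-1?Q?2=2F2=2F2016_7=3A59=3A52_AM?=
Received: from ua-83-227-178-74.cust.bredbandsbolaget.se (HELO
 server.herdevall.se) ([83.227.178.74]) by ipb4.telenor.se with ESMTP;
 02 Feb 2016 07:59:59 +0100
Received: from localhost (localhost [127.0.0.1]) by server.herdevall.se
 (Postfix) with ESMTP id 8BB8725A26CF; Tue,  2 Feb 2016 07:59:55 +0100
 (CET)
X-Virus-Scanned: amavisd-new at herdevall.se
Received: from server.herdevall.se ([127.0.0.1]) by localhost
 (server.herdevall.se [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 0jsyqQDombg1; Tue,  2 Feb 2016 07:59:55 +0100 (CET)
Received: from xserver.herdevall.se (unknown [196.207.125.196]) by
 server.herdevall.se (Postfix) with ESMTPA id 99ADD25A26B7; Tue,
 2 Feb 2016 07:59:53 +0100 (CET)
From: "micheline101" <micheline101@herdevall.se>

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s*(?P<peer>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Collapse RFC 5322 folding whitespace so one regex sees the whole field."""
    return re.sub(r"\s+", " ", str(value)).strip()


def parse_received(value):
    """Pull the fields a triage needs out of one Received: header."""
    text = unfold(value)
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    proto = re.search(r"\bwith\s+(\S+)", text)
    proto = proto.group(1).upper() if proto else ""
    ip = IP_RE.search(m.group("peer"))
    return {
        "name": m.group("name"),              # HELO name, or rDNS of the peer
        "peer_ip": ip.group(1) if ip else None,
        "rdns_unknown": m.group("peer").lower().startswith("(unknown "),
        "by": m.group("by"),
        "proto": proto,
        # RFC 3848: a trailing A (ESMTPA, ESMTPSA) means SMTP AUTH succeeded
        "authenticated": proto.endswith("A"),
    }


def analyse(raw):
    """Return origin hop, transit path and which server stamped each AV header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    items = [(name.lower(), value) for name, value in msg.items()]

    def stamped_by(index):
        # A server prepends its own headers above the Received: line it wrote,
        # so the first Received: *below* a header names the host that added it.
        for name, value in items[index + 1:]:
            if name == "received":
                hop = parse_received(value)
                return hop["by"] if hop else None
        return None

    hops, verdicts = [], []
    for i, (name, value) in enumerate(items):
        if name == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
        elif name == "x-ironport-av":
            text = unfold(value)
            engine = re.search(r"E=(\w+)", text)
            verdict = re.search(r'v="([^"]+)"', text)   # absent when nothing was found
            verdicts.append({"scanner": engine.group(1) if engine else "?",
                             "verdict": verdict.group(1) if verdict else None,
                             "gateway": stamped_by(i)})
        elif name == "x-virus-scanned":
            verdicts.append({"scanner": unfold(value), "verdict": None,
                             "gateway": stamped_by(i)})

    hops.reverse()  # Received: lines are prepended, so the bottom one is the first hop
    return {"subject": str(msg["subject"]), "origin": hops[0] if hops else None,
            "hops": hops, "verdicts": verdicts}


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADERS)
    o = report["origin"]
    print("origin: %s [%s] auth=%s rdns_unknown=%s"
          % (o["name"], o["peer_ip"], o["authenticated"], o["rdns_unknown"]))
    for h in report["hops"]:
        print("  -> %s (%s)" % (h["by"], h["proto"]))
    for v in report["verdicts"]:
        if v["verdict"]:
            print("%s at %s flagged: %s" % (v["scanner"], v["gateway"], v["verdict"]))
    print("subject now:", report["subject"])
```

Two points the output makes concrete: the only hop that used SMTP AUTH is the first one, from the "unknown" address, and the only verdict with a detection name is attributed to ipb4.telenor.se, not to either herdevall.se hop. Received: headers below the first server you trust can be forged by the sender, so the origin fields are evidence to investigate, not proof.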

This is more like it! The malware was removed on the sending side, before it had even crossed the internet. But it's just a start. Here's what I think should happen.

1) More ISPs should be doing something like this, both at source (outbound mail) and at destination (inbound mail).
2) Any attached file that is just JavaScript should be removed, whether it is bare or inside a zip. I can't think of a legitimate reason why anyone would email a zipped JavaScript file.
3) And with a bit of thought, a whole bunch of other categories of malware can be stripped out.
4) For example, any PDF file carrying the malformation that a known exploit needs in order to trigger should be stripped out.
5) Any Word or Excel file should have its macros stripped out.
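Rules 2 and 5 are the ones a gateway can apply without a signature, because they are about what the attachment is rather than what it does. The following is an added example for this post, not code from the original page or from any gateway product: it classifies an attachment by content, opening zips (including zip-in-zip, to a bounded depth) to find script files, and opening Office OOXML packages to see whether they carry a VBA project rather than trusting the .docm/.xlsm extension. The rule set (the post names only .js; the other script extensions are an assumption of this example), the verdict strings, and the sample attachments built by make_zip() are all constructed here. The PDF-malformation rule of point 4 is not attempted.

```python
"""Decide, per attachment, whether a gateway should strip it under the
rules proposed in the post.  Added example, not code from the original
page.  Rule set, verdict strings and samples are this example's own."""
import io
import os
import zipfile

# Script types commonly mailed as "documents".  The post names only .js;
# the rest are an assumption of this example.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MAX_NESTING = 2               # how deep to open zip-in-zip
MAX_INNER_BYTES = 5_000_000   # refuse to inflate larger nested archives (zip-bomb guard)


def ext_of(name):
    return os.path.splitext(name)[1].lower()


def _classify_archive(z, depth):
    names = z.namelist()
    if "[Content_Types].xml" in names:       # OOXML package (.docx/.xlsx/.docm/...)
        # Macro-enabled files carry a VBA project part.  The extension may lie,
        # so look for the part rather than trusting .docm/.xlsm.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "strip:ooxml-macro"
        return "pass"
    for info in z.infolist():                # ordinary archive: inspect members
        inner = info.filename
        if ext_of(inner) in SCRIPT_EXTS:
            return "strip:zipped-script"
        if ext_of(inner) == ".zip" and depth < MAX_NESTING:
            if info.file_size > MAX_INNER_BYTES:
                return "review:oversized-nested-zip"
            verdict = classify(inner, z.read(info), depth + 1)
            if verdict != "pass":
                return verdict
    return "pass"


def classify(filename, data, depth=0):
    """Return 'pass', or a 'strip:<why>' / 'review:<why>' verdict."""
    if ext_of(filename) in SCRIPT_EXTS:
        return "strip:script"
    if data.startswith(OLE_MAGIC):
        # Binary Office formats need an OLE parser (olefile / oletools) to find
        # macros; this example just routes them for manual review.
        return "review:ole-binary"
    if not data.startswith(b"PK"):
        return "pass"                        # not an archive, nothing to open
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return _classify_archive(z, depth)
    except zipfile.BadZipFile:
        return "review:unreadable-zip"       # claims to be a zip but won't open


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples; contents are placeholders, not real malware.
JS_BODY = b"var sh = new ActiveXObject('WScript.Shell');"
JS_ZIP = make_zip({"invoice.js": JS_BODY})
NESTED_ZIP = make_zip({"inner.zip": JS_ZIP})
DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
DOCM = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                 "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8})
OLD_DOC = OLE_MAGIC + b"\x00" * 504

SAMPLES = [("invoice.js", JS_BODY), ("invoice.zip", JS_ZIP), ("bundle.zip", NESTED_ZIP),
           ("report.docx", DOCX), ("report.docx", DOCM), ("old.doc", OLD_DOC),
           ("notes.txt", b"just text")]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print("%-12s %s" % (name, classify(name, data)))
```

The second report.docx sample is a macro-carrying package renamed to a harmless extension; it is still caught because the check is on the vbaProject.bin part, not the name. Archives that cannot be opened, and legacy binary Office files, go to review rather than silently passing, which is the safe default at a boundary.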


8 comments:

  1. You are too keen Dr. Surely most good excel files will have macros in them legitimately? Mind you, you could strip out every attachment until the recipient has accepted the sender as friendly.

    ReplyDelete
  2. I don't know. I don't do macros much, but I suppose some people do. I have no idea how prevalent they are.

    But I would imagine that most emails of spreadsheets with macros are sent and received on the internal network? So a macro stripper at the boundary would be good, and if you really did want to get one in from outside, you'd ask the IT people to make an exception for that one.

    ReplyDelete
  3. Hello Dr Solomon. Very long time since you came to my apt in NYC prior to our selling your superb product to Merrill Lynch. Graham pointed me to this site. Glad to see you still active. -- --Norman Hirsch. NH&A.

    ReplyDelete
  5. Well I never - Alan, I thought you'd dropped off the face of the planet after S&S! Hope you, Susan and the girls (young women now!) are all doing well.

    ReplyDelete
  6. Be that as it may, if the System gets to be temperamental, it is conceivable to dependably return towards the old name expansion. Download and run a registry scanner. Ordinarily malwarebytes will dispose of practically everything except for normally on the off chance that you have One bit of spyware or malware you could wind up with additional. adware removal

    ReplyDelete