[sanesecurity] Re: Blocking the "here you have" malware payload

> The run is actually already over. The malware was discovered on 8
> Sept. and the offending URLs were taken offline one day later.

Yes, it seems to be over "for the moment", but since the whole
blob of stuff is still floating around I doubt it really disappeared.

> As for the signature, there is no sample needed as the regex just
> checks for links to files with executable extensions of several sorts.

Exactly.

> However, I already had a similar signature in place some time ago
> and it was causing false positives in HTML.

That's why I wrote "test or experimental signature", see, I was
wondering about false positives.

> Alternatively "MailFollowURLs" could be enabled in clamd.conf.

Heh... not really a viable alternative if you're running ClamD on
a quite busy mailserver; the "follow" may slow things down
quite a lot and probably cause a number of problems. Sure,
it may be handled by a "postqueue" scanning process, but
not everybody has things set up that way.
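As an added illustration (not a signature from this list or from Sanesecurity), a Python sketch of the idea discussed above: flag links by the extension of the URL path rather than by a raw substring, which is one way a looser pattern can fire on ordinary HTML. The extension list, the function names and the two sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed list of "executable extensions of several sorts"; the real
# signature's list is not given in the thread.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

# Rough URL matcher: stops at whitespace, quotes and angle brackets so it
# works on both plain-text bodies and HTML href attributes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def executable_links(body: str) -> list:
    """Return URLs whose *path* ends in an executable extension.
    Parsing the URL means the host name and the query string are not
    considered, so a .com domain or ?name=tool.exe does not count."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing punctuation from prose
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            hits.append(url)
    return hits


def naive_hit(body: str) -> bool:
    """Looser check comparable to a plain substring signature: fires when
    an executable extension appears anywhere inside a URL string."""
    return any(
        ext in url.lower()
        for url in URL_RE.findall(body)
        for ext in EXECUTABLE_EXTENSIONS
    )


# Constructed samples (not real messages from the outbreak).
LURE = "Hello, here you have the document:\nhttp://example.com/files/document.scr\n"
LEGIT_HTML = ('<html><body><a href="https://example.com/download?name=tool.exe&amp;v=2">'
              'Download</a></body></html>')

if __name__ == "__main__":
    for label, body in (("lure", LURE), ("legit html", LEGIT_HTML)):
        print(label, "path check:", executable_links(body), "naive:", naive_hit(body))
```

The legitimate HTML sample trips the naive check twice (".com" in the host, ".exe" in the query) while the path-based check stays quiet, which is the kind of false positive the thread is worried about.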
