<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: FakeRean trojan is using the same subject of the latest ZBot variant</title>
	<atom:link href="http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/</link>
	<description>mx lab blog - all about anti virus and anti spam</description>
	<lastBuildDate>Fri, 12 Mar 2010 07:14:13 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: steve</title>
		<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/#comment-13207</link>
		<dc:creator>steve</dc:creator>
		<pubDate>Fri, 26 Feb 2010 16:14:02 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mxlab.eu/?p=568#comment-13207</guid>
		<description>So... how do I get rid of this virus? My Microsoft Essentials detects and gets rid of it, but it comes back at least a dozen times a day. It is slowly chewing up my Outlook program.</description>
		<content:encoded><![CDATA[<p>So&#8230; how do I get rid of this virus? My Microsoft Essentials detects and gets rid of it, but it comes back at least a dozen times a day. It is slowly chewing up my Outlook program.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mxlab</title>
		<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/#comment-12600</link>
		<dc:creator>mxlab</dc:creator>
		<pubDate>Fri, 16 Oct 2009 22:01:36 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mxlab.eu/?p=568#comment-12600</guid>
		<description>From a security standpoint, a zero hour, or 0-day protection, anti virus system is a must have these days. Virus writers are so clever that they can easily fool traditional anti virus engines and can outrun anti virus engines based on AV definitions distributed once an hour. Combined with powerful botnets and the latest techniques they can distribute virus and trojan variants more often. The AV vendors are just catching up on this. Sorry that I have to say this.

We do recommend each and every (potential) client not to look for anything less than a zero hour AV engine. At MX Lab we have such an engine and quite often we see our clients getting protected while others have emails with malicious attachments in their mailbox.

In the early days we had two email security appliances as gateway servers. We received hourly new definitions. In those days we often placed extra filters to block ZIP attachments based on their name to catch a virus. These appliances had 3 layered anti virus engines and they still didn&#039;t catch the malware. Of course, those gateways are ancient history by now.

I can&#039;t confirm that this virus increased in size to 500k because I haven&#039;t intercepted such one yet. What we receive is around 50k. Try to configure your appliance so that it will scan large emails too, but be careful not to overload your systems. Appliances come with hardware that can&#039;t handle heavy loads (limited RAM, older CPU, ...).

At MX Lab we treat everything as suspicious until proven safe, no matter what file size it has. We quite often see spam with file sizes between 150k and 250k.

Good luck in catching them.</description>
		<content:encoded><![CDATA[<p>From a security standpoint, a zero hour, or 0-day protection, anti virus system is a must have these days. Virus writers are so clever that they can easily fool traditional anti virus engines and can outrun anti virus engines based on AV definitions distributed once an hour. Combined with powerful botnets and the latest techniques they can distribute virus and trojan variants more often. The AV vendors are just catching up on this. Sorry that I have to say this.</p>
<p>We do recommend each and every (potential) client not to look for anything less than a zero hour AV engine. At MX Lab we have such an engine and quite often we see our clients getting protected while others have emails with malicious attachments in their mailbox.</p>
<p>In the early days we had two email security appliances as gateway servers. We received hourly new definitions. In those days we often placed extra filters to block ZIP attachments based on their name to catch a virus. These appliances had 3 layered anti virus engines and they still didn&#8217;t catch the malware. Of course, those gateways are ancient history by now.</p>
<p>I can&#8217;t confirm that this virus increased in size to 500k because I haven&#8217;t intercepted such one yet. What we receive is around 50k. Try to configure your appliance so that it will scan large emails too, but be careful not to overload your systems. Appliances come with hardware that can&#8217;t handle heavy loads (limited RAM, older CPU,&#8230;).</p>
<p>At MX Lab we treat everything as suspicious until proven safe, no matter what file size it has. We quite often see spam with file sizes between 150k and 250k.</p>
<p>Good luck in catching them.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nino Papageorgio</title>
		<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/#comment-12599</link>
		<dc:creator>Nino Papageorgio</dc:creator>
		<pubDate>Fri, 16 Oct 2009 20:40:36 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mxlab.eu/?p=568#comment-12599</guid>
		<description>I see that, not sure how I missed it (da) and I agree that it is not a logical defense method. However many spam vendors do not have the 0 day protection in place or may be classifying the threat incorrectly. We have a tool within our spam device that allows the admin to block/drop individual e-mails in the event the spam filter is not catching them.

Block to me is always preferred, as then you don&#039;t run into the issue where a user may think it is legit and try to deliver it to themselves.

This specific one morphed to a new subject around midnight EST on 10/15 that said Microsoft outlook - also it increased in file size from 24k to 500k, bypassing most if not all spam appliances just based on file size attributes. Real crafty!</description>
		<content:encoded><![CDATA[<p>I see that, not sure how I missed it (da) and I agree that it is not a logical defense method. However many spam vendors do not have the 0 day protection in place or may be classifying the threat incorrectly. We have a tool within our spam device that allows the admin to block/drop individual e-mails in the event the spam filter is not catching them.</p>
<p>Block to me is always preferred, as then you don&#8217;t run into the issue where a user may think it is legit and try to deliver it to themselves.</p>
<p>This specific one morphed to a new subject around midnight EST on 10/15 that said Microsoft outlook &#8211; also it increased in file size from 24k to 500k, bypassing most if not all spam appliances just based on file size attributes. Real crafty!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mxlab</title>
		<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/#comment-12583</link>
		<dc:creator>mxlab</dc:creator>
		<pubDate>Wed, 14 Oct 2009 21:03:13 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mxlab.eu/?p=568#comment-12583</guid>
		<description>One more thought regarding spam filters and attachment blockers:

These techniques can stop those emails coming into your mailbox but they are most of the time not doing this in real time. What I mean is that if you build and configure a rule to block messages based on the subject line, you could face new viruses coming through when the email parameters like the subject change.

It is not 100% protection for sure.</description>
		<content:encoded><![CDATA[<p>One more thought regarding spam filters and attachment blockers:</p>
<p>These techniques can stop those emails coming into your mailbox but they are most of the time not doing this in real time. What I mean is that if you build and configure a rule to block messages based on the subject line, you could face new viruses coming through when the email parameters like the subject change.</p>
<p>It is not 100% protection for sure.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mxlab</title>
		<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/#comment-12582</link>
		<dc:creator>mxlab</dc:creator>
		<pubDate>Wed, 14 Oct 2009 21:00:20 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mxlab.eu/?p=568#comment-12582</guid>
		<description>The subject is mentioned in the article. So far we only had one version but it is possible that there are multiple versions going around the world. We can only provide information from our experience.

A possible subject line could be: &quot;The settings for the andre@****.com mailbox&quot; as we&#039;ve seen as a variant on the latest ZBot trojan with similar content but with the difference that the payload is on a malicious host.</description>
		<content:encoded><![CDATA[<p>The subject is mentioned in the article. So far we only had one version but it is possible that there are multiple versions going around the world. We can only provide information from our experience.</p>
<p>A possible subject line could be: &#8220;The settings for the andre@****.com mailbox&#8221; as we&#8217;ve seen as a variant on the latest ZBot trojan with similar content but with the difference that the payload is on a malicious host.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nino Papageorgio</title>
		<link>http://blog.mxlab.eu/2009/10/14/fakerean-trojan-is-using-the-same-subject-of-the-latest-zbot-variant/#comment-12580</link>
		<dc:creator>Nino Papageorgio</dc:creator>
		<pubDate>Wed, 14 Oct 2009 20:48:22 +0000</pubDate>
		<guid isPermaLink="false">http://blog.mxlab.eu/?p=568#comment-12580</guid>
		<description>Love the site, just found it today with the 0 day exploit on 10/14/09. Can you start including subject lines in the spam/virus e-mail you detect? Many spam filters and attachment blockers can query by subject and that would help me and others greatly.

Great site, really like the picture and I look forward to checking back in more.

Thanks,</description>
		<content:encoded><![CDATA[<p>Love the site, just found it today with the 0 day exploit on 10/14/09. Can you start including subject lines in the spam/virus e-mail you detect? Many spam filters and attachment blockers can query by subject and that would help me and others greatly.</p>
<p>Great site, really like the picture and I look forward to checking back in more.</p>
<p>Thanks,</p>
]]></content:encoded>
	</item>
</channel>
</rss>
