Friend of Dorothy?
Some people evidently don't believe my assertion that signature-based AV is no longer an effective part of a security strategy.

Allow me to demonstrate again why both signature-based AV and email disclaimers are not always a good thing.

[Image: Dorothy.jpg]

Here's a recent sample of what CA is calling Win32/Auraax.I.

It seems to be the latest variant of that malware I mentioned just the other day.

This one passed through a corporate email infrastructure that both runs a signature-based AV scan and appends a disclaimer.

  • AV failed to spot the worm.
  • Disclaimer asserts that
    • the mail was scanned - though to what end is unclear - and
    • email content may be monitored to ensure compliance with policies and procedures - though there appears to be no effective procedure to ensure that mass mailing malware is not allowed to propagate via this company's email infrastructure.

Yes, AV signatures do eventually catch up, which is why CA now spots this one, but the rate at which these things change, the speed at which they propagate and the varied routes they take are clear evidence that the inherent lag between sample analysis by AV vendors and signature availability is simply too long.

Update: And here's one a user received at home and forwarded to the office. You can see two AVG scans, one for the inbound and one for the outbound. Neither spotted the malware. AV signatures were only 10 hours old at the time of receipt.

[Image: Dorothy2.jpg]



Category: Viruses and Worms

Comments:

1. Conrad Longmore, 27/08/2008 08:52:44
Homepage: http://www.dynamoo.com/

Again, blocking EXEs in ZIPs is an essential thing to do to prevent this. That's certainly a viable solution for many corporate customers.

Of course, you mentioned a home PC as well. All your clever security and mail filtering can be blown away by a user who reads their personal web mail on a work machine.
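
Conrad's suggestion above, as a gateway-side check that does not depend on AV signatures: an added example in Python (not code from this post, from CA, or from any product named here) that walks a message's MIME parts and holds the mail when a ZIP attachment carries a Windows executable, judged by entry name or by the PE "MZ" magic. The message builder and archive contents are constructed test data, and the EXEC_SUFFIXES list is an assumption.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Assumed list of extensions Windows runs directly; entry data is also checked for 'MZ'.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_has_executable(zip_bytes: bytes) -> bool:
    """True if any entry is a Windows executable by name or by 'MZ' magic."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXEC_SUFFIXES):
                    return True
                with zf.open(info) as fh:  # a renamed .exe still starts with MZ
                    if fh.read(2) == b"MZ":
                        return True
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected: fail closed
        return True
    return False


def should_quarantine(raw_message: bytes) -> bool:
    """Walk every MIME part; hold the mail if a ZIP attachment carries an executable."""
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        # Match on filename or on the ZIP local-header magic, so a mislabeled part is not skipped.
        if (part.get_filename() or "").lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            if zip_has_executable(payload):
                return True
    return False


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()  # in-memory archive built from {name: bytes} (constructed test data)
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed message with one attachment, standing in for the real worm mail."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Photo"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()
```

A real gateway would log the held message with the matched entry name so that the disclaimer's "scanned" claim is backed by an actual procedure.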




2. Chris Linfoot, 27/08/2008 13:43:11

Yes, but users are not allowed personal email on work machines. They've no access to POP or IMAP, no privileges to install any new MUA and SurfControl keeps them out of web mail.



