Friend of Dorothy?
Some people evidently don't believe my assertion that signature-based AV is no longer an effective part of a security strategy.

Allow me to demonstrate again why both signature-based AV and email disclaimers are not always a good thing.

Dorothy.jpg

Here's a recent sample of what CA is calling Win32/Auraax.I.

It seems to be the latest variant of that malware I mentioned just the other day.

This one has passed through corporate email infrastructure which both runs a signature-based AV scan and appends a disclaimer.

  • The AV failed to spot the worm.
  • The disclaimer asserts that
    • the mail was scanned - though to what end is unclear - and
    • email content may be monitored to ensure compliance with policies and procedures - though there is evidently no effective procedure to stop mass-mailing malware from propagating via this company's email infrastructure.

Yes, AV signatures do eventually catch up, which is why CA now detects this one. But the rate at which these things change, the speed at which they propagate and the variety of routes they take are clear evidence that the inherent lag between a sample reaching an AV vendor for analysis and a signature becoming available is simply too long.

Update: And here's one a user received at home and forwarded to the office. You can see two AVG scans, one on the inbound message and one on the outbound. Neither spotted the malware. The AV signatures were only 10 hours old at the time of receipt.

Dorothy2.jpg

Category: Viruses and Worms

Comments:

1. Conrad Longmore, 27/08/2008 08:52:44
Homepage: http://www.dynamoo.com/


Again, blocking EXEs in ZIPs is an essential thing to do to prevent this. That's certainly a viable solution for many corporate customers.

Of course, you mentioned a home PC as well. All your clever security and mail filtering can be blown away by a user who reads their personal web mail on a work machine.




2. Chris Linfoot, 27/08/2008 13:43:11


Yes, but users are not allowed personal email on work machines. They've no access to POP or IMAP, no privileges to install any new MUA and SurfControl keeps them out of web mail.




3. Tim Sullivan, 27/01/2009 03:12:37
Homepage: http://www.workflowstudios.com


I've recently tried to keep my standards of blocking .zip and .exe, but many large companies are sending all email with .zips. Am I the only one having issues with this?




4. Chris Linfoot, 27/01/2009 09:11:21


@Tim - the trick is to examine the contents of archives (.zip, .rar, etc) and block or quarantine those containing executables.

You can't do this with native Domino, but most virus scanning software will permit the creation of rules like this.
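The archive inspection described in this comment, placed next to the kind of hash-signature check the post argues arrives too late, as an added example that is not part of the original post or its comments. It uses only the Python standard library; the test message, the "worm" bytes, the one-byte variant and the list of executable extensions are all constructed for the example and are not taken from the samples the post shows.

```python
# Added example (not from the original post or its comments): an attachment filter
# that looks inside zip archives for executables, beside a hash-signature check.
# Every message and every "malware" byte string below is constructed for the example.
import email
import email.policy
import hashlib
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions Windows will run on double-click; an assumed starting list, extend to taste.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll", ".vbs", ".js"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable, whatever it is named


def build_sample_message(payload: bytes, member_name: str, zip_name: str = "Dorothy.zip") -> bytes:
    """Construct a test e-mail carrying `payload` as `member_name` inside a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Photos"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def signature_scan(msg_bytes: bytes, known_hashes: set) -> bool:
    """Hash-signature check: unpack zip attachments and compare each member's SHA-256
    with a database of known-bad hashes. True only on an exact match, so any
    repacked variant slips through until its own hash has been added."""
    msg = email.message_from_bytes(msg_bytes, policy=email.policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if hashlib.sha256(zf.read(info)).hexdigest() in known_hashes:
                        return True
        elif hashlib.sha256(data).hexdigest() in known_hashes:
            return True
    return False


def inspect_attachments(msg_bytes: bytes) -> list:
    """Structural check: flag any attachment that is, or contains, something executable.
    Returns (attachment name, member name, reason) tuples; an empty list means clean."""
    findings = []
    msg = email.message_from_bytes(msg_bytes, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if data[:2] == MZ_MAGIC:
            findings.append((name, None, "bare executable"))
            continue
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = os.path.splitext(info.filename)[1].lower()  # catches photo.jpg.exe too
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append((name, info.filename, f"executable extension {ext}"))
                    continue
                if info.flag_bits & 0x1:  # encrypted member: cannot look inside, so do not trust it
                    findings.append((name, info.filename, "encrypted member, not inspectable"))
                    continue
                with zf.open(info) as member:  # read only the header, so a zip bomb costs nothing
                    if member.read(2) == MZ_MAGIC:
                        findings.append((name, info.filename, "MZ header behind a non-executable name"))
    return findings


def verdict(msg_bytes: bytes) -> str:
    """Policy decision for the mail gateway: quarantine anything with a finding."""
    return "quarantine" if inspect_attachments(msg_bytes) else "deliver"


# Constructed samples: a fake "worm" and a one-byte variant of it (a repacked build).
ORIGINAL_SAMPLE = MZ_MAGIC + b"\x90" * 62 + b"fake worm body, constructed for this example"
VARIANT_SAMPLE = ORIGINAL_SAMPLE[:-1] + b"!"
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}  # signature for the first sample only

if __name__ == "__main__":
    for label, msg in [
        ("known sample, .jpg.exe", build_sample_message(ORIGINAL_SAMPLE, "Dorothy.jpg.exe")),
        ("variant, .scr", build_sample_message(VARIANT_SAMPLE, "Dorothy.scr")),
        ("variant renamed .jpg", build_sample_message(VARIANT_SAMPLE, "Dorothy.jpg")),
        ("real picture", build_sample_message(b"\xff\xd8\xff\xe0 constructed jpeg bytes", "Dorothy.jpg")),
    ]:
        print(f"{label:24} signature={signature_scan(msg, KNOWN_BAD_HASHES)!s:5} "
              f"structural={verdict(msg)}")
```

The hash check catches only the sample whose hash it already holds; the variant, and the same variant renamed to look like a picture, both pass it. The structural check quarantines all three, delivers the genuine picture, and treats an encrypted member as suspect because it cannot be inspected, which is the policy most mail gateways let you express as a rule.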



