For a few months now (since the demise of bluefrog actually) I’ve noticed that the level of junk mail has gone up on my own mail server. Yes, I use spamassassin to filter and tag, but the volume of stuff that’s tagged has gone up (as well as the volume that slips through.) I’ve had to flush out the bayes filter more than I would like after some massive bayes poisoning attempts (those messages with lots of random words or text.) I’ve also been following news on the topic and thought I’d detail some of it here for those that haven’t been paying attention.
Tag: antivirus
-
System patching 0-days and ancient-day vulnerabilities
There’s a good article at Michael Sutton’s Blog which points out something that really makes sense and I think many people are aware of, but with all the buzz that a new, previously undisclosed vulnerability gets, we forget. The point is this: there are plenty of machines online vulnerable to ancient flaws that have been known about, in some cases for years. In his article, he does a search for one specific vulnerability and finds targets. Some of the comments speculate that some may be honeypots, but I doubt that a high percentage are and suspect that most are the real deal.
-
CA eTrust antivirus false positive
We’ve got an antivirus false positive to pass along… apparently, a signature update for CA eTrust Antivirus has flagged lsass.exe on Windows 2003 as an undesirable program. There have been updates to address the problem, but if you’re running CA eTrust on Windows 2003 Server you’ve probably already seen the effects. SANS reports some 2003 servers as failing or being unable to reboot.
-
Good sarc monitoring tip
Sarc is still in their month of a security tip per day, and today’s is another good one. Today’s tip is about monitoring machines, particularly those that “defend” your network (mail antivirus scanners, proxy filters/scanners, etc.). The core of the advice is to not just ping: that only tells you if the system exists and is online, it doesn’t tell you if things are working. They suggest scripting tests (an antivirus scanner can be tested via the EICAR test signature, for instance). They note that this doesn’t tell you if the AV scanner is updated (I prefer a crontab output of the day’s updates; looks like there were around 9 clamav signature updates yesterday).
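Here is the kind of scripted check the tip is talking about, written as an added example for this post (it is not Sarc’s or ClamAV’s own code): it feeds the EICAR test string to clamscan and checks that the signature databases have been updated recently, so cron tells you when either stops working. It assumes clamscan is on PATH and that the databases live in SIGDIR (adjust for your installation).

```shell
#!/bin/sh
# Added example: monitor an AV scanner by what it does, not by whether it pings.
# Assumes clamscan is installed and ClamAV keeps its databases in SIGDIR.
SIGDIR="${SIGDIR:-/var/lib/clamav}"
MAX_AGE_MIN="${MAX_AGE_MIN:-1440}"   # alert if nothing was updated in the last day

# The standard EICAR test string, assembled from two halves so this script is
# not itself flagged when a scanner sweeps the filesystem it lives on.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS' \
                  '-TEST-FILE!$H+H*'
}

# 0 if the scanner flags the EICAR file (clamscan exits 1 on a detection),
# 1 if it scans the file clean, 2 if clamscan is missing or errored out.
scanner_detects_eicar() {
    tmp=$(mktemp) || return 2
    eicar_string > "$tmp"
    clamscan --no-summary "$tmp" > /dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    case $rc in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# 0 if at least one signature database (*.cvd or *.cld) in the directory was
# modified within the last N minutes, 1 otherwise (also 1 for a missing dir).
signatures_fresh() {
    dir=$1; max_min=$2
    find "$dir" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \) \
        -mmin "-$max_min" 2>/dev/null | grep -q .
}

# Run both checks; a non-zero exit makes cron mail the output to you.
run_checks() {
    status=0
    scanner_detects_eicar; rc=$?
    if [ "$rc" -eq 0 ]; then echo "OK: EICAR detected"
    else echo "FAIL: EICAR not detected (rc=$rc)"; status=1; fi
    if signatures_fresh "$SIGDIR" "$MAX_AGE_MIN"; then echo "OK: signatures fresh"
    else echo "FAIL: no signature update in $MAX_AGE_MIN minutes"; status=1; fi
    return $status
}

case "${1:-}" in run) run_checks ;; esac
```

Drop it in cron as `sh avcheck.sh run`; the signature-age check reads file mtimes, so it also catches a freshclam that silently stopped running.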
-
Hiding malware may evade antivirus
SANS had an interesting malware analysis this morning about a blob that appeared to be ASCII text (gibberish) and was retrieved by a piece of malware. It turns out that the ASCII text was a cleverly encoded exe file (a Windows executable). It took several iterations of their analysis to uncover the actual file. A followup referred to a study of “hiding” malware in various Microsoft Word supported formats and how successful (or, unfortunately, unsuccessful) several tested antivirus programs were at identifying it. This was done by running the files through VirusTotal, with the EICAR test pattern standing in for the virus.
-
ClamAV 0.88.4 and prior DoS
According to incidents.org, a denial of service vulnerability has been noted in all versions of ClamAV up to and including 0.88.4. At incidents.org’s last report the download for 0.88.4 was back after disappearing for a while, which seemed to indicate a fix; however, I wasn’t aware 0.88.4 had been released before today. It looks as though http://www.clamav.net/ perhaps has a re-release of 0.88.4 that fixes it? ClamAV is a popular open source antivirus scanning engine.
UPDATED AND CORRECTED: looking at the Secunia advisory, versions 0.88.3 and 0.88.2 are vulnerable (others may be as well), and I suspect that 0.88.4 is the version that fixes it. AGAIN: it looks as though 0.88.4 FIXES the DoS vulnerability.
-
Another McAfee security product flaw
SANS has info on a security flaw affecting several McAfee security products. It could allow remote code execution. The 2007 versions of the products are not affected and a patch is expected soon. For your information, here are the affected products: McAfee Internet Security Suite 2006, McAfee Wireless Home Network Security, McAfee Personal Firewall Plus, McAfee VirusScan, McAfee Privacy Service, McAfee SpamKiller, McAfee AntiSpyware.
You may note that antivirus software is increasingly being scrutinized as a means to remotely exploit systems. Watch for the patch to come from McAfee.
-
The end for Windows 98 may be a boost to Linux?
There are articles out suggesting that the demise of official Windows 98 and ME support will be a boost to Linux uptake. Realistically, I suppose it may, but I personally am not holding my breath. Here’s why. 1) The people still running Windows 98/ME are likely doing so because that’s what came with their PC. There is a common perception that about 6 years is the point where they might replace it anyway with a new PC. 2) IF you’re running Windows 98 on original equipment (as opposed to someone who opted for 98 instead of XP on a slightly newer system, or has upgraded from the original equipment), you might be frustrated with the performance of MOST Linux distributions on your equipment. Let’s face it, Linux can run on most anything, but most of the distributions that people HEAR about focus on newer hardware….
-
Another wolf in sheep’s clothing to watch for
Wolves in sheep’s clothing is the label I give to those rogue antispyware or antivirus programs that bring pests instead of protecting against them, or are otherwise questionable in their tactics. Titan Shield seems to be a new threat on the block in this area. I haven’t seen it first hand yet, but it looks like one you’ll want to avoid. (You may want to block antispywarebox(dot)com and titanshield(dot)com if you’re in a position to do such things on your network.)