[Discuss] email virus

Scott Ehrlich srehrlich at gmail.com
Wed Jan 11 09:18:01 EST 2012


On Wed, Jan 11, 2012 at 9:12 AM, Matthew Gillen <me at mattgillen.net> wrote:
> On 01/11/2012 08:31 AM, markw at mohawksoft.com wrote:
>>
>> I won't post it, because I'm not sure who would be vulnerable, but I just
>> received this great email virus.
>>
>> It basically uses Google Code JavaScript decryption to deploy the package
>> sent as an encrypted text stream. Nice.
>>
>> How will the mail filters deal with this? Can they? The decrypt is written
>> in JavaScript and comes from the Google Code URL, so it is probably viewed
>> by filters as safe. The text stream looks merely like random text with no
>> obvious patterns. Also, your JavaScript stream gets blacklisted? Change the
>> encrypt key, done.
>
>
> I make it a habit to turn off JavaScript in anything that doesn't need it (a
> list 'according to me'; PDF viewers, mail clients, etc). JavaScript is a
> cesspool of vulnerabilities (nearly every Adobe Acrobat exploit over the
> last few years has been JavaScript related, most web-browser vulnerabilities
> are JS related...).
>
> I even turn JS off on my Android web browser, but I periodically have to
> turn it back on (e.g., Wikipedia's mobile version is great, except that it
> needs JavaScript to be useful).
>
> That said, signature based detection could still nail it, unless they
> encrypt it differently for each recipient (less likely in the general
> phishing case because the computational requirements are too high, but very
> likely in a spear-phishing attempt).
>
> I've seen a perhaps slightly different kind of spam where it's just a single
> link to Google Docs (presumably to a doc that has malicious JavaScript).
> That would be very hard for the email signature-based stuff to detect,
> because creating a bunch of unique URLs puts load on Google's
> infrastructure, not the spam-bot-net.
>
> Interesting aside: you know what they call spear-phishing for C-level
> executives?  Whaling.  (can't remember where I heard that from; apologies if
> it was from this list)
>

I'm an active user of NoScript for both Chrome and Firefox.

Scott

> Matt
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
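
An added example, not part of the thread and not taken from any filter the posters mention: it shows why an exact-match signature breaks when the key changes while a structural heuristic (externally loaded script plus a long high-entropy text run in the HTML part) still fires. The sample messages, the `example.invalid` URL, the function names and the 5.0 bits/char threshold are all constructed assumptions.

```python
import base64, hashlib, math, re
from collections import Counter
from email import message_from_string

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long unbroken base64-like run
MIN_BITS = 5.0  # assumed threshold; random base64 sits close to 6 bits/char

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def html_parts(msg):
    """Yield the decoded text of every text/html part of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            yield data.decode(part.get_content_charset() or "utf-8", "replace")

def score_message(raw):
    """Return the structural indicators found in a raw RFC 822 message."""
    reasons = []
    for html in html_parts(message_from_string(raw)):
        if SCRIPT_SRC.search(html):
            reasons.append("external-script")
        if any(entropy(b) > MIN_BITS for b in BLOB.findall(html)):
            reasons.append("high-entropy-blob")
    return reasons

def body_hash(raw):
    """Exact-match 'signature': changes whenever the ciphertext changes."""
    return hashlib.sha256(raw.encode()).hexdigest()

def make_sample(seed):
    """Constructed test mail: a script reference plus an opaque 512-char blob."""
    raw = b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(12))
    blob = base64.b64encode(raw).decode()
    return ("Subject: constructed sample\n"
            "Content-Type: text/html; charset=utf-8\n\n"
            '<html><script src="https://example.invalid/decode.js"></script>'
            f"<div id=d>{blob}</div></html>\n")

BENIGN = "Subject: hi\nContent-Type: text/html\n\n<html><p>Lunch at noon?</p></html>\n"

if __name__ == "__main__":
    for seed in (1, 2):  # two "keys": different hash, same indicators
        m = make_sample(seed)
        print(body_hash(m)[:16], score_message(m))
    print(score_message(BENIGN))
```
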


