On 01/11/2012 08:31 AM, markw at mohawksoft.com wrote:
> I won't post it, because I'm not sure who would be vulnerable, but I just
> received this great email virus.
>
> It basically uses google code javascript decryption to deploy the package
> sent as an encrypted text stream. Nice.
>
> How will the mail filters deal with this? Can they? The decrypt is written
> in javascript and comes from the google code url, so it is probably viewed
> by filters as safe. The text stream looks merely like random text with no
> obvious patterns also, your javascript stream gets blacklisted? Change the
> encrypt key, done.

I make it a habit to turn off javascript in anything that doesn't need it (a list 'according to me'; pdf viewers, mail clients, etc). Javascript is a cesspool of vulnerabilities (nearly every adobe acrobat exploit over the last few years has been javascript related, most web-browser vulnerabilities are js related...). I even turn js off on my android web browser, but I periodically have to turn it back on (e.g., wikipedia's mobile version is great, except that it needs javascript to be useful).

That said, signature based detection could still nail it, unless they encrypt it differently for each recipient (less likely in the general phishing case because the computational requirements are too high, but very likely in a spear-phishing attempt).

I've seen a perhaps slightly different kind of spam where it's just a single link to google docs (presumably to a doc that has malicious javascript). That would be very hard for the email signature-based stuff to detect, because creating a bunch of unique urls puts load on google's infrastructure, not the spam-bot-net.

Interesting aside: you know what they call spear-phishing for C-level executives? Whaling. (can't remember where I heard that from; apologies if it was from this list)

Matt
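Added example, not part of the original message or thread: a filter-side sketch of the point discussed above, comparing an exact body-hash signature with a structural check (external script reference plus a long high-entropy text run) on constructed messages. The script URL, the thresholds, the helper names and the pseudo-random blobs standing in for the encrypted stream are all assumptions made for illustration.

```python
import base64, hashlib, math, re
from collections import Counter

def make_blob(seed: str) -> str:
    """Constructed stand-in for an encrypted text stream (deterministic base64)."""
    raw = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(16))
    return base64.b64encode(raw).decode()

def make_msg(seed: str) -> str:
    # Constructed sample body; the URL is a placeholder, not one from the thread.
    return ('<html><body><script src="https://code.example.invalid/decrypt.js"></script>'
            f'<div id="p">{make_blob(seed)}</div></body></html>')

MSG_A = make_msg("key-1")   # first sample seen; its hash gets blocklisted
MSG_B = make_msg("key-2")   # same campaign, different key: different bytes
BENIGN = "<html><body><p>Hi all, the next meeting is on Wednesday.</p></body></html>"

def body_signature(body: str) -> str:
    """Exact-match signature: SHA-256 of the message body."""
    return hashlib.sha256(body.encode()).hexdigest()

BLOCKLIST = {body_signature(MSG_A)}

def entropy_bits(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

EXTERNAL_SCRIPT = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?https?://', re.I)
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")

def structural_flag(body: str, min_entropy: float = 5.0) -> bool:
    """Flag mail that loads a remote script and carries a long opaque text run."""
    if not EXTERNAL_SCRIPT.search(body):
        return False
    return any(entropy_bits(run) >= min_entropy for run in OPAQUE_RUN.findall(body))

def classify(body: str) -> dict:
    return {"hash_hit": body_signature(body) in BLOCKLIST,
            "structural_hit": structural_flag(body)}

if __name__ == "__main__":
    for name, body in (("MSG_A", MSG_A), ("MSG_B", MSG_B), ("BENIGN", BENIGN)):
        print(name, classify(body))
```

The hash signature matches only the exact body it was built from, while the structural check does not depend on the key; the thresholds are untuned and would need testing against real mail for false positives.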