On Wed, Jan 11, 2012 at 9:12 AM, Matthew Gillen <me at mattgillen.net> wrote:
> On 01/11/2012 08:31 AM, markw at mohawksoft.com wrote:
>>
>> I won't post it, because I'm not sure who would be vulnerable, but I just
>> received this great email virus.
>>
>> It basically uses google code javascript decryption to deploy the package
>> sent as an encrypted text stream. Nice.
>>
>> How will the mail filters deal with this? Can they? The decrypt is written
>> in javascript and comes from the google code url, so it is probably viewed
>> by filters as safe. The text stream looks merely like random text with no
>> obvious patterns also, your javascript stream gets blacklisted? Change the
>> encrypt key, done.
>
>
> I make it a habit to turn off javascript in anything that doesn't need it (a
> list 'according to me'; pdf viewers, mail clients, etc). Javascript is a
> cesspool of vulnerabilities (nearly every adobe acrobat exploit over the
> last few years has been javascript related, most web-browser vulnerabilities
> are js related...).
>
> I even turn js off on my android web browser, but I periodically have to
> turn it back on (e.g., wikipedia's mobile version is great, except that it
> needs javascript to be useful).
>
> That said, signature based detection could still nail it, unless they
> encrypt it differently for each recipient (less likely in the general
> phishing case because the computational requirements are too high, but very
> likely in a spear-phishing attempt).
>
> I've seen a perhaps slightly different kind of spam where it's just a single
> link to google docs (presumably to a doc that has malicious javascript).
> That would be very hard for the email signature-based stuff to detect,
> because creating a bunch of unique urls puts load on google's
> infrastructure, not the spam-bot-net.
>
> Interesting aside: you know what they call spear-phishing for C-level
> executives? Whaling. (can't remember where I heard that from; apologies if
> it was from this list)
>

I'm an active user of noscript for both chrome and firefox.

Scott

> Matt
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
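The point raised in the thread about signature-based detection and re-keyed payloads, as an added example that is not part of the original messages: an exact-match hash of the body changes whenever the encrypted text changes, while structural features of the mail (a remote script reference plus a long high-entropy text run) stay the same. The sample messages, the `example.invalid` names, the 200-character run length, the 4.5 bits/char threshold and all function names are assumptions constructed for illustration.

```python
import base64, hashlib, math, re
from collections import Counter
from email import message_from_string

# Constructed sample mail: one HTML shape, filled with different opaque blobs.
TEMPLATE = """From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>{script}<div>{content}</div></body></html>
"""
SCRIPT = '<script src="https://code.example.invalid/decrypt.js"></script>'
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long unbroken base64-like run
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']https?://", re.I)

def constructed_blob(key: bytes) -> str:
    """Deterministic stand-in for ciphertext: same length, different per key."""
    raw = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(8))
    return base64.b64encode(raw).decode()

def html_body(raw_mail: str) -> str:
    for part in message_from_string(raw_mail).walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""

def exact_signature(raw_mail: str) -> str:
    """Exact-match signature: a hash over the HTML body."""
    return hashlib.sha256(html_body(raw_mail).encode()).hexdigest()

def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def structural_flags(raw_mail: str, min_entropy: float = 4.5) -> list:
    """Features that survive a key change: remote script + high-entropy run."""
    body, flags = html_body(raw_mail), []
    if SCRIPT_RE.search(body):
        flags.append("remote-script")
    if any(shannon_entropy(b) >= min_entropy for b in BLOB_RE.findall(body)):
        flags.append("high-entropy-blob")
    return flags

MAIL_KEY1 = TEMPLATE.format(script=SCRIPT, content=constructed_blob(b"key-1"))
MAIL_KEY2 = TEMPLATE.format(script=SCRIPT, content=constructed_blob(b"key-2"))
BENIGN = TEMPLATE.format(script="", content="Lunch on Friday? Reply to the list.")
```

Flags like these are scoring inputs rather than verdicts: legitimate mail can carry long base64 runs (inline images, signatures), so a filter would weigh them together with other evidence.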