On 29/05/12 15:04, Henrik K wrote:
> On Tue, May 29, 2012 at 12:33:30PM +0100, Cedric Knight wrote:
>> It seems there's at least one new variant every day of Kryptik/Kazy/Zbot
>> worms or Trojan droppers sent zipped through email. These are attached
>> to a type of spam usually headlined something like "FedEx delivery problem".
>
> Is this actually a problem for someone? I don't remember the last time my
> users reported something like this passing through normal spam filtering
> stuff.
Yes, provided of course you accept that this is being sent because it's a successful vector, that malware distribution is something we want to stop, and that naive users will still open attachments out of curiosity or inattention.

Email worms are perhaps passé, but I've had reported cases of these getting through ClamAV and SpamAssassin (and other AV measures) and being detected by a desktop antivirus. Judging by the multi-AV-scanner results (Jotti and VT), and by the automated responses I get from Kaspersky confirming the sample is a new variant, a fair amount would be novel enough for several hours to get through most server-based AVs *and* most desktop AVs, which I think may make it /less/ likely to be reported.

Such stuff doesn't usually hit any checksum-based service. It's sometimes picked up by RBLs including BRBL, PSBL or SCBL, but the standard SpamAssassin 3.3 rules don't help much. So I've written my own rules, which is why I'm conscious of seeing it in logs. It has already gone through ClamAV (including clamav-unofficial-signatures) and not otherwise been detected.

What I'm looking for is a way to avoid having to report new malware variants so frequently. Wouldn't more spamtraps that feed virus samples directly to AV analysts help?

All best wishes

Cedric

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml