Today there were quite a few more nasties arriving than usual. There was some unusual activity which I'll explain later.
The following are the unique malware received since yesterday.
Subject / Attachment
DELIVERY FAILED / onlineconnections.com.au
Mail delivery failed : returning message to sender / Message Part>ilh.zip
Jessica would like to be your friend on hi5! / Invitation Card.zip
Your friend invited you to twitter! / Invitation Card.zip
You have received A Hallmark E-Card! / Postcard.zip
Shipping update for your Amazon.com order / Shipping documents.zip
Re: message / message_audictionary.zip
Re: Developement / document09_audictionary.zip
Re: your data / data_audictionary.zip
Your internet access is going to get suspended / user-EA3911X-activities.zip
Your illegal internet activities are being logged / user-B41642-activities.zip
Congratulations! / list.zip
Returned mail: Data format error / audictionary@onlineconnections.com.au.zip
Here is it / ranking.zip
Delivery Status Notification (Failure) / Message Part>screensaver.zip
hi / winmail.dat>Documents and Settings\MyDocuments\Readme.doc .exe
Delivery failed / .zip
Mail delivery failed: returning message to sender / Message Part>message.zip
Your Pay Pal Account May Be Compromised / account-1407A4-report.zip
The unusual activity was with the following malware.
Mail delivery failed : returning message to sender / Message Part>ilh.zip
MSE did not detect the virus because it was text in the message body; being text, it couldn't be saved as a file. Avast picked it up and tried to delete it, but the deletion failed and Avast kept trying each time we clicked on the message. AVG missed the malware. CA identified and fixed it. OzEfilter also missed it.
The reason the anti-virus products missed this malware is that it wasn't an attachment: it was text, the raw form of the original message data, which the user does not normally see. It took us a while to work out what had happened. I'll explain.
Somewhere a computer sent out a fake email with malware using our domain. The receiving email server saw the malware and sent a copy of it, as text in an email message, back to the mail server I use, thinking that mail server had sent the message. My mail server saw this rejection and passed it on to me. Since I send out emails to people on my mailing list and sometimes their addresses no longer exist, I need to accept these bounce emails from the mail server. I could just delete them, but this information helps me keep my mailing list clean. That is why OzEfilter didn't flag the email: it was from the mail server and I want those emails. MSE had nothing to work with, since the malware was text in an email and not an attachment. AVG missed it; Avast saw it and got stuck on how to handle it. Only CA treated it correctly. Since the virus was now in the form of raw text in a message, there is no way it could infect a computer. So, whilst this was very interesting to analyse, from a user's point of view it would have been a benign email that was just junk to be deleted.
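To make the bounce situation concrete, here is an added example (my own code, not the author's and not taken from any of the products tested) that builds a constructed bounce message of the kind described: the forged original, headers, MIME boundaries and base64 attachment included, is quoted as plain text inside the rejection notice. All addresses, the bounce wording and the placeholder archive bytes are made up. A scanner that only opens real attachment parts sees nothing, which is the gap the post describes; the second function also looks for raw message copies quoted inside text bodies and extracts the attachment from them.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed placeholder standing in for the malware archive; it is not the
# real ilh.zip from the post, just a few bytes that begin like a ZIP header.
FAKE_ZIP = b"PK\x03\x04placeholder-not-a-real-archive"
EXPECTED_ATTACHMENT = ("ilh.zip", len(FAKE_ZIP),
                       hashlib.sha256(FAKE_ZIP).hexdigest())

# Header names that mark where a quoted copy of a message begins.
HEADER_START = re.compile(
    r"^(?:Return-Path|Received|From|To|Subject|Date|Message-ID|MIME-Version):",
    re.M)


def build_sample_original() -> EmailMessage:
    """The forged message some third-party computer sent 'from' our domain
    (constructed; the addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "audictionary@onlineconnections.example"
    msg["To"] = "former-subscriber@nonexistent.example"
    msg["Subject"] = "Re: your data"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(FAKE_ZIP, maintype="application", subtype="zip",
                       filename="ilh.zip")
    return msg


def build_sample_bounce() -> bytes:
    """The receiving server's rejection notice. It quotes the whole original
    message as plain text in its own body, so there is no attachment part."""
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@mx.recipient.example"
    bounce["To"] = "audictionary@onlineconnections.example"
    bounce["Subject"] = "Mail delivery failed : returning message to sender"
    bounce.set_content(
        "This message was created automatically by mail delivery software.\n"
        "A message that you sent could not be delivered.\n\n"
        "------ This is a copy of the message, including all the headers. ------\n\n"
        + build_sample_original().as_string())
    return bounce.as_bytes()


def parse_bytes(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def digest(part) -> tuple:
    data = part.get_payload(decode=True) or b""
    return (part.get_filename(), len(data), hashlib.sha256(data).hexdigest())


def direct_attachments(msg: EmailMessage) -> list:
    """What a scanner that only opens real attachment parts gets to see."""
    return [digest(p) for p in msg.walk() if p.is_attachment()]


def embedded_message(text: str):
    """Parse a raw RFC 822 copy quoted inside a text body, if there is one."""
    m = HEADER_START.search(text)
    if m is None:
        return None
    inner = email.message_from_string(text[m.start():], policy=policy.default)
    # A genuine copy declares a MIME structure; an ordinary body that merely
    # contains a line starting "To:" parses as a headers-only message and is ignored.
    return inner if inner.is_multipart() or inner.is_attachment() else None


def extract_attachments(msg: EmailMessage) -> list:
    """Attachments reachable from msg, including those inside message/rfc822
    parts (walk() already descends into these) and those inside raw copies
    quoted as text, which is the case the anti-virus products missed."""
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            continue  # its inner message is visited by walk() itself
        if part.is_attachment():
            found.append(digest(part))
        elif ctype == "text/plain":
            inner = embedded_message(part.get_content())
            if inner is not None:
                found.extend(extract_attachments(inner))
    return found


if __name__ == "__main__":
    bounce = parse_bytes(build_sample_bounce())
    print("attachment parts only:", direct_attachments(bounce))
    print("including quoted copies:", extract_attachments(bounce))
```

Run as a script it prints an empty list for the attachment-only scan and the placeholder archive's name, size and SHA-256 for the deeper scan. The point for a defender is that the quoted copy can be reconstructed and hashed even though, as the post says, it cannot execute in that form; a mail gateway that wants to log or block such bounces needs to parse the quoted text rather than rely on attachment parts alone.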
OzEfilter works differently from other approaches. I set the conditions so OzEfilter knows who I receive emails from, and then it only shows me the emails from people I don't know. This approach is called exception handling and saves quite a bit of time. I only need to review the emails from people I don't know before accepting them or not. Emails from people I know I always want to accept. I am presented with a screen which shows the total number of emails and how many emails are from people I don't know (the To filter value on the screen image below). Most emails from people I don't know are spam or malware. I receive 70-100 emails a day and around half are unwanted. All of the unwanted emails are deleted at the mail server and never reach my computer. When I review the emails I see the subject, who the message is from, and around half the time I see the country the email has come from. The country of origin is a great indicator as to whether or not the email will be wanted.
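The exception-handling idea in a few lines of Python, as an added example of my own and not OzEfilter's code: a set of known senders (plus my own mail server's domain, so bounces are kept for list hygiene) is applied to a constructed day's worth of message summaries, and only the remainder is returned for review with the things the post says are looked at: sender, subject, country where available, and the attachment names. The attachment check also flags the "Readme.doc .exe" style of name from the list above. Subjects are borrowed from the post; every address, domain and country value is made up.

```python
import os
from email.utils import parseaddr

# Constructed sample of one day's mail summaries (subjects borrowed from the
# post's list; senders, countries and the mail server name are made up).
SAMPLE_MESSAGES = [
    {"from": "A Friend <friend@example.com>",
     "subject": "Re: lunch", "country": "AU", "attachments": []},
    {"from": "Mail Delivery System <MAILER-DAEMON@mail.example.net>",
     "subject": "Mail delivery failed : returning message to sender",
     "country": "AU", "attachments": []},
    {"from": "hi5 <invites@hi5-mail.example>",
     "subject": "Jessica would like to be your friend on hi5!",
     "country": "RU", "attachments": ["Invitation Card.zip"]},
    {"from": "Amazon.com <orders@amazon-update.example>",
     "subject": "Shipping update for your Amazon.com order",
     "country": None, "attachments": ["Shipping documents.zip"]},
    {"from": "someone@unknown.example",
     "subject": "hi", "country": "US",
     "attachments": ["Documents and Settings\\MyDocuments\\Readme.doc .exe"]},
    {"from": "promo@prizes.example",
     "subject": "Congratulations!", "country": "BR", "attachments": ["list.zip"]},
]

KNOWN_SENDERS = {"friend@example.com"}
# Bounces come from my own mail server and are wanted for list hygiene, so the
# whole server domain is accepted rather than individual daemon addresses.
KNOWN_DOMAINS = {"mail.example.net"}

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXT = {".doc", ".pdf", ".txt", ".jpg", ".gif"}
ARCHIVE_EXT = {".zip", ".rar"}


def sender_address(header_value: str) -> str:
    """'Display Name <user@host>' -> 'user@host', lower-cased."""
    return parseaddr(header_value)[1].lower()


def is_known(address: str) -> bool:
    if address in KNOWN_SENDERS:
        return True
    return address.rpartition("@")[2] in KNOWN_DOMAINS


def attachment_flags(name: str) -> list:
    """Flags for an attachment file name, including the 'Readme.doc .exe'
    trick where padding and a document extension disguise the real .exe."""
    flags = []
    base = os.path.basename(name.replace("\\", "/")).lower()
    root, ext = os.path.splitext(base.rstrip())
    if ext in EXECUTABLE_EXT:
        flags.append("executable")
        if os.path.splitext(root.rstrip())[1] in DOCUMENT_EXT:
            flags.append("double-extension")
    elif ext in ARCHIVE_EXT:
        flags.append("archive")
    return flags


def triage(messages: list) -> dict:
    """Exception handling: skip known senders, keep the rest for review with
    the details I look at (sender, subject, country, attachment flags)."""
    review = []
    for m in messages:
        addr = sender_address(m["from"])
        if is_known(addr):
            continue
        flags = [f"{name}: {flag}" for name in m["attachments"]
                 for flag in attachment_flags(name)]
        review.append({"from": addr, "subject": m["subject"],
                       "country": m["country"] or "unknown", "flags": flags})
    return {"total": len(messages), "to_filter": len(review), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGES)
    print(f"{result['total']} emails, {result['to_filter']} to filter")
    for row in result["review"]:
        print(row["country"], row["from"], "|", row["subject"], row["flags"])
```

With the constructed sample, six messages arrive and four are left for review; the friend's email and the mail server's bounce never appear. The allowlist is keyed on the From address alone, so a forged From from a known sender would pass it, which is why the review of the unknown remainder, and a scanner on the accepted mail, still matter.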
CA missed 0
AVG missed 1
Message Part>ilh.zip
MSE missed 1
Message Part>ilh.zip
OzEfilter missed 1
Message Part>ilh.zip
Avast missed 2
Postcard.zip
Shipping documents.zip
One other thing that I noticed was that the MSE signature file had not been updated since the 6/10, and it was now the 9th of October. Before checking for malware I perform an update of all the packages. However, in the real world this would not be the case. The user would turn their computer on and within a few minutes check their email. If an update had occurred then the software would have the latest protection. If not, the user's protection is reduced. The next round will be done without manual updating.
Another thing that MSE did that was strange is when I went to save ranking.zip to the computer MSE stopped me. That means MSE does recognise some malware in a zip file. This isn't what I've seen before.
For MSE to be a better product in my opinion it should automatically check zip files without the files being extracted. Microsoft should at least have their own products (Outlook, Winmail, Outlook Express) check the attachments on incoming emails as they arrive. That would in my opinion put MSE ahead of the pack.
AVG performed very well today. It placed malware into a separate folder without fuss.
Avast has been slow recognising the malware others now recognise. One thing I didn't like about Avast is that when receiving emails it would stop if it found malware and wait until I took action. With dozens of malware that was quite time consuming. With the other anti-virus software I could leave the computer and do other things. I had to interact with Avast and it was quite time consuming and tedious.
Ranking
1. CA
2. OzEfilter, AVG, MSE
3. Avast
The winner of today's round is CA. That's a pretty impressive effort from the CA team. At this stage CA is out front because it is having the best outcome and scans email attachments as they are received.
Until tomorrow.
- Kelvin Eldridge