Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)

After 4.5 days of trying, the Ximian Evolution spammer finally found an
IP address that I wasn't blocking and put this "Notice to Appear"
between the uprights.  My server rejected some 2250 SMTP connection
attempts during those 4.5 days, no doubt some (or many?) of those were
the Ximian fool.

=============================
Received: from lawyerscaringforarizona.com ([64.135.3.78])  
Subject: Notice to appear in court
X-Mailer: XimianEvolution1.4.6

Notice to Appear,

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Truly yours,
Clerk to the Court,
Carol Mason
===============================

And isn't that nice?

lawyerscaringforarizona.com

lawyers caring for arizona . com

And we thought that lawyers were scum.

VT is really slow tonight.

Here's the VT result:

https://www.virustotal.com/en/file/a8a5b56eef029eec01f83858317109641a2c3dd991de2533d7b1b33b4f0ea8e6/analysis/1414453886/

Kaspersky is calling it Win32.Dapato (never seen that before).

Very bad detection rate - 10/54.  Here's who detected it:

AVware         Avast       DrWeb     ESET-NOD32
F-Prot         Kaspersky   Sophos    TrendMicro
TrendMicro-HC  VIPRE

And here's the hall of shame:

AVG           Ad-Aware       AegisLab         Agnitum  
AhnLab-V3     Antiy-AVL      Avira            Baidu-Int.
BitDefender   Bkav           ByteHero         CAT-SlowHeal
CMC           ClamAV         Comodo           Cyren
Emsisoft      F-Secure       Fortinet         GData
Ikarus        Jiangmin       K7AntiVirus      K7GW
Kingsoft      Malwarebytes   McAfee           McAfee-GW
MicroWorld    Microsoft      NANO-Antivirus   Norman
Qihoo-360     Rising         SUPERAntiSpyware Symantec
Tencent       TheHacker      TotalDefense     VBA32
ViRobot       Zillya         Zoner            nProtect

And we have more!  This one's hot-off-the-press (as of 3 hours ago):

----------------------------
Received: from employmentlawyersfortlauderdale.com ([76.184.137.116])
Subject: Hearing of your case in Court
Mon, 27 Oct 2014 17:09:11 -0
X-Mailer: XimianEvolution1.4.6

Notice to Appear,

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Truly yours,
Clerk to the Court,
Lily Mason
------------------------------

Hmmm.  Lily Mason and Carol Mason both working in the same court house?

https://www.virustotal.com/en/file/438f30bda635325fd2f814a6861f7e13f07602713f930b5bea374367894d6759/analysis/1414454543/

This file is the exact same size as the first, but not binary
identical.  The exact same 10 AV programs are detecting this second file
just like the first file.

Get your copy of these files here:

http://www.filedropper.com/note6833copy
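Added example, not from the post or any reply: a small Python triage check for the court-notice lure quoted above, run over two constructed messages, one modelled on the quoted headers and body text, one a benign mail that merely mentions a court date. The indicator strings, the made-up zip attachment and the benign sample are assumptions for the example; the rule is written so that a single indicator alone does not fire.

```python
import re
from email import message_from_string, policy

# Indicators taken from the two messages quoted in the post.
LURE_MAILER = "XimianEvolution1.4.6"
LURE_SUBJECT = re.compile(r"notice to appear|court|hearing of your case", re.I)
LURE_BODY = re.compile(r"court notice is attached|clerk to the court", re.I)

# Constructed samples (not real captures): the first mirrors the thread's
# headers and body text with a made-up zip attachment, the second is benign.
NOTICE_SAMPLE = (
    "Received: from lawyerscaringforarizona.com ([64.135.3.78])\n"
    "Subject: Notice to appear in court\n"
    "X-Mailer: XimianEvolution1.4.6\n"
    'Content-Type: multipart/mixed; boundary="B1"\n\n'
    "--B1\nContent-Type: text/plain\n\n"
    "Notice to Appear,\n\nThe copy of the court notice is attached to this letter.\n"
    "Please, read it thoroughly.\n\nTruly yours,\nClerk to the Court,\nCarol Mason\n"
    '--B1\nContent-Type: application/zip; name="notice.zip"\n'
    'Content-Disposition: attachment; filename="notice.zip"\n'
    "Content-Transfer-Encoding: base64\n\nUEsDBAo=\n--B1--\n"
)
BENIGN_SAMPLE = (
    "Received: from mail.example.org ([192.0.2.10])\n"
    "Subject: Re: court date on Tuesday\n"
    "X-Mailer: SomeClient 1.0\n"
    "Content-Type: text/plain\n\n"
    "See you at the clerk's window at 9am.\n"
)

def triage(raw):
    """Return the lure indicators one raw message carries and whether they combine into a hit."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg.get("X-Mailer", "")).strip() == LURE_MAILER:
        hits.append("x-mailer")
    if LURE_SUBJECT.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_BODY.search(body.get_content()):
        hits.append("body")
    if any(p.get_filename() for p in msg.iter_attachments()):
        hits.append("attachment")
    # One indicator alone (a real mail about a court date) is not enough:
    # require the mailer fingerprint plus lure text, or lure text plus an attachment.
    lure_text = "subject" in hits or "body" in hits
    flagged = lure_text and ("x-mailer" in hits or "attachment" in hits)
    return {"flagged": flagged, "hits": hits}
```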

Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)



You still don't grasp how the detection works, obviously.

I hate to tell you this, but it's really not hard to write malware  
that won't be detected when you submit it to virus total. What's  
worse, you can even take source code to already existing malware and  
with very little modification, likely compile a fresh sample that  
will not be detected by anything on virustotal.  

Here's the real ass kicker for you to dwell on:

The scenario above is normal; this is exactly HOW it works. AV/AM are  
primarily retroactive in nature. They often don't detect what they  
don't have a signature for.

In many cases these days, the malware samples are server side
polymorphic (google the term, my patience is low tonight). As they
are polymorphs, you most likely will not be able to develop a single
signature that will get all variants of it. And this too, is by
design.

Your complaints are baseless and unfounded because you really *don't*  
understand how this game is played. How detection/prevention actually  
works and how trivial it really is to evade most of it.
  

And it means absolutely nothing. That's the thing you don't seem to  
comprehend.
  


--  
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!



Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)

Dustin wrote:


So what you're saying is that for the 10 AV programs that *can* detect
those files as viral - it means nothing.

The work they do so that they can perform the detection almost
immediately as those files get into circulation - according to you it
means nothing.  It has no value.  They do it for no reason.

Because according to you, the general population of windoze computer
users don't need to be able to detect those files as malware.  They
magically don't need protection from their own stupidity in case they
click on them, because for some reason they don't click on them, and
therefore according to you - AV software doesn't have to detect these
files in "real time".

Does anyone else here feel the same way as Dustin about this ability (or
lack thereof) of the vast majority of AV software to be able to detect
these threats when they first enter circulation?

And btw Dustin, did you download those files so you can take them apart
and submit the actual droppers to VT?

Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)

On Mon, 27 Oct 2014 21:39:36 -0400, Virus Guy wrote:


I'll volunteer as *anyone else here*. I'll repeat Dustin's comment that:-

Your complaints are baseless and unfounded because you really *don't*
understand how this game is played. How detection/prevention actually
works and how trivial it really is to evade most of it.

One of these days you will get a clue! (Well, maybe).

Just keep blocking IP's. It's what you do well.

Thane

Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)



They aren't viral. Please use the proper terminology. I *know* you  
already understand the differences so I won't bore you with the  
specifics again. It's not my intention to talk down to you or come  
across that way.
  

That isn't what I wrote to you, Virus Guy. Please do not attempt to  
twist exactly what I wrote to mean anything other than exactly what I  
wrote. Reminder:

This is what I wrote in response to your entire thread in general and  
the previous ones.


And it means absolutely nothing. That's the thing you don't seem to  
comprehend.  

I am glad ten products are picking something up, and Kaspersky  
impressed me with what appears to be an actual signature hit; IE:  
it's not 0day malware to them, although it was to you.

I didn't say the work anybody did meant nothing, I said your  
complaints in general mean nothing. The ones like this one, for  
example. You complain that a few detect such and such trojan you got  
via email. You expect all of them or nearly all of them to nail it as  
soon as you submit it, but the reality is, the technology doesn't  
actually work that way.

We can get into specifics of detection technologies and their  
respective limitations/consequences when deployed if you really want  
to bother, but the statement I made isn't going to change. It was  
directly in reference to YOUR posts, not the tireless/thankless work  
of the researchers.  
  

Not according to me. See above.


I said nothing of the sort. It's not realistically feasible that AV
software or AM software is going to detect all threats the second  
they see it the first time. It's not even logical.  
  

The actual droppers? Umm.. bro, the files I pulled from your url are  
actually themselves, the dropper. They 'install' the real malware for  
you. I took the actual malware apart too. [g] Unlike yourself, I  
*don't* have to submit a suspicious file to virustotal. I'm capable  
of taking a peek for myself.  

I have shared my findings with others in the AV/AM industries,  
though; I'm not stingy. I suppose I could have sent it to virustotal  
as well; but I already have those contacts, so there was no real  
point. Besides, virustotal wouldn't have passed it to everyone on my  
research list. Better I do that myself in this case.  

Don't worry, every malware sample I pull that you've kindly taken the  
time to fork over is shared with the AV/AM community; their programs  
will be able to add detection/possible removal as a result. They'll  
also be able to hone in on a better scan string if they don't already  
have one instead of a generic hit that could also trigger with a  
legit file.  

The thing is, every technology you employ for detection,  
disinfection, and other removal methods, have pros and cons to using  
them. No single technology is perfect and some carry more risk of  
accidentally flagging a legit file as a bad one. As a  
developer/researcher you weigh those risks and try to determine  
what's best for the user.  

What is likely to get the bad guys and hopefully, not bother the user
with too many false positives. It's not realistically possible to
claim no false positives with most of the technologies because most
malware is written in HLL these days and much of it is identical to a
legitimate application.

Take AVG for example. It's false positive city. It has a very active  
heuristics engine that is mostly in paranoid mode all the time. This  
can be considered a good thing on one hand, it's far less likely a  
user is going to run something AVG doesn't like; especially if they're
constantly told that if their AV blocks it, you DON'T run it.

OTH, this can also result in unnecessary technical support for you;  
when AVG doesn't like some program all of a sudden (a database update  
usually causes this) and the user thinks they have a virus or  
something, when in fact, they don't.

And there's the fun of downloading apps from nirsoft to be told by  
AVG that such and such is a trojan or something; when you know it's a  
perfectly legit app.

I'm just using AVG as an example. Every program on the market has
its issues. AVG is just one of the better known ones for being..
overzealous in its detection.

You're expecting a magic bullet and I'm trying to explain to you that  
there isn't one and there won't be one anytime soon. I keep writing  
that you don't understand how any of this actually works behind the  
scenes, and, based on your replies, it's clear you really don't.

You need to learn how your computer actually 'runs' programs. Once  
you do, you'll understand how modern day, HLL compiled malware is  
doing what it does and why the AV/AM products you rail on aren't  
detecting them the moment you submit them. It'll make a lot more sense
to you then. As long as you refuse to take a little time and do a  
little reading, this is all going to seem like I'm making excuses for  
what you feel is shoddy protection, at best.


--  
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!



Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)

Virus Guy expressed precisely:

It looks to me as if they are detecting the packer and not the actual  
malware in the package. IOW they have seen the packer before with  
samples of other malware inside.

[...]


It is inherently impossible to identify any *new* sample with signature  
based detection if no signature has yet been promulgated.

In some cases they may be able to 'detect' that it is malware by  
guessing that malware would reside in such a packed file, but not be  
able to 'identify' what malware it is.



Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)

On Tuesday, October 28, 2014 8:33:24 AM UTC+8, Virus Guy wrote:
  

Wait, how do you know this doesn't spell: "Lawyer SCARING for arizona .com"? :-)

RL

"Dustin is not a dirtbag, he's a dustbin"

Re: Notice to Appear, from the Ximian Evolution spammer (2 viral samples, Oct 27 / 2014)



LOL! Dustin knows that int21 doesn't stand for integer in assembler,  
though. Ray, not so much.
  



--  
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!


