
eEye Digital Security


Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

Last post 09-03-2008 12:08 AM by Blue1978. 20 replies.
Page 2 of 2 (21 items) < Previous 1 2
  • 08-13-2008 8:58 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Spunner:
    Can we get protection from this?  I sold them on using Blink because of its hardened security (I know it's a cat-and-mouse game) but we're pretty smart cats!

    I don't doubt that, there are so many variants of it, it is sickening.  Being able to stop them all is going to be difficult.  I have personally sent eEye like 4 different versions of it now (pretty much same general file name) but with different MD5 hashes.

    Here are two other versions of it that I found and that I have tickets on pending with Norman.  eEye has already sent them in and we are waiting on a signature to be made for them.

    Name: AV2009Install_880174.exe

    MD5: 2f772504e41a9a0a1b55c564f0601818

    Name: AntvrsInstall.exe

    MD5: a114da736592860009233c6ddaab4692

    -------------------------------------------------------------------------------- 

    My personal recommendation is to create two rules:

    1. One IPS signature that blocks any email attachment with the file extension of:  .exe, .dll, .com, .php, and .bat  ... you might go as far as to block .txt also.

    2. One System Protection signature (under the "Execution Protection" tab) that keeps anything in Outlook (link, file, etc.) from opening IE or Firefox (whichever one you're using for your browser) that has the following:

    Type of System Resource: Execution

    Specify the Executable that this rule will protect against:  "C:\Program Files\Internet Explorer\iexplore.exe"

    - Match the type:  Partial

    - Do not use executable MD5 (in the bottom part)

     Specify the Parent Process that this rule will filter against:  (This would be the path to the Outlook executable)

     - Match type: Wildcard

     - Do not use parent process MD5

    ------------------------------------------------------------------------------------

    I have also gone overboard and made individual new rules that were copies of the top rule (for Adobe Acrobat under the "Execution Protection" tab) but are for blocking the following from opening the "cmd.exe":

    Microsoft Word

    Microsoft Excel

    Microsoft Powerpoint

    Windows Word Notepad

    ----------------------------------------------------------------------- 

    Do you know for a fact there was an actual attachment?  If not, I will bet on it being embedded code of some nature: HTML or maybe even scripts embedded in images (used a lot to bypass phishing security measures) that ran itself when the pane viewer displayed it.  At that point it probably downloaded the executable to your system from the internet and ran it.

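The two Blink rules above, reduced to checkable logic as an added example (this is not code from the thread or from eEye's product): rule 1 filters attachments by extension, and rule 2 plus the cmd.exe copies match a child executable against its parent process using the partial/wildcard semantics the post describes, with no MD5 on either side. The rule names, the Office executable names and the sample paths are my assumptions.

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Rule 1 from the post: attachment extensions to block outright.
BLOCKED_ATTACHMENT_EXTS = {".exe", ".dll", ".com", ".php", ".bat"}

@dataclass
class ProcEvent:
    parent: str  # full path of the process that started the child
    child: str   # full path of the executable being started

@dataclass
class ExecRule:
    # Shape of a Blink "Execution Protection" rule as the post describes it:
    # protected executable + parent filter, each with its own match type,
    # and no MD5 on either side so renamed/recompiled variants still match.
    name: str
    executable: str
    exec_match: str    # "partial" (substring) or "wildcard" (* and ?)
    parent: str
    parent_match: str

def _match(pattern, path, mode):
    p, s = pattern.lower(), path.lower()  # Windows paths are case-insensitive
    if mode == "partial":
        return p in s
    if mode == "wildcard":
        return fnmatch.fnmatchcase(s, p)
    raise ValueError("unknown match type: " + mode)

def is_blocked_attachment(filename):
    """Block on the final extension, so 'invoice.pdf.exe' is still caught."""
    return ntpath.splitext(filename)[1].lower() in BLOCKED_ATTACHMENT_EXTS

# Rule 2 (Outlook may not launch IE) plus the cmd.exe rules for Office apps.
# Parent paths use wildcards because the Office install path varies per host.
RULES = [ExecRule("Outlook -> IE", "\\Internet Explorer\\iexplore.exe", "partial",
                  "*\\outlook.exe", "wildcard")]
RULES += [ExecRule(app + " -> cmd", "\\cmd.exe", "partial", "*\\" + exe, "wildcard")
          for app, exe in [("Word", "winword.exe"), ("Excel", "excel.exe"),
                           ("PowerPoint", "powerpnt.exe"), ("Notepad", "notepad.exe")]]

def matching_rules(event):
    """Names of every rule that would block this process start (empty = allowed)."""
    return [r.name for r in RULES
            if _match(r.executable, event.child, r.exec_match)
            and _match(r.parent, event.parent, r.parent_match)]
```

Feed it the parent/child pairs from your process-creation logs: iexplore.exe started by OUTLOOK.EXE matches, the same browser started by explorer.exe does not, and a new variant of the installer still trips rule 1 because nothing here depends on the file's hash.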
  • 08-13-2008 11:32 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Blue1978:
    Name: AV2009Install_880174.exe

    MD5: 2f772504e41a9a0a1b55c564f0601818
     

    Now Detected as:

    Event ID: BLINK-ENG-202
     Severity: Medium
     Description: Blink has disinfected the system after malware was detected
     Quarantine Location: 01C8FD71-E09804D0-0-W32/FakeAV.G
     Action: Quarantined
     Item Found: G:\VMWare\Live Malware (Warning!)\#14\AV2009Install_880174.exe
     Alert: No
     Name: W32/FakeAV.G


    Blue1978:
    Name: AntvrsInstall.exe

    MD5: a114da736592860009233c6ddaab4692


    Now Detected as:

    Event ID: BLINK-ENG-202
     Severity: Medium
     Description: Blink has disinfected the system after malware was detected
     Quarantine Location: 01C8FD71-ED63E3DC-0-W32/Renos.AEK
     Action: Quarantined
     Item Found: G:\VMWare\Live Malware (Warning!)\#7\AntvrsInstall.exe
     Alert: No
     Name: W32/Renos.AEK


  • 08-13-2008 7:47 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Found yet another variant of this junk tonight!  Waiting on a signature for it now.


    Name:    IAInstall.exe

    MD5:    d93c308f8a4c3e58e6bdace73390d5fb

  • 08-15-2008 11:47 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Blue1978:
    Name:    IAInstall.exe

    MD5:    d93c308f8a4c3e58e6bdace73390d5fb
    Now detected as:

    Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     Virus found: W32/DLoader.IXRX
     Item found: G:\VMWare\Live Malware (Warning!)\#7\IAInstall.exe
     Action: Quarantine
     Alert: Yes
     Name: W32/DLoader.IXRX
     Second Action: Log Only
     Category: Trojan
  • 08-26-2008 1:37 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Yeah, the infamous "reading pane". Can you disable it? It's the first and only protection you get in Outlook :D

    Best,

    Art

  • 09-03-2008 12:08 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    What version of Outlook are you using?  In Outlook 2003 you would have to do the following for each folder:

    1. Select the folder you want to disable the preview pane on.

    2. Go to View >> Reading Pane, and then mouse over to select "Off"

    Other Items to consider: 

    - Keep in mind Outlook uses the "Internet" zone security settings in IE for its security.  If this zone is set low, a lot will be allowed to happen in Outlook email messages.

    - In Outlook 2003 I recommend also tightening up its security a bit by making the following setting changes:

    1. Under Tools >> Options >> Preferences Tab

        - Select the "E-mail Options" button

           1a. Make sure the "Read all standard email in text" and "Read all digitally signed mail in plain text" have their boxes checked

           1b. At the bottom I would recommend setting "Include original message in text" be set for the "when replying" and "when forwarding" fields.

    2. Under the Mail Format Tab

         - for the "Compose in this message format"  set this to:  Plain Text

    3. Under the Security Tab

         - Make sure the Security Zones section has the "Internet" zone selected in the field that is visible.


    These are my personal recommendations for tightening up security a little bit in Outlook 2003.

© 1995 - 2009 eEye Incorporated