Feeds:
Posts
Comments

Okaerinasai





Happened to pass here after a lot of time and thought “why not?!?”

Is there still room for a personal blog like this one in 2020?

Would I have the time to write anything in here at all?

Perhaps I’ll give it another try…

Malware aruba.it

Oggi vedo arrivare messaggi contenenti presunte fatture di Aruba.it:

 

From: comunicazioni@staff.aruba.it
Subject: Invio copia bollettino

Gentile cliente,

come da lei richiesto in allegato potrà trovare copia del bollettino postale con cui effettuare il pagamento.

Saluti
______________________________

Aruba S.p.A.

Servizio Clienti – Aruba.it

http://www.aruba.it

http://assistenza.aruba.it

Call center: 0575/0505

Fax: 0575/862000

_______________________________

 

In allegato, un file con nome del tipo 123456789_1234567890.pdf.zip

Guardando l’allegato un po’ più da vicino:

skull@mithrandir:~$ unzip 12345678_1234567890.pdf.zip
Archive: 12345678_1234567890.pdf.zip
inflating: 87654321_0987654321.pdf.pif

skull@mithrandir:~$ file 87654321_0987654321.pdf.pif
87654321_0987654321.pdf.pif: MS-DOS executable

Ovviamente, una occhiata agli header conferma che la mail non viene affatto da Aruba:

Return-Path: <xxxxx@hotel.de>
Received: from [80.86.156.104] (unknown [80.86.156.104])
	by mta1.spin.it (Postfix) with ESMTP id xxxxx
	for <xxxxx>; Mon, 21 Jul 2014 13:xx:xx +0200 (CEST)
Received: from [59.22.31.20] (helo=xxxxx.xxxxx.net)
	by  with esmtpa (Exim 4.69)
	(envelope-from )
	id xxxxx
	for xxxxx; Mon, 21 Jul 2014 12:xx:xx +0100
Received: from [109.26.59.81] (helo=xxxxx.xxxxx.su)
	by  with esmtpa (Exim 4.69)
	(envelope-from )
	id xxxxx
	for xxxxx; Mon, 21 Jul 2014 12:xx:xx +0100
Date: Mon, 21 Jul 2014 12:xx:xx +0100
From: comunicazioni@staff.aruba.it
To: <xxxxx>
Subject: Invio copia bollettino


Al momento della ricezione, la lista degli AV che lo riconoscono per quel che è è desolantemente scarna, come di consueto:

 

VirusTotal

 

All’occhio…

Months ago I wrote a serie of articles (Italian only) about why relying on an AntiVirus only is far from being an effective approach to network safety nowadays. Today, I stumbled upon this piece, where Brian Dye, Symantec’s senior Vice President for Information Security apparently says «AntiVirus is dead».

To quote Mark Twain, I think the report of AV death is an exaggeration: nobody should -in my opinion- turn their AV off because it’s not effective anymore. It is certainly true, however, that this approach cannot be the only one in place if you plan to combat malware on your network effectively.

In the fourth part of the series above I already suggested using lists of Command & Control IPs to create nullrouting or firewall entries to inhibit network traffic trying to reach “bad resources”. I also said how one of these lists is available from Spamhaus (as that’s the one I’ve been using) and how they provide this list in the form of a BGP feed you can configure directly in your border router(s).

Whatever the list you chose and however you’re feeding it to your router, you’re going to face a problem: how to monitor what is being nullrouted and what the supposedly infected system is trying to do?

Here is what I did and how you can use a normal linux system to dump and log the blocked traffic and hijack the HTTP sessions (that are by far the most interesting ones) to obtain more intel about the infections.

Continue Reading »

I spent a good part of the last few days trying to debug a very weird problem involving postfix and opendkim, so I thought it was a good idea to write the entire experience down for anybody who might be encountering the same (or a similar) problem. This was probably the weirdest misbehaviour I managed to trigger without involving any real bug…

 

On a system I control, I installed opendkim for signing only and configured postfix to interact with it: installation was smooth as usual and everything was deployed in an hour or two. The emails sent by the system are partly anonymized and some headers are therefore stripped before the mail goes out. For this reason, DKIM was configured to sign only some of the headers (and not all of them) or the signatures would fail to validate for remote users.

I sent a few test emails to Gmail and everything seemed to be fine: mail signed, signature header as expected, Google verifying the signature correctly and so on. So I told other users of the same server that the feature was enabled and to poke me in case something was wrong. Immediately one user wrote back saying he wasn’t seeing any signature at all in the emails he was sending.

I checked the logs for his email and found this:

Mar 24 12:22:56 myserver opendkim[32082]: 0CA2F2F1: can’t determine message sender; accepting

The presence of a “From” or “Sender” header within the email is mandatory for DKIM, otherwise the mail can’t be signed; this message was saying that the mail had none and was therefore refusing to sign it.

Easy.

 

Continue Reading »

OK, this is ridiculous…

Screen Shot 2014-02-16 at 16.01.39

<span>%d</span> bloggers like this: