Malware aruba.it

Oggi vedo arrivare messaggi contenenti presunte fatture di Aruba.it:

 

From: comunicazioni@staff.aruba.it
Subject: Invio copia bollettino

Gentile cliente,

come da lei richiesto in allegato potrà trovare copia del bollettino postale con cui effettuare il pagamento.

Saluti
______________________________

Aruba S.p.A.

Servizio Clienti – Aruba.it

http://www.aruba.it

http://assistenza.aruba.it

Call center: 0575/0505

Fax: 0575/862000

_______________________________

 

In allegato, un file con nome del tipo 123456789_1234567890.pdf.zip

Guardando l’allegato un po’ più da vicino:

skull@mithrandir:~$ unzip 12345678_1234567890.pdf.zip
Archive: 12345678_1234567890.pdf.zip
inflating: 87654321_0987654321.pdf.pif

skull@mithrandir:~$ file 87654321_0987654321.pdf.pif
87654321_0987654321.pdf.pif: MS-DOS executable

Ovviamente, una occhiata agli header conferma che la mail non viene affatto da Aruba:

Return-Path: <xxxxx@hotel.de>
Received: from [80.86.156.104] (unknown [80.86.156.104])
	by mta1.spin.it (Postfix) with ESMTP id xxxxx
	for <xxxxx>; Mon, 21 Jul 2014 13:xx:xx +0200 (CEST)
Received: from [59.22.31.20] (helo=xxxxx.xxxxx.net)
	by  with esmtpa (Exim 4.69)
	(envelope-from )
	id xxxxx
	for xxxxx; Mon, 21 Jul 2014 12:xx:xx +0100
Received: from [109.26.59.81] (helo=xxxxx.xxxxx.su)
	by  with esmtpa (Exim 4.69)
	(envelope-from )
	id xxxxx
	for xxxxx; Mon, 21 Jul 2014 12:xx:xx +0100
Date: Mon, 21 Jul 2014 12:xx:xx +0100
From: comunicazioni@staff.aruba.it
To: <xxxxx>
Subject: Invio copia bollettino

Al momento della ricezione, la lista degli AV che lo riconoscono per quel che è è desolantemente scarna, come di consueto:

 

 

All’occhio…

Read Full Post »

Sinkholing your network

Months ago I wrote a serie of articles (Italian only) about why relying on an AntiVirus only is far from being an effective approach to network safety nowadays. Today, I stumbled upon this piece, where Brian Dye, Symantec’s senior Vice President for Information Security apparently says «AntiVirus is dead».

To quote Mark Twain, I think the report of AV death is an exaggeration: nobody should -in my opinion- turn their AV off because it’s not effective anymore. It is certainly true, however, that this approach cannot be the only one in place if you plan to combat malware on your network effectively.

In the fourth part of the series above I already suggested using lists of Command & Control IPs to create nullrouting or firewall entries to inhibit network traffic trying to reach “bad resources”. I also said how one of these lists is available from Spamhaus (as that’s the one I’ve been using) and how they provide this list in the form of a BGP feed you can configure directly in your border router(s).

Whatever the list you chose and however you’re feeding it to your router, you’re going to face a problem: how to monitor what is being nullrouted and what the supposedly infected system is trying to do?

Here is what I did and how you can use a normal linux system to dump and log the blocked traffic and hijack the HTTP sessions (that are by far the most interesting ones) to obtain more intel about the infections.

(more…)

Read Full Post »

Postfix opendkim and missing From header

I spent a good part of the last few days trying to debug a very weird problem involving postfix and opendkim, so I thought it was a good idea to write the entire experience down for anybody who might be encountering the same (or a similar) problem. This was probably the weirdest misbehaviour I managed to trigger without involving any real bug…

 

On a system I control, I installed opendkim for signing only and configured postfix to interact with it: installation was smooth as usual and everything was deployed in an hour or two. The emails sent by the system are partly anonymized and some headers are therefore stripped before the mail goes out. For this reason, DKIM was configured to sign only some of the headers (and not all of them) or the signatures would fail to validate for remote users.

I sent a few test emails to Gmail and everything seemed to be fine: mail signed, signature header as expected, Google verifying the signature correctly and so on. So I told other users of the same server that the feature was enabled and to poke me in case something was wrong. Immediately one user wrote back saying he wasn’t seeing any signature at all in the emails he was sending.

I checked the logs for his email and found this:

Mar 24 12:22:56 myserver opendkim[32082]: 0CA2F2F1: can’t determine message sender; accepting

The presence of a “From” or “Sender” header within the email is mandatory for DKIM, otherwise the mail can’t be signed; this message was saying that the mail had none and was therefore refusing to sign it.

Easy.

 

(more…)

Read Full Post »

OK, this is ridiculous…

Read Full Post »

[Riciclo] Filtraggio e reputazione posta in uscita

Ogni tanto capita di scrivere qualcosa di lungo in risposta ad una domanda posta in qualche newsgroup/ML/forum/whatever.
Visto che oramai son scritte, tantovale riciclarle qui, dove magari possono essere integrate e corrette nel tempo (e magari popolano anche queste pagine altrimenti scevre di novità)…Inizio con questa, passata su it.comp.os.linuxsys:

On 03/02/14 10:05, Roberto Tagliaferri wrote:

Hola, capita che qualche cliente si becchi uno worm di quelli che invia le
credenziali email per spammare.
Il server ovviamente lo fa inviare (ha login e password corretti) e le
botnet nuove sono abbastanza intelligenti da non inviare troppe email
insieme (per non sovraccaricare il server) e magari le spediscono fuori
orario ufficio (così vengono beccati dopo qualche giorno).
Oltre a decapitare il cliente (è comunque una azione postuma) che si può
fare?
Avevo pensato ad un controllo che bloccasse invii da classi di ip diverse
(chessò, invii da 10 classi ip differenti in 12 ore) ma è un approccio forse
un po’ troppo grossolano (c’è comunque un filtro di fail2ban o un milter
adatto?)
Con postfix che si può fare?
(more…)

Read Full Post »