Discussion:
Unofficial Phishing Signatures
Steve Basford
2006-01-24 20:49:03 UTC
There are already a number of great phishing signatures in ClamAV but
the Official ClamAV signature makers are obviously very busy taking care
of the higher priority Virus/Trojan signatures.

As I've seen a number of new phishing attempts get past the Official
ClamAV signatures, I thought I'd try to produce my own signatures, to
see if some of these newer phishing attempts could be stopped.

They are here to download, if anyone is interested:
http://www.sanesecurity.com/clamav/

Note 1: Please, no discussion on whether phishing sigs should be
included in ClamAV (see the clamscan --no-phishing option and the clamd
DetectPhishing option)

Note 2: Use the unofficial phish.ndb at your own risk.

Cheers,

Steve

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
Dennis Peterson
2006-01-25 00:56:35 UTC
Post by Steve Basford
http://www.sanesecurity.com/clamav/
What methodology are you using to create these? It looks
like an opportunity for collaboration if there's a way
to avoid dupes.

dp
Jason Haar
2006-01-25 08:32:07 UTC
Post by Dennis Peterson
What methodology are you using to create these? It looks
like an opportunity for collaboration if there's a way
to avoid dupes.
If signature development is truly getting bogged down, perhaps more
official people are needed? I guess we'd hear a call for volunteers if
it was?

Is there a process by which people can volunteer? I think more skills
than "need to know how to run md5sum" will be required ;-)
--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Mike Robinson
2006-01-25 18:24:33 UTC
Post by Jason Haar
Post by Dennis Peterson
What methodology are you using to create these? It looks
like an opportunity for collaboration if there's a way
to avoid dupes.
If signature development is truly getting bogged down, perhaps more
official people are needed? I guess we'd hear a call for volunteers if
it was?
Is there a process by which people can volunteer? I think more skills
than "need to know how to run md5sum" will be required ;-)
The first question is, does clamd automatically detect changes to .ndb
files? If not, I'm thinking we should get it put into the newest
CVS...then we would need someone to host the updates...maybe make a tool
like freshclam or get a change into freshclam that lets us put in extra
signature locations. We could do it something like SARE for
SpamAssassin... (http://www.rulesemporium.com/)

You know, having different signatures...some bleeding edge, others that
we can eventually feed back into the ClamAV database...
Steve Basford
2006-01-26 22:32:22 UTC
Post by Mike Robinson
The first question is, does clamd automatically detect changes to .ndb
files?
Sorry for the late reply...

I did a quick test and it seems to only get "re-loaded", after running
freshclam,

ie: like this:

1) example phish.ndb has two sigs
2) clamd is running
3) you overwrite the phish.ndb, with one that has a total update of four
sigs
4) clamdscan, when run will not recognize the last two updated sigs,
when scanning
5) run freshclam
6) the database then gets reloaded and the last two updated sigs, are
available to clamd, when scanning

I guess it's this section of freshclam.conf:

# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
NotifyClamd /cygdrive/c/clamav-devel/etc/clamd.conf

So, I doubt any code-changes are needed.... but then... it's been a long
day ;)

Cheers,

Steve
Tomasz Kojm
2006-01-26 22:37:35 UTC
On Thu, 26 Jan 2006 22:32:22 +0000
Post by Steve Basford
Post by Mike Robinson
The first question is, does clamd automatically detect changes to .ndb
files?
Sorry for the late reply...
I did a quick test and it seems to only get "re-loaded", after running
freshclam,
clamd automatically detects and loads new databases on every SelfCheck
--
oo ..... Tomasz Kojm <***@clamav.net>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Jan 26 23:35:49 CET 2006
Stephen Gran
2006-01-27 00:13:40 UTC
Post by Steve Basford
Post by Mike Robinson
The first question is, does clamd automatically detect changes to .ndb
files?
Sorry for the late reply...
I did a quick test and it seems to only get "re-loaded", after running
freshclam,
clamd notices new databases after a restart, a RELOAD command, a signal,
or SelfCheck seconds have passed. Pick the one that works for you.
--
--------------------------------------------------------------------------
| Stephen Gran | Now there's a violent movie titled, |
| ***@lobefin.net | "The Croquet Homicide," or "Murder With |
| http://www.lobefin.net/~steve | Mallets Aforethought." -- Shelby |
| | Friedman, WSJ. |
--------------------------------------------------------------------------
c***@pcez.com
2006-01-27 00:39:58 UTC
Does anyone know if the latest "cvd" has the virus:

http://cme.mitre.org/data/list.html#24

Thanks,

Ken

Freddie Cash
2006-01-26 22:37:25 UTC
Post by Mike Robinson
Post by Jason Haar
Post by Dennis Peterson
What methodology are you using to create these? It looks
like an opportunity for collaboration if there's a way
to avoid dupes.
If signature development is truly getting bogged down, perhaps more
official people are needed? I guess we'd hear a call for volunteers
if it was?
Is there a process by which people can volunteer? I think more skills
than "need to know how to run md5sum" will be required ;-)
The first question is, does clamd automatically detect changes to .ndb
files? If not, I'm thinking we should get it put into the newest
clamd loads the databases once at startup. You can restart clamd, send a
notify to clamd, or run freshclam to have it reload the databases.

clamscan loads the databases each time it is called, so it will pick up
the new databases right away.

clamdscan uses clamd, see above.
--
Freddie Cash, LPIC-1 CCNT CCLP Helpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
fcash-***@sd73.bc.ca
Todd Lyons
2006-01-25 18:30:37 UTC
Post by Steve Basford
Note 2: Use the unofficial phish.ndb at your own risk.
Any reason to call it phish.ndb instead of phish.db? Just a way to make
automating it easier?
--
Regards... Todd
when you shoot yourself in the foot, just because you are so neurally
broken that the signal takes years to register in your brain, it does
not mean that your foot does not have a hole in it. --Randy Bush
Linux kernel 2.6.12-15mdksmp load average: 0.12, 0.10, 0.04
Steve Basford
2006-01-25 18:40:37 UTC
Post by Todd Lyons
Any reason to call it phish.ndb instead of phish.db? Just a way to make
automating it easier?
Hi Todd,

If you look at the current signature pdf docs here:
http://www.clamav.net/doc/0.88/signatures.pdf

If you look at Section 3.3 (Basic Signature format) you'll see that
these databases are .db format, which doesn't have an HTML type; it
looks for matches in ALL file types, which I thought would increase the
risk of false positives.

So, I went for Extended Signature format (Section 3.4), which MUST be in
a .ndb format.

I think that's right anyway ;)

Steve
Todd Lyons
2006-01-25 18:44:49 UTC
Post by Steve Basford
If you look at Section 3.3 (Basic Signature format) you'll see that
these databases are .db format, which doesn't have an HTML type; it
looks for matches in ALL file types, which I thought would increase the
risk of false positives.
Very good reasoning. Quite frankly I'm a bit embarrassed having asked
that question now.
--
Regards... Todd
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.12-15mdksmp load average: 0.14, 0.11, 0.08
Steve Basford
2006-01-29 21:37:55 UTC
Hi,

Firstly, I've done an update to the Unofficial Phishing Signatures.

Secondly... will whoever is using ip address 216.35.188.119, please sort
out their wget config file:

216.35.188.119 - - [29/Jan/2006:20:36:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:38:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:40:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:42:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:44:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:46:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:48:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:50:02 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:52:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:54:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:56:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.119 - - [29/Jan/2006:20:58:01 +0000] "HEAD /clamav/phish.ndb HTTP/1.0" 200 0 "-" "Wget/1.10.2"

I don't update the sigs *that* often ;)

IP has been blocked access for now.

Cheers,

Steve

Rob MacGregor
2006-01-29 21:56:09 UTC
Post by Steve Basford
Hi,
Firstly, I've done an update to the Unofficial Phishing Signatures.
Secondly... will whoever is using ip address 216.35.188.119, please sort
A quick WhoIS check says it's mail.mrball.net (POC todd <at> mrball.net).

--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
Oliver Stöneberg
2006-01-29 21:57:44 UTC
You should really clean up your signatures. I have a phishing set of
512 phishing mails, of which 23 are not recognised by ClamAV. From those
only 4 are captured by your signatures, which are the following:

d:\_ham-mails\_scan/phishing.070: Html.Phishing.Bank.Sanesecurity.05080100 FOUND
d:\_ham-mails\_scan/phishing.192: Html.Phishing.Auction.Sanesecurity.05080100 FOUND
d:\_ham-mails\_scan/phishing.199: Html.Phishing.Pay.Sanesecurity.05120802 FOUND
d:\_ham-mails\_scan/phishing.335: Html.Phishing.Pay.Sanesecurity.06011101 FOUND

So these are phishing mails that are not recognised by ClamAV, but
by your signatures.

If I scan the complete set with your signatures, a lot of mails
already recognised by ClamAV are actually recognised by your
signatures, so there are quite some duplicates in your signatures
compared to ClamAV.

I might post a list of the signatures that are recognising mails
that are already in ClamAV signatures, but I would rather see you doing a
cleanup first.

I did this test with 0.88-1 and signatures database version 1257.
Dennis Peterson
2006-01-29 22:46:44 UTC
Post by Oliver Stöneberg
So these are Phishing mails, that are not recognised by ClamAV, but
by your signatures.
If I scan the complete set with your signatures a lot of mails
already recognised by ClamAV are actually recognised by your
signatures, so there are quite some duplicates in your signatures,
compared to ClamAV.
I might post a list of the signatures that are recognising mails
that are already in ClamAV signatures, but I would rather see you doing a
cleanup first.
I did this test with 0.88-1 and signatures database version 1257.
It's worth repeating the question I asked over a week ago - what methodology is
used in collecting these so that dupes are avoided? Nobody answered,
unfortunately, so now we see we have dupes.

dp
Steve Basford
2006-01-30 18:47:58 UTC
Post by Dennis Peterson
It's worth repeating the question I asked over a week ago - what
methodology is used in collecting these so that dupes are avoided?
Nobody answered, unfortunately, so now we see we have dupes.
Sorry for the delay... apart from being more than a little busy... I
must admit, I've spent more time adding to the signatures than doing
the "boring" bit of documenting the methods of producing them.

Anyway, here's a very rushed, "first draft" version of how I put
together one signature:
http://sanesecurity.com/clamav/method.pdf

No doubt, it's got a lot of stuff missing and people will have much
better/quicker ways of doing the same thing..... but, I guess that's
life! ;)

Cheers,

Steve
Steve Basford
2006-01-30 19:23:12 UTC
Post by Oliver Stöneberg
You should really cleanup your signatures. I have a Phishing set of
512 Phishing of which 23 are not recognised by ClamAV. From those
Firstly, thanks for the feedback. Although I must say, I'm
disappointed but not really surprised that my signatures didn't get all
your samples, as there are sooo many ways of doing phishing attempts.
Post by Oliver Stöneberg
If I scan the complete set with your signatures a lot of mails
already recognised by ClamAV are actually recognised by your
signatures, so there are quite some duplicates in your signatures,
compared to ClamAV.
Hmmm.... well, in my sample set, I've certainly scanned them with the
default ClamAV sigs and then used --remove to remove the samples
*before* I try to create a sig for the missed ones. I guess there must
be dupes... elsewhere.

Both signatures will match... but
Post by Oliver Stöneberg
I might post a list of the signatures, that are recognising mails,
that are already in ClamAV signatues, but I rather see you doing a
cleanup first
I feel that it's going to be quite difficult for me to go through 500-odd
ClamAV phishing signatures and compare them, with an editor, to my
100-ish signatures and find out what bits are duplicated. I really
need some samples.

If possible, to save a whole load of time... could you:

a) give me the sample phishing emails that are duplicated
b) give me the sample phishing emails that are missed

Email me, to chat off-list: steveb_clamav -AT- sanesecurity -DOT- com

Thanks again for the feedback...

Steve
Oliver Stöneberg
2006-02-01 11:40:49 UTC
Post by Steve Basford
I feel that it's going to be quite difficult for me to go through 500-odd
ClamAV phishing signatures and compare them, with an editor, to my
100-ish signatures and find out what bits are duplicated. I really
need some samples.
a) give me the sample phishing emails that are duplicated
b) give me the sample phishing emails that are missed
Email me, to chat off-list: steveb_clamav -AT- sanesecurity -DOT- com
Thanks again for the feedback...
I will give you access to the mails you requested, but here are a few
statistics first for everybody out there.

I used ClamAV 0.88-1 with main.cvd 35 and daily.cvd 1263. The
Unofficial Phishing signatures are the 162 ones from 31st January.

Total Phishing mail count - 522
Detected by ClamAV only - 490 (of 522)
Undetected - 32 (of 522)
From the undetected, detected by unofficial signatures - 13 (of 32)
Total undetected - 19 (of 522)

Detected by ClamAV and also by unofficial signatures - 121 (of 490)
Webmaster
2006-01-31 05:56:48 UTC
Hello Steve,
Post by Steve Basford
As, I've seen a number of new phishing attempts get past the Official
ClamAV signatures, I thought I'd try to produce my own signatures, to
see if some of these newer phishing attempts could be stopped.
http://www.sanesecurity.com/clamav/
Your signatures are based on HTML (Filetype = 3).
Shouldn't it be based on Mail (Filetype = 4) ?

This could avoid false positives like this one:
- Go to http://www.sanesecurity.com/clamav/
- Save the html page on your hard disk
- Scan the saved web page with your phish.ndb signatures
=> Html.Phishing.Auction.Sanesecurity.06010701 FOUND

Anyway, thank you for creating signatures. This is useful for a lot of us.

Best regards,

Arnaud Jacques
Security Consultant

Telephone / Fax: +33-(0)3.44.39.76.46
Mobile: +33-(0)6.24.40.95.03
E-mail: ***@securiteinfo.com

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
_______________________________
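Both Steve's .db-versus-.ndb explanation and the Webmaster's filetype 3 (HTML) versus 4 (Mail) question come down to the TargetType field of an extended signature. The following is an added example (not Sanesecurity's, ClamAV's or any poster's code) that parses a small constructed .ndb, hex-encodes a phrase the way a text-only signature body is written, and shows how the declared target type decides whether a legitimate web page that merely quotes phishing wording trips a signature when scanned as HTML versus as Mail. It assumes ClamAV's target-type numbering beyond the two types named in the thread, supports only plain hex bytes, the ?? wildcard and * or decimal offsets, and does not model ClamAV's HTML normalisation.

```python
"""Toy reader and matcher for ClamAV extended (.ndb) signatures.
Added example for this thread, not code from Sanesecurity, ClamAV or any poster.
Line format (ClamAV signatures doc, section 3.4): MalwareName:TargetType:Offset:HexSignature
Supported subset only: plain hex bytes, the ?? single-byte wildcard, offsets * or decimal.
ClamAV's HTML normalisation before matching is not modelled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ClamAV target types: 3 and 4 are the ones discussed in the thread.
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail",
                5: "Graphics", 6: "ELF", 7: "ASCII text"}


@dataclass(frozen=True)
class NdbSig:
    name: str
    target: int
    offset: str
    hexsig: str


def text_to_hexsig(phrase: str) -> str:
    """Hex-encode a literal phrase: this is what a text-only .ndb body looks like."""
    return phrase.encode("latin-1").hex()


def parse_ndb(text: str) -> list[NdbSig]:
    """Parse .ndb lines, rejecting anything outside the supported subset."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: need MalwareName:TargetType:Offset:HexSignature")
        name, target, offset, hexsig = parts[:4]
        if not (target.isdigit() and int(target) in TARGET_TYPES):
            raise ValueError(f"line {lineno}: unknown target type {target!r}")
        if offset != "*" and not offset.isdigit():
            raise ValueError(f"line {lineno}: unsupported offset {offset!r}")
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2}|\?\?)+", hexsig):
            raise ValueError(f"line {lineno}: unsupported hex signature {hexsig!r}")
        sigs.append(NdbSig(name, int(target), offset, hexsig.lower()))
    return sigs


def hexsig_to_regex(hexsig: str) -> re.Pattern[bytes]:
    """Compile the hex body to a bytes regex; each ?? becomes match-any-byte."""
    pieces = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        pieces.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(sigs: list[NdbSig], data: bytes, filetype: int) -> list[str]:
    """Names of signatures that fire on `data` when it is treated as `filetype`.
    The target-type gate is the point: type 3 is only tried against HTML,
    type 4 only against Mail, type 0 against everything."""
    hits = []
    for s in sigs:
        if s.target not in (0, filetype):
            continue
        pat = hexsig_to_regex(s.hexsig)
        found = pat.search(data) if s.offset == "*" else pat.match(data, int(s.offset))
        if found:
            hits.append(s.name)
    return hits


# --- constructed demo data: not real Sanesecurity signatures, not a real mail ---
PHRASE = "your account has been suspended, please confirm your details"
SAMPLE_NDB = "\n".join([
    "Html.Phishing.Example.Demo.01:3:*:" + text_to_hexsig(PHRASE),
    "Email.Phishing.Example.Demo.02:4:*:" + text_to_hexsig(PHRASE),
    # one wildcard byte between "click " and "ere": matches "click here" and "click Here"
    "Phishing.Example.AnyType.Demo.03:0:*:" + text_to_hexsig("click ") + "??" + text_to_hexsig("ere to verify"),
    # fixed offset 0: the body must sit at the very start of the file
    "Html.Example.DoctypeAtStart.Demo.04:3:0:" + text_to_hexsig("<!DOCTYPE html>"),
])

# A legitimate page that quotes the phishing wording, like the saved web page the
# Webmaster scanned; treated as HTML it trips the type-3 and type-0 bodies.
LEGIT_PAGE = (b"<!DOCTYPE html><html><body><h1>Spotting phishing</h1><p>Scam mails often say: "
              + PHRASE.encode() + b". Never click Here to verify anything.</p></body></html>")


def demo() -> dict[str, list[str]]:
    """Scan the same bytes under both declared file types."""
    sigs = parse_ndb(SAMPLE_NDB)
    return {
        "saved page scanned as HTML (3)": scan(sigs, LEGIT_PAGE, 3),
        "same bytes scanned as Mail (4)": scan(sigs, LEGIT_PAGE, 4),
    }
```

Changing the target type only narrows which files a body is tried against; a phrase that also occurs in legitimate mail will still match under type 4, which is why the false-positive reports later in the thread needed the signature text itself reviewed.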
Steve Basford
2006-01-31 07:18:50 UTC
Post by Webmaster
Your signatures are based on HTML (Filetype = 3).
Shouldn't it be based on Mail (Filetype = 4) ?
Interesting... I'll do some tests later today changing the type.

The interesting thing though, is that when you go to the online database
search site http://clamav-du.securesites.net/cgi-bin/clamgrok and type
in "Phishing", select "contains" and then tick the "signature" box,
you'll get a list of current ClamAV signatures... the majority of which
are type 3.
But you're right... it does work... but would mail format be better?
Post by Webmaster
- Go to http://www.sanesecurity.com/clamav/
- Save the html page on your hardisk
- Scan the saved web page with your phish.ndb signatures
=> Html.Phishing.Auction.Sanesecurity.06010701 FOUND
Doh ;) Okay...thanks for reporting that one... I'll take a look....
Post by Webmaster
Anyway, thank you for creating signatures. This is usefull for a lot of us.
No problem... just trying to help.

In fact, yesterday the sigs certainly saved me a job, as this attempt
came in and was blocked by the sig that I made in November. ClamAV's
default sigs didn't know about the virus in the attachment but I caught
it using the content of the text :)

Eg:
http://groups.google.co.uk/groups?q=sightings+%22picture+is+not+to+your+liking%22&start=0&scoring=d&hl=en&

Thanks again,

Steve
Dennis Davis
2006-02-01 10:44:42 UTC
Date: Tue, 24 Jan 2006 20:49:03 +0000
Subject: [Clamav-users] Unofficial Phishing Signatures
There are already a number of great phishing signatures in ClamAV
but the Official ClamAV signature makers are obviously very busy
taking care of the higher priority Virus/Trojan signatures.
As, I've seen a number of new phishing attempts get past the
Official ClamAV signatures, I thought I'd try to produce my own
signatures, to see if some of these newer phishing attempts could
be stopped.
...

Very useful. I started using these signatures on this University's
mail servers on Monday. Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).

Virus Count
----- -----
Html.Phishing.Bank.Sanesecurity.06012200 169
Html.Phishing.Pay.Sanesecurity.05082900 38
Html.Phishing.Bank.Sanesecurity.06012600 19
Html.Phishing.Bank.Sanesecurity.06013001.rock 19
Html.Phishing.Bank.Sanesecurity.06012000 15
Html.Phishing.Auction.Gen004.Sanesecurity.06012903 12
Html.Phishing.Bank.Sanesecurity.06012500 11
Html.Phishing.Auction.Gen002.Sanesecurity.06012901 3
Html.Phishing.Pay.Gen001.Sanesecurity.06012700 3
Html.Phishing.Pay.Sanesecurity.06010901 3
Html.Phishing.Bank.Sanesecurity.05101900 2
Html.Phishing.Pay.Gen002.Sanesecurity.06012700 2
Html.Phishing.Pay.Gen003.Sanesecurity.06012700 2
Html.Phishing.Auction.Gen005.Sanesecurity.06012904 1
Html.Phishing.Azon.Sanesecurity.06011000 1
Html.Phishing.Bank.Sanesecurity.05118103 1
Html.Phishing.Bank.Sanesecurity.05120800 1
Html.Phishing.Bank.Sanesecurity.06011002 1
Html.Phishing.Bank.Sanesecurity.06012601 1
Html.Phishing.Pay.Sanesecurity.05100500 1
Html.Phishing.Pay.Sanesecurity.05120802 1
Html.Phishing.Pay.Sanesecurity.06011103 1
Html.Phishing.Pay.Sanesecurity.06012201 1
------
Total 308

The total incoming virus count for yesterday was 512[1]. So these
signatures account for some 60% of what was detected.

[1] I'm blocking on several RBLs and using other methods for
reducing incoming rubbish. These may well be preventing a lot
of viruses even reaching the scanning stage.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
***@bath.ac.uk Phone: +44 1225 386101
Steve Basford
2006-02-02 19:40:17 UTC
Post by Dennis Davis
Very useful. I started using these signatures on this University's
mail servers on Monday. Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).
Virus Count
----- -----
Total 308
The total incoming virus count for yesterday was 512[1]. So these
signatures account for some 60% of what was detected.
Thanks for those stats :) I'm glad they seem to be working great.

I've just done a sig update, increasing from 164 sigs to 199 sigs.
Hopefully, they improve things a little more :)

Cheers,

Steve
George R. Kasica
2006-02-02 21:40:41 UTC
Post by Steve Basford
Post by Dennis Davis
Very useful. I started using these signatures on this University's
mail servers on Monday. Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).
Virus Count
----- -----
Total 308
The total incoming virus count for yesterday was 512[1]. So these
signatures account for some 60% of what was detected.
Thanks for those stats :) I'm glad they seem to be working great.
I've just done an sig update, increasing from 164 sigs to 199 sigs.
Hopefully, they improve things a little more :)
Cheers,
Steve
Steve or Dennis:

Where did you get the tool to get clamav stats? We just installed it
here and could really use something like that.

Thanks,

===[George R. Kasica]=== +1 262 677 0766
President +1 206 374 6482 FAX
Netwrx Consulting Inc. Jackson, WI USA
http://www.netwrx1.com
***@netwrx1.com
ICQ #12862186
Dennis Davis
2006-02-03 10:21:56 UTC
Date: Thu, 02 Feb 2006 15:40:41 -0600
Subject: Re: [Clamav-users] Unofficial Phishing Signatures
...
Where did you get the tool to get clamav stats? We just installed it
here and could really use something like that.
I suspect this will greatly depend on the MTA you're using. I'm
using exim as my MTA and all incoming mail is run through both ClamAV
and Sophos virus scanners. Mail containing a virus is rejected after
the DATA phase of the SMTP dialogue and I've set up exim to log this.
For example:

2006-02-03 09:21:56 1F4x8d-0004hS-G1 H=mars.math.nctu.edu.tw (Webmail.Math.NCTU.edu.tw) [140.113.22.51] I=[138.38.32.23]:25 U=root F=<***@Webmail.Math.NCTU.edu.tw> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Pay.Sanesecurity.05082900 ClamAV).

Logs are rotated daily. So it's a simple matter to run a perl script
over yesterday's logs, pick out lines similar to the above[1], and
produce a summary.

I do much the same with spam scores. Spam counts are logged and
a daily summary produced.

[1] Simple perl code of the form:


use strict;
use warnings;

my (%virus, $first, $last);
open(my $exiscanlog, '>>', 'exiscan.log') or die "exiscan.log: $!";

while (my $line = <>) {            # yesterday's exim main log on STDIN
    chomp $line;
    next unless $line =~ /This message contains a virus/
             || $line =~ /message contains malware/;
    # lines start "YYYY-MM-DD HH:MM:SS"; remember first/last reject time
    my ($day, $time) = split / /, $line;
    $last  = $time;
    $first = $time unless defined $first;
    print $exiscanlog "$line\n";  # condensed log for weekly/monthly summaries
    # keep the "(Html.Phishing... ClamAV)." tail, then drop the closing ")."
    $line =~ s/^.* \(//;
    $line =~ s/..$//;
    $virus{$line} += 1;
}
close $exiscanlog;

print "Rejects between $first and $last\n" if defined $first;
printf "%-55s %d\n", $_, $virus{$_}
    for sort { $virus{$b} <=> $virus{$a} } keys %virus;


will add up the virus counts and produce a "condensed" log
that can be used to produce weekly and/or monthly summaries.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
***@bath.ac.uk Phone: +44 1225 386101
Nigel Horne
2006-02-03 10:45:13 UTC
Post by George R. Kasica
Where did you get the tool to get clamav stats? We just installed it
here and could really use something like that.
Try the link at http://www.bandsman.co.uk/cgi-bin/virus/display.pl

Mark Twells
2006-02-02 20:23:24 UTC
Apologies for wibbling in the group, but I don't appear to have the root
message of this thread.

Where might I obtain these unofficial signatures?

Mark
Date: Tue, 24 Jan 2006 20:49:03 +0000
Subject: [Clamav-users] Unofficial Phishing Signatures
There are already a number of great phishing signatures in ClamAV
Steve Basford
2006-02-02 20:44:19 UTC
Post by Mark Twells
Where might I obtain these unofficial signatures?
http://www.sanesecurity.com/clamav/

Cheers,

Steve
Eric Cunningham
2006-02-02 21:04:05 UTC
Post by Mark Twells
Apologies for wibbling in the group, but I don't appear to have the root
message of this thread.
Where might I obtain these unofficial signatures?
From Steve Basford on 1/24/06:

http://www.sanesecurity.com/clamav/

jef moskot
2006-02-02 21:09:02 UTC
The latest batch seems to include a number of false positives, so I had to
revert. I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".

Other issues include apparently legitimate communications between buyers
and sellers.

Jeffrey Moskot
System Administrator
***@math.miami.edu
Steve Basford
2006-02-02 21:43:57 UTC
Post by jef moskot
The latest batch seems to include a number of false positives, so I had to
revert. I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".
Other issues include apparently legitimate communications between buyers
and sellers.
Could you give me the signature names that match the false positives
please.

Cheers,

Steve
Noel Jones
2006-02-02 21:54:20 UTC
Post by Steve Basford
Post by jef moskot
The latest batch seems to include a number of false
positives, so I had to
revert. I don't want to submit private user data, but an
example is the
apparently legit report from eBay entitled "Changes to
eBay User Agreement
and Privacy Policy".
Other issues include apparently legitimate communications
between buyers
and sellers.
Could you give me the signature names that match the false
positives please.
Cheers,
Steve
I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102

Marking legit eBay communications as Phish; bid
confirmations, outbid notices, "you won" notices.
--
Noel Jones

Steve Basford
2006-02-02 22:08:31 UTC
Post by Noel Jones
I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102
Marking legit eBay communications as Phish; bid confirmations, outbid
notices, "you won" notices.
Okay, I've disabled this sig and re-uploaded... that should fix it until
I can find a sample email.

One thing about that sig, is that it was using multiple matches.. but I
did test without any problems... hmmm.

Out of interest... could you email me a header from the false positive
email?
If you can, steveb_clamav ATT sanesecurity DOTT COMM

Cheers,

Steve

Dennis Peterson
2006-02-02 22:24:18 UTC
Post by Steve Basford
Post by Noel Jones
I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102
Marking legit eBay communications as Phish; bid confirmations, outbid
notices, "you won" notices.
Okay, I've disabled this sig and re-uploaded... that should fix it until
i can find sample email.
One thing about that sig, is that it was using multiple matches.. but I
did test without any problems... hmmm.
Out of interest... could you email me a header from the false positive
email?
If you can, steveb_clamav ATT sanesecurity DOTT COMM
I can verify it blocks legitimate mail from Ebay (outbidnotice and endofitem).
I cannot provide samples for obvious reasons.

dp
Steve Basford
2006-02-02 22:33:43 UTC
Post by Dennis Peterson
I can verify it blocks legitimate mail from Ebay (outbidnotice and endofitem).
I cannot provide samples for obvious reasons.
Thanks to all for the reports... the signature was faulty and I've now
disabled it. I've re-uploaded, with it removed.

Sorry for all this...

Cheers,

Steve
jef moskot
2006-02-02 22:05:49 UTC
Post by Steve Basford
Could you give me the signature names that match the false positives
please.
Oh, duh. Of course.

Looks like 2 completely different kinds of eBay communications both
matched: Html.Phishing.Auction.Gen009.Sanesecurity.06020102

Thanks.

Jeffrey Moskot
System Administrator
***@math.miami.edu