Why Friends Don’t Let Friends Run Windows: Virus Scanning

So an email made its way through all the spam filtering:

From:     USPS Service <us@usps.com>
Reply-To:     USPS Service <us@usps.com>
To:     (me)
Subject:     Failure to deliver

Notification,

Your parcel can’t be delivered by courier service.
Status:The size of parcel is exceeded.

LOCATION OF YOUR ITEM:Riverside
STATUS OF YOUR ITEM: not delivered
SERVICE: One-day Shipping
:U954571533NU
INSURANCE: Yes

Label is enclosed to the letter.
Print a label and show it at your post office.

Information in brief:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $12.70 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for your attention.
USPS Customer.

It had, of course, an attachment:
Zip archive attachment (Label_Parcel_USPS_ID.45-123-14.zip)

Since I hadn’t sent a package using “one-day shipping” (which the USPS would call Express Mail), this seemed odd, as did the somewhat stilted phrasing.

We all know how this is going to work out, but let’s do the exercise anyway.

Save the ZIP attachment in /tmp, then …

Apply ClamAV: run freshclam to update the virus signatures and fire clamscan at the ZIP file:

/tmp/Label_Parcel_USPS_ID.45-123-14.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 1201128
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
Data read: 0.02 MB (ratio 2.00:1)
Time: 7.549 sec (0 m 7 s)

Huh. Well, then, it must be safe, right? (The alert reader will note that my version of clamav is one click back from the latest & greatest. Maybe that would make a difference. Probably not.)

Let’s see what VirusTotal has to say:

SHA256: febe98371e5b327118f5a703215f6f55ab47760764c68b0b9a64d1e5bdb28e25
File name: Label_Parcel_USPS_ID.45-123-14.zip
Detection ratio: 3 / 42
Analysis date: 2012-04-20 11:40:44 UTC ( 0 minutes ago )
Antivirus Result Update
AhnLab-V3 - 20120420
AntiVir - 20120420
Antiy-AVL - 20120420
Avast - 20120420
AVG - 20120420
BitDefender - 20120420
ByteHero - 20120417
CAT-QuickHeal - 20120420
ClamAV - 20120419
Commtouch W32/Trojan2.NQWF 20120420
Comodo - 20120420
DrWeb - 20120420
Emsisoft - 20120420
eSafe - 20120419
eTrust-Vet - 20120420
F-Prot - 20120420
F-Secure - 20120420
Fortinet - 20120420
GData - 20120420
Ikarus - 20120420
Jiangmin - 20120420
K7AntiVirus - 20120418
Kaspersky - 20120420
McAfee - 20120420
McAfee-GW-Edition - 20120420
Microsoft TrojanDownloader:Win32/Kuluoz.A 20120420
NOD32 a variant of Win32/Kryptik.AEKY 20120420
Norman - 20120420
nProtect - 20120420
Panda - 20120420
PCTools - 20120420
Rising - 20120420
Sophos - 20120420
SUPERAntiSpyware - 20120402
Symantec - 20120420
TheHacker - 20120420
TrendMicro - 20120420
TrendMicro-HouseCall - 20120420
VBA32 - 20120419
VIPRE - 20120420
ViRobot - 20120420
VirusBuster - 20120420

Obviously, this blob of slime arrived still warm from the oven: even though the Big Name AV checkers have up-to-date signatures, 39 of the 42 engines detect nothing wrong and would happily let me run a Trojan installer. That’s what malware protection buys you these days.
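A defender’s triage of an attachment like this one without ever executing it, as an added example that is not the post’s own code: it hashes the archive for a VirusTotal lookup like the one above, lists any archive members Windows would run on a double-click, and reads clamscan’s exit code when the tool happens to be installed. The ZIP contents and the member name are constructed stand-ins, since the post does not show what the real archive held.

```python
import hashlib
import io
import shutil
import subprocess
import zipfile

# Extensions Windows executes on double-click; a "shipping label" should never be one of these.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def sha256_of(data):
    """Hash the raw attachment so it can be looked up (e.g. on VirusTotal) without opening it."""
    return hashlib.sha256(data).hexdigest()


def suspicious_members(zip_bytes):
    """Return archive members that are executable, including 'label.pdf.exe' style double extensions."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(EXECUTABLE_EXTS):
                hits.append(name)
    return hits


def clamscan_verdict(path):
    """Map clamscan's exit code (0 clean, 1 infected, anything else error) to a verdict.
    Returns None when clamscan is not installed, so the rest of the triage still works."""
    if shutil.which("clamscan") is None:
        return None
    rc = subprocess.run(["clamscan", "--no-summary", path], capture_output=True).returncode
    return {0: "clean", 1: "infected"}.get(rc, "error")


def build_sample_zip():
    """Constructed stand-in for the attachment: a 'label' whose member is really a PE-style file.
    The payload is an inert 'MZ' header plus padding, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_Parcel_USPS_ID.45-123-14.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def triage(zip_bytes):
    """Everything a cautious recipient can learn before deciding whether to open the file."""
    return {"sha256": sha256_of(zip_bytes), "executables": suspicious_members(zip_bytes)}


if __name__ == "__main__":
    print(triage(build_sample_zip()))
```

A single engine saying "OK" is one data point; a member named `*.pdf.exe` is a much stronger one, and the hash lets you compare all 42 engines at once.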

To a good first approximation, whatever virus scanner you’re using won’t save your bacon, either; the advice to keep the signatures up to date is necessary, but not sufficient. Of course, you know enough not to autorun random files on your Windows box, but this attack works often enough to justify sending messages to everybody in the world. Repeatedly.

I recently had a discussion with someone who wanted a system secured against email and web malware. She also insisted that it had to run Windows and share files with other Windows machines. I declined to bid on the job…


  1. #1 by Aki on 2012-04-23 - 11:28

    Just to secure the cash flow maybe there are dudes in anti-virus companies coding online banking malware? ;-)

    “Malware threatening secure online banking”

    http://yle.fi/uutiset/malware_threatening_secure_online_banking/6006640

  2. #2 by PeterNL on 2012-04-23 - 13:36

    I’m surprised no class-action lawsuits have been filed against Microsoft yet for criminal negligence and the economic damage their Swiss-cheese OS has caused and, very likely, will yet cause. I fear it won’t just be economic damage, but lost lives too.

    I’m reasonably sure that one day, such suits will happen, when more people realize that MS is not the only maker of OS-es, and that, oh so strangely, those other OS-es are much less vulnerable.

    • #3 by Ed on 2012-04-23 - 14:41

      Well, that EULA everybody clicks through on the way to firing up that new PC for the first time pretty much relieves Microsoft of all liability and obligation no matter what happens. I actually read the entire thing when I get a new PC and it’s obviously been crafted to let them keep all the money while I keep all the problems.

      The GPL does much the same, although it clearly states you keep all the broken pieces when the software fails. I count that as a major advantage, but that’s just me.

      The recent problems with OS X vs. the Flashback Trojan, tiny though they are by comparison with Windows, show that any OS will fail under concerted attack.

      Linux systems may be less vulnerable, if only because they have so little market penetration and so much diversity. That’s cold comfort, I think…