rules to detect 100% of swen-infected emails

  • Thread starter Thread starter Veronica Loell
  • Start date Start date
V

Veronica Loell

See http://nakawe.sf.net/MMM3 for more information. I have been running
this myself for many days now and it catches all the swen-emails. Note:
It needs the 25 first lines of the body so you need a filtering program
(such as MMM3) that allows you to choose this.

- Veronica Loell

#====================================================================#
#-- PROGRAM ------: SWEN-virus-spam filter for Magic Mail Monitor 3
#-- (http://mmm3.sf.net) The current rule-file can be
#-- found at http://nakawe.sf.net/MMM3
#-- FILENAME -----: swen-regler5.txt
#-- VERSION ------: 5
#-- DESCRIPTION --: This file describes the rules in SWEN-smartast.magic
#-- COPYRIGHT ----: This document is placed in the public domain
#-- AUTHOR -------: Veronica Loell gpl at nakawe.se
#-- FILE CREATED -: 2003-09-26 21:57
#-- LAST CHANGED -: 2003-09-28 06:44
#====================================================================#
Changes in Ver. 5:
Added rule: Att24
Changed /Content-Type: audio/x-wav;/ to /Content-Type: audio/x-*;/
#====================================================================#

Rules in SWEN-smartast.magic Ver. 5
-----
Fake HTML-email:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
The month and year in the text is the system date of the infected computer.
September 2003
January 1998
-----
fakeHTML1 *"* *, Cumulative Patch" update which resolves*'
OR *"* *, Cumulative Patch" update which updates*

fakeHTML2 *"* *, Cumulative Patch" update which eliminates*
OR *"* *, Cumulative Patch" update which fixes*

-----
Fake returned mail with attachment:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
* I have seen the following attachments
*.zip
*.com
*.exe
Content-Type: audio/x-wav
Content-Type: audio/x-midi

-----
Att1 <Header> Equals '*Content-Type: audio/x-*; name=*.ade*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.adp*'

Att2 <Header> Equals '*Content-Type: audio/x-*; name=*.asx*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.bas*'

Att3 <Header> Equals '*Content-Type: audio/x-*; name=*.bat*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.chm*'

Att4 <Header> Equals '*Content-Type: audio/x-*; name=*.cmd*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.com*'

Att5 <Header> Equals '*Content-Type: audio/x-*; name=*.cpl*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.crt*'

Att6 <Header> Equals '*Content-Type: audio/x-*; name=*.dbx*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.exe*'

Att7 <Header> Equals '*Content-Type: audio/x-*; name=*.hlp*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.hta*'

Att8 <Header> Equals '*Content-Type: audio/x-*; name=*.inf*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.ins*'

Att9 <Header> Equals '*Content-Type: audio/x-*; name=*.isp*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.js*'

Att10 <Header> Equals '*Content-Type: audio/x-*; name=*.jse*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.lnk*'

Att11 <Header> Equals '*Content-Type: audio/x-*; name=*.mda*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.mdb*'

Att12 <Header> Equals '*Content-Type: audio/x-*; name=*.mde*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.mdz*'

Att13 <Header> Equals '*Content-Type: audio/x-*; name=*.mht*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.msc*'

Att14 <Header> Equals '*Content-Type: audio/x-*; name=*.msi*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.msp*'

Att15 <Header> Equals '*Content-Type: audio/x-*; name=*.mst*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.nch*'

Att16 <Header> Equals '*Content-Type: audio/x-*; name=*.pcd*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.pif*'

Att17 <Header> Equals '*Content-Type: audio/x-*; name=*.prf*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.reg*'

Att18 <Header> Equals '*Content-Type: audio/x-*; name=*.sct*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.shb*'

Att19 <Header> Equals '*Content-Type: audio/x-*; name=*.shs*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.url*'

Att20 <Header> Equals '*Content-Type: audio/x-*; name=*.vb*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.vbe*'

Att21 <Header> Equals '*Content-Type: audio/x-*; name=*.vbs*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.wms*'

Att22 <Header> Equals '*Content-Type: audio/x-*; name=*.wsc*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.wsf*'

Att23 <Header> Equals '*Content-Type: audio/x-*; name=*.wsh*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.zip*'

Att24 <Header> Equals '*Content-Type: audio/x-*; name=*.scf*'
OR <Header> Equals '*Content-Type: audio/x-*; name=*.scr*'
 
Veronica Loell said:
See http://nakawe.sf.net/MMM3 for more information. I have been running
this myself for many days now and it catches all the swen-emails. Note:
It needs the 25 first lines of the body so you need a filtering program
(such as MMM3) that allows you to choose this.
Click to expand...

The suggested filter is far too complicated. A simple yet effective filter for
Swen, for MMM3 is available from http://invircible.com/download/xswen5mmm.zip

It's actually the same filter that I suggested for MailWasher, implemented for
Magic Mail Monitor 3. Compared to the 26 (2 + 24) rule pairs of the filter
below, mine has just one, and is equally effective, with no "false positives"
(didn't find any among the thousands of Swen deleted messages, so far).

Regards, Zvi
 
Zvi Netiv wrote / skrev:
The suggested filter is far too complicated. A simple yet effective filter for
Swen, for MMM3 is available from http://invircible.com/download/xswen5mmm.zip

It's actually the same filter that I suggested for MailWasher, implemented for
Magic Mail Monitor 3. Compared to the 26 (2 + 24) rule pairs of the filter
below, mine has just one, and is equally effective, with no "false positives"
(didn't find any among the thousands of Swen deleted messages, so far).

Regards, Zvi
Click to expand...

Why don't you post your rules here? Thanks.

- Veronica
 
Zvi Netiv wrote / skrev:
The suggested filter is far too complicated. A simple yet effective filter for
Swen, for MMM3 is available from http://invircible.com/download/xswen5mmm.zip

It's actually the same filter that I suggested for MailWasher, implemented for
Magic Mail Monitor 3. Compared to the 26 (2 + 24) rule pairs of the filter
below, mine has just one, and is equally effective, with no "false positives"
(didn't find any among the thousands of Swen deleted messages, so far).

Regards, Zvi
Click to expand...

<Header> Equals '*Content-Type: audio/x-*; name=*'
OR <Header> Equals '*"* *, Cumulative Patch" update which *'

I suppose you mean something like this? And yeah it shouldn't produce
any false positives probably.

- Veronica
 
Veronica Loell said:
Zvi Netiv wrote / skrev:


Why don't you post your rules here? Thanks.
Click to expand...

I did, in the zip file. The rule is plain simple: Header contain $swen.txt

For the Swen.txt file, either download the ZIP, or create it and paste the
following three lines in it:

<iframe src=3D"cid
TITLE=3D"Microsoft Home Site" target=3D"_top">Microsoft</A>
this is the latest version of security update

Lastly, set to 25 the extra lines to download with header.

Regards, Zvi
 
Veronica Loell said:
Zvi Netiv wrote / skrev:

<Header> Equals '*Content-Type: audio/x-*; name=*'
OR <Header> Equals '*"* *, Cumulative Patch" update which *'

I suppose you mean something like this? And yeah it shouldn't produce
any false positives probably.
Click to expand...

That *would* produce many false positives. See my reply to your other post.

Regards, Zvi
 
That *would* produce many false positives. See my reply to your other post.
Click to expand...

You people are making this way too complicated.

You should want to delete from the server without downloading,
and you need a filter that works only on the header lines
for that.

Swen messages always have a content type of either
multipart/mixed or multipart/alternative. And they
always have a boundary that contains only lowercase
letters. Use a regular expression:

Content-Type: multipart/[ma][a-z]*; boundary="[a-z]+"

If you normally get legitimate messages that are
multipart, put rules before this one to keep them.

Done.
 
Zvi Netiv wrote / skrev:
I did, in the zip file. The rule is plain simple: Header contain $swen.txt

For the Swen.txt file, either download the ZIP, or create it and paste the
following three lines in it:

<iframe src=3D"cid
TITLE=3D"Microsoft Home Site" target=3D"_top">Microsoft</A>
this is the latest version of security update

Lastly, set to 25 the extra lines to download with header.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!
Click to expand...

I did try to download your zip-file but I got a message that it wasn't
available.

You can actually use this techique with MMM3, the reference to an
external file?

- Veronica Loell
 
Jason Wade wrote / skrev:
You people are making this way too complicated.

You should want to delete from the server without downloading,
and you need a filter that works only on the header lines
for that.
Click to expand...

Downloading 25 lines along with the header does not create all that much
more traffic, downloading the entire emails would be very different.
Swen messages always have a content type of either
multipart/mixed or multipart/alternative. And they
always have a boundary that contains only lowercase
letters. Use a regular expression:

Content-Type: multipart/[ma][a-z]*; boundary="[a-z]+"

If you normally get legitimate messages that are
multipart, put rules before this one to keep them.

Done.
Click to expand...

The idea of the filters is to NOT create any false positives. The filter
should be all you need.

- Veronica
 
Jason Wade said:
You people are making this way too complicated.

You should want to delete from the server without downloading,
and you need a filter that works only on the header lines
for that.
Click to expand...

I examined hundreds of Swen messages of all sorts (first wave, bounces,
"cleaned", etc.) and came to the conclusion that you can't capture them all on
base of the headers alone. As pointed out by Veronica, downloading the extra 25
lines has marginal effect on MMM's performance. Besides, other mail monitoring
applications, like MailWasher, download the extra lines anyway.
Swen messages always have a content type of either
multipart/mixed or multipart/alternative. And they
always have a boundary that contains only lowercase
letters. Use a regular expression:

Content-Type: multipart/[ma][a-z]*; boundary="[a-z]+"

If you normally get legitimate messages that are
multipart, put rules before this one to keep them.
Click to expand...

The idea is to have a simple as possible filter, and that is also *self
contained*. Your suggestion is sensitive to the exact implementation details
(the pre-filtering) and therefore impractical.

Thanks for suggesting anyway.

Regards, Zvi
 
Zvi Netiv wrote / skrev:
Of course. How do you think MMM3 maintains its black and friends' list?

Regards, Zvi
--
Click to expand...

That I realise but I didn't know that you could use it in
filter-expressions. This is very interesting information, I will look
into this right away, thanks!!!

- Veronica
 
Veronica Loell wrote / skrev:
Zvi Netiv wrote / skrev:



That I realise but I didn't know that you could use it in
filter-expressions. This is very interesting information, I will look
into this right away, thanks!!!

- Veronica
Click to expand...

Ah, but you cannot use wildcards with this technique it seems?

- Veronica
 
Veronica Loell said:
Veronica Loell wrote / skrev:


Ah, but you cannot use wildcards with this technique it seems?
Click to expand...

You can. Yet there is no need for wildcards in my filter as the rule used is
'Header *include*, not *equal*'! Wildcards are required only where the rule
used is "equal".

Regards, Zvi
 
You can. Yet there is no need for wildcards in my filter as the rule used is
'Header *include*, not *equal*'! Wildcards are required only where the rule
used is "equal".

Regards, Zvi
--
Click to expand...

Of course! That's where I went wrong. Thanks again for this information
it is most valuable!

- Veronica
 
Just to inform that I upgraded the filter for MMM3 by adding a couple of lines
to the swen.txt file as follows:

<iframe src=3D"cid
<iframe src=3Dcid
<iframe src="cid
TITLE=3D"Microsoft Home Site" target=3D"_top">Microsoft</A>
this is the latest version of security update

The entire filter for Magic Mail Monitor 3, is available for download from
ftp://invircible.com/pub/iv/xswen4mmm.zip

Regards, Zvi
 
Back
Top