ClamAV fails to detect malware

2 replies [Last post]
amenex
Offline
joined: 01/03/2015

After working out a good method of accessing multiple Icedove profiles, combining multitudes of emails into one grand filesystem, and then finding one nasty little email that insinuates itself into any folder into which I move any emails, I'm finding that I cannot get rid of its payload.

I did find several copies/versions of the email and then move them into a holding folder, but even though they seem to be isolated there, every time I do move anything else within the email filesystem, a new copy of that nasty little email finds its way into the target folder.

I have all the source code of the original phishing email in four versions or copies of the offending email, and I can quickly locate all the new copies of the nasty email by searching on its 12/31/1969 date and then deleting the ones that consist of just a date with no headers and no text body, but the propagation still persists as long as the offending emails remain "isolated" in their quarantine folder.

I installed ClamAV and ClamTK, but neither the console-based nor the GUI version detects anything.

Here's the console output:

>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/home/amenex/.icedove/ /home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/

>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3945913
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 8.300 sec (0 m 8 s)

The GUI version counts the number of files that it scans, but the console version does not.

If I expand the scope of the scan to "everything" I get the same output:

>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/ /home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/

>> ----------- SCAN SUMMARY -----------
>> Known viruses: 4548014
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 9.991 sec (0 m 9 s)

If I point the scan right into the directory containing the known malware-bearing emails, I still get no "hits":

>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ /home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/

>> ----------- SCAN SUMMARY -----------
>> Known viruses: 4679254
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 10.000 sec (0 m 10 s)

If I do a Google search on a portion of the subject line, I get a large number of hits identifying the emails as phishes.

The ClamAVMalware folder above remains empty after all my attempts.

While I was sorting files into my main mail filesystem, I noticed that Icedove could not accurately count the number of emails in the source folder, whose count fluctuated up and down. I had combined emails from several other disparate email profiles into that one folder, however. Other source folders were better behaved.

In the test profile used above, I deleted the folder and contents of the offending emails and also deleted the one blank email with its 12/31/1969 date from the target folder after moving files into it, and when I tried that again after no known instances of the offending email could be found with the search function, the insinuations stopped. However, when I repeated this exercise with the much bigger main profile, I could not get rid of the insinuations. However, I did find that they were not propagated by selecting & moving the emails from within the source folder into a target folder; only search & move performed the propagation.

My questions are:

1. Is ClamAV skipping over hidden files (like ".icedove")?
2. The offending emails came to me in 2005; has their payload been forgotten?
3. What in my syntax is causing ClamAV to skip all but one directory and even to skip all files within that directory?
4. Where else should I look in order to find and clean out the present location of the offending payload?
5. Where are the payloads likely to be located in my Trisquel 7 file system?
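As an added illustration (not code from the original post) of the two things in play here, Icedove's on-disk mail layout and the header-less 12/31/1969 entries: this Python script builds a constructed "Local Folders" tree in the Thunderbird/Icedove style, lists the mbox files a scanner would actually have to read, and counts the phantom messages in each. The sample messages and folder names are assumptions constructed for the demo.

```python
import mailbox
import os
import tempfile
from pathlib import Path

# Constructed sample mbox: one real message, then a header-less, body-less
# "phantom" like the 12/31/1969 entries described in the thread.
SAMPLE_MBOX = (
    "From - Mon Jan 03 10:00:00 2005\n"
    "From: sender@example.invalid\nSubject: Please verify your account\n"
    "Date: Mon, 03 Jan 2005 10:00:00 +0000\n\n"
    "Click the link below to confirm your password.\n\n"
    "From - Thu Jan 01 00:00:00 1970\n\n\n"
)

def build_sample_profile(root):
    # Icedove/Thunderbird layout: a folder is an mbox FILE, its .msf neighbour
    # is only an index, and subfolders live in a sibling .sbd DIRECTORY.
    lf = Path(root) / "Local Folders"
    (lf / "Inbox.sbd").mkdir(parents=True)
    (lf / "Inbox").write_text(SAMPLE_MBOX)
    (lf / "Inbox.msf").write_text("// summary index, holds no mail\n")
    (lf / "Inbox.sbd" / "Quarantine").write_text(SAMPLE_MBOX)
    return str(lf)

def find_mbox_files(local_folders):
    # The mbox files, not the folder names shown in the client, are what a
    # scanner such as clamscan must be pointed at; .msf/.dat hold no mail.
    found = []
    for root, _dirs, files in os.walk(local_folders):
        for name in files:
            if Path(name).suffix not in (".msf", ".dat"):
                found.append(os.path.relpath(os.path.join(root, name), local_folders))
    return sorted(found)

def triage_mbox(path):
    # phantom: no headers and an empty body (with no Date to display, a client
    # falls back to the Unix epoch, 12/31/1969 in US time zones); real: the rest.
    counts = {"real": 0, "phantom": 0}
    box = mailbox.mbox(path)
    for msg in box:
        body = msg.get_payload()
        phantom = not msg.keys() and isinstance(body, str) and not body.strip()
        counts["phantom" if phantom else "real"] += 1
    box.close()
    return counts

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        lf = build_sample_profile(tmp)
        return {f: triage_mbox(os.path.join(lf, f)) for f in find_mbox_files(lf)}
```

Pointing the same listing at a real profile shows which paths hold message bodies, which is also the set of files a mail-aware scanner should be given rather than a folder name with a trailing slash.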

amenex
Offline
joined: 01/03/2015

Nothing to do with ClamAV, 'cuz it's a Mozilla/linux feature.

It's related to a Mozilla bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=209501 ... They've been working on it since 2003 ...

In one of my Trisquel PCs, on which I haven't yet started consolidating emails, I found two emails with no subject, no headers, and no body but with the 12/31/1969 date as the only information, associated with folders in which the latest entries were both related to the changing of passwords, one for this Trisquel forum and the other for my McAfee antivirus (used on the WinXP OS on my laptop).

Evidently, folks in the linux community have been using linux's zero-time glitch to make/modify admin passwords with some sort of trickery:
http://www.codejourneymen.com/content/adding-admin-user-drupal-site-without-overwriting-admin-user
https://books.google.com/books?id=tj0-8ctawTsC&pg=PA108&lpg=PA108&dq=password+12/31/1969#v=onepage&q=password%2012%2F31%2F1969&f=false

Search on "password 12/31/1969" and you'll see how ubiquitous this problem is.

Finding where this mysterious phantom email resides is another matter having nothing to do with malware.
Call it dateware, if you will.

amenex
Offline
joined: 01/03/2015

If one could "copy" emails from Icedove's "search" results into a destination folder and then manually delete them with the search-results popup, then the problem of generating phantom emails that have the 12/31/1969 date in the destination folder would be solved, but one cannot do so. There is only a "move" function, and that is what is broken. The Mozilla bug describes this, just as I observed in my original posting.

I also noticed that while performing "search and move" operations in Icedove that obtained large numbers of hits (from tens to thousands), the move would repeat itself from one to three times, resulting in a count of emails moved that was a corresponding multiple of the number of emails actually moved. Of course, we can now deduce that the extra X*(n - 1) emails were in fact phantom emails. Such phantom emails do not accumulate in any one destination; they just disappear into one master phantom, The Phantom. That is confirmed when the search and delete function finds a hundred hits or so, but only one, The Phantom, ends up visible in the trash folder.

As these phantoms have a source in dateware rather than malware, we probably don't have to worry about them any more.