
Zbot trojan allowed through?

Unanswered Question
Sep 9th, 2013
Hi,


We're running 7.5.1-028 on X1070 appliances and we're using the Sophos A/V engine. We have Sophos engine 3.2.07.378_4.90 of 04 Sep 13, and IDE rules 2013090806 of 08 Sep 13.


For the past week or so we've seen a significant number of messages get through which contain the Zbot trojan in a ZIP attachment. Of the messages I've looked at, all come from yahoo.com mail accounts and appear to pass through the Yahoo mail infrastructure, so I'm assuming compromised Yahoo accounts are being used. All the messages have a subject line that looks like one of these:


DHL Delivery service notify T7RUKTZYPC

FedEx Global report UU6PLGIEZU

UPS Global notifocation PE4HKNFNR4

USPS INC report ZR05Q0G5RZ


The code at the end appears to be random. The body of the message claims that the courier has a parcel which could not be delivered, and the recipient is invited to open the attachment for details of how to arrange delivery. See the example below.


Has anyone else seen this problem? It's easy enough to block with a content filter, but it should be picked up by the A/V engine IMHO.


Cheers,

Simon


UPS Notification

Our company`s courier couldn`t make the delivery of parcel.


REASON: Postal code contains an error

DELIVERY STATUS: sort order

SERVICE: Three-day shipping

NUMBER OF parcel: PE4HKNFNR4

FEATURES: No


Read the attached file for details.


An extra information:


If the parcel isn`t received within 10 working days our company will have the right to claim compensation from you for it`s keeping in the amount of $6.66 for each day of keeping of it.


Thank you for using our service.


UPS Global

Robert Sherwin Mon, 09/09/2013 - 05:04
User Badges:
  • Cisco Employee,

Simon -


This sounds like the current threat outbreaks; usually these types of emails are being detected and battled on a daily basis - all with similar subjects/content.


Take a look @ the following --->

http://tools.cisco.com/security/center/threatOutbreak.x?i=77


If you feel there are a hard number of these making it through - please, as always, submit these.  The subjects and submissions are used to tag and increase the scoring changes for the threat outbreaks --- which are then re-pushed through to all appliances.


#########################

-Save the email as a .eml file

-Attach the file to an email and send to the following:


Cisco IronPort Anti-Spam

Report undetected spam to: [email protected]

Report false-positives to: [email protected]


Phishing Spam

Report phishing attempts to: [email protected]


Marketing Spam

Report marketing spam false positives to: [email protected]

Report marketing spam false negatives to: [email protected]


--------------------------------------------

NOTE:

Please be aware that neither the automatic nor the manual submissions will result in an automatic response from our AntiSpam team, so in case you would like feedback, please let us know how the submissions were done, when it was done, and the email address used for the submission.

--------------------------------------------


For more information on submitting spam, then please review:


http://tinyurl.com/lpz9z


Article #493: IronPort Anti-Spam Efficacy Checklist Link: http://tools.cisco.com/squish/Aa7E8

Article #472: How do I create RFC-822 MIME encoded attachments? Link: http://tools.cisco.com/squish/E4Fe0

#########################


As you have noted - your rules/engines are showing up-to-date.  If you feel there is a need - run a force update to assure that you have the latest and greatest:

> antispamupdate ironport force

> antivirusupdate ironport force

> outbreakupdate force


This will force your appliance to communicate with the update servers, and retrieve the latest rules and engine updates.


Hope that information aids a little.


Regards,

Robert

Email Content Security Technical Services - RTP, NC

Ken Stieers Mon, 09/09/2013 - 06:27
User Badges:
  • Gold, 750 points or more

Are your Outbreak Filters enabled? This is what they are for...


Sent from Cisco Technical Support iPad App

SIMON RAINEY Mon, 09/09/2013 - 06:35
Thanks Ken.


Outbreak Filters are enabled, but the maximum message size to scan is set at 256K, which I assume is the default.


The messages in question vary in size, but they are all in the 300K - 500K range, so presumably they are excluded. I've increased the limit to 1M to see if that helps.
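As an added illustration of the size problem Simon describes (example code written for this page, not the thread's or Cisco's own): the script below builds a constructed courier-style lure with a ZIP attachment, checks whether the resulting .eml fits under the 256K default versus the raised 1M Outbreak Filters scan limit, and lists executable names found inside the ZIP, the kind of check a content filter would make. The sender/recipient addresses, attachment names and executable-suffix list are assumptions.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Outbreak Filters "maximum message size to scan" values from the thread:
DEFAULT_SCAN_LIMIT = 256 * 1024   # 256K default
RAISED_SCAN_LIMIT = 1024 * 1024   # 1M, the value Simon raised it to

# Suffixes a content filter would flag inside a ZIP (assumed list)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".js")


def build_sample_eml(payload_size: int) -> bytes:
    """Constructed sample lure: courier-themed subject, ZIP attachment holding an .exe.
    The .exe body is inert filler bytes, sized so the .eml lands in a chosen range."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("UPS_report_PE4HKNFNR4.exe", b"X" * payload_size)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed placeholder
    msg["To"] = "recipient@example.net"       # constructed placeholder
    msg["Subject"] = "UPS Global notifocation PE4HKNFNR4"
    msg.set_content("Read the attached file for details.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="UPS_report.zip")
    return msg.as_bytes()


def assess(raw: bytes, scan_limit: int) -> dict:
    """Report whether a raw .eml falls under the scan limit, and which
    executable names any ZIP attachment carries."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                executables += [n for n in zf.namelist()
                                if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    size = len(raw)
    return {"size": size, "scanned": size <= scan_limit,
            "executables_in_zip": executables}


if __name__ == "__main__":
    raw = build_sample_eml(300 * 1024)   # ~415K after base64, like the reported lures
    for limit in (DEFAULT_SCAN_LIMIT, RAISED_SCAN_LIMIT):
        print(limit, assess(raw, limit))
```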
