Ransomware threats getting through mail server
Problem reported by Matthew Titley - March 2, 2016 at 9:32 AM
Hi all,
 
One of my clients just got hit with the latest and greatest crypto-locker variant which has the very cute name of "Locky" and is very effective. It does the same thing as previous iterations and more. It attacks more file types, and it will attack network shares, even UNCs. Yes. Which it did, but luckily didn't get too far, not sure why yet. It also will attempt to kill any shadow copies used by VSS in order to prevent restore from shadow copy.
 
In this instance it arrived from "admin@clientsdomainname.com" with the typical "Your files are attached" nonsense as a zip file. The dummy opened and ran the JavaScript. However, latest and greatest AV didn't stop it. This was ThreatTrack Vipre Business which generally is excellent at catching things others don't. This one client had their own domain name on their trusted senders list, which must have contributed to the email bypassing certain filters, but that's just bad luck to some degree as if it were from a legit account somewhere it would have passed.
 
I grabbed a copy of the malicious code from the message archive and have it sitting on my desktop. Avast doesn't consider it a virus either. Seems that until one executes the code, most AV has nothing to say about it.
 
So, at the server, I can't really block all zip attachments, but is there a way to have SmarterMail look inside the zip and, if a file extension which is on the block list is detected, block it? What security settings do other admins use at the mail server to reduce these exploits getting through?
 
Matt

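The check Matt is asking for, "look inside the zip and block it if a member has a blocked extension", is simple enough to express as a gateway filter. The script below is an added example, not code from the thread, from SmarterMail, or from Declude; it uses only Python's standard library. The block list is an assumption for the example (the post only establishes that the sample was a .js file inside a zip), and the message it scans is constructed inline with a harmless placeholder in place of the real dropper. It handles the cases a practitioner cares about: double extensions such as invoice.pdf.js, a zip that is mislabelled with another extension (detected by the PK magic), zip-in-zip nesting up to a fixed depth, and password-protected members, which are reported as uninspectable rather than waved through.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Script and executable extensions that zip-borne droppers typically ship.
# The post's sample was a .js file; the rest of this list is an assumption
# for the example, not a list taken from the page or from any product.
BLOCKED_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr",
    ".cmd", ".bat", ".pif", ".com", ".jar", ".ps1",
}
MAX_DEPTH = 1                # zip-in-zip levels we are willing to open
ZIP_MAGIC = b"PK\x03\x04"    # local file header signature of a zip archive


def inspect_zip(zip_bytes, depth=0):
    """Return (member_path, reason) pairs for anything inside the archive that
    should stop delivery, recursing into nested zips up to MAX_DEPTH."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip; cannot inspect")]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Password-protected member: the name is visible but the
                # content is not, so report it as uninspectable, not clean.
                findings.append((name, "encrypted member; cannot inspect"))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            ext = os.path.splitext(name)[1].lower()   # last extension wins
            if ext in BLOCKED_EXTENSIONS:
                findings.append((name, f"blocked extension {ext}"))
            elif ext == ".zip" or head == ZIP_MAGIC:
                if depth + 1 > MAX_DEPTH:
                    findings.append((name, "zip nested too deeply; cannot inspect"))
                else:
                    for sub, why in inspect_zip(zf.read(info), depth + 1):
                        findings.append((f"{name}/{sub}", why))
    return findings


def scan_message(raw_message):
    """Parse an RFC 5322 message and return findings for every attachment
    that is a blocked type itself or a zip containing one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, f"blocked extension {ext}"))
        elif ext == ".zip" or payload.startswith(ZIP_MAGIC):
            for sub, why in inspect_zip(payload):
                findings.append((f"{filename}/{sub}", why))
    return findings


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed stand-in for the 'Your files are attached' message: a zip
    holding a harmless placeholder .js with a double extension."""
    attachment = make_zip({
        "invoice_2016-03-02.pdf.js": b"WScript.Echo('placeholder, not malware');",
        "readme.txt": b"plain text, not on the block list",
    })
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your files are attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="files.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample_message()):
        print(f"BLOCK {path}: {reason}")
```

Two design points worth noting. The decision is made on the last extension only, so invoice.pdf.js is treated as a .js file, which is exactly the double-extension trick the post describes. And anything the filter cannot see into (an encrypted member, an over-deep nest, a corrupt archive) is surfaced as a finding rather than silently passed, because "AV has nothing to say about it" is precisely the failure mode Matt hit; whether those cases are quarantined or merely logged is a policy choice for the site.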
4 Replies

Jay Altemoos Replied
March 2, 2016 at 2:33 PM
To combat this situation on our server we blocked ZIP and RAR attachments outright for most users. We do have a policy in place on the spam filtering we use that allows ZIP and RAR attachments for specific email accounts that need to have those delivered. It's not something we really wanted to implement on our users but they understand that if they get infected they have the possibility to lose their data. We don't use the built in spam filtering from SmarterMail, we use ASSP and have it configured to police said attachments. It's been very effective for us.
Linda Pagillo Replied
March 3, 2016 at 6:56 AM
Hi Matthew. We offer a free program called Declude that will look inside a zip and if a file extension which is on the block list is detected, it will block it. You can download Declude and the user manual at the following link: http://mailsbestfriend.com/downloads
 
Declude can be used for anti-spam, anti-virus and anti-hijack. There are separate user manuals for each of the 3 components at the link above. You can use all 3 components or just the ones you need. Declude is completely compatible with all versions of Smartermail and all Windows servers.
 
I hope this helps. Good luck!
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Matthew Titley Replied
March 7, 2016 at 8:56 AM
Hi Linda, we've used Declude on and off over the years with mixed results. I can't recall why we stopped using it, but I think it had something to do with spool issues. Too long ago to recall the details. Anyway, maybe I'll give it a go again. Commtouch has worked well on the spam side, overall, but these things getting through all the layers is frustrating. I think Declude is just disabled on my server. Guess it's time to resurrect it.
Actually, I just found an email from you from 2009 when my company was a Declude Compass paid subscriber!
Thanks for the note,
Matt
Linda Pagillo Replied
March 7, 2016 at 9:01 AM
My pleasure Matt! Please let me know if you have any questions about it. I will be happy to help.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com