Koozali.org: home of the SME Server

Hash/SHA256 based attachment filter - catched WannaCry

Offline warren

Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #30 on: June 21, 2017, 04:54:38 PM »
@Knuddi
will this also catch the Erebus Linux Ransomware http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/

Seems VirusTotal has some hashes for it:
SHA256 detected as RANSOM_ELFEREBUS.A:

    0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f
    d889734783273b7158deeae6cf804a6be99c3a5353d94225a4dbe92caf3a3d48

Offline Knuddi

    • http://www.scanmailx.com
Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #31 on: June 21, 2017, 06:07:54 PM »
No, these SHA256 hashes are not currently registered in the DB, which means no one has seen them yet. As of right now the community part has found and added 238 different signatures that will be rejected.

I will look into a model to add "preventive" SHAs to the DB.
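The mechanism discussed in this thread, as an added example that is not SMEOptimizer's or scanmailx's own code: each attachment of an incoming message is decoded, hashed with SHA256 and compared against a set of known-bad digests, and the mail is rejected on a match. The blocklist entry and the sample mail are constructed here; a practitioner would load the real signature set instead. Note the caveat the thread implies: an exact-hash filter only catches byte-identical files, so a re-zipped or otherwise modified copy of the same sample gets a new hash and passes until someone submits it.

```python
"""Hash-based attachment filter (added example, not the SMEOptimizer code)."""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: harmless bytes standing in for a known-bad attachment.
SAMPLE_BAD = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
# Constructed blocklist: in practice this is the community signature DB.
BLOCKLIST = {hashlib.sha256(SAMPLE_BAD).hexdigest()}


def attachment_hashes(raw: bytes):
    """Yield (filename, sha256hex) for every attachment part of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undo base64 / quoted-printable
        if payload is None:
            continue
        yield part.get_filename() or "<unnamed>", hashlib.sha256(payload).hexdigest()


def filter_mail(raw: bytes, blocklist=BLOCKLIST):
    """Return ('reject', matches) if any attachment hash is blocklisted, else ('accept', [])."""
    matches = [(name, h) for name, h in attachment_hashes(raw) if h in blocklist]
    return ("reject" if matches else "accept"), matches


def build_sample_mail(payload: bytes, filename: str) -> bytes:
    """Construct a test message carrying one binary attachment (sample input)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(filter_mail(build_sample_mail(SAMPLE_BAD, "invoice.zip")))  # reject
    print(filter_mail(build_sample_mail(b"quarterly numbers", "report.zip")))  # accept
```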

guest22

Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #32 on: June 27, 2017, 04:03:40 PM »
Heads-up, it seems there is another attack under way (June 27, 2017).

@Knuddi, any proof of this in your monitoring systems please?

Offline Knuddi

    • http://www.scanmailx.com
Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #33 on: June 27, 2017, 05:55:05 PM »
I cannot see any specific patterns that are unusual today or yesterday. The community has provided 9 attachments with bad stuff (trojans, virus, etc.) and most of these are zip attachments with a few Java variants (jar).

A good example of the many caught:
https://virustotal.com/en/file/79d5ae8f94e5320458f3ba5f7556590b7d3366ebd9eda21a77289b07687deba1/analysis/

« Last Edit: June 27, 2017, 06:00:38 PM by Knuddi »

Offline SchulzStefan

Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #34 on: July 02, 2017, 12:24:43 PM »
SMEOptimizer reports from a wrong public IP. How can this be fixed? IP was changed in a static one, it seems that it's still the old dynamic IP.

Regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Knuddi

    • http://www.scanmailx.com
Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #35 on: July 03, 2017, 08:45:24 AM »
@Stefan,

SMEOptimizer just uses a standard HTTPS connection from your SME server towards the smeoptimizer.com server. So whatever IP your server uses, it will use. Why do you think it uses a wrong IP, and what is the problem with that?

Offline SchulzStefan

Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #36 on: July 03, 2017, 09:28:42 AM »
@Knuddi,

Blacklist warning for your SME Server from SMEOptimizer Alert:

Your SME server with public IP address 84.130.159.73 has been listed in international blacklist databases.

This is not the public server IP.

Regards,
stefan


Offline SchulzStefan

Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #37 on: July 09, 2017, 10:28:04 AM »
@Knuddi,

today I'm receiving again this email:

Your SME server with public IP address 84.130.159.73 has been listed in international blacklist databases. It has been observed registered now 21 day(s) in this database(s). This blacklist registration very often means that the emails sent from will not successfully reach their intended destination.

We assume that you are not a spammer and suggest that you right away initiate actions to identify the reasons for the listing. This could require security updates of client PCs in your organization including checks for virus and botnets and potentially, the reconfiguration of your mail server.


Blacklist:   pbl.spamhaus.org
Reason:      https://www.spamhaus.org/query/ip/84.130.159.73
Return code: 127.0.0.10


Best regards,
SME Optimizer

My public IP is a different one. I assume this IP was formerly the dynamic public IP and it's obviously still in the database of SME Optimizer. Do I have to re-register with my new static IP or how is this going to be updated?

Regards,
stefan
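How a blacklist check like the one in the alert above is performed, as an added example that is not SMEOptimizer's code: the IPv4 octets are reversed, the DNSBL zone is appended, and the A record returned (here 127.0.0.10, which Spamhaus documents as a PBL listing of an ISP's dynamic or end-user range) encodes the reason. The resolver is injectable so the logic runs offline against a constructed answer; `zone` defaults to Spamhaus ZEN, which combines SBL, XBL and PBL, and the return-code table covers only Spamhaus zones.

```python
"""DNSBL lookup and Spamhaus return-code decoding (added example)."""
import ipaddress
import socket

# Return codes as documented by Spamhaus for its SBL/XBL/PBL/ZEN zones.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised host",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.9": "SBL DROP: hijacked or leased range",
    "127.0.0.10": "PBL: ISP-maintained dynamic/end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: 84.130.159.73 + pbl.spamhaus.org -> 73.159.130.84.pbl.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not a valid IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str):
    """Live resolver: A record as a string, or None when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip: str, zone: str = "zen.spamhaus.org", resolve=resolve_a):
    """Return (listed, return_code, reason) for ip in the given DNSBL zone."""
    code = resolve(dnsbl_name(ip, zone))
    if code is None:
        return False, None, "not listed"
    return True, code, SPAMHAUS_CODES.get(code, "unknown return code for this zone")


def constructed_resolver(name: str):
    """Offline stand-in reproducing the alert above: only the page's IP is listed, in the PBL."""
    return "127.0.0.10" if name == "73.159.130.84.pbl.spamhaus.org" else None


if __name__ == "__main__":
    print(check_listing("84.130.159.73", "pbl.spamhaus.org", constructed_resolver))
    print(check_listing("198.51.100.7", "pbl.spamhaus.org", constructed_resolver))
```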

Offline SchulzStefan

Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #38 on: July 16, 2017, 11:47:33 AM »

Offline Knuddi

    • http://www.scanmailx.com
Re: Hash/SHA256 based attachment filter - catched WannaCry
« Reply #39 on: July 17, 2017, 04:01:35 PM »
@Stefan,

Thanks for opening a bug; this makes it much easier to track and follow for me. I do not get to the forums that often :-)

The problem that you have reported has now been resolved.

Enjoy,
Jesper