
Invoice Malware & Doc files

We have been seeing, over several customers, that Puremessage has been putting a lot of messages into quarantine that really should be deleted.

The messages are fake invoices with a *.doc attachment which according to a quick search contains a macro virus.

An example being http://sanesecurity.blogspot.co.uk/2015/03/linsen-parts-uk-ltd-invoice-from-linsen.html

The problem with this is that a user still gets notified of the item and can still download it.

Our PureMessage is set at 90 to delete messages and these seem to score 82-84 or so.

We have filtered some by using the subject, but others are craftier with a subject that keeps changing.

Any ideas or recommendations how to stop these other than reducing the delete threshold?



  • Hi,

    I'd like to follow up on two comments in this thread:

    'being generated now.  Plus I cannot upload the file to virustotal anymore as endpoint detects as a virus.'

    This indicates that SophosLabs did not have detection available at the time the viral email was received and that later it was added - so this detection problem would affect any product using the Sophos engine, both PureMessage and Sophos Endpoint Security and Control on the client.

    'I very much doubt I am the only recipient of a 0 day virus. DRIDEX and variants are not new.'

    DRIDEX may not be new, but the particular threat would be new. Even for a single variant such as Troj/DocDl-QH, where the QH signifies this as the 452nd variant (17x26+10, Q meaning the 17th set of 26 variants), each variant can have hundreds of different files (or hashes) associated with it, with new hashes being added on a daily basis as new threats emerge.

    This was almost certainly a snowshoe spam campaign:

    https://blogs.sophos.com/2014/11/21/snowshoe-spam-is-on-the-rise-what-can-be-done-about-it/

    For the PureMessage product you can add additional protection by enabling the below Content scanning options within the 'On suspicious/restricted attachment' section:

    Microsoft Excel Containing Macros
    Microsoft Word Containing Macros

    Note: It is advised to Quarantine these messages as you may receive valid documents containing macros

    Below is a product statement providing more information on snowshoe spam:

    Hello everyone, on behalf of the Product Teams and SophosLabs, I'd like to provide you with an update on the snowshoe spam situation that has been affecting some customers recently.

    In recent months we've seen an increase in sophisticated spam campaigns that are evading our anti-spam engines. Techniques such as "Snowshoe" spread spam over many different IP addresses, in low volume bursts making it extremely difficult to proactively detect and block new variants quickly. This is an industry wide challenge and is in no way unique to Sophos.
    Our Labs and engineering teams are working actively to develop new techniques to stop these new campaigns and we will automatically roll-out these capabilities for our customers as they become available.
    It's important to note that we are still achieving over a 99% catch rate for spam, and have been consistently running at 99.5% and higher for a very long time leading up to this. Until recently, customers have been accustomed to seeing very little spam, and many still are. This recent dip has therefore been particularly noticeable to customers and end users affected by these recent snowshoe campaigns.

    More information on the snowshoe spam issue and what can be done about it has been published in a recent blog article: Snowshoe Spam is on the Rise – What can be done about it?

    While we have been challenged by these new emerging spam techniques across our entire line of email products, the impact has been most noticeable for customers of PureMessage Exchange. We would like to encourage PureMessage Exchange customers to consider adding one of our secure email gateway products such as the Sophos Email Appliance (SEA) or the Sophos UTM with Email Protection. These gateway products can often provide better catch-rates as they operate on the edge of the company network with greater access to Live Internet look-ups and context, catching more spam before it hits the mail server. For many customers, the SEA in virtual form is already included in their bundle license. And those customers who just have an Endpoint Protection license should definitely consider upgrading to a bundle that includes email protection that includes the SEA, or alternatively licensing our UTM.

    Regards,

    Reginald

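The reply's advice is a content rule (attachment contains macros, action: quarantine) layered on top of the score thresholds from the original post (delete at 90, samples scoring 82-84). The script below is an added illustration, not PureMessage code or a Sophos sample: it parses a constructed fake-invoice email, looks for the UTF-16LE directory names a VBA project leaves inside an OLE2 .doc, and applies the macro rule regardless of score. The quarantine threshold of 50, the message contents and the OLE-like blobs are all assumptions made up for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# OLE2 compound-file signature that a binary .doc/.xls starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory names a VBA project leaves in an OLE container, as stored (UTF-16LE).
MACRO_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")]


def doc_has_macros(data: bytes) -> bool:
    """Heuristic: an OLE2 container whose directory names a VBA storage.
    A production filter should parse the OLE directory properly (for example with
    oletools' olevba); a raw byte scan is enough to show the content-rule idea."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in MACRO_MARKERS)


def classify_message(raw: bytes, score: float, quarantine_at=50, delete_at=90) -> str:
    """Score thresholds as in the thread (delete at 90; quarantine_at is assumed),
    plus a macro content rule that quarantines a macro-bearing Office attachment
    whatever its spam score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if score >= delete_at:
        return "delete"
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".doc", ".dot", ".xls")) and doc_has_macros(part.get_payload(decode=True)):
            return "quarantine"
    return "quarantine" if score >= quarantine_at else "deliver"


def build_sample(attachment: bytes) -> bytes:
    """Constructed fake-invoice message carrying one .doc attachment (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(attachment, maintype="application", subtype="msword",
                       filename="invoice.doc")
    return msg.as_bytes()


# Constructed OLE-like blobs: magic header, padding, then one directory-entry name.
MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 52
CLEAN_DOC = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le") + b"\x00" * 40

if __name__ == "__main__":
    for blob, score in ((MACRO_DOC, 83), (CLEAN_DOC, 83), (MACRO_DOC, 30), (CLEAN_DOC, 30)):
        print(score, classify_message(build_sample(blob), score))
```

With the macro rule in place, the 82-84 scoring invoices are quarantined by attachment content rather than by score, so the delete threshold can stay at 90.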