<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Getting IT Right &#187; anti-virus</title>
	<atom:link href="http://blog.meteorit.co.uk/tag/anti-virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.meteorit.co.uk</link>
	<description>the unofficial voice of Meteor IT</description>
	<lastBuildDate>Sun, 12 Feb 2012 23:21:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.meteorit.co.uk' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/f20aaf2e5a61cd42fe07e67a0f2a1c3f?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Getting IT Right &#187; anti-virus</title>
		<link>http://blog.meteorit.co.uk</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.meteorit.co.uk/osd.xml" title="Getting IT Right" />
	<atom:link rel='hub' href='http://blog.meteorit.co.uk/?pushpress=hub'/>
		<item>
		<title>UPS_Invoice email trojan variant claims to be from Customs Service</title>
		<link>http://blog.meteorit.co.uk/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/</link>
		<comments>http://blog.meteorit.co.uk/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/#comments</comments>
		<pubDate>Thu, 24 Jul 2008 14:38:04 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[Customs service]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[tax_invoice]]></category>
		<category><![CDATA[tracking number]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[UPS_invoice]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/</guid>
		<description><![CDATA[In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from "Customs Service" with the subject "Customs - We have received a parcel for you" and the following text:
Good afternoon, We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.]]></description>
			<content:encoded><![CDATA[<p>In the last hour I found in my inbox a variation on the <a title="Previous post regarding UPS_Invoice downloader trojan" href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" target="_blank">UPS_Invoice trojans of last week</a>. This new email claimed to be from &#8220;Customs Service&#8221; with the subject &#8220;Customs &#8211; We have received a parcel for you&#8221; and the following text:</p>
<blockquote><p>Good afternoon,</p>
<p>We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.</p>
<p>Kind regards,</p>
<p>Rolland Hanna</p>
<p>Your Customs Service</p>
</blockquote>
<p>This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.</p>
<p><span id="more-186"></span>My parents were on holiday in France on July 9th (back home now), so this might just possibly have caught me out if I had not seen the previous variant, the wording had been a bit less stilted (especially the signoff), and the sender had actually been spoofed as the customs service rather than some random .com company. I guess the people most likely to fall for this would be anyone who bought something online from France, or through eBay, and maybe they are not 100% sure where their purchase is being shipped from.</p>
<p>This time the attachment was called Tax_Invoice.zip, which expanded directly to the executable (no folders in between this time), which was called Tax_Invoice_________________________NHHDLS883298792929.exe. I guess the filename padding is a flimsy attempt to make the end part disappear from view and show as the truncated name &#8220;Tax_Invoice_&#8230;&#8221; or similar. Like the previous ones, this has a crude MS Word icon which has rough edges and simply does not scale above &#8220;medium icons&#8221; view in Vista &#8211; any larger and it just shows the smaller one in a larger grey box.</p>
<p>This one has an MD5 hash of 8CEB0F61089D86C086DCC08D6A783015.</p>
<p>Since the <a title="first post about UPS_Invoice malware" href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" target="_blank">first rash</a> of <a title="second follow up post about UPS_invoice virus" href="http://veroblog.wordpress.com/2008/07/15/follow-up-post-about-ups_invoice-trojan/" target="_blank">these emails</a> last week, things died down. Presumably as the world&#8217;s antivirus vendors caught up with this new malware outbreak, they were mainly being caught at the point of sending. I certainly received none for several days, then had two on Monday night / Tuesday morning with the same text as before:</p>
<blockquote><p>Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office</p>
</blockquote>
<p>(one bizarrely missed the apostrophe from &#8220;recipient&#8217;s&#8221; and replaced it with a space)</p>
<p>Both had the same attachment UPS_INVOICE_978172.zip (47.9 KB or 49,110 bytes in size), which expanded to a 56KB (57,344 bytes) exe of the same name with MD5 checksum DA4B7EF93C588AD799F1A1C5AFB6CFAD.</p>
<p>Thursday&#8217;s pair were just called invoice_8712.zip (48 KB or 49,192 bytes) which held a 55.5 KB (56,832 bytes) file called INVOICE_8712.exe with MD5 digest of 9E2756F0A0AD988E149845B07216B181. All of this week&#8217;s emails had the subject &#8220;UPS Tracking Number nnn&#8221; with four different numbers: 1950761581, 8587187457, 7535113385, and 6853701924.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/07/24/ups_invoice-email-trojan-variant-claims-to-be-from-customs-service/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>Using anti-virus software to keep the elephants away</title>
		<link>http://blog.meteorit.co.uk/2007/10/01/using-anti-virus-software-to-keep-the-elephants-away/</link>
		<comments>http://blog.meteorit.co.uk/2007/10/01/using-anti-virus-software-to-keep-the-elephants-away/#comments</comments>
		<pubDate>Mon, 01 Oct 2007 07:34:30 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[IT myths debunked]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[elephants]]></category>
		<category><![CDATA[enumerating badness]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[viruses]]></category>
		<category><![CDATA[whitelist]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2007/10/01/using-anti-virus-software-to-keep-the-elephants-away/</guid>
<description><![CDATA[Steve Riley wrote an interesting article recently about why he chooses the trade-off to not run anti-virus (AV) on his own machines, and a follow-up to that after many people asked if this is his general recommendation. His view is very similar to mine, in that if your overall stance is a cautious one and [...]]]></description>
			<content:encoded><![CDATA[<p><a title="Anti-virus - who needs it?" href="http://blogs.technet.com/steriley/archive/2007/09/22/antivirus-software-who-needs-it.aspx" target="_blank">Steve Riley wrote an interesting article recently</a> about why he chooses the trade-off to not run anti-virus (AV) on his own machines, and a <a title="the necessity of antivirus" href="http://blogs.technet.com/steriley/archive/2007/09/25/more-on-the-necessity-of-antivirus-software.aspx" target="_blank">follow-up to that</a> after many people asked if this is his general recommendation. His view is very similar to mine, in that if your overall stance is a cautious one and you are taking other suitable precautions against the risk of getting a virus infection (or spyware or some other nasty malware) then you may be just fine running with no AV software. This is how I run my own workstations (both private and business), but in all cases I run as a non-privileged user and will always be aware of the risks anytime I use admin credentials to install something. </p>
<p>As <a title="Aaron Margosis on Anti-virus vs. non-admin" href="http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx" target="_blank">Aaron Margosis points out</a>, running anti-virus software which requires you to be a local administrator to work properly is fairly pointless. You have the rights required to turn off, disable and uninstall your AV, so any malware that gets past your defences can do this too, rendering the AV potentially useless. The same applies of course to running well-written anti-virus which does not require admin rights, but then running as admin anyway.</p>
<p><span id="more-122"></span></p>
<h2>Recommendations for your business</h2>
<p>I recommend to all my clients that they run some form of anti-virus software, as well as ensuring that they are set up to use non-admin user accounts. Ultimately, I can&#8217;t totally control their actions and stop them using an administrative account when they don&#8217;t need to, and despite my best advice they may inadvertently click on something, download something or otherwise put themselves at unnecessary risk. Anti-malware software adds a valuable layer in their &#8220;defence in depth&#8221; model. If I had complete control, or could always be on hand at a moment&#8217;s notice to answer their questions every time they get a prompt to install something, then they could perhaps loosen this approach. Frankly, for the small cost of a reasonable anti-virus solution, they get more protection, and greater peace of mind.</p>
<h3>Whitelisting</h3>
<p>Using software restriction policies to control what programs people use can help in the fight against malware by attacking the problem from the other end. By using a whitelist, you dictate what applications can be run on your network. To do this you have to make a list of all the &#8216;good&#8217; programs, which is often easier, shorter and changes less frequently than the anti-malware approach of trying to list all the bad things out there, of which there are probably more, and this is certainly a moving target. However, I still don&#8217;t see businesses using <a title="using a whitelist of applications rather than a blacklist of viruses" href="http://veroblog.wordpress.com/2007/06/28/whitelisting-applications-versus-anti-virus/" target="_blank">whitelisting as a replacement for anti-virus</a>, but as a useful complement in a managed environment.</p>
<h3>What about those elephants?</h3>
<p>Well, I met a guy on the bus the other day who was very carefully tearing small squares from his newspaper and throwing them out the window. I asked him why he was doing this, to which he replied &#8220;to keep away the wild elephants&#8221;. <br />When I pointed out that there are no wild elephants in the UK, he smiled and said &#8220;see &#8211; it&#8217;s working&#8221;. </p>
<p>Next time someone tells you that the AV product they use is better than some other one because they have never been infected, remind them of this story and ask how many times they have seen their anti-virus actually stop an infection and give them some kind of warning or log to show for it. In many cases you will find it is none. Thus proving that product X not only stops all known malware, but is equally effective at keeping away the elephants.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2007/10/01/using-anti-virus-software-to-keep-the-elephants-away/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

	</item>
		<item>
		<title>Whitelisting applications versus Anti-virus</title>
		<link>http://blog.meteorit.co.uk/2007/06/28/whitelisting-applications-versus-anti-virus/</link>
		<comments>http://blog.meteorit.co.uk/2007/06/28/whitelisting-applications-versus-anti-virus/#comments</comments>
		<pubDate>Thu, 28 Jun 2007 09:36:54 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Patching + hotfixes]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[application hash]]></category>
		<category><![CDATA[enumerating badness]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[viruses]]></category>
		<category><![CDATA[whitelist]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2007/06/28/whitelisting-applications-versus-anti-virus/</guid>
<description><![CDATA[There was an interesting article in The Register yesterday called &#8220;the decline of antivirus and the rise of whitelisting&#8220;. It discussed the relative merits of using a whitelist to allow only known good programs to run, versus using traditional anti-virus (AV) to let everything run except things you know are bad. The comments to this [...]]]></description>
			<content:encoded><![CDATA[<p>There was an interesting article in The Register yesterday called &#8220;<a title="Article in The Register about whitelisting" href="http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/" target="_blank">the decline of antivirus and the rise of whitelisting</a>&#8220;. It discussed the relative merits of using a whitelist to allow only known good programs to run, versus using traditional anti-virus (AV) to let everything run except things you know are bad. The comments to this article also raised a number of valid points, some academic and some based on real-world experience.</p>
<p>The obvious flaw in the traditional AV approach is the difficulty in keeping up with new malicious software rapidly enough to avoid infection. Whitelisting gives you a little more control but still takes substantial effort in a large environment, and is harder to delegate out to a third party without leaving so many loopholes as to render it pointless.</p>
<p><span id="more-58"></span></p>
<p>Subscribing to some kind of global whitelist is only useful for making it easy to get the hashes for a bunch of apps, so you could say &#8220;let all the components of MS Office 2007 Premium run&#8221; without having to dig through them yourself. Delegating your entire rulebase to someone else does not make sense to me, as it would allow some apps to run for which you have no licenses and others which have no rightful place in your environment, such as spyware. Look at how many spyware &#8216;admin tools&#8217; are not picked up by AV products due to threatened legislation; the same problem would hit whitelist suppliers.</p>
<p>With AV I am happy to accept that pretty much all the things they block are actually bad. I have never personally suffered from any real issue with a false positive. I don&#8217;t need to believe they do catch everything (that&#8217;s a different question) but I have great trust that what they do catch is right.</p>
<h2>My own experience of whitelisting</h2>
<p>Back when I was single-handedly running a network of about 100 Windows 98 machines I used policies to manage the environment (old school tattooing .pol file stuff before AD and proper Group Policies). I adopted a whitelisting approach to manage what was being used &#8211; anything not on the list simply could not be run by anyone on any machine.</p>
<p>The main point of this was not to stop accidental-malware (although it certainly helped) but to prevent employees installing unlicensed, unmanaged software including games or (potentially) spyware, keyloggers etc. In a 2000/XP/Vista world this would be less of a problem, but don&#8217;t forget there was no &#8216;admin&#8217; in 98, all users had all the rights they wanted, by default. Setup.exe was not on the whitelist, of course. </p>
<p>Anything not on my whitelist could not be run &#8211; obviously there were ways round this but the vulnerability was minimised as far as possible. The firm had a couple of weeks of minor pain after rollout while we found all those odd little bits of software that one user in accounts had, or the receptionist, but after those two weeks we had a solid solution. Catching these oddities was also useful in terms of checking what was in place, were we licensed, where did these apps keep their data and was it backed up?</p>
<p>One user found that when he tried to eject his CD tray to play a music CD he was told by an error message that this was banned by admin! This turned out to be because he had a CD burning program which got hooked by the eject operation. This was not on the list so he could not run it. About ten minutes later his machine had an exception for this program and we carried on happily for about six months.</p>
<p>We also ran &#8216;traditional&#8217; anti-virus software (enumerating badness) and used heuristic scanning options in some cases. This was partly because these old &#8217;98 policies could not tell the difference between the &#8216;good&#8217; winword.exe in the right folder and a &#8216;bad&#8217; virus calling itself winword.exe.</p>
<h2>What stopped us in the end?</h2>
<p>A dumb supplier of forms software who changed from having their new form templates downloaded as zips and made them self-extracting executable files &#8211; named differently for every form and every version (once a month in some cases). At first we just weakened security for one or two users, then it became three or four who needed to do this and the rot set in. An impending merger and major upgrade were the final nails in the coffin of a project I was proud to have done and which had helped enormously in controlling the network, getting a better handle on our licenses and generally reducing support headaches.</p>
<h2>What barriers do you have to overcome for a whitelisting approach to work?</h2>
<p>You must have a tightly controlled environment in the first place &#8211; a standard build image in which you know what is installed. Change management processes to get things added to the build or to your deployment tool (GPSI, SMS, <a title="Special Operations Software Deployment tools" href="http://www.specopssoft.com/products/specopsdeploy/" target="_blank">SpecOps Deploy</a> etc) should tie into the whitelist too. The larger and more distributed your environment becomes, the exponentially harder this obviously gets, simply because of the variety and complexity that brings.</p>
<p>These days, do not let normal users have admin rights. At all. Ever. I was at a Microsoft conference recently when someone asked about the Vista group policies for whitelisting via executable name and said that someone could just trivially rename &#8220;virus.exe&#8221; to &#8220;mspaint.exe&#8221; (or whatever) and get round it. This of course presumes they have admin rights to alter the names of things in Windows or Program Files, which they should not have. Using a Linux distro CD could also get round this, which is where encryption technologies such as BitLocker and/or EFS come in. Protecting the front door while leaving the back door open is a waste of time. Whitelisting only works as one part of an overall security policy, not as a reason to ignore all the other vectors of attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2007/06/28/whitelisting-applications-versus-anti-virus/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
		<item>
		<title>Sophos SBE: anti-virus and anti-spam for small businesses</title>
		<link>http://blog.meteorit.co.uk/2007/01/14/sophos-sbe-anti-virus-and-anti-spam-for-small-businesses/</link>
		<comments>http://blog.meteorit.co.uk/2007/01/14/sophos-sbe-anti-virus-and-anti-spam-for-small-businesses/#comments</comments>
		<pubDate>Sun, 14 Jan 2007 23:01:36 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[software review]]></category>
		<category><![CDATA[Sophos]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2007/01/14/sophos-sbe-anti-virus-and-anti-spam-for-small-businesses/</guid>
		<description><![CDATA[Sophos Small Business Suite &#8211; Engineered for small businesses Includes Sophos Anti-Virus Small Business Edition and Sophos Pure Message Small Business Edition Detects and disinfects viruses at every potential access point, ensuring networks are fully protected Blocks up to 98% of spam, keeping inboxes free of unsolicited bulk emails Updates automatically, providing a complete defence [...]]]></description>
			<content:encoded><![CDATA[<h1>Sophos Small Business Suite &#8211; Engineered for small businesses</h1>
<ul>
<li>Includes Sophos Anti-Virus Small Business Edition and Sophos Pure Message Small Business Edition</li>
<li>Detects and disinfects viruses at every potential access point, ensuring networks are fully protected</li>
<li>Blocks up to 98% of spam, keeping inboxes free of unsolicited bulk emails</li>
<li>Updates automatically, providing a complete defence against the latest virus and spam threats</li>
</ul>
<h2>Review</h2>
<p>This product is squarely aimed at the small business IT administrator who wants a neat, simple solution to address their concerns about viruses, and the issues caused by the ever-increasing volume of spam email.</p>
<p><span id="more-21"></span><br />
The concept of an all-in-one product sounds appealing, although some might argue that this deviates from a &#8220;best of breed&#8221; approach (more on that later). Similarly, most administrators (of large and small networks) want to be able to set something up, configure it and then touch it as infrequently as possible. They need protection from all the nasty malware and want to avoid filling their email systems with undeleted spam, but at the same time do not have time to spend maintaining this level of service to their users. &#8220;Fire and forget&#8221; is the requirement here, and Sophos Small Business Suite delivers it.</p>
<p>Before I look at the product itself, some background information about the versions and licensing, since these are key factors in deciding between similar products.<br />
The current version of Sophos Anti-Virus Small Business Edition is v.1.0.2, which has been around since 2004, although of course like any anti-virus (AV) product it is regularly updated to tackle new types of malware and specific definitions of known viruses. This is the part of the suite which covers &#8220;traditional&#8221; AV for desktops and servers (such as file servers).</p>
<p>The other half of the suite is PureMessage, which provides anti-virus scanning for SMTP and NNTP traffic as well as within an existing Exchange information store. It also includes a flexible anti-spam solution for The version of Sophos PureMessage Small Business Edition which shipped with this was also v.1.0.2, but a newer version (v2.5.1) was released in January 2006 and is available as a <a href="http://www.sophos.com/support/knowledgebase/article/4110.html">download</a> for registered customers, so existing users can benefit for free. This also marks a key stage in the product&#8217;s development &#8211; the version numbering is being brought into line with the enterprise-class Sophos PureMessage solution because the Small Business Edition now includes the same feature set as that edition.</p>
<h2>Features</h2>
<p>Sophos Anti-virus Small Business Suite provides a number of tools to enable network administrators to better protect their systems, including:</p>
<ul>
<li>Anti-virus software for servers and desktops</li>
<li>Central management console to deploy AV and updates to machines, and check on status</li>
<li>Anti-virus and spam filtering for email &#8211; SMTP and existing message stores</li>
<li>Messages can be deleted, quarantined or flagged according to customised rules</li>
</ul>
<h3>Software details</h3>
<p><strong>Publisher:</strong> <a href="http://www.sophos.com">Sophos</a></p>
<p><strong>Supported Operating systems:</strong> Windows 98 / ME / 2000 / 2003 / XP Home / XP Pro / Mac OSX 10.2+</p>
<p><strong>Supported email servers: </strong>Exchange 2000 / 2003 on Windows 2000 / 2003 with IIS</p>
<p>Like most such products, Sophos SBE comes with subscription options from one to five years which include not only virus definition updates but also real version upgrades and unlimited 24/7 support. This is where you can make good savings by making a long-term commitment: two years costs just 1.5 times the one-year price, with similar discount levels through to five years at only 3 times. Similarly, you save 20% by buying the suite rather than the separate products. Recommended pricing for the SBE suite is £449 / US$639 for ten users for one year; you will find slightly cheaper deals depending on your reseller or online vendor, and, as mentioned, you should pay attention to the subscription length as that has the biggest effect on the cost. You don&#8217;t have to pay an inflated price for servers either (as with some corporate AV): they are just &#8216;regular&#8217; seats as long as they do not represent more than 10% of the installed base (or a single server), and in the type of environment this product is aimed at that is likely to be more than adequate.</p>
<h3>Installation</h3>
<p>The anti-virus and message management components of the suite are installed separately. While this may be a little long-winded for firms using an all-in-one solution such as Windows Small Business Server, it makes sense since the configuration options are entirely different due to the nature of the products. I had no real difficulties installing on both Windows Server 2000 Standard and SBS 2003.</p>
<p>During installation it creates two service accounts &#8211; you get a prompt when it does this but no assistance to explain exactly what they are used for or what rights or group memberships will be assigned to them. Personally I have some issues with this, as I feel I should not have to dig through the documentation to see what possible holes are being created in system security. I realise, however, that in the target market for this there will be those who just want to get on with it and not worry about such details, so it is arguably a reasonable approach to take.</p>
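<p>The check a practitioner would want after an installer creates service accounts it does not explain is simply to look at what they were given. The script below is an added example, not part of the review and not Sophos code: it lists every service running under something other than a built-in identity and the local groups that account belongs to. It assumes the two accounts the review mentions are local accounts (their names are not given, so it does not filter on a name) and that the <code>Get-LocalGroup</code> / <code>Get-LocalGroupMember</code> cmdlets are available (Windows 10 / Server 2016 and later).</p>

```powershell
# Added example (not from the original review or from Sophos): report every
# service whose logon account is not a built-in identity, together with the
# local groups that account is in. Assumption: the vendor's service accounts
# are local accounts; the post does not name them, so nothing here depends on
# a particular name.

$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Get-CustomAccountServices {
    # Services whose logon account is not one of the built-in identities
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        Select-Object Name, DisplayName, StartName, StartMode, PathName
}

function Get-LocalGroupMembershipTable {
    # One row per (group, member) pair on this machine
    foreach ($g in Get-LocalGroup) {
        foreach ($m in @(Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Group = $g.Name; Member = $m.Name }
        }
    }
}

function Get-ServiceAccountReport {
    $services = @(Get-CustomAccountServices)
    $table    = @(Get-LocalGroupMembershipTable)
    foreach ($account in ($services.StartName | Sort-Object -Unique)) {
        # StartName may be '.\svc' or 'HOST\svc'; compare on the bare user name
        $user   = ($account -split '\\')[-1]
        $groups = $table | Where-Object { ($_.Member -split '\\')[-1] -ieq $user } | ForEach-Object Group
        [pscustomobject]@{
            Account      = $account
            Services     = (($services | Where-Object StartName -eq $account).Name -join ', ')
            LocalGroups  = ($groups -join ', ')
            # the first thing to look at: a vendor service account in Administrators
            IsLocalAdmin = [bool]($groups -contains 'Administrators')
        }
    }
}

Get-ServiceAccountReport | Format-Table -AutoSize
```

<p>Group membership is only half the picture; user rights such as &#8220;Log on as a service&#8221; or debug privilege are assigned separately in the local security policy, and <code>secedit /export /cfg &lt;file&gt;</code> will dump those so the same accounts can be looked up there.</p>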
<p>The Sophos Control Center for managing your clients is started at the end of the installation and a wizard takes you through the initial stages of configuring update options then discovering clients on the network, choosing which ones to install to and then remotely deploying the client software and the update agent depending on the configuration choices you make.</p>
<p>The PureMessage component is similarly very easy to install, although there is much less &#8220;prompting&#8221; about how to configure it (there is no wizard showing you all the areas to consider). The basics are there, so you would have AV protection and basic, unconfigured spam filtering from the outset. I wonder how many people may leave everything at defaults and wonder why this is not giving them the results they expect.</p>
<h3>Usability for administration</h3>
<p>The Control Center can be installed on an admin desktop as well as on the server which runs the updating service, to make daily checking or maintenance easier. A nice colour-coded system is used to show machines which are fully up to date, out of date or not managed, and any specific alerts for each machine are shown in a bottom pane. You are also shown whether the on-access scanner is currently running or not. You can easily force an immediate update to one or more machines you choose (for example if you know there is a new update which you urgently require to counter an outbreak). Overall this is a well laid-out and simple tool to use, and for the time-pressed admin it is an easy daily check &#8211; all green is good.</p>
<p>One of the nicer features of the update method (configured during initial installation but easy to get at from the console) is that you can specify alternative download locations for clients, including going directly to Sophos when your server is unavailable, such as for users working from home.</p>
<p>If you use Windows Firewall (or any other client-side software of this type) you will have to configure it to allow the update service (RouterNT.exe) to fetch updates; otherwise it will install the AV product OK and run the on-access scanner but won&#8217;t update, and such machines will show in the console as &#8220;unmanaged&#8221;. I was slightly disappointed that the advice on Sophos&#8217; support pages for dealing with this only describes how to do this manually on each machine, and does not even hint at the possibility that this can be done centrally using Group Policy. While I realise a step-by-step for configuring GP would be impractical since all AD environments differ, some mention of the principle, and of where to find the relevant GP settings, would have been a useful pointer for the typical admin in this market who may not be familiar with these ideas.</p>
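<p>As an added example of the Group Policy route the review says the vendor documentation leaves out (this is not from the original post or from Sophos), the script below checks whether a Windows Firewall program exception for RouterNT.exe is already in force, first from Group Policy and then from the machine&#8217;s own list, and otherwise prints the entry to add to the GPO together with the one-off <code>netsh</code> equivalent. The install path is an assumption (the review gives none), and the registry locations are those used by the pre-Vista Windows Firewall the review is describing.</p>

```powershell
# Added example, not from the original post or from Sophos. Assumptions: the
# install path below is a guess (the review does not give one), and the two
# registry lists are where the XP/2003-era Windows Firewall keeps program
# exceptions set by Group Policy and set locally.

$exe      = 'C:\Program Files\Sophos\Remote Management System\RouterNT.exe'   # assumed path
$ruleName = 'Sophos RouterNT'

# Entry format of the GPO "Windows Firewall: Define program exceptions" under
# Computer Configuration > Administrative Templates > Network > Network Connections
# > Windows Firewall > Domain Profile. Fields are path:scope:status:name.
$policyEntry = '{0}:*:enabled:{1}' -f $exe, $ruleName

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List'

function Test-FirewallException([string]$Key, [string]$Path) {
    # True when the list under $Key holds an enabled entry whose path field is $Path.
    # Matching on the value data rather than the value name covers both the
    # GPO-written and the locally written layout of the list.
    if (-not (Test-Path $Key)) { return $false }
    $pattern = '^' + [regex]::Escape($Path) + ':'
    $hits = (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Where-Object { "$($_.Value)" -imatch $pattern -and "$($_.Value)" -imatch ':enabled:' }
    return @($hits).Count -gt 0
}

if (Test-FirewallException $policyKey $exe) {
    "Group Policy exception in force for $exe"
} elseif (Test-FirewallException $localKey $exe) {
    "Only a local (per-machine) exception exists for $exe; nothing is set in Group Policy"
} else {
    "No exception for $exe."
    "GPO entry for 'Define program exceptions': $policyEntry"
    # One-off local equivalent. scope=SUBNET limits the inbound hole to the local
    # subnet; use scope=CUSTOM with the management server's address if it is elsewhere.
    "Local equivalent: netsh firewall add allowedprogram program=`"$exe`" name=`"$ruleName`" mode=ENABLE scope=SUBNET"
}
```

<p>Policy entries are often written with environment variables such as <code>%ProgramFiles%</code>; if yours are, compare against the unexpanded form rather than the literal path. On Vista and later the same idea is expressed with <code>netsh advfirewall firewall add rule</code> (or <code>New-NetFirewallRule -Program</code>) and a different policy location, so this check applies only to the XP/2003 firewall.</p>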
<p>The console for PureMessage is an MMC snap-in, although there are a couple of oddities to this, such as the &#8220;apply&#8221; and &#8220;reset&#8221; buttons right at the bottom of the screen. These are very easy to overlook, especially if using a remote desktop session to check or change the configuration (as is fairly common practice for a lot of system administrators). This is especially problematic since you can change tabs and it remembers the changed settings on a previous page even though they are not yet applied; you can still reset back to the current running configuration, but this undoes changes on every tab, and this is definitely not obvious. Closing the console applies the changes without any further prompt, which I think is risky. For the target market, this needs to be made more &#8216;fiddle-proof&#8217;. If an inexperienced admin has changed some things and is not sure what they have done, it is quite possible they would close the console thinking &#8220;at least I did not apply the changes so it will be OK&#8221;. Maybe an MMC is not the right platform for this tool, and a more interactive application which prompts on exit would make sense.</p>
<h3>Usability for users</h3>
<p>If your users do not have admin rights to their machines then they cannot change or configure the on-access (background) scanner nor schedule periodic scans, which is probably no bad thing. They can launch the Sophos AV software locally and run an immediate scan &#8211; by default this would be for local fixed disks, but they can also choose other drives such as CDs or browse to scan just a particular folder. While they can configure certain options such as whether to scan inside archives, they cannot change centrally managed things such as the list of extensions to include, or files / folders to exclude from scanning. I was surprised to find this was not initiated through a more user-orientated right-click context menu for Explorer, such as a &#8220;Scan this folder with Sophos Anti-Virus&#8221; option, since some of this is non-obvious for users, but with the on-access scanner running there should be little need for them to use this very often. However, it is useful for a desktop support person to be able to get at this easily without having to log on as admin.</p>
<p>A quick note about the executable extensions list. There are two key factors which help Sophos to detect viruses regardless of this list. Firstly, you can choose to detect that a file is executable based on its content rather than its (possibly fake) file extension. Secondly, it seems very good at doing this within a variety of archive files, even when nested. Renaming an archive file to the wrong extension does not make much difference either, so Sophos gives you more peace of mind that it is very hard for any malicious files to get past your defences using these sorts of techniques.</p>
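<p>To make the two points above concrete, here is an added example (my own code, not the scanner&#8217;s and not from the review) of what &#8220;decide by content, not by name, and recurse into archives whatever they are called&#8221; looks like in practice. It treats anything starting with the PE <code>MZ</code> signature as an executable, descends into anything starting with the ZIP local-header signature regardless of extension, and stops at a nesting limit so a deliberately deep archive cannot run it forever. The sample archive is constructed in memory, so nothing touches disk.</p>

```powershell
# Added example, not Sophos code: classify by file content (the MZ header of a
# PE image) rather than by file name, and recurse into ZIP archives however
# they are named. The nested sample archive is constructed in memory below.

Add-Type -AssemblyName System.IO.Compression

function Test-PeHeader([byte[]]$Bytes) {
    # PE images start with the DOS stub signature 'MZ' (0x4D 0x5A)
    return ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A)
}

function Test-ZipHeader([byte[]]$Bytes) {
    # ZIP local file header signature 'PK\x03\x04'
    return ($Bytes.Length -ge 4 -and $Bytes[0] -eq 0x50 -and $Bytes[1] -eq 0x4B -and
            $Bytes[2] -eq 0x03 -and $Bytes[3] -eq 0x04)
}

function Find-Executables([byte[]]$Bytes, [string]$Name, [int]$Depth = 0, [int]$MaxDepth = 8) {
    # Emits one line per executable found, giving its path through the nesting.
    if (Test-PeHeader $Bytes) { "$Name  (PE by content, depth $Depth)"; return }
    if (-not (Test-ZipHeader $Bytes)) { return }
    # Bound the recursion: a zip-in-a-zip chain (or a zip bomb) must not run forever
    if ($Depth -ge $MaxDepth) { "$Name  (archive, nesting limit reached, not scanned)"; return }
    $ms  = New-Object System.IO.MemoryStream (,$Bytes)
    $zip = New-Object System.IO.Compression.ZipArchive ($ms, [System.IO.Compression.ZipArchiveMode]::Read)
    try {
        foreach ($entry in $zip.Entries) {
            $out = New-Object System.IO.MemoryStream
            $s = $entry.Open(); $s.CopyTo($out); $s.Dispose()
            Find-Executables $out.ToArray() "$Name/$($entry.FullName)" ($Depth + 1) $MaxDepth
        }
    } finally { $zip.Dispose() }
}

function New-ZipBytes([hashtable]$Files) {
    # Build a ZIP in memory from a name -> byte[] map (used only to construct the sample)
    $ms  = New-Object System.IO.MemoryStream
    $zip = New-Object System.IO.Compression.ZipArchive ($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    foreach ($k in $Files.Keys) {
        $e = $zip.CreateEntry($k)
        $s = $e.Open(); $s.Write($Files[$k], 0, $Files[$k].Length); $s.Dispose()
    }
    $zip.Dispose()
    return $ms.ToArray()
}

# Constructed sample: an 'MZ' stub posing as notes.txt, inside a zip renamed photo.jpg,
# inside an outer archive called attachment.dat, next to a harmless text file.
$fakeExe = [System.Text.Encoding]::ASCII.GetBytes('MZ this is only a stub, not a real program')
$inner   = New-ZipBytes @{ 'notes.txt' = $fakeExe }
$outer   = New-ZipBytes @{ 'photo.jpg' = $inner; 'readme.txt' = [System.Text.Encoding]::ASCII.GetBytes('hello') }

Find-Executables $outer 'attachment.dat'
```

<p>Neither the <code>.dat</code>, the <code>.jpg</code> nor the <code>.txt</code> extension matters to the walk; only the first bytes do. A real scanner also has to recognise other container formats and compressed streams, and to cap total decompressed size as well as depth, but the shape is the same.</p>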
<h3>Spam filtering</h3>
<p>The PureMessage spam filtering function is very flexible, allowing you to alter the levels at which it will mark emails as suspected spam or definite spam. You can choose whether or not to indicate this in the subject line of the email (to enable users to filter them into folders, for example, or to take more care when opening). The filtering of email and viruses is customisable to determine whether mails are deleted, quarantined and / or delivered. All of this customisation is great, and is far beyond most other products in this class.</p>
<p>However, the big problem is that for all this customisation it does not seem to stop, or even to suspect, some mails which are quite obviously spam, whereas Outlook 2003 happily picks them out without breaking stride. These are mainly emails with subjects like &#8220;TheMicroCapJournal revaporize darii nasalization&#8221; with body text in gibberish (&#8220;hippoglosinae unaffirmation engastrimythic cantankerous unwarlikeness thamnium&#8221;) and the &#8220;real&#8221; part of the mail embedded in an image. This is certainly not a new technique, and I would have hoped that these would be easy enough to spot, when this particular example only received a &#8220;spam score&#8221; of 32%. Maybe checking the average word length would help &#8211; in English usage, something over 10 like this one should obviously be an attempt to fool a Bayesian filter. Bringing the levels down to include all these mails would increase the false positives too much (I tried with levels of 20% and 70% for a week).</p>
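<p>The average-word-length idea floated above is easy to try. The following is an added example (not from the review and not how PureMessage scores mail): it applies that heuristic to the two strings quoted in the paragraph and to a constructed ordinary English sentence as a control. The threshold of 10 is the one the paragraph suggests.</p>

```powershell
# Added example, not from the review or from Sophos: score text by average
# word length, the heuristic the paragraph proposes for dictionary-filler spam.
# The first two samples are quoted in the review; the third is a constructed
# control sentence.

function Get-AverageWordLength([string]$Text) {
    # Strip punctuation so "attached," does not count as a nine-letter word
    $words = @(($Text -replace '[^\w\s]', '') -split '\s+' | Where-Object { $_ -ne '' })
    if ($words.Count -eq 0) { return 0 }
    $total = ($words | ForEach-Object { $_.Length } | Measure-Object -Sum).Sum
    return [math]::Round($total / $words.Count, 2)
}

function Test-WordSaladSpam([string]$Text, [double]$Threshold = 10) {
    # True when the text reads like dictionary filler aimed at a Bayesian filter
    return (Get-AverageWordLength $Text) -gt $Threshold
}

$samples = @(
    'TheMicroCapJournal revaporize darii nasalization',                                  # subject quoted in the review
    'hippoglosinae unaffirmation engastrimythic cantankerous unwarlikeness thamnium',    # body text quoted in the review
    'Please find the invoice for last month attached, let me know if anything is wrong'  # constructed control
)

foreach ($s in $samples) {
    [pscustomobject]@{
        AvgWordLength = Get-AverageWordLength $s
        Suspect       = Test-WordSaladSpam $s
        Text          = $s
    }
}
```

<p>Both quoted strings land above 10 and the control well below it, so as one feature among several this would have lifted the 32% score the review mentions. On its own it is too blunt to act on: legitimate technical mail full of long identifiers or product names trips it, which is exactly the false-positive problem the paragraph ran into when lowering the thresholds.</p>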
<p>On the plus side then, when the filtering works it does what you need: gets rid of obvious stuff completely and gets the rest out of the way, either to quarantine or into users&#8217; folders. It just needs some improvements in the engine to be a little smarter.</p>
<h2>Conclusion</h2>
<p>Overall, as a suite of products this performs very well and is ideal for the target market. Essentially it does what it is designed to do and keeps it simple to ensure it is easy to set up correctly.<br />
It allows an administrator to centrally manage their virus protection for both email and desktops, including remote workers. It is only let down by the variable performance of the spam filter and by still having two consoles for management which makes it &#8216;feel&#8217; like two separate products. Despite these minor things, I would highly recommend this as a great solution for small businesses, and this software suite gets a well-deserved <strong>8/10</strong>.</p>
<p>This review is © Adam Vero 2006 and was first published on <a href="http://www.security-forums.com">Security-Forums Dot Com</a>.<br />
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2007/01/14/sophos-sbe-anti-virus-and-anti-spam-for-small-businesses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
	</channel>
</rss>
