
Change logs, NY traffic tickets, UPS shipments...



Those are with trojan attachments, I assume. An interesting exercise (if you can do it safely) and one supporting the "public good", is to submit those to VirusTotal (or similar) which scans them with multiple AV engines.

  • It is interesting how few recognize the threat.
  • Some of those AVs (apparently/maybe) use the data to update their definitions/methods.
  • It is interesting to see how many more recognize the threat after a week or so (re-run the scan).
  • The VirusTotal results are publicly available information for others to utilize.


Just ran one of the "UPS" ones through and it was detected by 13/43 -- not too good of a record

If that was a fresh one, it's not too bad actually (meaning it was a relatively ineffectual exploit). I've seen them as low as 3 detections (maybe some time ago now) - perhaps more of the AVs/AMs are getting smarter, maybe more of them are getting better about keeping up with the pace, or more of them are not just relying on a hash "signature" for the whole file.

The ultimate is to get a zero detection from the combined scanner array for an actual exploit vector (though, for most of us, that means a wait of some days to see if it gets classified and so confirm its badness) - that would mean you've been the first alarm-raiser. But that's probably not (quite) possible these days. Doesn't matter, you might still be the first confirmer of a new signature/code-string "in the wild" even with a few/some detections - and that (potentially) informs multiple AV/AMs.

It is perfectly trivial for the bad guys to keep changing non-operational parts of the exploit downloader files they distribute; those are built to be mutable with great ease so as to defeat simple stores of known signatures, and evidently that is (still) enough to evade detection by most AV/AM scanners, most of the time - at the start of their run. The (would-be) exploiters' "creativity" is mostly confined to or focussed on finding ways to motivate people to open those attachments in a plausible fake scenario (to overcome whatever caution they might have).

The bad news is, if the ones you are seeing are so stereotyped then "they" are still getting enough "return on investment" to keep limping along. But it is actually easier to jag that "plausible scenario" when they hit a small or medium-sized business (even if the AV/AM defences and awareness of those are - generally or hopefully - a little bit better than those found in the average residential premises).

Much more likely then, in the business environment, that the recipient will actually be expecting a change log, UPS shipment or whatever - or, being just a cog in the wheel, will not be surprised to receive one. Or perhaps it goes to a boss who forwards it to an underling, whose inherent paranoia/scepticism would then be greatly lowered. Also the "motivational" factor is not elemental - whereas for residential victims it is critical, pretty much limited to either or both of greed and curiosity (yes, yes, so 10th millennium BP, but still those work nicely).

Where the would-be exploiters (collectively) fall down is their own greed (or desperation) when they over-work the field - sending multiple times over a short period, with the same "fingerprints" (sender, network, subject, "style", any or all of those) or even the "exact" same message and attachment to the same person or others in the same workgroup. Without that, there would certainly be more business victims.

Looked at in that light, perhaps not quite so boring? And yes, reporters can still do much good - on several fronts if they've a mind to.

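The two points above - that attackers mutate the non-operational parts of a downloader to dodge whole-file hash signatures, and that a VirusTotal hash lookup some days later shows how many engines have caught up - can be made concrete. The script below is an added example, not code from the thread or from any poster. The "sample" bytes are constructed and harmless, the signature store is a toy stand-in for an AV definition set, and the VirusTotal call is a real v3 endpoint (GET /api/v3/files/{sha256} with an x-apikey header) that needs network access and your own key, so it is defined but not called when the script runs. The detection_ratio helper is an assumption about how the "13/43"-style figure is arrived at: engines that returned a verdict, not those that timed out or do not handle the file type.

```python
"""Hash signatures vs. content signatures, and re-checking a sample on VirusTotal.

Added example (not from the original thread). All sample bytes are constructed.
"""
import hashlib
import json
import re
import urllib.request

# Constructed stand-in for a downloader attachment: an "operational" part the
# attacker cannot change without breaking the payload (header stub, C2 request
# template, drop path), followed by a slack region (overlay, archive comment,
# junk resource) that can be rewritten freely for every mailing.
OPERATIONAL = (
    b"MZ\x90\x00" + b"\x00" * 60                # fake PE header stub (constructed)
    + b"GET /gate.php?id= HTTP/1.1\r\n"          # hard-coded C2 request template
    + b"C:\\Users\\Public\\update.exe\x00"       # drop path
)
SLACK_V1 = b"PAD" * 16        # what the first mailing carried
SLACK_V2 = b"\x41" * 48       # what the next mailing carries; behaviour unchanged


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample(slack: bytes) -> bytes:
    return OPERATIONAL + slack


# Two kinds of "definition". HASH_DB is what a scanner that only knows whole-file
# hashes would hold after the first sample was submitted. PATTERN_RULE is a
# YARA-style content rule anchored on bytes the attacker cannot afford to change.
HASH_DB = {sha256_hex(build_sample(SLACK_V1))}
PATTERN_RULE = re.compile(
    rb"GET /gate\.php\?id= HTTP/1\.1\r\n.{0,64}?update\.exe", re.S
)


def hash_detects(data: bytes) -> bool:
    return sha256_hex(data) in HASH_DB


def pattern_detects(data: bytes) -> bool:
    return PATTERN_RULE.search(data) is not None


def verdicts(data: bytes) -> dict:
    return {
        "sha256": sha256_hex(data),
        "hash_sig": hash_detects(data),
        "pattern_sig": pattern_detects(data),
    }


def detection_ratio(stats: dict) -> tuple:
    """(malicious, engines_with_a_verdict) from a last_analysis_stats dict.

    Assumption: the denominator excludes engines that timed out, failed, or do
    not support the file type, which is how the familiar "N/M" figure reads.
    """
    verdict_keys = ("malicious", "suspicious", "undetected", "harmless")
    total = sum(stats.get(k, 0) for k in verdict_keys)
    return stats.get("malicious", 0), total


def vt_lookup(sha256: str, api_key: str, timeout: int = 20) -> dict:
    """Fetch the existing VirusTotal report for a hash (v3 API).

    Needs network access and an API key; not called by this script. Re-running
    this a week after submission is the "re-run scan" from the thread. Returns
    the last_analysis_stats dict (malicious, undetected, ...).
    """
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        report = json.load(resp)
    return report["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    for label, slack in (("first mailing", SLACK_V1), ("next mailing", SLACK_V2)):
        print(label, verdicts(build_sample(slack)))
    # Constructed stats mirroring the 13/43 figure quoted in the thread.
    print(detection_ratio({"malicious": 13, "undetected": 30, "type-unsupported": 2}))
```

Run as-is and the first mailing is caught by both definitions, while the second - identical in everything that executes - slips past the hash store and is still caught by the content rule, which is the whole reason trivially re-padded attachments keep arriving with low initial detection counts. To check a real sample, compute its sha256 with sha256_hex and pass it to vt_lookup with your key, then feed the result to detection_ratio; the same call a week later shows how many engines have since added coverage.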


This topic is now archived and is closed to further replies.
