"Spanish" worms

These are old archives. They are kept for historic purposes only.
Guest

Post by Guest »

Hi!
I'm a user of a Spanish net, and I tried to compile a list of the most frequent "Spanish" worms... this is my configuration of the spamfilter in my net at the moment:

F cpq kill 0 17704 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://interserv[0-9]+\.thefreebizhost\.com/.+
F q gline 0 17788 7200 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://interserv[0-9]+\.i-networx\.de/lolitasex\.avi
F cpq kill 0 196270 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://www\.iespana\.es/interserv[0-9]+/psicosex\.jpg
F cpq kill 0 195626 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://interserv[0-9]+\.t35\.com/money\.txt
F q gline 0 178336 7200 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://www\.powow\.com/mdm[0-9]+/index\.html
F p kill 0 115058 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe!~[email protected] http://interserv[0-9]+\.mysitespace\.com/fullmovies\.avi
F pq gline 0 95197 7200 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://members\.lycos\.co\.uk/iserver[0-9]+/playboy\.avi

(Ignore the reasons, I think the regexp is the most important thing ;)
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

Thanks for sharing...
I hope you don't get too many false positives because your regexps contain only the URI...
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Dukat wrote: Thanks for sharing...
I hope you don't get too many false positives because your regexps contain only the URI...
I don't get any false positives. Most of those regexps contain "interserv"; all the web spaces named interserv[0-9]+ are synonymous with a trojan-containing page. Don't worry, all of these pages have been tested :)
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »

What about people reporting the spammers?
Hello Operator, <someone> sent me http://members.lycos.co.uk/iserver1/playboy.avi, ban him!
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Dukat wrote: What about people reporting the spammers?
Hello Operator, <someone> sent me http://members.lycos.co.uk/iserver1/playboy.avi, ban him!
Hmm, yes, that seems to be a problem, but it's the same when a user tries to report that someone sent him a query and pastes the whole query. The problem with that is that most infected users send privmsgs to users; because of that I only set the "kill" action. For those who have a quit msg announcing the URL, I've set a gline for 2h.
I think the best solution for that would be setting an entrymsg when every user connects to the net, advising them not to directly paste something like that, and instead to tell an oper that someone sent him/her a query with possible "spam" (but without pasting the URL). An oper could then send the user a DCC Chat, or ask him/her to paste the message on a forum, etc.
I think the best solution is prevention :D
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Also, we have set::spamfilter::except for exactly this problem ;).
(But prevention is indeed even better ;p)

Personally for matching reasons I'm not too worried about matching on urls only. Like if a (sub)domain or other thing is constant you can use that, which is harder to change than just a text (not to mention that you might have missed a variant with certain text).
For performance reasons however, it's usually better to match on the entire msg, so if you know it starts with "Hello" (^Hello) and the text starts with "hey", then the regex lib already knows it can stop matching, while in the case of a url it will have to search pretty much the entire string :P.
thekey
Posts: 15
Joined: Fri Feb 18, 2005 11:48 pm

Post by thekey »

Yes, I've thought about that, but these spam messages are all different, e.g.:

[00:30] <Sirope_girl> 4,1Fotos de Famosos y Famosas 8,1http://interserv2.freesites.ws/famous.avi

[19:06] <Sirope_girl> 5Mira esta foto, esta buena 8,1http://interserv2.freesites.ws/famous.avi

[22:16] <sirope^girl> 12Que y como piensa el sexo opuesto http://interserv2.freesites.ws/famous.avi

[18:24] <sirope^girl> 8,1Lo mejor del cine tv y demas entretenimiento http://interserv2.freesites.ws/famous.avi

I confess, this girl has about 300 trojans and all the matches before are from her :lol:

But of course they are not the only ones.

You can see that the only thing in common is the "interserv" word, and I think that setting a spamfilter for this word could be very dangerous, so I'd better add the URLs.

Here are some more that I've just added:

F cp kill 0 605 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://interserv[0-9]+\.freesites\.ws/.+

F cp kill 0 2 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://n\.1asphost.com/interserv[0-9]+/.+
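As an added example that is not part of the thread: a small Python checker that parses three of the spamfilter lines posted above (the field layout it assumes is read off the posts themselves, not taken from UnrealIRCd documentation) and runs sample messages through them, covering Dukat's report-to-oper case, the target letters, and a constructed bare-word filter on "interserv" to show thekey's point about why the full URLs are the safer pattern.

```python
import re
from dataclasses import dataclass

# Three of the thread's spamfilter lines, copied verbatim (reason text kept as posted).
# Field layout is an assumption read off the posts:
#   F <targets> <action> <n> <n> <duration> <reason> <setter> <regex>
SPAMFILTER_LINES = [
    r"F cpq kill 0 17704 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://interserv[0-9]+\.thefreebizhost\.com/.+",
    r"F pq gline 0 95197 7200 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://members\.lycos\.co\.uk/iserver[0-9]+/playboy\.avi",
    r"F cp kill 0 605 86400 Usuario_infectado_con_virus,_acuda_a_http://www.softonic.com,_baje_un_buen_antivirus,_desinféctese,_y_podrá_volver CoRLEoNe![email protected] http://interserv[0-9]+\.freesites\.ws/.+",
]

@dataclass
class Spamfilter:
    targets: set       # 'c' channel, 'p' private, 'q' quit message, as used in the thread
    action: str        # kill or gline
    duration: int      # seconds; 7200 is the 2h gline thekey mentions
    reason: str
    regex: re.Pattern

def parse_spamfilter(line: str) -> Spamfilter:
    """The regex is the last token and the setter may contain a space, so split from both ends."""
    head, regex = line.rsplit(" ", 1)
    kind, targets, action, _n1, _n2, duration, rest = head.split(" ", 6)
    if kind != "F":
        raise ValueError("not a spamfilter (F) entry")
    reason = rest.split(" ", 1)[0].replace("_", " ")
    return Spamfilter(set(targets), action, int(duration), reason, re.compile(regex))

def check_message(filters, target: str, text: str):
    """(action, duration) of the first filter covering this target whose regex matches, else None."""
    for f in filters:
        if target in f.targets and f.regex.search(text):
            return f.action, f.duration
    return None

FILTERS = [parse_spamfilter(line) for line in SPAMFILTER_LINES]

# Sample traffic: the first two lines are from the thread, the last two are constructed edge cases.
SAMPLES = {
    "bot_in_channel": ("c", "Fotos de Famosos y Famosas http://interserv2.freesites.ws/famous.avi"),
    "report_to_oper": ("p", "Hello Operator, <someone> sent me http://members.lycos.co.uk/iserver1/playboy.avi, ban him!"),
    "same_url_in_channel": ("c", "http://members.lycos.co.uk/iserver1/playboy.avi"),  # that filter only targets p and q
    "benign_warning": ("c", "the interserv sites are all trojans, don't open them"),
}

def run_samples():
    return {name: check_message(FILTERS, t, text) for name, (t, text) in SAMPLES.items()}

# thekey's worry made concrete: a constructed bare-word filter on "interserv" also hits the benign warning.
BARE_WORD = parse_spamfilter("F cp kill 0 0 86400 constructed_reason nobody!x@y interserv")
```

The report-to-oper sample is glined just like the bot that sent the link, which is the false positive Dukat describes, and the quit/private-only filter lets the same URL through in a channel because of its target letters.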