Can you stick it in bombRe for now to deal with it?

On Tue, Oct 18, 2016 at 3:50 PM, K Post <nntp.p...@gmail.com> wrote:

> We're getting slammed with these now.  All of the files have
> <keyEncryptors><keyEncryptor
> uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in
> them.   Can we block based on content of a file??
>
> I'm guessing this is a new Locky, but now encrypted so scanners don't catch
> them.
>
> On Tue, Oct 18, 2016 at 10:27 AM, K Post <nntp.p...@gmail.com> wrote:
>
> > I've seen a bunch of supposedly encrypted RTF files slip through today.
> > The message body is typical spam, telling the user to open the important
> > file, but the message also tells the user the password for the file.  I think
> > these are created using Office's password protection feature and either
> > renamed as RTF or saved as such (I didn't think you could do that).
> >
> >
> > Any chance that AFC can block these?
> >
> > I didn't dare open a sample in Word, but I did inspect the file and see
> > this block towards the bottom:
> >
> > <dataIntegrity encryptedHmacKey="fgNjkbaoZe/R57CgZGuXNbVgkS3W+hN9AIn8Bfxo6qMRtjYe1YaOVCuJPrvlv09jssa4FPC9ibrjP3TcVaUhpg=="
> > encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/>
> > <keyEncryptors><keyEncryptor
> > uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><p:encryptedKey
> > spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64"
> > cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
> > hashAlgorithm="SHA512" saltValue="1bTPB9+6jWsKar2JVCGrzQ=="
> > encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
> > encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
> > encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/></keyEncryptor></keyEncryptors></encryption>
> >
> > VirusTotal has zero hits on the samples that I submitted, but if they're
> > encrypted, that explains why...
> >
> > I just want to block ANY incoming encrypted document, including Office
> > documents.
> >
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
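
Added example, not part of the original thread and not ASSP code: a content-based check for the attachments described above, which decodes each MIME part and flags it by the keyEncryptor password URI quoted in the thread or by the encrypted-package stream names of an OLE2 container, regardless of file extension. The function names and the sample message are constructed for illustration.

```python
import email
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
# Stream names in an OLE2 directory are stored as UTF-16LE.
ENC_STREAMS = ("EncryptionInfo".encode("utf-16-le"),
               "EncryptedPackage".encode("utf-16-le"))
# Marker quoted in the thread; it appears as plain text in the file.
PW_URI = b"http://schemas.microsoft.com/office/2006/keyEncryptor/password"


def is_encrypted_office(data: bytes) -> bool:
    """True if decoded attachment bytes look like a password-protected Office file."""
    if PW_URI in data:
        return True
    # Fallback for containers that carry no XML descriptor: both streams present.
    return data.startswith(OLE_MAGIC) and all(n in data for n in ENC_STREAMS)


def encrypted_attachments(raw: bytes) -> list[str]:
    """Return filenames of MIME parts that match, whatever their extension."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64 / QP
        if is_encrypted_office(payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits


def sample_message() -> bytes:
    """Constructed sample: markers only, not a real document."""
    fake = (OLE_MAGIC + b"\x00" * 504 + ENC_STREAMS[0] + b"\x00" * 100
            + ENC_STREAMS[1] + b'<keyEncryptor uri="' + PW_URI + b'">')
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Please open the important file.")
    msg.add_attachment(fake, maintype="application", subtype="rtf",
                       filename="invoice.rtf")
    msg.add_attachment(b"{\\rtf1 hello}", maintype="application",
                       subtype="rtf", filename="plain.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(encrypted_attachments(sample_message()))
```

Matching on the raw message would miss these files because the attachment is transfer-encoded, which is why the check runs on each decoded part.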
