Re: Recent spate of Malicious VB attachments II

2015-02-20 Thread Axb

On 02/19/2015 06:25 PM, Alex Regan wrote:

Hi,


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


if you have enough trap traffic, MD5 hashes -> clamav signatures is a
quick and dirty way of detecting them.

also, Sophos is taking care of them, real nicely.


I'm interested in knowing if you're running Sophos on fedora/centos with
amavisd?


Nope.. I use it to scan mail files before they're archived, not during 
mailflow.



I used it years ago with sophie, but have been out-of-touch, and lost
track of how to get it going these days.


You'd have to use the SAVDI (SSSP protocol) interface which is in their 
OEM Integration kit (if their license permits)








RE: Recent spate of Malicious VB attachments II

2015-02-19 Thread Tonyata
Thank you all for your comments, very much appreciated
 
Tony
 
Date: Wed, 18 Feb 2015 12:28:11 -0700
From: ml-node+s1065346n114635...@n5.nabble.com
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II



On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn [hidden email] wrote:

 On 2/18/2015 2:10 PM, Reindl Harald wrote:

  the source contains at least socket:// and heavy pulsating disk-IO
  noticed from the RAID10 as long as the process was active - will give
  it a try in an isolated VM to see what it does the next spare time

 Or if there was an SA-style classifier for malware that scores files
 in addition to "this is a keylogger".

A lot of the samples we see heavily obfuscate the VB code.  Example:

Sub h()
 ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
 USER = Module1.Travel(username)

 jks = ds
 PST2 = "" + "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te"

 VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
 VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
 BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date"

 PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
 VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
 VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
... more of the same

This makes a simple-minded strings inadequate. :( I've also seen
highly-obfuscated Javascript code that builds up strings and then evaluates
them as Javascript.

Regards,

David.

--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621p114639.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Chad M Stewart

I use amavis-new and block based on file type.  My users should never get legit 
executables via email, so they are sent to a quarantine.

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',  # banned file(1) types


  # block certain double extensions in filenames
  
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,



  qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic


Which results in my admin mailbox receiving messages like the following:


 =_1424346907-90515-0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: 7bit
 
 No viruses were found.
 
 Banned name: .exe,.exe-ms,in.exe
 Content type: Banned
 Internal reference code for the message is 90515-05/T9Uh2zuM5Ym6
 
 First upstream SMTP client IP address: [23.113.51.23]:56334
   23-113-51-23.lightspeed.irvnca.sbcglobal.net
 
 Received trace: ESMTP://[23.113.51.23]:56334
 
 Return-Path: nycs...@csis.dk
 From: nycs...@csis.dk
 Message-ID: 048678970043189683240541243784...@csis.dk
 Subject: Attention csis
 The message has been quarantined as: banned-T9Uh2zuM5Ym6
 
 The message WAS NOT relayed to:
 spamt...@ubefree.net:
250 2.7.0 ok, discarded, id=90515-05 - banned: .exe,.exe-ms,in.exe
 
 


-Chad

smime.p7s
Description: S/MIME cryptographic signature
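The banned-name patterns from Chad's amavisd-new configuration, run outside amavis so the behaviour can be checked against sample names. This is an added example in Python, not amavis code. amavis matches each pattern against every "name" it derives for a part, both the declared filename and file(1)-style short types such as ".exe-ms"; this example only extracts declared MIME filenames and takes the short types as a hand-supplied list, exactly as they appear in the quarantine notification above. The mail messages are constructed for the example.

```python
"""Banned-attachment name checks in the style of amavisd-new's
$banned_filename_re.  Added example, not amavis code."""
import email
import email.policy
import re

# The four patterns quoted from the amavisd-new configuration above.
# amavis tries each one against every "name" it derives for a part: the
# declared filename and file(1)-style short types such as ".exe-ms".
BANNED_NAME_RE = [
    (re.compile(r'^\.(exe-ms|dll)$'), 'banned file(1) type, rudimentary'),
    (re.compile(r'^\.(exe|lha|cab|dll)$'), 'banned file(1) type'),
    (re.compile(r'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*'
                r'(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', re.I),
     'double extension'),
    (re.compile(r'.\.(exe|vbs|pif|scr|cpl)$', re.I), 'banned extension - basic'),
]


def check_names(names):
    """Return one (name, reason) pair for every pattern each name trips."""
    hits = []
    for name in names:
        for pattern, reason in BANNED_NAME_RE:
            if pattern.search(name):
                hits.append((name, reason))
    return hits


def attachment_names(raw_message):
    """Declared filenames of all MIME parts.  Real amavis would add the
    file(1)-derived short type of each part; this example does not."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def scan_message(raw_message):
    return check_names(attachment_names(raw_message))


def _mail_with(filename):
    """Constructed test message carrying one attachment named `filename`."""
    return (
        b"From: sender@example.invalid\r\n"
        b"To: user@example.invalid\r\n"
        b"Subject: PURCHASE ORDER (34663)\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
        b"\r\n--b1\r\n"
        b"Content-Type: text/plain\r\n\r\nsee attached\r\n"
        b"--b1\r\n"
        b"Content-Type: application/octet-stream; name=\"" + filename + b"\"\r\n"
        b"Content-Disposition: attachment; filename=\"" + filename + b"\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        b"dGVzdA==\r\n"
        b"--b1--\r\n"
    )


SAMPLE_BANNED = _mail_with(b"in.exe")           # like the quarantined message above
SAMPLE_MACRO_DOC = _mail_with(b"2600_001.doc")  # passes: the rules never look inside

if __name__ == "__main__":
    print(scan_message(SAMPLE_BANNED))     # [('in.exe', 'banned extension - basic')]
    print(scan_message(SAMPLE_MACRO_DOC))  # []
```

The second sample is the point of the thread: a name-based rule set says nothing about a .doc or .xls, so the macro document goes through untouched while in.exe is caught by two of the four patterns' worth of names.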


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald


Am 19.02.2015 um 14:46 schrieb Chad M Stewart:

I use amavis-new and block based on file type.  My users should never get legit 
executables via email, so they are sent to a quarantine.

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
   qr'^\.(exe-ms|dll)$',   # banned file(1) types, rudimentary
   qr'^\.(exe|lha|cab|dll)$',  # banned file(1) types


   # block certain double extensions in filenames
   
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

   qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic


well, that you can achieve directly on the MTA, but that won't help in 
case of emails containing MS office attachments with a Malicious VB script


cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = 
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x 
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) $1


(.rar because ClamAV can't scan the content on Fedora)



signature.asc
Description: OpenPGP digital signature


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Matteo Dessalvi

Hello.

I am just curious, since I am using SaneSecurity
signatures too.

According to: http://sanesecurity.com/usage/signatures/
some of the lists you mentioned have been classified
with 'medium' to 'high' risk of false positives:

foxhole_*
spear / spearl

Did you not get into trouble with those ones?

Regards,
   Matteo

On 19.02.2015 15:46, Reindl Harald wrote:


Am 19.02.2015 um 15:43 schrieb David F. Skoll:

On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]

spreadsheet with a macro virus in it.  ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?



Useless? Are you using the third-party patterns?


No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me


looks like you are using the wrong ones;
no problems with these ones

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb



Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald



Am 19.02.2015 um 16:13 schrieb Matteo Dessalvi:

I am just curious, since I am using SaneSecurity
signatures too.

According to: http://sanesecurity.com/usage/signatures/
some of the lists you mentioned have been classified
with 'medium' to 'high' risk of false positives:

foxhole_*
spear / spearl

Did you not get into trouble with those ones?


no, ClamAV doesn't see much mail at all because clamav-milter is running 
after spamass-milter and the filters in front are killing 99% at the 
envelope stage


Blocked:      204540
SpamAssassin:   3292
Virus:            68

the foxhole ones are classified with 'high' because they don't care if it is a 
virus at all, they unpack the archive and reject unconditionally if there is a 
file with a blocked extension



On 19.02.2015 15:46, Reindl Harald wrote:


Am 19.02.2015 um 15:43 schrieb David F. Skoll:

On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]

spreadsheet with a macro virus in it.  ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?



Useless? Are you using the third-party patterns?


No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me


looks like you are using the wrong ones;
no problems with these ones

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb




signature.asc
Description: OpenPGP digital signature


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Dave Funk

On Thu, 19 Feb 2015, Reindl Harald wrote:

well, that you can achieve directly on the MTA, but that won't help in case of 
emails containing MS office attachments with a Malicious VB script


cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = 
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x 
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) $1


(.rar because ClamAV can't scan the content on Fedora)


Is that a politically inspired limitation? If you build ClamAV from source
it can scan RAR.

--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald


Am 19.02.2015 um 15:43 schrieb David F. Skoll:

On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]

spreadsheet with a macro virus in it.  ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?



Useless? Are you using the third-party patterns?


No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me


looks like you are using the wrong ones;
no problems with these ones

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb



signature.asc
Description: OpenPGP digital signature


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Dave Funk

On Thu, 19 Feb 2015, David F. Skoll wrote:


On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart c...@balius.com wrote:


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


I thought that ClamAV knew how to unpack zip/rar/tar/gzip/etc...
and scan the cruft inside them.

Are you saying that doesn't work or are you saying that the malware is
mutating fast enough that the ClamAV signatures aren't keeping up with it?
If the latter case, is there -any- AV kit that is?
Are the Sanesecurity add-in ClamAV signatures helpful?

--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Alex Regan

Hi,


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


if you have enough trap traffic, MD5 hashes -> clamav signatures is a
quick and dirty way of detecting them.

also, Sophos is taking care of them, real nicely.


I'm interested in knowing if you're running Sophos on fedora/centos with 
amavisd?


I used it years ago with sophie, but have been out-of-touch, and lost 
track of how to get it going these days.


Off-topic, I guess, but if anyone has any pointers on how to integrate 
sophos and clamav with amavisd on fedora, I'd be very appreciative. 
Googling only reveals ancient sources.


Thanks,
Alex


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread David F. Skoll
On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart c...@balius.com wrote:

 I use amavis-new and block based on file type.  My users should never
 get legit executables via email, so they are sent to a quarantine.

Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Axb

On 02/19/2015 03:24 PM, David F. Skoll wrote:

On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart c...@balius.com wrote:


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


if you have enough trap traffic, MD5 hashes -> clamav signatures is a 
quick and dirty way of detecting them.


also, Sophos is taking care of them, real nicely.
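Axb's "quick and dirty" route, hashing spam-trap samples into ClamAV signatures, as an added example that is not from the original post or from ClamAV. It writes ClamAV's .hdb format, one line per sample of the form MD5:filesize:MalwareName, collapses duplicate samples, and includes a lookup that does what clamd does with such a database so the weakness is visible: a hash signature binds to exact content and size, so one appended byte in the next campaign variant evades it. The sample bytes, labels and the Trap.MacroDoc name prefix are constructed for the example.

```python
"""Turn spam-trap samples into ClamAV hash signatures (.hdb).
Added example; not from the original post or from ClamAV."""
import hashlib
import re

# ClamAV signature names are dotted tokens; anything else is replaced.
NAME_BAD_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def hdb_line(data, name):
    """One .hdb entry: MD5:filesize:MalwareName.  Hash and size must both match."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def build_hdb(samples, prefix="Trap.MacroDoc"):
    """samples: iterable of (label, bytes) from the trap.  Identical content is
    emitted once; labels are sanitised into a ClamAV-safe name under `prefix`."""
    seen = set()
    lines = []
    for label, data in samples:
        digest = hashlib.md5(data).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        lines.append(hdb_line(data, f"{prefix}.{NAME_BAD_CHARS.sub('_', label)}"))
    return lines


def hdb_matches(lines, data):
    """What clamd does with a .hdb: compare MD5 and size of the scanned object."""
    key = f"{hashlib.md5(data).hexdigest()}:{len(data)}:"
    return any(line.startswith(key) for line in lines)


# Constructed trap samples (not real malware): OLE2 magic plus filler bytes.
TRAP_SAMPLES = [
    ("remittance.xls", b"\xd0\xcf\x11\xe0" + b"A" * 100),
    ("remittance copy.xls", b"\xd0\xcf\x11\xe0" + b"A" * 100),   # same content
    ("2600_001.doc", b"\xd0\xcf\x11\xe0" + b"B" * 100),
]

if __name__ == "__main__":
    for line in build_hdb(TRAP_SAMPLES):
        print(line)
    # A one-byte change to a known sample is enough to miss the signature.
    print(hdb_matches(build_hdb(TRAP_SAMPLES), TRAP_SAMPLES[2][1] + b"\x00"))  # False
```

Drop the output into a file with the .hdb extension in ClamAV's database directory and reload; the same layout with a SHA-1 or SHA-256 digest goes into an .hsb file instead.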




Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread David F. Skoll
On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]
  spreadsheet with a macro virus in it.  ClamAV is essentially
  useless at detecting viruses, so it's a real problem... any ideas?

 Useless? Are you using the third-party patterns?

No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me.

 Just not responsive enough or doesn't have the technology to catch
 today's threats?

It's not responsive enough.  And I don't mean to pick on ClamAV;
these macro viruses are slipping past a lot of signature-based AV products.

 What are the threats it doesn't catch?

Pretty much 99% of the malware passing through our relays (mostly
macro viruses nowadays.)

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Alex Regan

Hi,


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


Useless? Are you using the third-party patterns? You think it's useless 
using those as well? Just not responsive enough or doesn't have the 
technology to catch today's threats?


What are the threats it doesn't catch?

Thanks,
Alex





Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald


Am 19.02.2015 um 15:47 schrieb Dave Funk:

On Thu, 19 Feb 2015, Reindl Harald wrote:


well, that you can achieve directly on the MTA, but that won't help in
case of emails containing MS office attachments with a Malicious VB
script

cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) $1

(.rar because ClamAV can't scan the content on Fedora)


Is that a politically inspired limitation?


you can call it political; I blame the authors, like the license change 
of JSON (https://bugs.php.net/bug.php?id=63520)

https://fedoraproject.org/wiki/Licensing:Unrar?rd=Licensing/Unrar


If you build ClamAV from source it can scan RAR


I already build enough packages and my day has only 24 hours






signature.asc
Description: OpenPGP digital signature


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Benny Pedersen
On February 19, 2015 3:26:00 PM David F. Skoll d...@roaringpenguin.com 
wrote:



Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


ClamAV foxhole rules, then in amavisd map this signature to spam or however the end 
user wants it; the problem is that amavisd is not a virus scanner, but a good 
interface to ClamAV :)


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Jesse Norell
On Wed, 2015-02-18 at 06:18 -0700, Tonyata wrote:
 Thanks for your feedback, much appreciated
 
 We do regularly review our AV solution and are generally happy with
 what we have in place. The issue was and continues to be that this is
 new variant Malware so by the time the AVs catch up we already have a
 number of mails received in the Userbase.
 Was kinda hoping for some clever spam rule trickery to combat this
 but maybe I should just reset my expectations :)
  
 But in any case, any further suggestions/comments are gratefully
 received.


  There are some solutions for re-scanning email which has been
delivered (via imap, and possibly direct maildir access) so spam that's
not initially in razor/pyzor type services gets caught.  You could
probably adapt one of those to also run a virus scanner at a later time
with updated signatures to catch those, or even put together a quick
shellscript to loop through your maildirs with a cli virus scanner (if
you use maildir).  Of course it won't address users that have read their
email already, but certainly would help overall.

  Another option might be to add a virus scanner to your pop/imap
server, so mail is re-scanned before being sent to the client?

Jesse


 Cheers
 Tony
  
 
 __
 Date: Wed, 18 Feb 2015 06:08:30 -0700
 From: [hidden email]
 To: [hidden email]
 Subject: Re: Recent spate of Malicious VB attachments II
 
 On 02/18/2015 01:09 PM, Tonyata wrote: 
 
  Posting again as the original post didn't hit the mailing list - 
  
  Hi Guys, 
  
  Last week my company received a noticeable increase in emails
 containing MS 
  office attachments with a Malicious VB script which downloaded
 something 
  nasty. 
   For example Subj - Remittance  [Report ID:54400-2187772],
  attachments were 
   <10 random chars>.xls or Subj - PURCHASE ORDER (34663), attachments 
  2600_001.doc 
  
  In all cases we receive a couple of thousand emails across the
 customer base 
  over a couple of hours, sometimes originating from the same sender
 (in which 
  case I blacklist) but more often differing senders/IP's.
 Historically I add 
  a rule to pick up on the obvious characteristics - Subj, attachment
 name etc 
  and because they are pretty short-lived campaigns it's generally
 sufficient. 
  
  What I'd like to know is - 
  
  a) Did any of you see similar?
 yes! 
 
  b) Do you have any suggestions in order to detect this kind of stuff
 more 
  efficiently and on a more generic basis but without introducing FP
 risk? 
 
 Get a decent AV. 
 
 Test samples at https://virustotal.com
 
 The results will probably help you make a decision as to which AV 
 product meets your expectations. 
 
  If you don't want to spend on AV then you'll have to look into free 
  ClamAV signatures : 
 
 http://sanesecurity.com/ and others. 



-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net



Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn jqu...@pccc.com wrote:

 On 2/18/2015 2:10 PM, Reindl Harald wrote:

  the source contains at least socket:// and heavy pulsating disk-IO 
  noticed from the RAID10 as long as the process was active - will give
  it a try in an isolated VM to see what it does the next spare time

 Or if there was an SA-style classifier for malware that scores files
 in addition to "this is a keylogger".

A lot of the samples we see heavily obfuscate the VB code.  Example:

Sub h()
 ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
 USER = Module1.Travel(username)

 jks = ds
 PST2 = "" + "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te"

 VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
 VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
 BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date"

 PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
 VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
 VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
... more of the same

This makes a simple-minded strings inadequate. :( I've also seen
highly-obfuscated Javascript code that builds up strings and then evaluates
them as Javascript.

Regards,

David.



Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread John Hardin

On Wed, 18 Feb 2015, David F. Skoll wrote:


On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell je...@kci.net wrote:


  Another option might be to add a virus scanner to your pop/imap
server, so mail is re-scanned before being sent to the client?


I wrote some Perl to try to detect MS Office documents with macros in
them.  I'm not sure it's 100% successful, but it does seem to detect
a large percentage of them.  Unfortunately, I found out to my dismay
that quite a few legitimate MS Office documents have macros, so you can
only use this to add points, not to reject.


Macros are not inherently evil. Macros that dig around in the registry or 
try to retrieve stuff over the network are evil.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them. -- Jeffrey Snyder
---
 4 days until George Washington's 283rd Birthday


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Joe Quinn

On 2/18/2015 2:10 PM, Reindl Harald wrote:


Am 18.02.2015 um 20:00 schrieb David F. Skoll:

On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin jhar...@impsec.org wrote:


Macros are not inherently evil.


No, they're not, but AutoRun macros are guilty until proven 
otherwise, IMO.
(And adding the ability for MS Office macros to execute external 
programs
and fetch content over the Internet *is* inherently evil and MS 
should be

soundly slapped for that.)


it would be nice if SA added a *low score* in case of documents 
containing macros - that may make the difference in a milter setup in 
combination with other rules and bayes to reject or not

___

well, and as a sidenote: I had today a jar-malware (java) in a mail 
and instead of unpacking it for inspection, because it had the same icon as 
archives, I managed to run that damned thing - luckily realized that 30 
seconds later, pulled the network cables and restored the complete 
machine from a nightly backup


the source contains at least socket:// and heavy pulsating disk-IO 
noticed from the RAID10 as long as the process was active - will give it 
a try in an isolated VM to see what it does the next spare time


Or if there was an SA-style classifier for malware that scores files in 
addition to "this is a keylogger".


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 20:10:46 +0100
Reindl Harald h.rei...@thelounge.net wrote:

 it would be nice if SA added a *low score* in case of documents 
 containing macros - that may make the difference in a milter setup in 
 combination with other rules and bayes to reject or not

Yeah, that's what we do.  We add 3.7 points for files containing macros.

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell je...@kci.net wrote:

   Another option might be to add a virus scanner to your pop/imap
 server, so mail is re-scanned before being sent to the client?

I wrote some Perl to try to detect MS Office documents with macros in
them.  I'm not sure it's 100% successful, but it does seem to detect
a large percentage of them.  Unfortunately, I found out to my dismay
that quite a few legitimate MS Office documents have macros, so you can
only use this to add points, not to reject.

The code fragment is below (it's not a complete solution, but it gives
you the gist).  It's not a SpamAssassin plugin (because it's part
of our MIMEDefang framework) but it shouldn't be too hard to adapt.
The essential part is to look for the two strings $marker1 and $marker2
in the document.

Regards,

David.

==
# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

use strict;
use warnings;
use MIME::Words qw(decode_mimewords);   # MIME-tools; supplies decode_mimewords()

my $marker1 = "\xd0\xcf\x11\xe0";                          # OLE2 compound file header
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";  # "\0Attribut\0" from the VBA stream

sub contains_office_macros
{
    my ($self, $entity) = @_;

    # Multipart: recurse into the children and report the first hit.
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }

    # Leaf part: only bother with MS Office filenames.
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name )) {
        my $possible = $entity->head->mime_attr($attr_name);
        next unless defined($possible);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;
    return 0 unless defined($entity->bodyhandle) &&
                    defined($entity->bodyhandle->path);

    # Slurp the decoded body and look for both markers.
    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;
        $contents = <$fp>;
        close($fp);
    }
    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}
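The same two-marker heuristic as David's fragment above, ported to Python as an added example (not the MIMEDefang code, and not a SpamAssassin plugin) and extended in one way the post's version cannot cover: .docx/.docm/.xlsm and the other OOXML types are ZIP containers, and their macros live in a deflated vbaProject.bin member, so scanning the raw attachment bytes for the OLE header and the "Attribut" string finds nothing there. The example therefore checks OLE2 attachments the way the post does and OOXML attachments by listing the ZIP for vbaProject.bin, then returns a score to add rather than a reject decision. The extension list, the 3.7-point value taken from the thread, and all sample documents (byte stubs, not valid Office files) are assumptions made for the example.

```python
"""Detect Office attachments that carry VBA macros, for scoring in a
milter/SpamAssassin-style pipeline.  Added example in Python, not the
MIMEDefang code from the post above."""
import io
import re
import zipfile
import email
import email.policy
from email.message import EmailMessage

CFB_MAGIC = b"\xd0\xcf\x11\xe0"        # $marker1: OLE2 compound file header
VBA_ATTRIBUT = b"\x00Attribut\x00"     # $marker2: from "Attribute VB_Name" in VBA streams
# Assumed extension list (the post checks only doc/docx).
OFFICE_EXT_RE = re.compile(
    r"\.(doc[mx]?|dot[mx]?|xls[mxb]?|xlt[mx]?|ppt[mx]?|pot[mx]?)$", re.I)


def ole_has_macro_markers(data):
    """The post's heuristic: an OLE2 file whose bytes contain the VBA marker."""
    return data.startswith(CFB_MAGIC) and VBA_ATTRIBUT in data


def ooxml_has_vba_project(data):
    """docx/xlsx/pptx are ZIPs; macros live in a vbaProject.bin member, which
    is normally deflated, so the raw marker scan above does not see it."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def blob_has_macros(data):
    return ole_has_macro_markers(data) or ooxml_has_vba_project(data)


def message_macro_parts(raw):
    """Filenames of Office attachments in `raw` that appear to carry VBA."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not OFFICE_EXT_RE.search(name):
            continue
        if blob_has_macros(part.get_payload(decode=True) or b""):
            hits.append(name)
    return hits


def macro_score(raw, points=3.7):
    """Add points rather than reject: legitimate documents carry macros too."""
    return points if message_macro_parts(raw) else 0.0


# --- constructed samples: not valid Office files, just the bytes the checks look at
FAKE_OLE_WITH_VBA = CFB_MAGIC + b"\x00" * 508 + b"\x00Attribut\x00e VB_Name = \"Module1\"\r\n"
FAKE_OLE_CLEAN = CFB_MAGIC + b"\x00" * 512


def make_ooxml(with_vba):
    """Minimal ZIP shaped like an OOXML package, with or without a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_message(filename, data):
    """Constructed mail with one binary attachment (base64-encoded)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Remittance [Report ID:54400-2187772]"
    msg.set_content("see attached")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, blob in [("2600_001.doc", FAKE_OLE_WITH_VBA),
                        ("invoice.docm", make_ooxml(True)),
                        ("invoice.docx", make_ooxml(False))]:
        raw = build_message(fname, blob)
        print(fname, message_macro_parts(raw), macro_score(raw))
```

Presence of a VBA project is all either check establishes; it says nothing about whether the macro auto-runs, touches the registry or fetches content, which is why the result is a score contribution and not a verdict.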


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread David F. Skoll
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin jhar...@impsec.org wrote:

 Macros are not inherently evil.

No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
(And adding the ability for MS Office macros to execute external programs
and fetch content over the Internet *is* inherently evil and MS should be
soundly slapped for that.)

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Reindl Harald


Am 18.02.2015 um 20:00 schrieb David F. Skoll:

On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin jhar...@impsec.org wrote:


Macros are not inherently evil.


No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
(And adding the ability for MS Office macros to execute external programs
and fetch content over the Internet *is* inherently evil and MS should be
soundly slapped for that.)


it would be nice if SA added a *low score* in case of documents 
containing macros - that may make the difference in a milter setup in 
combination with other rules and bayes to reject or not

___

well, and as a sidenote: I had today a jar-malware (java) in a mail and 
instead of unpacking it for inspection, because it had the same icon as archives, I 
managed to run that damned thing - luckily realized that 30 seconds 
later, pulled the network cables and restored the complete machine from 
a nightly backup


the source contains at least socket:// and heavy pulsating disk-IO 
noticed from the RAID10 as long as the process was active - will give it a 
try in an isolated VM to see what it does the next spare time




signature.asc
Description: OpenPGP digital signature


RE: Recent spate of Malicious VB attachments II

2015-02-18 Thread Tonyata
Thanks for your feedback, much appreciated

We do regularly review our AV solution and are generally happy with what we 
have in place. The issue was and continues to be that this is new variant 
Malware so by the time the AVs catch up we already have a number of mails 
received in the Userbase.
Was kinda hoping for some clever spam rule trickery to combat this but maybe I 
should just reset my expectations :)
 
But in any case, any further suggestions/comments are gratefully received.
 
Cheers
Tony
 
Date: Wed, 18 Feb 2015 06:08:30 -0700
From: ml-node+s1065346n114622...@n5.nabble.com
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II



On 02/18/2015 01:09 PM, Tonyata wrote:

 Posting again as the original post didn't hit the mailing list -



 Hi Guys,



 Last week my company received a noticeable increase in emails containing MS

 office attachments with a Malicious VB script which downloaded something

 nasty.

   For example Subj - Remittance  [Report ID:54400-2187772], attachments were

 <10 random chars>.xls or Subj - PURCHASE ORDER (34663), attachments

 2600_001.doc



 In all cases we receive a couple of thousand emails across the customer base

 over a couple of hours, sometimes originating from the same sender (in which

 case I blacklist) but more often differing senders/IP's. Historically I add

 a rule to pick up on the obvious characteristics - Subj, attachment name etc

 and because they are pretty short-lived campaigns it's generally sufficient.



 What I'd like to know is -



 a) Did any of you see similar?

yes!


 b) Do you have any suggestions in order to detect this kind of stuff more

 efficiently and on a more generic basis but without introducing FP risk?


Get a decent AV.


Test samples at https://virustotal.com

The results will probably help you make a decision as to which AV 

product meets your expectations.


If you don't want to spend on AV then you'll have to look into free 

ClamAV signatures :


http://sanesecurity.com/ and others.



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621p114623.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Recent spate of Malicious VB attachments II

2015-02-18 Thread Axb

On 02/18/2015 01:09 PM, Tonyata wrote:

Posting again as the original post didn't hit the mailing list -

Hi Guys,

Last week my company received a noticeable increase in emails containing MS
office attachments with a Malicious VB script which downloaded something
nasty.
  For example Subj - Remittance  [Report ID:54400-2187772], attachments were
10 random chars.xls or Subj - PURCHASE ORDER (34663), attachments
2600_001.doc

In all cases we receive a couple of thousand emails across the customer base
over a couple of hours, sometimes originating from the same sender (in which
case I blacklist) but more often differing senders/IP's. Historically I add
a rule to pick up on the obvious characteristics - Subj, attachment name etc
and because they are pretty short-lived campaigns it's generally sufficient.

What I'd like to know is -

a) Did any of you see similar?

yes!

b) Do you have any suggestions in order to detect this kind of stuff more
efficiently and on a more generic basis but without introducing FP risk?

Get a decent AV.

Test samples at https://virustotal.com

The results will probably help you make a decision as to which AV
product meets your expectations.

If you don't want to spend on AV then you'll have to look into free
ClamAV signatures:

http://sanesecurity.com/ and others.


RE: Recent spate of Malicious VB attachments II

2015-02-18 Thread John Hardin

On Wed, 18 Feb 2015, Tonyata wrote:


Thanks for your feedback, much appreciated

We do regularly review our AV solution and are generally happy with what we
have in place. The issue was and continues to be that this is new-variant
malware, so by the time the AVs catch up we already have a number of mails
received in the user base.
Was kinda hoping for some clever spam rule trickery to combat this, but maybe I
should just reset my expectations :)

But in any case, any further suggestions/comments are gratefully received.


<plug type=shameless>http://impsec.org/email-tools/procmail-security.html</plug>

Not signature-based. I believe the current dev version (1.152pre8) catches 
the current VB download scripting. Feel free to forward me some samples if 
you like.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The most glaring example of the cognitive dissonance on the left
  is the concept that human beings are inherently good, yet at the
  same time cannot be trusted with any kind of weapon, unless the
  magic fairy dust of government authority gets sprinkled upon them.
   -- Moshe Ben-David
---
 4 days until George Washington's 283rd Birthday


Recent spate of Malicious VB attachments II

2015-02-18 Thread Tonyata
Posting again as the original post didn't hit the mailing list - 

Hi Guys, 

Last week my company received a noticeable increase in emails containing MS
office attachments with a Malicious VB script which downloaded something
nasty.
 For example Subj - Remittance  [Report ID:54400-2187772], attachments were
10 random chars.xls or Subj - PURCHASE ORDER (34663), attachments
2600_001.doc
 
In all cases we receive a couple of thousand emails across the customer base
over a couple of hours, sometimes originating from the same sender (in which
case I blacklist) but more often differing senders/IP's. Historically I add
a rule to pick up on the obvious characteristics - Subj, attachment name etc
and because they are pretty short-lived campaigns it's generally sufficient.
 
What I'd like to know is - 

a) Did any of you see similar? 
b) Do you have any suggestions in order to detect this kind of stuff more
efficiently and on a more generic basis but without introducing FP risk?
 
Thanks in advance 
ata 



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Recent-spate-of-Malicious-VB-attachments-II-tp114621.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
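Tony's approach above (a rule on the obvious subject and attachment-name traits of each campaign) can be combined with a cheap, more generic check for a VBA project inside a legacy Office attachment. The following is an added Python example written for this page, not code from any poster or from SpamAssassin; the subject and filename regexes are constructed from the examples in the thread, the OLE check is a raw-byte heuristic for VBA stream names rather than a real OLE parser, and the sample message is constructed inline.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Campaign traits from the thread as subject/attachment-name regex pairs
# (regexes written for this example, not rules taken from the list).
CAMPAIGNS = [
    (re.compile(r"^Remittance\s+\[Report ID:\d{5}-\d{7}\]"),
     re.compile(r"^[a-z0-9]{10}\.xls$", re.I)),
    (re.compile(r"^PURCHASE ORDER \(\d{5}\)"),
     re.compile(r"^\d{4}_\d{3}\.doc$", re.I)),
]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
# OLE directory entries hold stream names as NUL-terminated UTF-16LE; a VBA
# project always carries a "VBA" storage and a "_VBA_PROJECT" stream.
VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00",
               "VBA".encode("utf-16-le") + b"\x00\x00")

def attachment_has_vba(data: bytes) -> bool:
    """Cheap triage heuristic, not a parser: a UTF-16 "VBA" in document text
    could also match, so treat a hit as a scoring signal, not a verdict."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)

def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (signal count, signal names) for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        for subj_re, name_re in CAMPAIGNS:
            if subj_re.search(subject) and name_re.search(name):
                hits.append(f"campaign_pattern:{name}")
        if attachment_has_vba(payload):
            hits.append(f"ole_vba_stream:{name}")
    return len(hits), hits

def build_sample(subject: str, filename: str, with_vba: bool) -> bytes:
    """Constructed test input: a fake OLE blob (header plus one directory-style
    stream name), not a real spreadsheet, attached to a minimal message."""
    blob = OLE_MAGIC + b"\x00" * 24
    if with_vba:
        blob += "_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00"
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(blob, maintype="application", subtype="vnd.ms-excel", filename=filename)
    return msg.as_bytes()
```

A message that matches a campaign pattern and also carries VBA stream names scores two signals; a benign spreadsheet with neither scores zero, which is the separation that keeps the FP risk Tony mentions low when the signals feed a score rather than a hard block.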