RE: Recent spate of Malicious VB attachments II

2015-02-19 Thread Tonyata
Thank you all for your comments, very much appreciated
 
Tony
 
Date: Wed, 18 Feb 2015 12:28:11 -0700
From: ml-node+s1065346n114635...@n5.nabble.com
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II



On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn wrote:


 On 2/18/2015 2:10 PM, Reindl Harald wrote:


  the source contains at least socket:// and heavy pulsating disk-IO 

  noticed from the RAID10 as long the process was active - will give

  it a try in a isolated VM to look what it does the next spare time


 Or if there was an SA-style classifier for malware that scores files

 in addition to this is a keylogger.


A lot of the samples we see heavily obfuscate the VB code.  Example:


Sub h()
 ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
 USER = Module1.Travel(username)
 jks = ds
 PST2 = "" + "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te"
 VBT2 = "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
 VBTXP2 = "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
 BART2 = "a" + "d" & "o" & "b" & "e" + "ac" & "d-up" + "date"
 PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
 VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
 VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
... more of the same


This makes a simple-minded strings inadequate. :( I've also seen

highly-obfuscated Javascript code that builds up strings and then evaluates

them as Javascript.


Regards,


David.













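The string-building that David shows above is mechanical enough to undo without running the macro. The evaluator below is an added example written for this page, not code from the thread: it walks simple VBA assignments (string and number literals, + and &, Chr/Asc/Sgn, variables assigned earlier) and reports what each variable ends up holding. The sample macro inside it is the posted fragment with the quote characters and & operators that the archive dropped put back, which is my reconstruction; Module1.Travel(username) is deliberately left unresolved because nothing in the post says what that module does.

```python
"""Static evaluation of VBA string-building obfuscation (added example, not from the thread).
Resolves what simple VBA assignments (literals, + and &, Chr/Asc/Sgn, earlier variables) leave in
each variable without running the macro; what it cannot model is reported, never guessed.  The
sample is the posted fragment with the quotes and & operators the archive dropped put back."""
import re

SAMPLE_MACRO = '''
Sub h()
 ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
 USER = Module1.Travel(username)
 PST2 = "" + "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te"
 VBT2 = "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
 PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
 VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
End Sub
'''
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(-?\d+)|([A-Za-z_][\w.]*)|([()+&]))')
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+?)$')
BUILTINS = {  # the only functions modelled; a call to anything else is reported as unresolved
    "chr": lambda a: chr(a) if isinstance(a, int) else None,
    "asc": lambda a: ord(a[0]) if isinstance(a, str) and a else None,
    "sgn": lambda a: (a > 0) - (a < 0) if isinstance(a, int) else None,
}

def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize {expr[pos:]!r}")
        pos, (string, number, name, op) = m.end(), m.groups()
        tokens.append(("str", string[1:-1].replace('""', '"')) if string is not None else  # "" is one quote
                      ("num", int(number)) if number is not None else
                      ("name", name) if name is not None else ("op", op))
    return tokens

class Evaluator:
    """Recursive descent over one expression; & binds looser than +, as in VBA."""
    def __init__(self):
        self.vars, self.toks, self.i = {}, [], 0
    def eval_expr(self, expr):
        self.toks, self.i = tokenize(expr), 0
        value = self.parse_concat()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens")
        return value
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, want=None):
        tok, self.i = self.peek(), self.i + 1
        if want is not None and tok != ("op", want):
            raise ValueError(f"expected {want!r}")
        return tok
    def parse_concat(self):
        value = self.parse_sum()
        while self.peek() == ("op", "&"):  # & always concatenates; numbers become text
            self.take()
            value = str(value) + str(self.parse_sum())
        return value
    def parse_sum(self):
        value = self.parse_primary()
        while self.peek() == ("op", "+"):  # + adds numbers and concatenates strings
            self.take()
            rhs = self.parse_primary()
            if type(value) is not type(rhs):  # VBA would try numeric coercion; not modelled
                raise ValueError("type mismatch in +")
            value = value + rhs
        return value
    def parse_primary(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return val
        if (kind, val) == ("op", "("):
            inner = self.parse_concat()
            self.take(")")
            return inner
        if kind == "name" and self.peek() == ("op", "("):  # Chr/Asc/Sgn all take one argument
            self.take("(")
            arg = self.parse_concat()
            self.take(")")
            result = BUILTINS.get(val.lower(), lambda a: None)(arg)
            if result is None:
                raise ValueError(f"call to {val} not modelled")
            return result
        if kind == "name" and val in self.vars:
            return self.vars[val]
        raise ValueError(f"cannot resolve {val!r}")  # unknown variable or another module's function

def resolve_assignments(vba_source):
    """Return (resolved variable values, unresolved variable -> reason)."""
    ev, unresolved = Evaluator(), {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m:  # Sub/End Sub and the like build no strings
            name, expr = m.groups()
            try:
                ev.vars[name] = ev.eval_expr(expr)
            except ValueError as exc:
                unresolved[name] = str(exc)
    return ev.vars, unresolved
```

Chr(ds + 15) resolves only because ds was assigned earlier in the same walk, which is why the assignments are evaluated in order with a shared variable table. A real dropper will also lean on Replace, StrReverse or Mid; those go into BUILTINS as you meet them. The useful property is that the evaluator refuses what it cannot model instead of guessing, so a resolved adobeacd-update.vbs is evidence rather than a hunch, and the unresolved list tells you which calls still need a look by hand.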

Phishing dropbox/google systems

2015-02-19 Thread Alex Regan

Hi,

I've seen quite a few what I believe are phishing attack emails today 
that I haven't seen before:


http://pastebin.com/tKEBH16e

It uses a bit.ly address to point the user to what looks like an 
alternative way to login to Google Drive or any other cloud service in 
one spot. Seriously evil stuff.


It's also obviously from a hacked account normally known and trusted by 
the recipients.


Thanks,
Alex


Bogus day old domains from RRPPROXY.NET

2015-02-19 Thread Kevin Miller
Lately we've been getting slammed by spam.  The bulk of it (no pun intended) is 
coming from new domains (many just a day or two old) which originate from 
key-systems gmbh, and all use RRPPROXY.NET as their name servers such as this 
snippet from whois:

   Domain Name: WATTSMINDANDBODYLAB.COM
   Registrar: KEY-SYSTEMS GMBH
   Sponsoring Registrar IANA ID: 269
   Whois Server: whois.rrpproxy.net
   Referral URL: http://www.key-systems.net
   Name Server: NS1.RRPPROXY.NET
   Name Server: NS2.RRPPROXY.NET
   Name Server: NS3.RRPPROXY.NET
   Status: ok http://www.icann.org/epp#OK
   Updated Date: 19-feb-2015
   Creation Date: 19-feb-2015
   Expiration Date: 19-feb-2016

The Day Old Bread rules don't seem to catch them.  

The message is posted in pastebin:  http://pastebin.com/9FhgEiwa

My scores for this are:
SpamAssassin Score: 4.71
Spam Report:
Score   Matching Rule       Description
cached
score=4.711
5 required
-0.00   BAYES_20            Bayesian spam probability is 5 to 20%
 2.50   CBJ_Dementia        Mail with dementia
 1.50   CBJ_Sicko           Disease related spam
 0.00   HTML_MESSAGE        HTML included in message
 0.72   MIME_HTML_ONLY      Message only has text/html MIME parts
-0.00   SPF_HELO_PASS       SPF: HELO matches SPF record
-0.00   SPF_PASS            SPF: sender matches SPF record
-0.01   T_RP_MATCHES_RCVD

Is there a way to reject or up the score on anything that is served up by that 
name server or registrar?  I was thinking maybe putting the rrpproxy.net 
nameserver in my dns as 127.0.0.1, on the theory that if it doesn't resolve the 
message will be rejected at the MTA level.  It would be nice to have a bit more 
control over it, just in case however.  Any pearls of wisdom?

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 
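Kevin's question above, scoring a domain by who runs its name servers, which registrar sponsors it and how old it is, as an added example that is not from the thread: it parses a whois record with the fields shown in his post and turns creation date, name-server operator and registrar ID into named score hits rather than a hard reject, since the same name servers also serve that registrar's legitimate customers. The whois text is a constructed copy of the quoted record, the two watchlists are a local policy assumption, and the creation date comes from the registry itself rather than from a list that first has to notice the domain. A real deployment would cache lookups and throttle them, because whois servers rate-limit clients and one lookup per message is too slow for an MTA.

```python
"""Scoring a sender domain by registration age and name-server operator (added example).

Parses a whois record like the one quoted in the thread, pulls out the creation
date, name servers and registrar ID, and turns them into named hits with scores
the way a SpamAssassin rule set would.  The record is a constructed copy of the
quoted fields; the watchlists are a local policy assumption, not a published list.
"""
from datetime import datetime, timezone

WHOIS_SAMPLE = """\
   Domain Name: WATTSMINDANDBODYLAB.COM
   Registrar: KEY-SYSTEMS GMBH
   Sponsoring Registrar IANA ID: 269
   Whois Server: whois.rrpproxy.net
   Name Server: NS1.RRPPROXY.NET
   Name Server: NS2.RRPPROXY.NET
   Name Server: NS3.RRPPROXY.NET
   Status: ok http://www.icann.org/epp#OK
   Creation Date: 19-feb-2015
   Expiration Date: 19-feb-2016
"""
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ")  # formats whois servers commonly emit

# Assumption: local policy derived from the thread's observation, nothing more.
NS_OPERATOR_WATCHLIST = {"rrpproxy.net"}
REGISTRAR_ID_WATCHLIST = {"269"}


def parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date {value!r}")


def parse_whois(text):
    """Extract the fields scored on; name servers accumulate, the first creation date wins."""
    info = {"name_servers": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "domain name":
            info["domain"] = value.lower()
        elif key == "name server":
            info["name_servers"].append(value.lower().rstrip("."))
        elif key == "creation date" and "created" not in info:
            info["created"] = parse_date(value)
        elif key == "sponsoring registrar iana id":
            info["registrar_id"] = value
    return info


def ns_operator(hostname):
    """Registrable part of a name-server host: ns1.rrpproxy.net -> rrpproxy.net (no public-suffix list here)."""
    return ".".join(hostname.split(".")[-2:])


def score_domain(info, now):
    """Return (total score, [(rule name, score), ...]) for one parsed record."""
    hits = []
    age_days = (now - info["created"]).days
    if age_days <= 1:
        hits.append(("DOB_REGISTERED_1D", 2.5))      # day-old bread by the registry's own date
    elif age_days <= 7:
        hits.append(("DOB_REGISTERED_7D", 1.5))
    if {ns_operator(ns) for ns in info["name_servers"]} & NS_OPERATOR_WATCHLIST:
        hits.append(("NS_OPERATOR_WATCHLIST", 1.0))  # a score, not a reject: shared infrastructure
    if info.get("registrar_id") in REGISTRAR_ID_WATCHLIST:
        hits.append(("REGISTRAR_WATCHLIST", 0.5))
    return round(sum(score for _, score in hits), 2), hits


def assess(whois_text, now_date):
    """Parse a record and score it as of now_date (a date string in one of DATE_FORMATS)."""
    info = parse_whois(whois_text)
    total, hits = score_domain(info, parse_date(now_date))
    return info["domain"], total, [name for name, _ in hits]
```

Scored on the day after registration, the quoted record collects 4.0 points from age, name-server operator and registrar together, which with the 4.71 already on the message is well past a threshold of 5; three months later the age hit is gone and the same record is worth 1.5, so a legitimate customer of that registrar is not tagged on the operator alone.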




Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Chad M Stewart

I use amavis-new and block based on file type.  My users should never get legit 
executables via email, so they are sent to a quarantine.

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',  # banned file(1) types


  # block certain double extensions in filenames
  
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,



  qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic


Which results in my admin mailbox receiving messages like the following:


 =_1424346907-90515-0
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: 7bit
 
 No viruses were found.
 
 Banned name: .exe,.exe-ms,in.exe
 Content type: Banned
 Internal reference code for the message is 90515-05/T9Uh2zuM5Ym6
 
 First upstream SMTP client IP address: [23.113.51.23]:56334
   23-113-51-23.lightspeed.irvnca.sbcglobal.net
 
 Received trace: ESMTP://[23.113.51.23]:56334
 
 Return-Path: nycs...@csis.dk
 From: nycs...@csis.dk
 Message-ID: 048678970043189683240541243784...@csis.dk
 Subject: Attention csis
 The message has been quarantined as: banned-T9Uh2zuM5Ym6
 
 The message WAS NOT relayed to:
 spamt...@ubefree.net:
250 2.7.0 ok, discarded, id=90515-05 - banned: .exe,.exe-ms,in.exe
 
 


-Chad



Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald


Am 19.02.2015 um 14:46 schrieb Chad M Stewart:

I use amavis-new and block based on file type.  My users should never get legit 
executables via email, so they are sent to a quarantine.

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
   qr'^\.(exe-ms|dll)$',   # banned file(1) types, rudimentary
   qr'^\.(exe|lha|cab|dll)$',  # banned file(1) types


   # block certain double extensions in filenames
   
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

   qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic


well, you can achieve that directly on the MTA, but that won't help in the 
case of emails containing MS Office attachments with a malicious VB script


cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = 
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x 
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) $1


(.rar because ClamAV can't scan the content on Fedora)



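To see what the two rule sets above actually stop, here is an added example, not code from either post, that transcribes Chad's amavisd-new banned_filename_re entries and Reindl's Postfix mime_header_checks rule into Python regexes and runs them over constructed sample headers. The "hardened" Postfix variant, which also accepts a quoted filename= value, is my addition: as reproduced on this page the rule has no optional quote around the value, so a header like filename="invoice.exe" passes it, and an RFC 2047 encoded name only matches once the quote is allowed for.

```python
"""Attachment-name blocking as in the amavisd-new and Postfix rules above, run in Python (added example).

Both posted rule sets decide on the declared name (amavisd-new also on the
file(1) type).  Running them over sample headers shows what they stop and what
passes: the .xlsm workbook and the .zip go through every pattern, which is the
gap the thread is about.  The patterns are transcribed from the posts; the
"hardened" Postfix variant that tolerates a quoted filename= value is my addition.
"""
import re
from email.header import decode_header, make_header

EXT = (r"(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|"
       r"hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|"
       r"scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh)")
HEAD = r"^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*?"
# Postfix pcre tables match case-insensitively by default and the posted rule uses /x, hence the flags.
POSTFIX_AS_POSTED = re.compile(HEAD + r"(.*?(\.|=2E)" + EXT + r")(?:\?=)??\s*(;|$)", re.X | re.I)
POSTFIX_HARDENED = re.compile(HEAD + r'"?(.*?(\.|=2E)' + EXT + r')(?:\?=)??"?\s*(;|$)', re.X | re.I)

# amavisd-new $banned_filename_re entries from the post.  amavisd tests them against the declared
# name and against "." plus the short file(1) type (e.g. ".exe-ms"), which is what the leading dot is for.
AMAVIS_BANNED = [
    ("file(1) type, rudimentary", re.compile(r"^\.(exe-ms|dll)$")),
    ("file(1) type", re.compile(r"^\.(exe|lha|cab|dll)$")),
    ("double extension", re.compile(
        r"^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$", re.I)),
    ("basic extension", re.compile(r".\.(exe|vbs|pif|scr|cpl)$", re.I)),
]

# Constructed sample headers; the last two are the ones every rule lets through.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename=invoice_2015.pdf.exe',
    'Content-Type: application/octet-stream; name=order.vbs',
    'Content-Disposition: attachment; filename="invoice.exe"',
    'Content-Disposition: attachment; filename="=?ISO-8859-1?Q?report=2Eexe?="',
    'Content-Disposition: attachment; filename=Payment_Advice.xlsm',
    'Content-Disposition: attachment; filename=documents.zip',
]


def declared_name(header_line):
    """The filename the mail client would show: the raw value with any RFC 2047 encoded word decoded."""
    raw = re.search(r'name="?([^";]+)', header_line).group(1)
    return str(make_header(decode_header(raw)))


def amavis_verdict(name_or_type):
    """Label of the first amavisd pattern that bans this declared name or file(1) type, else None."""
    for label, pattern in AMAVIS_BANNED:
        if pattern.search(name_or_type):
            return label
    return None


def postfix_verdict(header_line, hardened=False):
    """The $1 capture Postfix would print in its REJECT text, or None if the header passes."""
    m = (POSTFIX_HARDENED if hardened else POSTFIX_AS_POSTED).search(header_line)
    return m.group(1) if m else None


def run_samples():
    """One row per sample: (decoded name, amavisd verdict, Postfix as posted, Postfix hardened)."""
    rows = []
    for header in SAMPLE_HEADERS:
        name = declared_name(header)
        rows.append((name, amavis_verdict(name), postfix_verdict(header), postfix_verdict(header, hardened=True)))
    return rows
```

The two rows that pass every rule, Payment_Advice.xlsm and documents.zip, are the point: name-based rules stop a renamed .exe and a double extension, but they say nothing about what is inside a workbook or an archive. The RFC 2047 row is worth keeping in a test set too, because amavisd decodes the encoded word before matching while a header_checks rule sees the raw header, which is why the Postfix rule has the =2E alternative at all.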


Backup of bayes database failed

2015-02-19 Thread Olivier CALVANO
Hi

I want to back up the bayes database of my SpamAssassin server, but it is impossible.

On all servers, it finishes with:

locker: safe_unlock: lock on /var/spool/spamassassin/bayes.lock was lost
due to expiry at
/usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Locker/UnixNFSSafe.pm
line 200.


and the backup.txt file stops at:
-rw-r--r-- 1 root root 1563977214 2015-02-19 09:18 backup.txt

ll /var/spool/spamassassin/
-rw-rw-rw- 1 qscand qscand      74568 2015-02-19 09:26 bayes_journal
-rw-rw-rw- 1 root   root   2749222912 2015-02-19 09:25 bayes_seen
-rw-rw-rw- 1 qscand qscand    4636672 2015-02-19 09:25 bayes_toks


I want to export it, to import it afterwards on a new server with an SQL database.


Does anyone know this problem?
regards
olivier


Re: Backup of bayes database failed

2015-02-19 Thread RW
On Thu, 19 Feb 2015 09:27:12 +0100
Olivier CALVANO wrote:

 Hi
 
 I want to back up the bayes database of my SpamAssassin server, but
 it is impossible.
 
 On all servers, it finishes with:
 
 locker: safe_unlock: lock on /var/spool/spamassassin/bayes.lock was
 lost due to expiry at
 /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/Locker/UnixNFSSafe.pm
 line 200.
 
 
 and the backup.txt file stops at:
 -rw-r--r-- 1 root root 1563977214 2015-02-19 09:18 backup.txt
 
 ll /var/spool/spamassassin/
 -rw-rw-rw- 1 qscand qscand      74568 2015-02-19 09:26 bayes_journal
 -rw-rw-rw- 1 root   root   2749222912 2015-02-19 09:25 bayes_seen
 -rw-rw-rw- 1 qscand qscand    4636672 2015-02-19 09:25 bayes_toks
 
I'm guessing the problem is due to the huge size of bayes_seen. You
could try copying the bayes_toks to a new location and dumping that.
bayes_seen is only needed for reversing the training of mistrained mail.


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Matteo Dessalvi

Hello.

I am just curious, since I am using SaneSecurity
signatures too.

According to: http://sanesecurity.com/usage/signatures/
some of the lists you mentioned have been classified
with 'medium' to 'high' risk of false positives:

foxhole_*
spear / spearl

Did you not get into trouble with those ones?

Regards,
   Matteo

On 19.02.2015 15:46, Reindl Harald wrote:


Am 19.02.2015 um 15:43 schrieb David F. Skoll:

On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]

spreadsheet with a macro virus in it.  ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?



Useless? Are you using the third-party patterns?


No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me


looks like you are using the wrong ones
no problems with these ones

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb



Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald



Am 19.02.2015 um 16:13 schrieb Matteo Dessalvi:

I am just curious, since I am using SaneSecurity
signatures too.

According to: http://sanesecurity.com/usage/signatures/
some of the lists you mentioned have been classified
with 'medium' to 'high' risk of false positives:

foxhole_*
spear / spearl

Did you not get into trouble with those ones?


no, ClamAV doesn't see much mail at all because clamav-milter runs 
after spamass-milter and the filters in front kill 99% at the 
envelope stage


Blocked:        204540
SpamAssassin:     3292
Virus:              68

the foxhole ones are classified as 'high' because they don't care if it is a 
virus at all; they unpack the archive and reject unconditionally if there is 
a file with a blocked extension



On 19.02.2015 15:46, Reindl Harald wrote:


Am 19.02.2015 um 15:43 schrieb David F. Skoll:

On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]

spreadsheet with a macro virus in it.  ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?



Useless? Are you using the third-party patterns?


No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me


looks like you are using the wrong ones
no problems with these ones

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb






Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Dave Funk

On Thu, 19 Feb 2015, Reindl Harald wrote:

well, you can achieve that directly on the MTA, but that won't help in the case of 
emails containing MS Office attachments with a malicious VB script


cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = 
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x 
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) $1


(.rar because ClamAV can't scan the content on Fedora)


Is that a politically inspired limitation? If you build ClamAV from source
it can scan RAR.

--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald


Am 19.02.2015 um 15:43 schrieb David F. Skoll:

On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]

spreadsheet with a macro virus in it.  ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?



Useless? Are you using the third-party patterns?


No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me


looks like you are using the wrong ones
no problems with these ones

blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
crdfam.clamav.hdb
foxhole_all.cdb
foxhole_filename.cdb
foxhole_generic.cdb
malwarehash.hsb
phish.ndb
phishtank.ndb
rogue.hdb
sanesecurity.ftm
scamnailer.ndb
scam.ndb
sigwhitelist.ign2
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_extended_malware.hdb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb





Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Dave Funk

On Thu, 19 Feb 2015, David F. Skoll wrote:


On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart c...@balius.com wrote:


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


I thought that ClamAV knew how to unpack zip/rar/tar/gzip/etc...
and scan the cruft inside them.

Are you saying that doesn't work or are you saying that the malware is
mutating fast enough that the ClamAV signatures aren't keeping up with it?
If the latter case, is there -any- AV kit that is?
Are the Sanesecurity add-in ClamAV signatures helpful?

--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Alex Regan

Hi,


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


if you have enough trap traffic, MD5 hashes & clamav signatures is a
quick and dirty way of detecting them.

also, Sophos is taking care of them, real nicely.


I'm interested in knowing if you're running Sophos on fedora/centos with 
amavisd?


I used it years ago with sophie, but have been out-of-touch, and lost 
track of how to get it going these days.


Off-topic, I guess, but if anyone has any pointers on how to integrate 
sophos and clamav with amavisd on fedora, I'd be very appreciative. 
Googling only reveals ancient sources.


Thanks,
Alex


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread David F. Skoll
On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart c...@balius.com wrote:

 I use amavis-new and block based on file type.  My users should never
 get legit executables via email, so they are sent to a quarantine.

Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?

Regards,

David.
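David's case above, a zip holding an Excel workbook with a macro, and Reindl's description of what the foxhole signatures do (unpack the archive and reject on a blocked extension inside), done by hand in Python as an added example that is not from the thread. A .zip or .xlsm name passes every extension rule posted here, so the check below looks inside instead: zip members are tested against a banned-extension list the way foxhole does, and any Office Open XML package (itself a zip) is tested for the xl/vbaProject.bin or word/vbaProject.bin part that holds VBA code. All the sample attachments are built in memory from placeholder bytes; the banned-extension set, the nesting limit and the size cap are my assumptions. Legacy binary .xls/.doc files keep their macros in an OLE2 compound file instead and are not covered.

```python
"""Looking inside attachments instead of at their names (added example, not from the thread).

Walks an attachment recursively: zip members are checked against a banned
extension list as the SaneSecurity foxhole signatures do, and any Office Open
XML document (itself a zip) is checked for the vbaProject.bin part that holds
VBA code.  All samples are built in memory from placeholder bytes.
"""
import io
import zipfile

BANNED_EXT = {"exe", "vbs", "vbe", "js", "jse", "wsf", "hta", "scr", "pif", "cmd", "bat", "cpl", "ps1"}
MAX_DEPTH = 3                        # nesting limit: do not unpack forever on archive-in-archive bombs
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate a member that claims to be huge


def extension(path):
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect(name, data, depth=0):
    """Return [(path, reason), ...] for one attachment blob, descending into zips."""
    findings = []
    if extension(name) in BANNED_EXT:
        findings.append((name, "banned extension"))
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        if "[Content_Types].xml" in members:  # Office Open XML package (docx/xlsx/pptx and macro variants)
            for member in members:
                if member.lower().endswith("vbaproject.bin"):
                    findings.append((f"{name}/{member}", "VBA macro project"))
            return findings                   # its parts are not attachments in their own right
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((f"{name}/{info.filename}", "oversize member, not inspected"))
                continue
            findings.extend(inspect(f"{name}/{info.filename}", zf.read(info), depth + 1))
    return findings


def zip_bytes(entries):
    """Build a zip in memory from {member name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, payload in entries.items():
            zf.writestr(member, payload)
    return buf.getvalue()


def build_samples():
    """Constructed attachments: a macro workbook in a zip, a clean workbook, photos, a renamed script."""
    office = {"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}
    macro_xlsm = zip_bytes({**office, "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, no real VBA"})
    return {
        "Invoice_0219.zip": zip_bytes({"Invoice_0219.xlsm": macro_xlsm}),
        "Q1_budget.xlsx": zip_bytes(office),
        "photos.zip": zip_bytes({"holiday/IMG_001.jpg": b"\xff\xd8 not a real jpeg", "holiday/readme.txt": b"hi"}),
        "scan.zip": zip_bytes({"scan.pdf.exe": b"MZ not a real executable"}),
    }


def scan_all(samples):
    """Map attachment name -> findings for every sample."""
    return {name: inspect(name, data) for name, data in samples.items()}
```

The macro workbook is reported even though neither the outer .zip nor the inner .xlsm name is on any banned list, and the clean .xlsx is not, which is the difference between this and a filename rule. Whether a finding is a reject, a quarantine or just a score is policy; the nesting and size limits are not optional, because an attacker controls how deep and how large the archive is.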


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Axb

On 02/19/2015 03:24 PM, David F. Skoll wrote:

On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart c...@balius.com wrote:


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


if you have enough trap traffic, MD5 hashes & clamav signatures is a 
quick and dirty way of detecting them.


also, Sophos is taking care of them, real nicely.




Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread David F. Skoll
On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan mysqlstud...@gmail.com wrote:

[David Skoll]
  spreadsheet with a macro virus in it.  ClamAV is essentially
  useless at detecting viruses, so it's a real problem... any ideas?

 Useless? Are you using the third-party patterns?

No, because when I tried some of them, there were an unacceptably
high number of FPs.  I tried tweaking various sets of Sane Security
signatures and they didn't work well for me.

 Just not responsive enough or doesn't have the technology to catch
 today's threats?

It's not responsive enough.  And I don't mean to pick on ClamAV;
these macro viruses are slipping past a lot of signature-based AV products.

 What are the threats it doesn't catch?

Pretty much 99% of the malware passing through our relays (mostly
macro viruses nowadays.)

Regards,

David.


Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Alex Regan

Hi,


I use amavis-new and block based on file type.  My users should never
get legit executables via email, so they are sent to a quarantine.


Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


Useless? Are you using the third-party patterns? You think it's useless 
using those as well? Just not responsive enough or doesn't have the 
technology to catch today's threats?


What are the threats it doesn't catch?

Thanks,
Alex





Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Reindl Harald


Am 19.02.2015 um 15:47 schrieb Dave Funk:

On Thu, 19 Feb 2015, Reindl Harald wrote:


well, you can achieve that directly on the MTA, but that won't help in
the case of emails containing MS Office attachments with a malicious VB
script

cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
\s*?(.*?(\.|=2E)(386|acm|ade|adp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)??\s*(;|$)/x
REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) $1

(.rar because ClamAV can't scan the content on Fedora)


Is that a politically inspired limitation?


you can call it political; I blame the authors, like the license change 
of JSON (https://bugs.php.net/bug.php?id=63520)

https://fedoraproject.org/wiki/Licensing:Unrar?rd=Licensing/Unrar


If you build ClamAV from source it can scan RAR


I already build enough packages and my day has only 24 hours








Re: Recent spate of Malicious VB attachments II

2015-02-19 Thread Benny Pedersen
On February 19, 2015 3:26:00 PM David F. Skoll d...@roaringpenguin.com 
wrote:



Unfortunately, we're finding those simple-minded rules are running out
of gas. :(  We've seen a zip file containing an Excel spreadsheet
with a macro virus in it.  ClamAV is essentially useless at detecting
viruses, so it's a real problem... any ideas?


clamav foxhole rules, then in amavisd map this signature to spam or however the end 
user wants it; the problem is that amavisd is not a virus scanner, but a good 
interface to clamav :)