I've seen a bunch of supposedly encrypted RTF files slip through today.
The message body is typical spam, telling the user to open the important
file, but the message also tells the user the password for the file.  I think
these are created using Office's password protection feature and either
renamed as RTF or saved as such (I didn't think you could do that).


Any chance that AFC can block these?

I didn't dare open a sample in Word, but I did inspect the file and see
this block towards the bottom:

<dataIntegrity
encryptedHmacKey="fgNjkbaoZe/R57CgZGuXNbVgkS3W+hN9AIn8Bfxo6qMRtjYe1YaOVCuJPrvlv09jssa4FPC9ibrjP3TcVaUhpg=="
encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/><keyEncryptors><keyEncryptor
uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><p:encryptedKey
spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64"
cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
hashAlgorithm="SHA512" saltValue="1bTPB9+6jWsKar2JVCGrzQ=="
encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/></keyEncryptor></keyEncryptors></encryption>

VirusTotal has zero hits on the samples that I submitted, but if they're
encrypted, that explains why...

I just want to block ANY incoming encrypted document, including Office
documents.
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
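
A sketch of the check the post asks for, added here as an example (it is not part of the original message and is not ASSP or AFC code): it flags an attachment as a password-protected Office container from its raw bytes, whatever the file extension claims. The function name `inspect_attachment` is hypothetical, the sample bytes are constructed, and only the container shape shown in the post is covered.

```python
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE compound file header
RTF_MAGIC = b"{\\rtf"                            # what a real RTF starts with
# Stream names are stored as UTF-16LE in the compound file directory.
STREAMS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]
PASSWORD_URI = b"http://schemas.microsoft.com/office/2006/keyEncryptor/password"
ATTR = re.compile(rb'(spinCount|keyBits|cipherAlgorithm|hashAlgorithm)="([^"]*)"')

def inspect_attachment(filename, data):
    """Heuristic verdict for one attachment (hypothetical helper)."""
    is_ole = data.startswith(OLE_MAGIC)
    has_streams = all(name in data for name in STREAMS)
    start = data.find(b"<keyEncryptors")
    has_descriptor = start != -1 and PASSWORD_URI in data
    params = {}
    if has_descriptor:
        # Read the password key-encryptor parameters, as seen in the post.
        for key, value in ATTR.findall(data[start:]):
            params[key.decode()] = value.decode("ascii", "replace")
    return {
        # The descriptor may be fragmented on disk, so either signal counts.
        "encrypted": is_ole and (has_streams or has_descriptor),
        # Named .rtf but the content is not RTF at all.
        "extension_mismatch": filename.lower().endswith(".rtf")
                              and not data.lstrip().startswith(RTF_MAGIC),
        "params": params,
    }

# Constructed sample: container header, stream names and a descriptor with
# the parameter values quoted in the post (key material replaced).
SAMPLE_DESCRIPTOR = (
    b'<encryption><keyData cipherAlgorithm="AES" hashAlgorithm="SHA512"/>'
    b'<keyEncryptors><keyEncryptor uri="' + PASSWORD_URI + b'">'
    b'<p:encryptedKey spinCount="100000" keyBits="256" cipherAlgorithm="AES" '
    b'hashAlgorithm="SHA512" saltValue="PLACEHOLDER"/>'
    b'</keyEncryptor></keyEncryptors></encryption>')
SAMPLE_ENCRYPTED = (OLE_MAGIC + b"\0" * 504 + STREAMS[0] + b"\0" * 100
                    + STREAMS[1] + b"\0" * 100 + SAMPLE_DESCRIPTOR)
SAMPLE_RTF = b"{\\rtf1\\ansi Hello}"

if __name__ == "__main__":
    print(inspect_attachment("invoice.rtf", SAMPLE_ENCRYPTED))
    print(inspect_attachment("note.rtf", SAMPLE_RTF))
```

Matching on the container rather than the extension catches the renamed-to-RTF case; a high `spinCount` in `params` also explains why scanners cannot simply look inside without the password.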