Follow the link.
https://isc.sans.edu/diary/Locky%3A+JavaScript+Deobfuscation/20749
What ASSP sees, and what is every time the same, is the first example. Even
the first yellow statement can vary. The statements
'string.prototype.'
and
'charAt'
are both used in all these virus variants.
Currently ASSP_AFC uses an 'OR' logic for both statements. This can be
changed to an 'AND' logic - but I think this would not help, because both
statements are most times used together.
Thomas
From: "Robert K Coffman Jr. -Info From Data Corp."
<bcoff...@infofromdata.com>
To: assp-test@lists.sourceforge.net
Date: 01.08.2017 15:06
Subject: Re: [Assp-test] Attachment from "good" list blocked
Thanks Thomas.
I agree with you. I would remove the killswitch from future versions of
the plugin.
I audited the last month of logs, and I found 11 domains for which this
locky test was triggered. All of them are financial companies like
banks and mortgage lenders. I did not find any that appeared to
actually be malicious, although it is possible, but unlikely, that some
may have spoofed the domains in question. I'd have to audit every
single email to be sure. One is a major bank, the rest are regional or
even local. They seem to be using a common (shared, not popular)
mechanism for sending secured emails that involves these html files with
embedded js.
My mail server is small (7700 emails/day) but it seems to me that I
should be seeing this test be triggered for email outside of the course
of normal business, but I am not.
I'm going to try to get samples of these attachments so we can see if
there is a way to fine tune this check.
- Bob
On 7/31/2017 11:09 AM, Thomas Eckardt wrote:
> >I've added it to "good" and I'll see what happens.
>
> Nothing changes! There is no 'good' check for executable attachments and
> embedded executable JS code.
>
> I released ASSP_AFC 4.56. It contains such a killswitch (general switch
> off). It is hidden AND IT IS NONSENSE to use it.
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
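The 'OR' versus 'AND' question from Thomas's message, and Bob's audit of which sender domains trip the check, as an added example that is not ASSP_AFC's own code: a small scan of inline <script> blocks in HTML attachments for the two indicators, run over constructed samples. Case-insensitive matching, the sample HTML and the sender domains are assumptions made for the illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The two indicators named in the thread as common to the Locky HTML/JS variants.
# Matched case-insensitively here (an assumption; ASSP_AFC's exact matching is not shown).
INDICATORS = ("string.prototype.", "charat")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def indicator_hits(html: str) -> set:
    """Return which indicators occur inside any inline <script> block."""
    js = "\n".join(SCRIPT_RE.findall(html)).lower()
    return {ind for ind in INDICATORS if ind in js}


def is_flagged(html: str, logic: str = "OR") -> bool:
    """OR: any indicator present (ASSP_AFC's current behaviour per the thread).
    AND: every indicator present (the alternative Thomas considers)."""
    hits = indicator_hits(html)
    return len(hits) == len(INDICATORS) if logic == "AND" else bool(hits)


def audit(messages: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Like Bob's log audit: which sender domains trip the check under each logic."""
    flagged = {"OR": set(), "AND": set()}
    for sender_domain, html in messages:
        for logic in flagged:
            if is_flagged(html, logic):
                flagged[logic].add(sender_domain)
    return {logic: sorted(domains) for logic, domains in flagged.items()}


# Constructed samples. The first mimics a secure-mail HTML wrapper that legitimately
# extends String.prototype and uses charAt, so it trips OR and AND alike.
SECURE_MAIL = """<html><body><p>Open your secured message</p>
<script>
String.prototype.rev = function () {
  var out = "";
  for (var i = this.length - 1; i >= 0; i--) out += this.charAt(i);
  return out;
};
</script></body></html>"""
NEWSLETTER = '<html><body><script>var c = location.hash.charAt(1);</script></body></html>'
PLAIN = "<html><body><p>Hello</p></body></html>"
SAMPLES = [("bank.example", SECURE_MAIL), ("news.example", NEWSLETTER), ("shop.example", PLAIN)]
```

Running audit(SAMPLES) shows that 'AND' drops only the single-indicator newsletter and still flags the secure-mail wrapper, which is why Thomas expects the 'AND' change not to help.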