[Assp-test] ClamAV and ASSP: Scan entire message?

2016-10-18 Thread K Post
With AFC enabled, should ClamAV be scanning the entire message, i.e. header and
body including attachments, or is it just scanning attachments?

I've had files blocked with SaneSecurity sigs, but these tests:
http://sanesecurity.com/support/signature-testing/ ALL slip through.
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread K Post
Thanks Bob for this research.  We should be safe, even if a user opened it
here, but yeah, it's possible that we wouldn't be.

So the question remains, can we get AFC modified to reject
encrypted/password protected Office documents - or RTF office files -
altogether?  The reasoning is the same as rejecting encrypted zip files.


On Tue, Oct 18, 2016 at 3:24 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> Ok, thanks to Doug and Ken for sending me a sample.
>
> This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS")
> and then connects to server(s) to download additional Malware, if the
> user opens it, enters the password (and has a version of Word that
> recognizes it) and then enables macros.  I'd like to think that series
> of events is unlikely, but I know better.
>
> Some IPs I saw this system connected to on my firewall.  Some of these
> may be legit and not malware related (this is a re-imaged system and
> Office was trying to activate.)
>
> 23.35.18.164
> 8.253.32.142
> 184.51.112.8
> 184.51.112.154
> 13.107.4.50
> 184.51.112.8
> 134.170.53.30
> 23.96.212.225
> 191.237.218.239
> 23.96.212.225
>
>
> I haven't seen this thing hitting my mail server yet.
>
>
> - Bob


Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Robert K Coffman Jr. -Info From Data Corp.
Ok, thanks to Doug and Ken for sending me a sample.

This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS") 
and then connects to server(s) to download additional Malware, if the 
user opens it, enters the password (and has a version of Word that 
recognizes it) and then enables macros.  I'd like to think that series 
of events is unlikely, but I know better.

Some IPs I saw this system connected to on my firewall.  Some of these
may be legit and not malware related (this is a re-imaged system and
Office was trying to activate.)

23.35.18.164
8.253.32.142
184.51.112.8
184.51.112.154
13.107.4.50
184.51.112.8
134.170.53.30
23.96.212.225
191.237.218.239
23.96.212.225


I haven't seen this thing hitting my mail server yet.


- Bob



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread K Post
We are using up to date clamav sigs.  The problem is that these files are
encrypted so they're not being detected.

On Tue, Oct 18, 2016 at 11:19 AM, Grayhat wrote:

> :: On Tue, 18 Oct 2016 10:27:10 -0400
> :: K Post wrote:
>
> > VirusTotal has zero hits on the samples that I submitted, but if
> > they're encrypted, that explains why...
>
> I suppose that, since you're talking (ok, writing) about AFC, you're
> running ClamAV; now... are you using the extra signatures available
> from SaneSecurity? I'm referring to
>
> http://sanesecurity.com/usage/signatures/
>
> To use them you'll need to schedule one of the update scripts available
> on Steve's (sanesecurity) site, depending on your OS, to ensure your
> ClamAV will also use updated "extra" signatures; then, in case the AV
> doesn't catch the critters, you may submit samples to Steve and he'll
> add signatures on the fly so that you'll have them available in a
> really short time :)


Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Grayhat
:: On Tue, 18 Oct 2016 17:19:55 +0200
:: <20161018171955.3...@gmx.net>
:: Grayhat  wrote:

> :: On Tue, 18 Oct 2016 10:27:10 -0400
> :: K Post wrote:
> 
> > VirusTotal has zero hits on the samples that I submitted, but if
> > they're encrypted, that explains why...  
> 
> I suppose that, since you're talking (ok, writing) about AFC, you're
> running ClamAV; now... are you using the extra signatures available
> from SaneSecurity? I'm referring to
>
> http://sanesecurity.com/usage/signatures/
>
> To use them you'll need to schedule one of the update scripts
> available on Steve's (sanesecurity) site, depending on your OS, to
> ensure your ClamAV will also use updated "extra" signatures; then, in
> case the AV doesn't catch the critters, you may submit samples to
> Steve and he'll add signatures on the fly so that you'll have them
> available in a really short time :)

Forgot; since I'm at it, Thomas, if you're reading this, please have a
look at the script found here

http://sanesecurity.com/statistics/

I think it may be "added" to ASSP to generate AV stats ;-)



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Doug Lytle
>>> On Oct 18, 2016, at 11:20 AM, K Post nntp.p...@gmail.com wrote:
>>> Doug,
>>> So you're seeing this too!  Did it just start this morning?

Yes, and that it did.

Doug



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Grayhat
:: On Tue, 18 Oct 2016 10:27:10 -0400
:: K Post wrote:

> VirusTotal has zero hits on the samples that I submitted, but if
> they're encrypted, that explains why...

I suppose that, since you're talking (ok, writing) about AFC, you're
running ClamAV; now... are you using the extra signatures available
from SaneSecurity? I'm referring to

http://sanesecurity.com/usage/signatures/

To use them you'll need to schedule one of the update scripts available
on Steve's (sanesecurity) site, depending on your OS, to ensure your
ClamAV will also use updated "extra" signatures; then, in case the AV
doesn't catch the critters, you may submit samples to Steve and he'll
add signatures on the fly so that you'll have them available in a
really short time :)



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Doug Lytle
>>> On Oct 18, 2016, at 11:12 AM, K Post nntp.p...@gmail.com wrote:

>>> organizations (some really big ones too) are seeing this on their mail
>>> systems this morning too.

I took the hammer approach and temporarily put it in the blocked attachment 
list.

Doug



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread cw
Can you stick it in bombRe for now to deal with it?

On Tue, Oct 18, 2016 at 3:50 PM, K Post wrote:

> We're getting slammed with these now.  All of the files have
> <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in
> them.   Can we block based on content of a file??
>
> I'm guessing this is a new Locky, but now encrypted so scanners don't catch
> them.
>
> On Tue, Oct 18, 2016 at 10:27 AM, K Post wrote:
>
> > I've seen a bunch of supposedly encrypted RTF files slip through today.
> > The message body is typical spam, telling the user to open the important
> > file, but the message also tells the user the password for the file.  I think
> > these are created using Office's password protection feature and either
> > renamed as RTF or saved as such (I didn't think you could do that).
> >
> >
> > Any chance that AFC can block these?
> >
> > I didn't dare open a sample in Word, but I did inspect the file and see
> > this block towards the bottom:
> >
> > ... encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/>
> > <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
> > <p:encryptedKey spinCount="10" saltSize="16" blockSize="16" keyBits="256" hashSize="64"
> > cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"
> > saltValue="1bTPB9+6jWsKar2JVCGrzQ==" encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
> > encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
> > encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/>
> > </keyEncryptor>
> >
> > VirusTotal has zero hits on the samples that I submitted, but if they're
> > encrypted, that explains why...
> >
> > I just want to block ANY incoming encrypted document, including Office
> > documents.
> >


Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread K Post
We're getting slammed with these now.  All of the files have
<keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in
them.   Can we block based on content of a file??

I'm guessing this is a new Locky, but now encrypted so scanners don't catch
them.

On Tue, Oct 18, 2016 at 10:27 AM, K Post wrote:

> I've seen a bunch of supposedly encrypted RTF files slip through today.
> The message body is typical spam, telling the user to open the important
> file, but the message also tells the user the password for the file.  I think
> these are created using Office's password protection feature and either
> renamed as RTF or saved as such (I didn't think you could do that).
>
>
> Any chance that AFC can block these?
>
> I didn't dare open a sample in Word, but I did inspect the file and see
> this block towards the bottom:
>
> ... encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/>
> <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
> <p:encryptedKey spinCount="10" saltSize="16" blockSize="16" keyBits="256" hashSize="64"
> cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"
> saltValue="1bTPB9+6jWsKar2JVCGrzQ==" encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
> encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
> encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/>
> </keyEncryptor>
>
> VirusTotal has zero hits on the samples that I submitted, but if they're
> encrypted, that explains why...
>
> I just want to block ANY incoming encrypted document, including Office
> documents.
>
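The content-based check K Post asks for in the two messages above (block an attachment because it is an encrypted Office document, regardless of its extension), written as an added example; it is not code from this thread, from ASSP or from the AFC plugin. It relies on two facts about Office's file format that the quoted XML fragment shows: an Office document protected with a password is not a zip any more but an OLE2 compound file carrying an "EncryptionInfo" and an "EncryptedPackage" stream, and the EncryptionInfo XML names the password key encryptor by the URI quoted in the thread. The function and stream-name constants below are this example's own; the sample byte strings are constructed for the test and contain no real document.

```python
import re

# Leading bytes of the three containers that matter here.  A password-protected OOXML
# file is an OLE2 compound file (Office wraps the encrypted zip in it), a plain .docx is
# a zip, and a genuine RTF file starts with the {\rtf control word.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"
RTF_MAGIC = b"{\\rtf"

# OLE2 directory entry names are stored as UTF-16LE, so the stream names must be
# searched for in that encoding, not as ASCII.
ENCRYPTION_INFO_STREAM = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE_STREAM = "EncryptedPackage".encode("utf-16-le")

# The password key-encryptor URI quoted in the thread.  The EncryptionInfo XML is ASCII.
PASSWORD_KEY_ENCRYPTOR = b"schemas.microsoft.com/office/2006/keyEncryptor/password"

# Pull the attributes off the <p:encryptedKey .../> element for triage output.
ENCRYPTED_KEY_RE = re.compile(rb"<(?:\w+:)?encryptedKey\b([^>]*)>")
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def sniff_container(data: bytes) -> str:
    """Classify an attachment by its leading bytes, never by its file extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def summarize_encryption(data: bytes):
    """Return the encryptedKey attributes (cipher, key size, KDF rounds) or None."""
    m = ENCRYPTED_KEY_RE.search(data)
    if not m:
        return None
    return {k.decode(): v.decode() for k, v in ATTR_RE.findall(m.group(1))}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be rejected as an encrypted Office document.

    Every reason is recorded so the rejection can be logged and explained.
    """
    container = sniff_container(data)
    reasons = []
    if container == "ole2" and (ENCRYPTION_INFO_STREAM in data
                                or ENCRYPTED_PACKAGE_STREAM in data):
        reasons.append("ole2-encryption-streams")
    if PASSWORD_KEY_ENCRYPTOR in data:
        reasons.append("password-keyencryptor")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "rtf" and container != "rtf":
        # The "RTF" files in the thread are Office containers renamed to .rtf.
        reasons.append("extension-mismatch:" + container)
    return {"container": container, "block": bool(reasons), "reasons": reasons,
            "encryption": summarize_encryption(data)}


# Constructed samples for the test: just enough bytes to exercise each branch.
# The base64 values are placeholders, not taken from any real document.
SAMPLE_ENCRYPTED_OLE2 = (
    OLE2_MAGIC + b"\x00" * 24
    + ENCRYPTION_INFO_STREAM + b"\x00" * 4
    + ENCRYPTED_PACKAGE_STREAM + b"\x00" * 4
    + b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption">'
    + b'<keyEncryptors>'
    + b'<keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
    + b'<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" '
    + b'hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" '
    + b'hashAlgorithm="SHA512" saltValue="c2FsdA==" encryptedVerifierHashInput="dmVy" '
    + b'encryptedVerifierHashValue="aGFzaA==" encryptedKeyValue="a2V5"/>'
    + b'</keyEncryptor></keyEncryptors></encryption>'
)
SAMPLE_PLAIN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"
SAMPLE_PLAIN_DOCX = ZIP_MAGIC + b"\x14\x00\x00\x00" + b"[Content_Types].xml"


if __name__ == "__main__":
    for name, blob in [("invoice_1234.rtf", SAMPLE_ENCRYPTED_OLE2),
                       ("notes.rtf", SAMPLE_PLAIN_RTF),
                       ("report.docx", SAMPLE_PLAIN_DOCX)]:
        print(name, inspect_attachment(name, blob))
```

The check is deliberately independent of the antivirus verdict: a signature scanner cannot see inside the EncryptedPackage stream, which is exactly why VirusTotal and ClamAV return nothing, but the encryption metadata itself is in the clear and is enough to apply the same policy already used for encrypted zip files. Blocking on the OLE2 stream names alone would also catch legacy (non-agile) Office encryption, which lacks the keyEncryptor XML.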


[Assp-test] Senderbase Top Senders by IP useful info to ASSP?

2016-10-18 Thread K Post
Any value in using Senderbase's top senders by IP (assuming there's an API
or other method to access this info)?

http://www.senderbase.org/static/email/#tab=1

I've been thinking about looking at the top 100 senders for the day, only
considering the POOR reputation ones and having ASSP score that.

Senderbase in general is a great resource, but when you have shared
providers like Amazon AWS, who anyone can send from, it would be nice to
have Senderbase's opinion of the IP itself.  We could score the   Sure, we
already have DNSBL, but this would be another score to consider.

Or maybe I'm really just getting at using a senderbase poor reputation as a
scoring factor for ASSP vs only looking at the top senders:
http://www.senderbase.org/lookup/ip/?search_string=52.38.45.34
shows this specific IP as poor, really poor considering the increase in
volume, but AFAIK ASSP won't use that info unless that IP or AmazonAWS is
in BlackSenderbase right??

All of this of course is a moot point if ASSP can't access this info via a
DNS query or some other method.