Re: Macro virus fun

2016-04-07 Thread Matt Garretson
On 4/6/2016 3:23 PM, Alex wrote:
> Can you tell us more about the OLE2 result, and how you obtained it
> from clamav, in hopes I could do something similar with amavis?

IIRC, all you have to do is make sure your clamd.conf includes
these two settings:

ScanOLE2 yes
OLE2BlockMacros yes

Then, according to the clamd.conf manpage, 'OLE2 files with VBA
macros, which were not detected by signatures will be marked as
"Heuristics.OLE2.ContainsMacros".'

Since I call clam from mimedefang, I just pattern-match for that hit
string and act accordingly.

We are getting a bit OT from SA, but hopefully that can help you get going.
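As an added illustration of the decision logic Matt describes (not his mimedefang filter, which is Perl, and not anything from the clamav or bogofilter projects), here is a Python version that parses a clamd "FOUND" line and a bogofilter X-Bogosity header and decides what to do; the threshold, the lure patterns and the sample inputs are constructed for the example.

```python
import re

# Constructed sample inputs, shaped like what mimedefang would see from
# clamd (INSTREAM response) and from bogofilter's header.
CLAMD_RESULT = "stream: Heuristics.OLE2.ContainsMacros FOUND"
BOGOFILTER_HDR = "X-Bogosity: Unsure, tests=bogofilter, spamicity=0.72, version=1.2.4"

# Name clamd reports with ScanOLE2/OLE2BlockMacros when VBA macros are present
# but no signature matched.
MACRO_HIT = "Heuristics.OLE2.ContainsMacros"
# Hypothetical subject patterns for the invoice-themed lures the thread mentions.
LURE_PATTERNS = [re.compile(p, re.I) for p in (r"\binvoice\b", r"\bremittance\b")]


def clamd_verdict(line):
    """Parse a 'name: SIGNATURE FOUND' or 'name: OK' clamd line.
    Returns the signature name, or None when nothing was found."""
    m = re.match(r"^[^:]+: (.+) FOUND$", line.strip())
    return m.group(1) if m else None


def spamicity(header):
    """Extract bogofilter's spamicity (0.0..1.0) from an X-Bogosity header."""
    m = re.search(r"spamicity=([0-9.]+)", header)
    return float(m.group(1)) if m else 0.0


def decide(clamd_line, bogo_header, subject, unsure_threshold=0.5):
    """Return 'reject', 'quarantine' or 'deliver'.
    A real signature hit is rejected outright; the macro heuristic alone is
    not proof (legitimate vendors send macro documents), so it is combined
    with the bogofilter score and a lure pattern before quarantining."""
    sig = clamd_verdict(clamd_line)
    if sig is None:
        return "deliver"
    if sig != MACRO_HIT:
        return "reject"
    lure = any(p.search(subject) for p in LURE_PATTERNS)
    if spamicity(bogo_header) >= unsure_threshold or lure:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    print(decide(CLAMD_RESULT, BOGOFILTER_HDR, "Your invoice"))  # quarantine
```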




Re: Macro virus fun

2016-04-07 Thread David B Funk

On Wed, 6 Apr 2016, Alex wrote:


> Hi,
>
> On Wed, Apr 6, 2016 at 3:12 AM,   wrote:
>
>> Alex wrote on 2016-04-06 02:40:
>>
>>> http://pastebin.com/FTzbQcHb
>>>
>>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>>> but it's apparently not something that spamassassin can manipulate
>>
>> change clamd to block this mail, or score this with a higher score in
>> amavisd, but blocking only makes sense if you use amavisd-milter so it would
>> reject if it contains macros, here i just use clamav-milter not amavisd
>>
>> it's not spam, it's really malware, handling it as such is suggested
>
> This one may be spam/malware, but the vast majority of them are not.
> Blocking all files with macros is an obvious solution, but not a good
> one.
>
> Is it even possible to use SA to create a rule based on whether it
> contains an attachment that has macros? At least then we could create
> more aggressive meta rules.


FWIW,

Your example hits on the Sanesecurity custom ClamAV defs (specifically 
Sanesecurity.Badmacro.Doc.objl.UNOFFICIAL).


I have two instances of ClamAV running;

 One with just the stock defs from ClamAV which I use in a front-end milter to 
outright SMTP-reject any detected viri.


 The second has all the algorithmic, PUAs, etc bells-&-whistles activated plus
a full set of 3rd party "unofficial" defs (Sanesecurity, winnow, bofhland,
etc) that is just used thru the SA Clamav.pm plugin.
That adds a custom 'X-Spam-Clamav' header to the message that contains the name
of the def that fired. I then have SA rules to score against based upon that.

So for example, "Sanesecurity.Badmacro" can be used to trigger a rule
to hit messages which need to be quarantined, etc.

You could create a custom ClamAV def that would look for any kind of macro
inside the various popular documents (.doc, .rtf, .pdf, etc) (ClamAV is good
at knowing how to unpack/scan attachments, so use it as a scanning engine).
You could then craft special handling based upon the detection of said macros
(delivery time quarantining etc).


--
Dave Funk                                  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
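An added example (not Dave's configuration, and not from the Clamav.pm plugin) of SA rules that score on such a header and combine it with a finance lure in a meta rule; it assumes an X-Spam-Clamav header carrying the def name is already on the message when SA's rules run, and the rule names, patterns and scores are made up for illustration.

```text
# Assumes an upstream stage has already added X-Spam-Clamav with the name
# of the ClamAV def that fired; rule names and scores are illustrative.
header   CLAMAV_BADMACRO     X-Spam-Clamav =~ /Sanesecurity\.Badmacro/i
describe CLAMAV_BADMACRO     ClamAV 3rd-party def flagged a document macro
score    CLAMAV_BADMACRO     4.0

header   CLAMAV_OLE2_MACRO   X-Spam-Clamav =~ /Heuristics\.OLE2\.ContainsMacros/
describe CLAMAV_OLE2_MACRO   ClamAV heuristic found VBA macros in an OLE2 attachment
score    CLAMAV_OLE2_MACRO   1.0

body     LURE_INVOICE        /\b(invoice|remittance|payment)\b/i
describe LURE_INVOICE        Finance/invoice themed body text
score    LURE_INVOICE        0.1

# Macros alone are not proof (legitimate vendors send them); the
# combination of a macro-bearing attachment and an invoice lure is scored.
meta     MACRO_INVOICE_LURE  (CLAMAV_OLE2_MACRO || CLAMAV_BADMACRO) && LURE_INVOICE
describe MACRO_INVOICE_LURE  Macro-bearing attachment with invoice/finance lure
score    MACRO_INVOICE_LURE  5.0
```

A header that SA itself adds on output is not visible to header rules in the same run, so the X-Spam-Clamav header has to come from an earlier stage (a milter or a prior pass) for these rules to fire.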


Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 12:14 PM, Matt Garretson
 wrote:
> On 4/5/2016 8:40 PM, Alex wrote:
>> These targeted macro viruses are killing us. I hoped someone would
>> [...]
>> What strategy are other people using to block zero-day macro viruses?
>
> I quarantine these before they get to SA with some logic in mimedefang
> that combines the OLE2 result from clamav with bogofilter scores and a
> couple arbitrary pattern matches that i update as needed.

Can you tell us more about the OLE2 result, and how you obtained it
from clamav, in hopes I could do something similar with amavis?


Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 11:39 AM, John Hardin  wrote:
> On Wed, 6 Apr 2016, Alex wrote:
>
>> Yes, blocking all .doc files would be tough for us. However, maybe a
>> rule that weights their existence more heavily combined with
>> something involving finance+money+invoices would be helpful.
>
> Would blocking with whitelist exceptions for expected sources work for you?

Unfortunately not. It's a business with a lot of little vendors,
apparently. I'm surprised at just how many legitimate senders use junk
email addresses like jo...@cox.net to send actual invoices for
services.

Thanks,
Alex


Re: Macro virus fun

2016-04-06 Thread Matt Garretson
On 4/5/2016 8:40 PM, Alex wrote:
> These targeted macro viruses are killing us. I hoped someone would
> [...]
> What strategy are other people using to block zero-day macro viruses?


I quarantine these before they get to SA with some logic in mimedefang
that combines the OLE2 result from clamav with bogofilter scores and a
couple arbitrary pattern matches that i update as needed.


Re: Macro virus fun

2016-04-06 Thread John Hardin

On Wed, 6 Apr 2016, Alex wrote:


> Yes, blocking all .doc files would be tough for us. However, maybe a
> rule that weights their existence more heavily combined with
> something involving finance+money+invoices would be helpful.


Would blocking with whitelist exceptions for expected sources work for 
you?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Tea Party wants to remove the Crony from Crony Capitalism.
  OWS wants to remove Capitalism from Crony Capitalism.
-- Astaghfirullah
---
 7 days until Thomas Jefferson's 273rd Birthday


Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 9:56 AM, Reindl Harald  wrote:
> On 06.04.2016 at 15:53, RW wrote:
>>
>> On Tue, 5 Apr 2016 20:40:20 -0400
>> Alex wrote:
>>
>>> These targeted macro viruses are killing us. I hoped someone would
>>> like to take a shot at suggestions on how to stop these.
>>>
>>> http://pastebin.com/FTzbQcHb
>>>
>>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>>> but it's apparently not something that spamassassin can manipulate
>>> once it's been added. In other words, it can't be used in a meta or to
>>> make spam/ham decisions, only add to the existing score.
>>
>>
>> Do you need to allow attachments with a .doc extension?
>>
>> The last version of word that saved in this format was in Office 2003
>> and the last version of wordpad was in XP. Both have been out of
>> mainstream support for 7 years and stopped getting security updates 2
>> years ago
>
>
> sadly in the real world if it comes to business customers you don't get rid
> of .doc in the near future, be it because of outdated office versions or
> defaults changed in the past to save in the old formats to ensure others with
> older (at that moment supported) versions can open your documents

Yes, blocking all .doc files would be tough for us. However, maybe a
rule that weights their existence more heavily combined with
something involving finance+money+invoices would be helpful.


Re: Macro virus fun

2016-04-06 Thread Reindl Harald



On 06.04.2016 at 15:53, RW wrote:

> On Tue, 5 Apr 2016 20:40:20 -0400
> Alex wrote:
>
>> These targeted macro viruses are killing us. I hoped someone would
>> like to take a shot at suggestions on how to stop these.
>>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>> once it's been added. In other words, it can't be used in a meta or to
>> make spam/ham decisions, only add to the existing score.
>
> Do you need to allow attachments with a .doc extension?
>
> The last version of word that saved in this format was in Office 2003
> and the last version of wordpad was in XP. Both have been out of
> mainstream support for 7 years and stopped getting security updates 2
> years ago


sadly in the real world if it comes to business customers you don't get 
rid of .doc in the near future, be it because of outdated office versions or 
defaults changed in the past to save in the old formats to ensure others 
with older (at that moment supported) versions can open your documents


as mailadmin you are hardly in the position to educate all the outside 
world sending mails to your customers






Re: Macro virus fun

2016-04-06 Thread RW
On Tue, 5 Apr 2016 20:40:20 -0400
Alex wrote:

> Hi all,
> 
> These targeted macro viruses are killing us. I hoped someone would
> like to take a shot at suggestions on how to stop these.
> 
> http://pastebin.com/FTzbQcHb
> 
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate
> once it's been added. In other words, it can't be used in a meta or to
> make spam/ham decisions, only add to the existing score.

Do you need to allow attachments with a .doc extension? 

The last version of word that saved in this format was in Office 2003
and the last version of wordpad was in XP. Both have been out of
mainstream support for 7 years and stopped getting security updates 2
years ago.  


Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 3:12 AM,   wrote:
> Alex wrote on 2016-04-06 02:40:
>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>
> change clamd to block this mail, or score this with a higher score in
> amavisd, but blocking only makes sense if you use amavisd-milter so it would
> reject if it contains macros, here i just use clamav-milter not amavisd
>
> it's not spam, it's really malware, handling it as such is suggested

This one may be spam/malware, but the vast majority of them are not.
Blocking all files with macros is an obvious solution, but not a good
one.

Is it even possible to use SA to create a rule based on whether it
contains an attachment that has macros? At least then we could create
more aggressive meta rules.

Thanks,
Alex


Re: Macro virus fun

2016-04-06 Thread me

Alex wrote on 2016-04-06 02:40:

> http://pastebin.com/FTzbQcHb
>
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate

change clamd to block this mail, or score this with a higher score in 
amavisd, but blocking only makes sense if you use amavisd-milter so it 
would reject if it contains macros, here i just use clamav-milter not 
amavisd

it's not spam, it's really malware, handling it as such is suggested


Macro virus fun

2016-04-05 Thread Alex
Hi all,

These targeted macro viruses are killing us. I hoped someone would
like to take a shot at suggestions on how to stop these.

http://pastebin.com/FTzbQcHb

The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
but it's apparently not something that spamassassin can manipulate
once it's been added. In other words, it can't be used in a meta or to
make spam/ham decisions, only add to the existing score.

Is there a spamassassin rule that identifies attachments with macros in them?

What strategy are other people using to block zero-day macro viruses?

You'll notice the attachment still isn't being detected by clamav
proper (no surprise, really), and was only just now submitted to Steve
at sanesecurity.

It appears some companies are quarantining any files with macros in
them for some period of time until they can be deconstructed and
analyzed (sandbox, etc). Are any SA users doing that?

I'm sure I could build a body rule, but that's kind of playing
whack-a-mole. I wondered what more general solutions people had that
might detect/block these. Body rules are also welcomed, of course.

Thanks,
Alex