Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-02 Thread Rupert Gallagher
We study our logs and the abuse@ account for gray-zone items. If something 
"legitimate" occurs, we work on it. The gray-zone shows both genuine spam and 
legit email, mostly with broken message-ids and recipient domains other than 
our own.

Sent from ProtonMail Mobile

On Wed, Nov 1, 2017 at 4:37 PM, John Hardin wrote:

> On Wed, 1 Nov 2017, Rupert Gallagher wrote:
>> We apply a no-nonsense policy, mirroring paper mail policy. Both mail
>> and e-mail sent to undisclosed recipients are either paid-for massmail or
>> spam.
>
> I'll grant "largely", but there are legitimate uses for BCC.
>
> I hope you're only enforcing this policy on email from the Internet...
>
>> A client that used to be spammed 60 times per day on each account and
>> wasted paid-for hours of employees' work called us yesterday to thank
>> us. This month they received 3 junk mails only.
>
> The problem with that policy is: how do they know how much *legitimate*
> email got rejected?

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread John Hardin

On Wed, 1 Nov 2017, Rupert Gallagher wrote:

> We apply a no-nonsense policy, mirroring paper mail policy. Both mail
> and e-mail sent to undisclosed recipients are either paid-for massmail or
> spam.

I'll grant "largely", but there are legitimate uses for BCC.

I hope you're only enforcing this policy on email from the Internet...

> A client that used to be spammed 60 times per day on each account and
> wasted paid-for hours of employees' work called us yesterday to thank
> us. This month they received 3 junk mails only.

The problem with that policy is: how do they know how much *legitimate*
email got rejected?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 4 days until Daylight Saving Time ends in U.S. - Fall Back


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread Rupert Gallagher
We apply a no-nonsense policy, mirroring paper mail policy. Both mail and 
e-mail sent to undisclosed recipients are either paid-for massmail or spam. 
Paper junk and e-mail junk whose origin is verifiable and within legal domain 
goes to the lawyer, who sues the sender and gets an economic compensation for 
us. The remaining junk is automatically rejected. We are not 100% efficient on 
this, as we reject stuff that may go to the lawyer, but we are happy. A client 
that used to be spammed 60 times per day on each account and wasted paid-for 
hours of employees' work called us yesterday to thank us. This month they 
received 3 junk mails only.

Full disclosure: no, we are not Protonmail.

On Wed, Nov 1, 2017 at 9:20 AM, LuKreme wrote:

> On Nov 1, 2017, at 00:52, Rupert Gallagher wrote:
>> By local policy, we *reject* e-mail to undisclosed recipient, so this is not
>> a problem for us.
>
> You are rejecting legitimate mail then.

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread LuKreme
On Nov 1, 2017, at 00:52, Rupert Gallagher  wrote:
> By local policy, we *reject* e-mail to undisclosed recipient, so this is not 
> a problem for us. 

You are rejecting legitimate mail then.

-- 
This is my signature. There are many like it, but this one is mine.




Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
Maybe they are reading this thread and trying to patch their setup, and we are 
reading them while they do it. This is not exactly a post-mortem.

Sent from ProtonMail Mobile

On Wed, Nov 1, 2017 at 4:07 AM, Bill Cole wrote:

> On 31 Oct 2017, at 7:00 (-0400), Rupert Gallagher wrote:
>> Addenda:
>>
>>> From: Invoicing
>>
>>> unbound-host -rvD canadianchemistry.ca
>> canadianchemistry.ca has address 168.144.155.97 (insecure)
>> canadianchemistry.ca has no IPv6 address (insecure)
>> canadianchemistry.ca mail is handled by 0
>> canadianchemistry-ca.mail.protection.outlook.com. (insecure)
>>
>>> Received: from  not from Microsoft
>>
>> SPF should fail hard here.
>
> No.
>
> Assuming that the SMTP sender domain was canadianchemistry.ca, there is
> no way to check SPF because it has two 'v=spf1' TXT records.

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
On Tue, Oct 31, 2017 at 8:38 PM, Alex  wrote:

> This will also hit undisc-recips mail,

By local policy, we *reject* e-mail to undisclosed recipient, so this is not a 
problem for us.

> bcc,

As above, Bccs are rejected by local policy.

Each e-mail must be explicitly addressed to us, and its origin must be 
verifiable. All the rest is happily rejected upfront.

> and some mailing lists.

The spam-flagged e-mail is accepted and further local or server-side filtering 
moves it from junk to a favorite folder.

Sent from ProtonMail Mobile

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Bill Cole

On 31 Oct 2017, at 7:00 (-0400), Rupert Gallagher wrote:

> Addenda:
>
>> From: Invoicing
>
>> unbound-host -rvD canadianchemistry.ca
> canadianchemistry.ca has address 168.144.155.97 (insecure)
> canadianchemistry.ca has no IPv6 address (insecure)
> canadianchemistry.ca mail is handled by 0
> canadianchemistry-ca.mail.protection.outlook.com. (insecure)
>
>> Received: from  not from Microsoft
>
> SPF should fail hard here.

No.

Assuming that the SMTP sender domain was canadianchemistry.ca, there is 
no way to check SPF because it has two 'v=spf1' TXT records.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Alex
Hi,

On Tue, Oct 31, 2017 at 6:49 AM, Rupert Gallagher wrote:
> This is my reading of it.
>
> - You may have received an e-mail addressed to someone else.
> I do not know your setup, but this is what it looks like from my seat.
> (Sent "To" @puffin.net, but "Received: from" futurequest.net.)
> We have a custom rule for this junk. In general, if your domain is
> example.com and your server receives e-mail to whatever.com,
> then you can reject it by local policy.
>
> header __LOCAL_DOMAIN To:raw =~ /\@yourdomain\.com/
> meta T_FD ( !__LOCAL_DOMAIN )
> describe T_FD To: foreign domain
> score T_FD 5.0

This will also hit undisc-recips mail, bcc, and some mailing lists.

We started seeing these yesterday afternoon. They continued through
2:30am this morning, then abruptly stopped. Thankfully every single
one was blocked with spamhaus or sorbs or another RBL.

"Chip" wrote:
> I need to do a _LOT_ more reading, but for now, I've added
> seat-of-my-pants rules for exact word matches on:
> DDE
> instrText
> AUTO
> gfxdata

Where are you seeing this? In the body? The DDE I assume is the result
of something run on the attachment?

Have all the attachments contained "Invoice"?

I'm also still seeing those phishes with "invoice" or "payment" in the
URL that started like a month ago. Sometimes more than a thousand a
day, none of which are ever rejected outright by an RBL.


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Chip M.
On Tue, Oct 31, 2017, David Jones wrote:
> Add the Lashback RBL.  I am trying to get this added to the default SA
> rules.  See my post on 2017-10-17 in the following link and increase the
> scores after some testing.

David, after your Lashback post, I had added it to my FP pipeline
(i.e. run from the desktop, NOT real-time) for evaluation, however
I had made a minor setup mistake.
Thanks for the reminder that prompted me to check and fix that. :)
If that proves useful, I'll add it to my post-gateway real-time
stack.

Thanks for your other suggestions. :)


Benny:
Thanks for the clamav submission page, however it did not work with
my browser (after NIMDA, I turned "off" all the whizbang security 
nightmare stuff). :(
You or anyone else is welcome to submit it there or anywhere. :)

"Rupert":
That was one of 30 that passed gateway RBL testing and
(plain vanilla) ClamAV.
It was _NOT_ "addressed to someone-else".
If you do a bit of DNS analysis on the Received headers, it will be
clearer.
You are correct that it failed SPF. :)
I checked all the others, and they too failed, which is somewhat
unusual.


*** All:
*** Clarification: 100% of these are being caught by my filters.
I posted to share a live sample, since there's lots of technical
analysis articles but I have not yet seen complete samples of all
the file vectors that are possible.

I'm mainly interested in insights into CONTENT based rules,
and more diverse samples. :)

For example, after the first wave of news, I added a word match rule
for "DDEAUTO", which has _NOT_ yet triggered.  That does trigger if
I change it to a gappy-word rule, after de-tagging these XML pairs:
DDE
AUTO
I had not expected that.

I particularly want to see an .ics sample.
Has anybody else seen much/any DDE attack variants?
- "Chip"




Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
yes, again

Sent from ProtonMail Mobile

On Tue, Oct 31, 2017 at 1:36 PM, David Jones wrote:

> On Tue, Oct 31, 2017 at 12:00 PM, Rupert Gallagher wrote:
>> Addenda:
>>
>>> From: Invoicing
>>
>> SPF should fail hard here.
>
> How do you know what the envelope-from domain is from that sample? SPF uses
> the envelope-from not the From: header. The OP may need to install a milter
> depending on the MTA in use to add headers that SA can use for SPF checks. I
> am using policyd-spf and opendmarc to give SA more information from the MTA.
>
>> - Body: attachment without introductory text
>> I do not have a rule for this, yet.
>>
>> The default SA returns the following:
>> 0.0 TVD_SPACE_RATIO        No description available.
>> 0.0 TVD_SPACE_RATIO_MINFP  Space ratio
>>
>> Our SA returns a big fat spam flag.
>>
>> RG
>
> My SA scores 18.7 but some of that could have been after-the-fact RBL
> additions since some time has passed. I have some custom local rules that
> add a few points for "invoice" related words in the subject.
>
>>> In all cases, the domain matches the domain in the From header.
>>> So far, the From has always been in the form:
>>> Invoicing invoic...@example.com
>>> The only SA rules that they're all hitting are:
>>> TVD_SPACE_RATIO
>>> TVD_SPACE_RATIO_MINFP
>
> Install the KAM.cf rules and schedule updates a few times a day. Install DCC
> if not installed and active. Make sure you are getting DCC hits in your mail
> logs. Add the Lashback RBL. I am trying to get this added to the default SA
> rules. See my post on 2017-10-17 in the following link and increase the
> scores after some testing.
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6372
> Add the score.senderscore.com RBL to the MTA or SA. This IP has a score of 15
> out of 100 so I add 5.0 points for poor reputation. See the SA mailing list
> archives for details.

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread David Jones
On Tue, Oct 31, 2017 at 12:00 PM, Rupert Gallagher wrote:

> Addenda:
>
>> From: Invoicing
>
> SPF should fail hard here.

How do you know what the envelope-from domain is from that sample?  SPF 
uses the envelope-from not the From: header.

The OP may need to install a milter depending on the MTA in use to add 
headers that SA can use for SPF checks.  I am using policyd-spf and 
opendmarc to give SA more information from the MTA.

> - Body: attachment without introductory text
> I do not have a rule for this, yet.
>
> The default SA returns the following:
> 0.0 TVD_SPACE_RATIO        No description available.
> 0.0 TVD_SPACE_RATIO_MINFP  Space ratio
>
> Our SA returns a big fat spam flag.
>
> RG

My SA scores 18.7 but some of that could have been after-the-fact RBL 
additions since some time has passed.  I have some custom local rules 
that add a few points for "invoice" related words in the subject.

>> In all cases, the domain matches the domain in the From header.
>>
>> So far, the From has always been in the form:
>> Invoicing invoic...@example.com
>>
>> The only SA rules that they're all hitting are:
>> TVD_SPACE_RATIO
>> TVD_SPACE_RATIO_MINFP


Install the KAM.cf rules and schedule updates a few times a day.

Install DCC if not installed and active.  Make sure you are getting DCC 
hits in your mail logs.


Add the Lashback RBL.  I am trying to get this added to the default SA 
rules.  See my post on 2017-10-17 in the following link and increase the 
scores after some testing.


https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6372

Add the score.senderscore.com RBL to the MTA or SA.  This IP has a score 
of 15 out of 100 so I add 5.0 points for poor reputation.  See the SA 
mailing list archives for details.


--
David Jones


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
correct!

Sent from ProtonMail Mobile

On Tue, Oct 31, 2017 at 12:57 PM, Benny Pedersen wrote:

> Rupert Gallagher skrev den 2017-10-31 12:00:
>>> From: Invoicing
>>> Received: from  not from Microsoft
>> SPF should fail hard here.
>
> from: header is not envelope sender as spf is testing, so that domain is
> only usable to test dkim if it was signed

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Benny Pedersen

Rupert Gallagher skrev den 2017-10-31 12:00:

>> From: Invoicing
>> Received: from  not from Microsoft
>
> SPF should fail hard here.

from: header is not envelope sender as spf is testing, so that domain is 
only usable to test dkim if it was signed
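Two points from this thread in one added example (not code from the thread): Bill Cole's observation that a domain publishing two v=spf1 TXT records cannot be evaluated (RFC 7208 calls this a permerror), and Benny's and David's point that SPF tests the envelope sender (MAIL FROM, what ends up in Return-Path), never the From: header. The TXT data, domains and addresses below are constructed; the evaluator only models the ip4, include and all mechanisms, which is enough for the cases discussed.

```python
import ipaddress
import re

# Constructed TXT data standing in for DNS lookups (example domains, not real records).
# "two-records.example" models the thread's case: two v=spf1 records published.
CONSTRUCTED_TXT = {
    "two-records.example": [
        "v=spf1 include:_spf.mailer.example -all",
        "v=spf1 ip4:192.0.2.10 -all",
    ],
    "one-record.example": [
        "some-unrelated-verification-token",
        "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all",
    ],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "no-record.example": ["just-text"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_spf_record(txt_records):
    """RFC 7208 section 4.5: keep only records starting with 'v=spf1' followed by
    whitespace or end of string. None -> 'none'; more than one -> 'permerror'."""
    spf = [r for r in txt_records if re.match(r"v=spf1(?:\s|$)", r, re.IGNORECASE)]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None
    return "record", spf[0]


def check_host(ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Minimal check_host() over the ip4, include and all mechanisms.
    Other mechanisms are deliberately not modelled here and raise."""
    status, record = select_spf_record(txt.get(domain.lower(), []))
    if status != "record":
        return status  # 'none' or 'permerror': evaluation stops before any mechanism
    if depth > 10:
        return "permerror"  # recursion guard (RFC 7208 caps DNS-querying terms at 10)
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":
            return result
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if check_host(ip, term[8:], txt, depth + 1) == "pass":
                return result
        else:
            raise NotImplementedError("mechanism not modelled here: " + term)
    return "neutral"  # no mechanism matched and no 'all' term


def spf_domain_for_message(mail_from, helo_name):
    """The identity SPF evaluates is the SMTP MAIL FROM (what lands in Return-Path),
    or the HELO name for a null sender. The RFC 5322 From: header is never used."""
    sender = mail_from.strip().strip("<>")
    if sender == "":
        return helo_name.lower()
    return sender.rsplit("@", 1)[-1].lower()


if __name__ == "__main__":
    # Constructed message: the From: header names one domain, the envelope another.
    from_header = "Invoicing <invoicing@one-record.example>"
    mail_from = "<bounce@two-records.example>"
    domain = spf_domain_for_message(mail_from, "mx.example.net")
    print("From: header is not consulted:", from_header)
    print("SPF evaluates", domain, "->", check_host("192.0.2.10", domain))
```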


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
Addenda:

> From: Invoicing 

>unbound-host -rvD canadianchemistry.ca
canadianchemistry.ca has address 168.144.155.97 (insecure)
canadianchemistry.ca has no IPv6 address (insecure)
canadianchemistry.ca mail is handled by 0 
canadianchemistry-ca.mail.protection.outlook.com. (insecure)

> Received: from  not from Microsoft

SPF should fail hard here.

RG

Sent with [ProtonMail](https://protonmail.com) Secure Email.


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Rupert Gallagher
This is my reading of it.

- You may have received an e-mail addressed to someone else.
I do not know your setup, but this is what it looks like from my seat.
(Sent "To" [@puffin.net](mailto:bait_sa_e3npnogbtq1d4...@puffin.net), but 
"Received: from" futurequest.net.)
We have a custom rule for this junk. In general, if your domain is
example.com and your server receives e-mail to whatever.com,
then you can reject it by local policy.

header __LOCAL_DOMAIN To:raw =~ /\@yourdomain\.com/
meta T_FD ( !__LOCAL_DOMAIN )
describe T_FD To: foreign domain
score T_FD 5.0

- From: domain mismatches Received: domain
- Return-Path: missing header
These are not a hard symptom of spam, but we give them a 0.5 penalty anyway.

- Received: from domain literal
Well-behaved servers, with state-of-the-art DNS and well-implemented
SPF, DKIM and DMARC, have a domain name. They also cut out
the first hop, from the client to the server.
We give a full 1.0 penalty here.

- Body: attachment without introductory text
I do not have a rule for this, yet.

The default SA returns the following:
0.0 TVD_SPACE_RATIO        No description available.
0.0 TVD_SPACE_RATIO_MINFP  Space ratio

Our SA returns a big fat spam flag.

RG

Sent with [ProtonMail](https://protonmail.com) Secure Email.


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-31 Thread Benny Pedersen

Chip M. skrev den 2017-10-31 07:10:

> http://puffin.net/software/spam/samples/0056_dde_auto.txt

send it here

https://www.clamav.net/reports/malware

so far bitdefender and dr-web detect it as malware


spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-10-30 Thread Chip M.
Starting Monday late pm (Iowa time), I've been seeing my first DDE
exploits, with significant volume.
Here's a spample, with only the account part of the To header munged:
http://puffin.net/software/spam/samples/0056_dde_auto.txt

The MIME part Content Types are all of the same form, with only the 
nine (9) digit long invoice number being different (same as used in
the Subject).  The date part is changing correctly.
So far, there's enough consistency there that it may be worth some
quick rules.

Here's a few of the Message-IDs:

In all cases, the domain matches the domain in the From header.

So far, the From has always been in the form:
Invoicing 

The only SA rules that they're all hitting are:
TVD_SPACE_RATIO
TVD_SPACE_RATIO_MINFP

Internally, these were _NOT_ as I was expecting.
When the buzz about DDE first broke, I was expecting old style doc,
rtf, and ics (calendar) files, and restricted my rules to those.
Today's wave are all OpenXML, and the payload is in file
"word/document.xml".

If you take a close look at just the contents of ""
tag pairs, it appears they can easily obfuscate the payload. :(

I need to do a _LOT_ more reading, but for now, I've added 
seat-of-my-pants rules for exact word matches on:
DDE
instrText
AUTO
gfxdata

So far, using an older (v3.4.1) plain vanilla SA setup, my 
killrate with Bayes is 48% (without Bayes, it would have been 
about 30.4%).

My post SA filter has been killing them all, but that's due to my
aggressive rules and a bit of luck.
I've asked one of my people with less aggressive rules and more 
diverse ham to run some ham-only MassChecks using the above rules.
I'll share the results.

Has anyone seen the RTF or Calendar/.ics forms of this exploit?
If so, please-please-please post a spample.
- "Chip"