Re: [clamav-users] Is there anything to do about encrypted viruses?
Since the password has to be included for the victim to be able to decrypt, it ought to be possible to automatically find the password in the email. Of course, eventually the criminals will start hiding the password in some way that a human can easily find it, but non-AI automation can't.

On Tue, 22 Dec 2020 03:46:13 -0800 Al Varnell via clamav-users wrote:
> When you submit it, be sure to include the password so that the ClamAV
> signature team can properly assess it and provide a hash signature for the zip
> file.
>
> -Al-
>
>> On Dec 22, 2020, at 03:32, Alessandro Vesely via clamav-users wrote:
>>
>> Hi all,
>>
>> today I received a message with an encrypted zip attachment. I saved the
>> attachment and loaded it to VirusTotal, where no scanner detected anything:
>> https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection
>>
>> Then I unzipped the file using the password given in the message text,
>> uploaded the only extracted file and got plenty of VBA / W97M malware:
>> https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection
>>
>> I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I
>> wrong?
>>
>> Best
>> Ale

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Is there anything to do about encrypted viruses?
Hi there,

On Tue, 22 Dec 2020, Alessandro Vesely via clamav-users wrote:

> Is there anything to do about encrypted viruses?

Yes, indeed there is and it isn't too difficult.

> today I received a message with an encrypted zip attachment. I saved the
> attachment and loaded it to VirusTotal, where no scanner detected anything:
> https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection
>
> Then I unzipped the file using the password given in the message text,
> uploaded the only extracted file and got plenty of VBA / W97M malware:
> https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection
>
> I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I
> wrong?

With current decryption technology it isn't feasible, in a reasonable time, to reliably decrypt any sanely encrypted message if you don't have the encryption key. So we can have Internet banking. Oh, goody.

Criminals abuse this lack of capability by sending encrypted malware in mail which contains a plaintext key in the covering note. They do this millions of times every day so they don't need a big hit rate to steal serious quantities of money when some sucker opens the archive. It's automated. They have bots which create accounts with most of the large free email service providers, bots to steal genuine credentials, bots which do all sorts of other things - just to get their cr@p sent.

It's trivial to produce a *different* encrypted zip file for each and every mail message which is sent out, so that signature-based methods of detecting the encrypted file are faced with an overwhelming task. So yes, it's kind of hopeless to report every message to a signature provider _if_ the messages are being individually crafted. It's not necessarily hopeless if they aren't, but even so there will still be a heck of a lot of them so doing all this manually isn't very rewarding.

What beats me is why anybody these days would ever accept the messages. Block all encrypted archives. Better still, block all archives except those which are sent by prior arrangement - which is almost what I do.

The criminals will send these messages to anybody who's daft enough to accept them. They send quite a lot to addresses here that don't exist for example and all of them get reported at a bare minimum to SpamCop, Abuseipdb and as required the third party ClamAV signature providers. Actually I tempfail, then report. When the incontinent provider sees a tempfail, almost immediately it tries to send the message from one of its other IPs - and so on, until it's tried them all. As a result senders like gmal, protection.outluck and yaboo get every IP of their entire spam-spewing server farm reported, instead of just the one that tried to send the cr@p first.

It's a clear indictment of all those senders who have in their control resources vastly more extensive and capable than anything I have here, that I can almost trivially catch and report all their cr@p while they simply don't bother doing anything about it. Obviously it's making them money, or they wouldn't do it, so when it comes to the big providers I'm on the hanging bench. You could make a reasonable case for blocking everything that they try to send.

--
73,
Ged.
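The two defensive ideas in this thread, recovering the key from the covering note so the inner file can be scanned (the first reply above) and refusing any encrypted archive outright (Ged's policy), as one added Python example. This is not code from the thread or from ClamAV: the lure message, the password hint, the archive and its member are all constructed here, and the hand-built ZipCrypto writer exists only because the standard library can read but not write that legacy scheme. Field names such as `verdict` and `recovered` are this example's own. A real mail filter would hand the recovered member to clamd instead of just hashing it.

```python
import email
import email.policy
import hashlib
import io
import os
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage


def _crc32_byte(crc, ch):
    # one-byte step of the raw (non-inverted) CRC-32 used by ZipCrypto key scheduling
    crc ^= ch
    for _ in range(8):
        crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc


def _zipcrypto_encrypt(password, plaintext, crc):
    """Traditional PKWARE ("ZipCrypto") stream, re-implemented only to build test input."""
    keys = [305419896, 591751049, 878082192]

    def update(c):
        keys[0] = _crc32_byte(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc32_byte(keys[2], keys[1] >> 24)

    for p in password:
        update(p)
    out = bytearray()
    # 12-byte prefix: 11 random bytes plus the top CRC byte, which readers use as the password check
    for p in os.urandom(11) + bytes([(crc >> 24) & 0xFF]) + plaintext:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def make_encrypted_zip(member, plaintext, password):
    """Single-member, stored, ZipCrypto-encrypted archive written by hand (constructed test data)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = _zipcrypto_encrypt(password, plaintext, crc)
    name = member.encode()
    flags, method, dostime, dosdate = 0x1, 0, 0x7A21, 0x5196  # bit 0 = encrypted; date 2020-12-22
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, dostime, dosdate,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method, dostime,
                          dosdate, crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


SAMPLE_PASSWORD = "Inv0ice!2020"  # constructed
SAMPLE_PAYLOAD = b"constructed harmless text standing in for the macro document"


def build_sample_mail(include_password=True):
    """Constructed lure: covering note with the key in clear, plus the encrypted archive."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "victim@example.invalid", "Invoice 2261"
    note = "Please find the invoice attached.\n"
    if include_password:
        note += f"The archive password is: {SAMPLE_PASSWORD}\n"
    msg.set_content(note)
    msg.add_attachment(make_encrypted_zip("Invoice_2261.doc", SAMPLE_PAYLOAD, SAMPLE_PASSWORD.encode()),
                       maintype="application", subtype="zip", filename="Invoice_2261.zip")
    return msg.as_bytes()


# matches "password is: X", "Password: X", "pwd = X"; the fallback is every token in the note
HINT = re.compile(r"(?i)\b(?:password|passwd|pwd|pass\s*code)\b[\s:=-]*(?:is\b)?[\s:=-]*[\"']?([^\s\"',;]{4,64})")


def candidate_passwords(text, limit=200):
    seen, out = set(), []
    for tok in [m.group(1) for m in HINT.finditer(text)] + re.findall(r"\S{4,64}", text):
        for cand in (tok, tok.rstrip(".!?)")):  # also try without trailing punctuation
            if len(cand) >= 4 and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out[:limit]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def analyze_message(raw):
    """Report encrypted archive attachments, what the note's key opens, and the policy verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    candidates = candidate_passwords(body.get_content() if body else "")
    report = {"encrypted_archives": [], "recovered": [], "verdict": "accept"}
    for part in msg.iter_attachments():
        data, name = part.get_payload(decode=True), part.get_filename() or "<unnamed>"
        if not data or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        zf = zipfile.ZipFile(io.BytesIO(data))
        encrypted = [i for i in zf.infolist() if i.flag_bits & 0x1]  # general-purpose bit 0
        if not encrypted:
            continue
        report["encrypted_archives"].append(name)
        report["verdict"] = "reject"  # the thread's policy: never accept an encrypted archive
        for info in encrypted:
            for pwd in candidates:
                try:
                    content = zf.read(info, pwd=pwd.encode("utf-8", "ignore"))
                except (RuntimeError, zipfile.BadZipFile, NotImplementedError):
                    continue  # wrong key, or AES (method 99), which the stdlib cannot open
                report["recovered"].append({"archive": name, "member": info.filename,
                                            "password": pwd, "sha256": sha256_hex(content)})
                break  # a real filter would hand `content` to clamd here
    return report


if __name__ == "__main__":
    print(analyze_message(build_sample_mail()))
```

The verdict is decided by the encryption flag alone, before any key is tried, so the rejection does not depend on the guess succeeding; the decryption attempt only adds what a scanner could then look at. Note that Python's `zipfile` reads only the legacy ZipCrypto scheme: an AES-encrypted archive still carries flag bit 0 and is still rejected, but its member cannot be opened here, which is the case Ged's "block all encrypted archives" rule covers without needing the key at all.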
Re: [clamav-users] Is there anything to do about encrypted viruses?
When you submit it, be sure to include the password so that the ClamAV signature team can properly assess it and provide a hash signature for the zip file.

-Al-

> On Dec 22, 2020, at 03:32, Alessandro Vesely via clamav-users wrote:
>
> Hi all,
>
> today I received a message with an encrypted zip attachment. I saved the
> attachment and loaded it to VirusTotal, where no scanner detected anything:
> https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection
>
> Then I unzipped the file using the password given in the message text,
> uploaded the only extracted file and got plenty of VBA / W97M malware:
> https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection
>
> I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I
> wrong?
>
> Best
> Ale
[clamav-users] Is there anything to do about encrypted viruses?
Hi all,

today I received a message with an encrypted zip attachment. I saved the attachment and loaded it to VirusTotal, where no scanner detected anything:
https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection

Then I unzipped the file using the password given in the message text, uploaded the only extracted file and got plenty of VBA / W97M malware:
https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection

I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I wrong?

Best
Ale