Re: Persistent phishing attacks with word/pdf macros

2016-10-14 Thread Alex
Hi,

On Fri, Oct 14, 2016 at 9:11 AM, Axb  wrote:
> On 10/14/2016 02:49 PM, Paul Stead wrote:
>>
>>
>> On 03/10/16 21:30, John Hardin wrote:
>>>
>>> ClamAV is probably the correct approach to macro-based malware, unless
>>> we want to do a MS Office document plugin with something like an eval
>>> for has_macros().
>>
>>
>> ClamAV does allow macro detection, but it depends on the MTA glue used
>> whether you can use this feature.
>>
>> With the feedback of Alex I've put together a plugin which detects the
>> presence of a MS Office Macro with a few other bits.
>>
>> Testing shows to be speedy and reliable enough, though seemingly lots of
>> legit emails have Macro attachments but this should help build
>> metas/help detection.
>>
>> https://github.com/fmbla/spamassassin-olemacro
>>
>> - Detects macros - both old and new style
>> - Basic 'malicious' macro detection
>> - Protected (encrypted) document detection
>>
>
> Paul,
> This looks like a fine pre-Xmas gift :)
>
> How's the performance. I know you run hi traffic sites.
> Have you felt a difference?

We also have not seen any noticeable performance issues.

Have you guys thought about appropriate metas to create using these?

I was thinking about something involving bayes00 as a ham indicator,
but I really don't have an idea of what characteristics are common
among emails with actual macro viruses.

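One way such metas could be expressed, as an added example in SpamAssassin rule syntax (it is not from the olemacro project or from anyone in this thread): the OLEMACRO* names are the ones that appear in Paul's timing output, BAYES_00 and BAYES_05 are the stock Bayes rules, the scores are placeholders, and reading OLEMACRO_ZIP_PW as "macro document inside a password-protected zip" is an assumption taken from the rule name.

```conf
# Added example, not part of the spamassassin-olemacro distribution.
# OLEMACRO* names come from the timing output quoted in this thread;
# every score below is a placeholder to be tuned against local corpora.

# Macro attachment, but Bayes is confident the message is ham: keep the
# macro signal and let the ham evidence pull the total back down.
meta      OLEMACRO_BAYES_HAM     OLEMACRO && BAYES_00
describe  OLEMACRO_BAYES_HAM     Office macro attachment, Bayes says ham
score     OLEMACRO_BAYES_HAM     -1.0

# Macro attachment with no ham evidence from Bayes at all.
meta      OLEMACRO_NO_BAYES_HAM  OLEMACRO && !BAYES_00 && !BAYES_05
describe  OLEMACRO_NO_BAYES_HAM  Office macro attachment without Bayes ham evidence
score     OLEMACRO_NO_BAYES_HAM  1.5

# Content a downstream AV engine cannot look into: the plugin's basic
# "malicious macro" heuristic, a protected (encrypted) document, or (by
# assumption from the name) a macro document in a password-protected zip.
meta      OLEMACRO_HARD_TO_SCAN  OLEMACRO_MALICE || OLEMACRO_ENCRYPTED || OLEMACRO_ZIP_PW
describe  OLEMACRO_HARD_TO_SCAN  Macro heuristics fired or document is protected
score     OLEMACRO_HARD_TO_SCAN  2.5
```

Since Paul notes that plenty of legitimate mail carries macros, the hit rate of each meta over a local ham corpus is worth checking before any positive score here is allowed to push a message over the threshold on its own.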

Re: Persistent phishing attacks with word/pdf macros

2016-10-14 Thread Paul Stead


On 14/10/16 14:44, Axb wrote:
> On 10/14/2016 03:40 PM, Paul Stead wrote:
>> On 14/10/16 14:11, Axb wrote:
>>> How's the performance. I know you run hi traffic sites.
>>> Have you felt a difference?
>>>
>>> Thanx
>>>
>>> Axb
>>
>> From the week or so of testing, things seem to be efficient and quick -
>> not to say there's not efficiencies that could be made with this code.
>> No discernible difference in scanning time, memory or CPU used.
>>
>> Here's an example from HitFreqsRuleTiming:
>>
>> T  OLEMACRO_ZIP_PW     0.0112  0.0112  1
>> T  OLEMACRO_RENAME     0.      0.      1
>> T  OLEMACRO_MALICE     0.      0.      1
>> T  OLEMACRO_ENCRYPTED  0.      0.      1
>> T  OLEMACRO            0.      0.      1
>
> sounds good.
> running on a trap box with a nice traffic level.
> Hoping to see hits soon
>
> Axb



The above is an email with files that match for scanning - ie worst case
scenario. In most cases the files won't match for scanning - this looks
more like the following :

T  OLEMACRO_ZIP_PW     0.0002  0.0002  1
T  OLEMACRO_RENAME     0.      0.      1
T  OLEMACRO_MALICE     0.      0.      1
T  OLEMACRO_ENCRYPTED  0.      0.      1
T  OLEMACRO            0.      0.      1

Ta
--
Paul Stead
Systems Engineer
Zen Internet


Re: Persistent phishing attacks with word/pdf macros

2016-10-14 Thread Paul Stead

On 14/10/16 14:11, Axb wrote:
> How's the performance. I know you run hi traffic sites.
> Have you felt a difference?
>
> Thanx
>
> Axb


From the week or so of testing, things seem to be efficient and quick -
not to say there's not efficiencies that could be made with this code.
No discernible difference in scanning time, memory or CPU used.

Here's an example from HitFreqsRuleTiming:

T  OLEMACRO_ZIP_PW     0.0112  0.0112  1
T  OLEMACRO_RENAME     0.      0.      1
T  OLEMACRO_MALICE     0.      0.      1
T  OLEMACRO_ENCRYPTED  0.      0.      1
T  OLEMACRO            0.      0.      1

Paul
--
Paul Stead
Systems Engineer
Zen Internet


Re: Persistent phishing attacks with word/pdf macros

2016-10-14 Thread Axb

On 10/14/2016 03:40 PM, Paul Stead wrote:
> On 14/10/16 14:11, Axb wrote:
>> How's the performance. I know you run hi traffic sites.
>> Have you felt a difference?
>>
>> Thanx
>>
>> Axb
>
> From the week or so of testing, things seem to be efficient and quick -
> not to say there's not efficiencies that could be made with this code.
> No discernible difference in scanning time, memory or CPU used.
>
> Here's an example from HitFreqsRuleTiming:
>
> T  OLEMACRO_ZIP_PW     0.0112  0.0112  1
> T  OLEMACRO_RENAME     0.      0.      1
> T  OLEMACRO_MALICE     0.      0.      1
> T  OLEMACRO_ENCRYPTED  0.      0.      1
> T  OLEMACRO            0.      0.      1


sounds good.
running on a trap box with a nice traffic level.
Hoping to see hits soon

Axb



Re: Persistent phishing attacks with word/pdf macros

2016-10-14 Thread Axb

On 10/14/2016 02:49 PM, Paul Stead wrote:
> On 03/10/16 21:30, John Hardin wrote:
>> ClamAV is probably the correct approach to macro-based malware, unless
>> we want to do a MS Office document plugin with something like an eval
>> for has_macros().
>
> ClamAV does allow macro detection, but it depends on the MTA glue used
> whether you can use this feature.
>
> With the feedback of Alex I've put together a plugin which detects the
> presence of a MS Office Macro with a few other bits.
>
> Testing shows to be speedy and reliable enough, though seemingly lots of
> legit emails have Macro attachments but this should help build
> metas/help detection.
>
> https://github.com/fmbla/spamassassin-olemacro
>
> - Detects macros - both old and new style
> - Basic 'malicious' macro detection
> - Protected (encrypted) document detection



Paul,
This looks like a fine pre-Xmas gift :)

How's the performance. I know you run hi traffic sites.
Have you felt a difference?

Thanx

Axb



Re: Persistent phishing attacks with word/pdf macros

2016-10-14 Thread Paul Stead


On 03/10/16 21:30, John Hardin wrote:
> ClamAV is probably the correct approach to macro-based malware, unless
> we want to do a MS Office document plugin with something like an eval
> for has_macros().


ClamAV does allow macro detection, but it depends on the MTA glue used
whether you can use this feature.

With the feedback of Alex I've put together a plugin which detects the
presence of a MS Office Macro with a few other bits.

Testing shows to be speedy and reliable enough, though seemingly lots of
legit emails have Macro attachments but this should help build
metas/help detection.

https://github.com/fmbla/spamassassin-olemacro

- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection

Paul
--
Paul Stead
Systems Engineer
Zen Internet


Re: Persistent phishing attacks with word/pdf macros

2016-10-04 Thread Alex
Hi,

>> These are a real concern. If you receive any kind of real mail volume,
>> you're receiving these too, and they're not always being caught by
>> RBLs or virus scanners. Or even our well-trained bayes.
>>
>> http://pastebin.com/YhLBqpKm
>>
>> I used to have some rules that would reliably block them, but they're
>> not performing well now at all.
>>
>> I'm posting this in hopes someone has some other ideas, as well as to
>> raise awareness about their existence.
>>
>> Ideas greatly appreciated.
>
> SA isn't the right tool to detect virus infected attachments
>
> This is an "offtopic" suggestion.
>
> disassemble the macro, write a HEX or YARA sig for ClamAV.
> (not very hard)
> For help with that, ask the ClamAV list.

This is after the fact, and it's also already being done, but not very
effectively. The people writing the virus sigs are much more capable
and apparently still aren't able to stop them. PDFs are also a
problem.

I'm just looking for something to supplement that effort.

Curiously, the pastebin has been removed, despite the captcha. Is this
something people have experienced before?


Re: Persistent phishing attacks with word/pdf macros

2016-10-04 Thread Joe Quinn

On 10/4/2016 12:37 PM, Alex wrote:
> Hi Joe, do you recall more specifically the subject or location of
> this conversation regarding using perl and mimedefang to deal with
> word macros?
>
> I recall something from Feb 2015, but I don't know how to parlay that
> into something usable with amavis and perl...



Keep replies on list.

Having trouble finding it again, but I recognize the code in this:
http://lists.roaringpenguin.com/pipermail/mimedefang/2016-February/037750.html

It only detects macros in the old format, but .docm and similar are 
renamed zip files and all the macros are confined to one file that you 
can look for in the index.

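A minimal version of the two checks Joe and Paul describe (the single VBA part in the zip index of a .docm-style file, and the VBA storage inside a legacy OLE2 file), plus the protected-container and renamed-file cases, as an added Python example. It is not the olemacro plugin's code (that is Perl, at the GitHub link earlier in the thread) and the heuristics and finding names are my own; the sample documents it builds are constructed stand-ins, not files produced by Office.

```python
"""Heuristic macro / protected-document checks for Office attachments.

Added example, not the spamassassin-olemacro plugin; the findings only
loosely follow that plugin's rule names.  Two containers are handled:
  * OOXML (.docm/.xlsm/...): a ZIP archive whose VBA lives in one part
    (word/, xl/ or ppt/vbaProject.bin), so the central directory alone
    answers "has macros?" without inflating anything.
  * OLE2/CFB (.doc/.xls, and the wrapper around an encrypted OOXML file):
    directory entry names are NUL-terminated UTF-16LE, so a raw-byte scan
    for the VBA project and encryption stream names is a cheap presence test.
Not covered: PowerPoint 97 VBA (embedded differently) and the legacy .doc
encryption flag in the FIB.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def _u16(name: str) -> bytes:
    """CFB directory entry name: UTF-16LE with a terminating NUL."""
    return name.encode("utf-16-le") + b"\x00\x00"


OLE2_VBA_MARKER = _u16("_VBA_PROJECT")  # stream inside Word and Excel VBA storages
OLE2_ENC_MARKERS = (_u16("EncryptionInfo"), _u16("EncryptedPackage"))
# VBA source in vbaProject.bin is MS-OVBA compressed, so a raw keyword scan only
# sees what happens to be stored literally; a real scanner inflates the module
# streams first.  Kept here only to show where a "malice" check hooks in.
SUSPICIOUS = (b"AutoOpen", b"Document_Open", b"Workbook_Open", b"Shell",
              b"CreateObject", b"URLDownloadToFile", b"powershell")
NON_MACRO_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf"}


def check_document(filename: str, data: bytes) -> dict:
    """Return boolean findings for one attachment (its name and raw bytes)."""
    f = {"macro": False, "suspicious": False, "encrypted": False,
         "zip_password": False, "renamed": False}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(ZIP_MAGIC):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return f
        with zf:
            infos = zf.infolist()
            # General-purpose flag bit 0 marks an entry as password-protected.
            f["zip_password"] = any(i.flag_bits & 0x1 for i in infos)
            vba_parts = [i.filename for i in infos
                         if i.filename.lower().endswith("vbaproject.bin")]
            f["macro"] = bool(vba_parts)
            if not f["zip_password"]:  # entries are readable without a key
                if "[Content_Types].xml" in zf.namelist() and \
                        b"macroEnabled" in zf.read("[Content_Types].xml"):
                    f["macro"] = True
                for part in vba_parts:
                    if any(k in zf.read(part) for k in SUSPICIOUS):
                        f["suspicious"] = True
        # Macro-carrying OOXML under a non-macro extension (.docm renamed to .doc).
        f["renamed"] = f["macro"] and ext in NON_MACRO_EXT
    elif data.startswith(OLE2_MAGIC):
        f["macro"] = OLE2_VBA_MARKER in data
        f["encrypted"] = any(m in data for m in OLE2_ENC_MARKERS)
        f["suspicious"] = f["macro"] and any(k in data for k in SUSPICIOUS)
    return f


# ---- constructed sample inputs (stand-ins, not files produced by Office) ----

def build_sample_docm(with_macro: bool) -> bytes:
    """Minimal OOXML container (STORED entries); the vbaProject.bin is fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                else "application/vnd.openxmlformats-officedocument."
                     "wordprocessingml.document.main+xml")
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="%s"/></Types>' % main)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin",
                        b"\x00Attribute VB_Name = \"ThisDocument\"\x00"
                        b"Sub AutoOpen()\x00Shell \"cmd\"\x00End Sub\x00")
    return buf.getvalue()


def set_zip_password_flag(data: bytes) -> bytes:
    """Flip the 'encrypted' bit on every entry of a STORED zip so the password
    check can be exercised.  The flags sit at offset 6 of a local file header
    and offset 8 of a central directory entry."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_ole2(vba: bool, encrypted: bool = False) -> bytes:
    """Magic plus a padded header sector, then 128-byte directory entries that
    carry only their names: enough for the marker scan, not a loadable file."""
    out = bytearray(OLE2_MAGIC.ljust(512, b"\x00"))
    names = (["_VBA_PROJECT"] if vba else []) + \
            (["EncryptionInfo", "EncryptedPackage"] if encrypted else [])
    for n in names:
        out += _u16(n).ljust(128, b"\x00")
    if vba:
        out += b"Sub AutoOpen()\x00"  # stand-in for literal module text
    return bytes(out)
```

The zip branch never inflates anything unless it has to: the name list decides the macro question, and parts are only read when no entry is flagged as password-protected, which is the ordering that keeps a scanner cheap on the common case Paul measured. The OLE2 marker scan is deliberately crude; it will not see a VBA project whose directory sector is stored in a way that splits the name, and a proper implementation walks the CFB directory instead.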

Re: Persistent phishing attacks with word/pdf macros

2016-10-04 Thread Joe Quinn

On 10/3/2016 4:30 PM, John Hardin wrote:
> On Mon, 3 Oct 2016, Axb wrote:
>> On 10/03/2016 09:03 PM, John Hardin wrote:
>>> On Mon, 3 Oct 2016, Axb wrote:
>>>> On 10/03/2016 07:46 PM, Alex wrote:
>>>>> Hi,
>>>>>
>>>>> These are a real concern. If you receive any kind of real mail volume,
>>>>> you're receiving these too, and they're not always being caught by
>>>>> RBLs or virus scanners. Or even our well-trained bayes.
>>>>>
>>>>> http://pastebin.com/YhLBqpKm
>>>>>
>>>>> I used to have some rules that would reliably block them, but they're
>>>>> not performing well now at all.
>>>>>
>>>>> I'm posting this in hopes someone has some other ideas, as well as to
>>>>> raise awareness about their existence.
>>>>>
>>>>> Ideas greatly appreciated.
>>>>
>>>> SA isn't the right tool to detect virus infected attachments
>>>
>>> Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
>>> PDFs (which I am starting to see).
>>
>> John,
>>
>> That sample has an attached bulk_inquiry_317141.doc
>> not a PDF.
>
> Yeah. I was (too) quickly responding to "phishing" and "PDF" in the
> subject line, and bayes not catching them.
>
> ClamAV is probably the correct approach to macro-based malware, unless
> we want to do a MS Office document plugin with something like an eval
> for has_macros().
>
> I haven't looked at the spample doc in detail, but I will (again) plug
> my email sanitizer, which does document macro scanning and might be
> able to catch these:
>
>    http://www.impsec.org/email-tools/procmail-security.html
>
> Some of the approaches there could probably be usefully extracted to
> SA plugins.



There's been discussion on the MIMEDefang list about dealing with word 
macros, and some people have posted good perl snippets as well that you 
can add to your filters if you use it. If you just want to detect the 
presence of macros in any form, writing that in ClamAV's signature 
system would probably be doable, but far more annoying than just a bit 
of code.


Re: Persistent phishing attacks with word/pdf macros

2016-10-03 Thread John Hardin

On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 09:03 PM, John Hardin wrote:
>> On Mon, 3 Oct 2016, Axb wrote:
>>> On 10/03/2016 07:46 PM, Alex wrote:
>>>> Hi,
>>>>
>>>> These are a real concern. If you receive any kind of real mail volume,
>>>> you're receiving these too, and they're not always being caught by
>>>> RBLs or virus scanners. Or even our well-trained bayes.
>>>>
>>>> http://pastebin.com/YhLBqpKm
>>>>
>>>> I used to have some rules that would reliably block them, but they're
>>>> not performing well now at all.
>>>>
>>>> I'm posting this in hopes someone has some other ideas, as well as to
>>>> raise awareness about their existence.
>>>>
>>>> Ideas greatly appreciated.
>>>
>>> SA isn't the right tool to detect virus infected attachments
>>
>> Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
>> PDFs (which I am starting to see).
>
> John,
>
> That sample has an attached bulk_inquiry_317141.doc
> not a PDF.


Yeah. I was (too) quickly responding to "phishing" and "PDF" in the 
subject line, and bayes not catching them.


ClamAV is probably the correct approach to macro-based malware, unless we 
want to do a MS Office document plugin with something like an eval for 
has_macros().


I haven't looked at the spample doc in detail, but I will (again) plug my 
email sanitizer, which does document macro scanning and might be able to 
catch these:


   http://www.impsec.org/email-tools/procmail-security.html

Some of the approaches there could probably be usefully extracted to SA 
plugins.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Your mouse has moved. Your Windows Operating System must be
  relicensed due to this hardware change. Please contact Microsoft
  to obtain a new activation key. If this hardware change results in
  added functionality you may be subject to additional license fees.
  Your system will now shut down. Thank you for choosing Microsoft.
---
 286 days since the first successful real return to launch site (SpaceX)


Re: Persistent phishing attacks with word/pdf macros

2016-10-03 Thread Axb

On 10/03/2016 09:03 PM, John Hardin wrote:
> On Mon, 3 Oct 2016, Axb wrote:
>> On 10/03/2016 07:46 PM, Alex wrote:
>>> Hi,
>>>
>>> These are a real concern. If you receive any kind of real mail volume,
>>> you're receiving these too, and they're not always being caught by
>>> RBLs or virus scanners. Or even our well-trained bayes.
>>>
>>> http://pastebin.com/YhLBqpKm
>>>
>>> I used to have some rules that would reliably block them, but they're
>>> not performing well now at all.
>>>
>>> I'm posting this in hopes someone has some other ideas, as well as to
>>> raise awareness about their existence.
>>>
>>> Ideas greatly appreciated.
>>
>> SA isn't the right tool to detect virus infected attachments
>
> Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
> PDFs (which I am starting to see).


John,

That sample has an attached bulk_inquiry_317141.doc
not a PDF.





Re: Persistent phishing attacks with word/pdf macros

2016-10-03 Thread Dianne Skoll
On Mon, 3 Oct 2016 12:02:15 -0700 (PDT)
John Hardin  wrote:

> We need a PDF plugin that will extract text and URLs from PDF
> attachments so that they can be scanned as if they were body text.

We've written something for extracting URLs.  I can't release the
code, unfortunately, but you can look at "podofopdfinfo" and use that
to extract URLs.

libpodofo-utils ships with Debian.

Regards,

Dianne.


Re: Persistent phishing attacks with word/pdf macros

2016-10-03 Thread John Hardin

On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 07:46 PM, Alex wrote:
>> Hi,
>>
>> These are a real concern. If you receive any kind of real mail volume,
>> you're receiving these too, and they're not always being caught by
>> RBLs or virus scanners. Or even our well-trained bayes.
>>
>> http://pastebin.com/YhLBqpKm
>>
>> I used to have some rules that would reliably block them, but they're
>> not performing well now at all.
>>
>> I'm posting this in hopes someone has some other ideas, as well as to
>> raise awareness about their existence.
>>
>> Ideas greatly appreciated.
>
> SA isn't the right tool to detect virus infected attachments


Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam 
PDFs (which I am starting to see).


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The philosophy of gun control: Teenagers are roaring through
  town at 90MPH, where the speed limit is 25. Your solution is to
  lower the speed limit to 20.   -- Sam Cohen
---
 286 days since the first successful real return to launch site (SpaceX)


Re: Persistent phishing attacks with word/pdf macros

2016-10-03 Thread John Hardin

On Mon, 3 Oct 2016, Alex wrote:
> Hi,
>
> These are a real concern. If you receive any kind of real mail volume,
> you're receiving these too, and they're not always being caught by
> RBLs or virus scanners. Or even our well-trained bayes.
>
> http://pastebin.com/YhLBqpKm
>
> I used to have some rules that would reliably block them, but they're
> not performing well now at all.
>
> I'm posting this in hopes someone has some other ideas, as well as to
> raise awareness about their existence.
>
> Ideas greatly appreciated.


We need a PDF plugin that will extract text and URLs from PDF attachments 
so that they can be scanned as if they were body text.




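The extraction step John asks for above, and that Dianne sketches with podofopdfinfo earlier in the thread, as an added Python example that is neither her unreleased code nor a wrapper around podofopdfinfo: it pulls /URI link actions and bare http(s) strings out of a PDF, including from FlateDecode-compressed object and content streams, where a plain grep over the file would see only deflate bytes. The PDF it scans is constructed inline (no xref table, so a viewer would complain) purely to exercise the parser; the URLs in it are placeholders.

```python
"""Pull URLs out of a PDF attachment so they can be checked like body URIs.

Added example, not production code: a small scanner for the two places a
phishing PDF usually keeps its link, a /URI action on a link annotation in
a plain object and the same dictionary inside a FlateDecode-compressed
object stream, plus bare URLs in page content.
"""
import re
import zlib

# /URI (...) literal string; inside it, ( ) and \ are backslash-escaped.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Bare http(s) URLs in text-showing operators or metadata.
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\"'\\]+")
# Start of a stream object: its dictionary (never crossing an endobj),
# then the 'stream' keyword and its line break.
STREAM_START_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# A direct /Length N (not an indirect reference N 0 R).
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def _unescape_pdf_string(s: bytes) -> bytes:
    return re.sub(rb"\\([()\\])", rb"\1", s)


def _stream_payloads(data: bytes):
    """Yield each stream's content, inflating FlateDecode streams."""
    for m in STREAM_START_RE.finditer(data):
        dic, start = m.group(1), m.end()
        n = LENGTH_RE.search(dic)
        if n:                                   # exact length is known
            raw = data[start:start + int(n.group(1))]
        else:                                   # indirect /Length: fall back to the keyword
            end = data.find(b"endstream", start)
            raw = data[start:end if end != -1 else len(data)]
        if b"/FlateDecode" not in dic:
            yield raw
            continue
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            continue  # corrupt or multi-filter stream: skip, do not fail the scan


def _scan(blob: bytes, urls: list) -> None:
    for m in URI_RE.finditer(blob):
        urls.append(_unescape_pdf_string(m.group(1)).decode("latin-1"))
    # Strip the /URI strings first so a URL with escaped parentheses is not
    # picked up a second time in truncated form by the bare-URL pattern.
    for m in BARE_URL_RE.finditer(URI_RE.sub(b"", blob)):
        urls.append(m.group(0).decode("latin-1"))


def extract_pdf_urls(data: bytes) -> list:
    """Return the URLs found in a PDF, in order of first appearance, deduplicated."""
    urls = []
    _scan(data, urls)                           # plain (uncompressed) objects
    for payload in _stream_payloads(data):      # compressed objects and page content
        _scan(payload, urls)
    seen, out = set(), []
    for u in urls:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: one visible link, one link hidden in an object
    stream, one bare URL in a compressed content stream.  No xref table."""
    plain_link = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                  b"/A << /S /URI /URI (http://example.com/login) >> >>")
    hidden_link = (b"5 0 << /Type /Annot /Subtype /Link "
                   b"/A << /S /URI /URI (https://example.net/verify\\(account\\)) >> >>")
    objstm = zlib.compress(hidden_link)
    content = zlib.compress(b"BT /F1 12 Tf (Visit https://example.org/update now) Tj ET")
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] /Contents 6 0 R >> endobj",
        b"4 0 obj " + plain_link + b" endobj",
        b"7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(objstm) + objstm + b"\nendstream endobj",
        b"6 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(content) + content + b"\nendstream endobj",
    ]
    return b"%PDF-1.5\n" + b"\n".join(objects) + b"\ntrailer << /Root 1 0 R >>\n%EOF\n"
```

The list this returns is what you would hand to the same URI checks that run on body text (URIBL lookups, the phishing-URL rules). What it deliberately does not do is decrypt encrypted PDFs, honour filters other than FlateDecode, or follow indirect /Length references precisely; a PDF that uses any of those is itself a useful signal, which is much the same argument Paul's plugin makes for protected Office documents.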

Re: Persistent phishing attacks with word/pdf macros

2016-10-03 Thread Axb

On 10/03/2016 07:46 PM, Alex wrote:
> Hi,
>
> These are a real concern. If you receive any kind of real mail volume,
> you're receiving these too, and they're not always being caught by
> RBLs or virus scanners. Or even our well-trained bayes.
>
> http://pastebin.com/YhLBqpKm
>
> I used to have some rules that would reliably block them, but they're
> not performing well now at all.
>
> I'm posting this in hopes someone has some other ideas, as well as to
> raise awareness about their existence.
>
> Ideas greatly appreciated.


SA isn't the right tool to detect virus infected attachments

This is an "offtopic" suggestion.

disassemble the macro, write a HEX or YARA sig for ClamAV.
(not very hard)
For help with that, ask the ClamAV list.