Re: Persistent phishing attacks with word/pdf macros
Hi,

On Fri, Oct 14, 2016 at 9:11 AM, Axb wrote:
> On 10/14/2016 02:49 PM, Paul Stead wrote:
>> On 03/10/16 21:30, John Hardin wrote:
>>> ClamAV is probably the correct approach to macro-based malware, unless
>>> we want to do a MS Office document plugin with something like an eval
>>> for has_macros().
>>
>> ClamAV does allow macro detection, but it depends on the MTA glue used
>> whether you can use this feature.
>>
>> With the feedback of Alex I've put together a plugin which detects the
>> presence of a MS Office Macro with a few other bits.
>>
>> Testing shows to be speedy and reliable enough, though seemingly lots of
>> legit emails have Macro attachments but this should help build
>> metas/help detection.
>>
>> https://github.com/fmbla/spamassassin-olemacro
>>
>> - Detects macros - both old and new style
>> - Basic 'malicious' macro detection
>> - Protected (encrypted) document detection
>
> Paul,
> This looks like a fine pre-Xmas gift :)
>
> How's the performance. I know you run hi traffic sites.
> Have you felt a difference?

We also have not seen any noticeable performance issues.

Have you guys thought about appropriate metas to create using these? I was thinking about something involving bayes00 as a ham indicator, but I really don't have an idea of what characteristics are common among emails with actual macro viruses.
Re: Persistent phishing attacks with word/pdf macros
On 14/10/16 14:44, Axb wrote:
> On 10/14/2016 03:40 PM, Paul Stead wrote:
>> On 14/10/16 14:11, Axb wrote:
>>> How's the performance. I know you run hi traffic sites.
>>> Have you felt a difference?
>>>
>>> Thanx
>>>
>>> Axb
>>
>> From the week or so of testing, things seem to be efficient and quick -
>> not to say there's not efficiencies that could be made with this code.
>> No discernible difference in scanning time, memory or CPU used.
>>
>> Here's an example from HitFreqsRuleTiming:
>>
>> TOLEMACRO_ZIP_PW0.01120.01121
>> TOLEMACRO_RENAME0.0.1
>> TOLEMACRO_MALICE0.0.1
>> T OLEMACRO_ENCRYPTED0.0.1
>> T OLEMACRO0.0.1
>
> sounds good.
> running on a trap box with a nice traffic level.
> Hoping to see hits soon
>
> Axb

The above is an email with files that match for scanning - ie worst case scenario. In most cases the files won't match for scanning - this looks more like the following:

TOLEMACRO_ZIP_PW0.00020.00021
TOLEMACRO_RENAME0.0.1
TOLEMACRO_MALICE0.0.1
T OLEMACRO_ENCRYPTED0.0.1
T OLEMACRO0.0.1

Ta

--
Paul Stead
Systems Engineer
Zen Internet
Re: Persistent phishing attacks with word/pdf macros
On 14/10/16 14:11, Axb wrote:
> How's the performance. I know you run hi traffic sites.
> Have you felt a difference?
>
> Thanx
>
> Axb

From the week or so of testing, things seem to be efficient and quick - not to say there's not efficiencies that could be made with this code. No discernible difference in scanning time, memory or CPU used.

Here's an example from HitFreqsRuleTiming:

TOLEMACRO_ZIP_PW0.01120.01121
TOLEMACRO_RENAME0.0.1
TOLEMACRO_MALICE0.0.1
T OLEMACRO_ENCRYPTED0.0.1
T OLEMACRO0.0.1

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Re: Persistent phishing attacks with word/pdf macros
On 10/14/2016 03:40 PM, Paul Stead wrote:
> On 14/10/16 14:11, Axb wrote:
>> How's the performance. I know you run hi traffic sites.
>> Have you felt a difference?
>>
>> Thanx
>>
>> Axb
>
> From the week or so of testing, things seem to be efficient and quick -
> not to say there's not efficiencies that could be made with this code.
> No discernible difference in scanning time, memory or CPU used.
>
> Here's an example from HitFreqsRuleTiming:
>
> TOLEMACRO_ZIP_PW0.01120.01121
> TOLEMACRO_RENAME0.0.1
> TOLEMACRO_MALICE0.0.1
> T OLEMACRO_ENCRYPTED0.0.1
> T OLEMACRO0.0.1

sounds good.
running on a trap box with a nice traffic level.
Hoping to see hits soon

Axb
Re: Persistent phishing attacks with word/pdf macros
On 10/14/2016 02:49 PM, Paul Stead wrote:
> On 03/10/16 21:30, John Hardin wrote:
>> ClamAV is probably the correct approach to macro-based malware, unless
>> we want to do a MS Office document plugin with something like an eval
>> for has_macros().
>
> ClamAV does allow macro detection, but it depends on the MTA glue used
> whether you can use this feature.
>
> With the feedback of Alex I've put together a plugin which detects the
> presence of a MS Office Macro with a few other bits.
>
> Testing shows to be speedy and reliable enough, though seemingly lots of
> legit emails have Macro attachments but this should help build
> metas/help detection.
>
> https://github.com/fmbla/spamassassin-olemacro
>
> - Detects macros - both old and new style
> - Basic 'malicious' macro detection
> - Protected (encrypted) document detection

Paul,
This looks like a fine pre-Xmas gift :)

How's the performance. I know you run hi traffic sites.
Have you felt a difference?

Thanx

Axb
Re: Persistent phishing attacks with word/pdf macros
On 03/10/16 21:30, John Hardin wrote:
> ClamAV is probably the correct approach to macro-based malware, unless
> we want to do a MS Office document plugin with something like an eval
> for has_macros().

ClamAV does allow macro detection, but it depends on the MTA glue used whether you can use this feature.

With the feedback of Alex I've put together a plugin which detects the presence of a MS Office Macro with a few other bits.

Testing shows to be speedy and reliable enough, though seemingly lots of legit emails have Macro attachments but this should help build metas/help detection.

https://github.com/fmbla/spamassassin-olemacro

- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Re: Persistent phishing attacks with word/pdf macros
Hi,

>> These are a real concern. If you receive any kind of real mail volume,
>> you're receiving these too, and they're not always being caught by
>> RBLs or virus scanners. Or even our well-trained bayes.
>>
>> http://pastebin.com/YhLBqpKm
>>
>> I used to have some rules that would reliably block them, but they're
>> not performing well now at all.
>>
>> I'm posting this in hopes someone has some other ideas, as well as to
>> raise awareness about their existence.
>>
>> Ideas greatly appreciated.
>
> SA isn't the right tool to detect virus infected attachments
>
> This is an "offtopic" suggestion.
>
> disassemble the macro, write a HEX or YARA sig for ClamAV.
> (not very hard)
> For help with that, ask the ClamAV list.

This is after the fact, and it's also already being done, but not very effectively. The people writing the virus sigs are much more capable and apparently still aren't able to stop them. PDFs are also a problem.

I'm just looking for something to supplement that effort.

Curiously, the pastebin has been removed, despite the captcha. Is this something people have experienced before?
Re: Persistent phishing attacks with word/pdf macros
On 10/4/2016 12:37 PM, Alex wrote:
> Hi Joe, do you recall more specifically the subject or location of this
> conversation regarding using perl and mimedefang to deal with word
> macros? I recall something from Feb 2015, but I don't know how to parlay
> that into something usable with amavis and perl...

Keep replies on list.

Having trouble finding it again, but I recognize the code in this:

http://lists.roaringpenguin.com/pipermail/mimedefang/2016-February/037750.html

It only detects macros in the old format, but .docm and similar are renamed zip files and all the macros are confined to one file that you can look for in the index.
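As an added illustration of the approach described above (new-format macros living in a single part of a renamed zip, plus the legacy OLE case the olemacro plugin above also covers), here is a standalone Python checker; it is not code from this thread or from the spamassassin-olemacro project. The OLE branch is a heuristic substring scan for the `_VBA_PROJECT` stream name rather than a full compound-file parse, and the sample documents are constructed in-line.

```python
import io
import re
import zipfile
from typing import Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
# Compound-file directory entries store stream names as UTF-16LE; a VBA
# project always carries a "_VBA_PROJECT" stream. Heuristic: substring scan,
# no full CFB directory walk.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Office Open XML (.docm/.xlsm/.pptm) is a zip; all macros live in one part.
OOXML_VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)


def has_macros(data: bytes) -> Optional[str]:
    """Return 'ole', 'ooxml' or None for raw attachment bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole" if OLE_VBA_MARKER in data else None
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()   # central directory only, nothing inflated
        except zipfile.BadZipFile:
            return None
        if any(OOXML_VBA_PART.match(n) for n in names):
            return "ooxml"
    return None


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed stand-ins for legacy .doc files: OLE magic, filler, one stream name.
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 64
SAMPLE_OLE_PLAIN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in [("docm", build_ooxml(True)), ("docx", build_ooxml(False)),
                        ("doc+vba", SAMPLE_OLE_WITH_VBA), ("doc", SAMPLE_OLE_PLAIN)]:
        print(label, has_macros(blob))
```

Reading only the zip central directory keeps the per-attachment cost close to the negligible timings reported in this thread; a password-protected zip still lists its names, so the check works there too.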
Re: Persistent phishing attacks with word/pdf macros
On 10/3/2016 4:30 PM, John Hardin wrote:
> On Mon, 3 Oct 2016, Axb wrote:
>> On 10/03/2016 09:03 PM, John Hardin wrote:
>>> On Mon, 3 Oct 2016, Axb wrote:
>>>> On 10/03/2016 07:46 PM, Alex wrote:
>>>>> Hi,
>>>>>
>>>>> These are a real concern. If you receive any kind of real mail
>>>>> volume,
>>>>> you're receiving these too, and they're not always being caught by
>>>>> RBLs or virus scanners. Or even our well-trained bayes.
>>>>>
>>>>> http://pastebin.com/YhLBqpKm
>>>>>
>>>>> I used to have some rules that would reliably block them, but they're
>>>>> not performing well now at all.
>>>>>
>>>>> I'm posting this in hopes someone has some other ideas, as well as to
>>>>> raise awareness about their existence.
>>>>>
>>>>> Ideas greatly appreciated.
>>>>
>>>> SA isn't the right tool to detect virus infected attachments
>>>
>>> Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
>>> PDFs (which I am starting to see).
>>
>> John,
>>
>> That sample has an attached bulk_inquiry_317141.doc not a PDF.
>
> Yeah. I was (too) quickly responding to "phishing" and "PDF" in the
> subject line, and bayes not catching them.
>
> ClamAV is probably the correct approach to macro-based malware, unless
> we want to do a MS Office document plugin with something like an eval
> for has_macros().
>
> I haven't looked at the spample doc in detail, but I will (again) plug
> my email sanitizer, which does document macro scanning and might be able
> to catch these:
>
> http://www.impsec.org/email-tools/procmail-security.html
>
> Some of the approaches there could probably be usefully extracted to SA
> plugins.

There's been discussion on the MIMEDefang list about dealing with word macros, and some people have posted good perl snippets as well that you can add to your filters if you use it.

If you just want to detect the presence of macros in any form, writing that in ClamAV's signature system would probably be doable, but far more annoying than just a bit of code.
Re: Persistent phishing attacks with word/pdf macros
On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 09:03 PM, John Hardin wrote:
>> On Mon, 3 Oct 2016, Axb wrote:
>>> On 10/03/2016 07:46 PM, Alex wrote:
>>>> Hi,
>>>>
>>>> These are a real concern. If you receive any kind of real mail
>>>> volume,
>>>> you're receiving these too, and they're not always being caught by
>>>> RBLs or virus scanners. Or even our well-trained bayes.
>>>>
>>>> http://pastebin.com/YhLBqpKm
>>>>
>>>> I used to have some rules that would reliably block them, but they're
>>>> not performing well now at all.
>>>>
>>>> I'm posting this in hopes someone has some other ideas, as well as to
>>>> raise awareness about their existence.
>>>>
>>>> Ideas greatly appreciated.
>>>
>>> SA isn't the right tool to detect virus infected attachments
>>
>> Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
>> PDFs (which I am starting to see).
>
> John,
>
> That sample has an attached bulk_inquiry_317141.doc not a PDF.

Yeah. I was (too) quickly responding to "phishing" and "PDF" in the subject line, and bayes not catching them.

ClamAV is probably the correct approach to macro-based malware, unless we want to do a MS Office document plugin with something like an eval for has_macros().

I haven't looked at the spample doc in detail, but I will (again) plug my email sanitizer, which does document macro scanning and might be able to catch these:

http://www.impsec.org/email-tools/procmail-security.html

Some of the approaches there could probably be usefully extracted to SA plugins.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org                    FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Your mouse has moved. Your Windows Operating System must be relicensed due to this hardware change. Please contact Microsoft to obtain a new activation key. If this hardware change results in added functionality you may be subject to additional license fees. Your system will now shut down. Thank you for choosing Microsoft.
---
286 days since the first successful real return to launch site (SpaceX)
Re: Persistent phishing attacks with word/pdf macros
On 10/03/2016 09:03 PM, John Hardin wrote:
> On Mon, 3 Oct 2016, Axb wrote:
>> On 10/03/2016 07:46 PM, Alex wrote:
>>> Hi,
>>>
>>> These are a real concern. If you receive any kind of real mail volume,
>>> you're receiving these too, and they're not always being caught by
>>> RBLs or virus scanners. Or even our well-trained bayes.
>>>
>>> http://pastebin.com/YhLBqpKm
>>>
>>> I used to have some rules that would reliably block them, but they're
>>> not performing well now at all.
>>>
>>> I'm posting this in hopes someone has some other ideas, as well as to
>>> raise awareness about their existence.
>>>
>>> Ideas greatly appreciated.
>>
>> SA isn't the right tool to detect virus infected attachments
>
> Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam
> PDFs (which I am starting to see).

John,

That sample has an attached bulk_inquiry_317141.doc not a PDF.
Re: Persistent phishing attacks with word/pdf macros
On Mon, 3 Oct 2016 12:02:15 -0700 (PDT) John Hardin wrote:
> We need a PDF plugin that will extract text and URLs from PDF
> attachments so that they can be scanned as if they were body text.

We've written something for extracting URLs. I can't release the code, unfortunately, but you can look at "podofopdfinfo" and use that to extract URLs. libpodofo-utils ships with Debian.

Regards,

Dianne.
Re: Persistent phishing attacks with word/pdf macros
On Mon, 3 Oct 2016, Axb wrote:
> On 10/03/2016 07:46 PM, Alex wrote:
>> Hi,
>>
>> These are a real concern. If you receive any kind of real mail volume,
>> you're receiving these too, and they're not always being caught by
>> RBLs or virus scanners. Or even our well-trained bayes.
>>
>> http://pastebin.com/YhLBqpKm
>>
>> I used to have some rules that would reliably block them, but they're
>> not performing well now at all.
>>
>> I'm posting this in hopes someone has some other ideas, as well as to
>> raise awareness about their existence.
>>
>> Ideas greatly appreciated.
>
> SA isn't the right tool to detect virus infected attachments

Agreed, but *phishing* PDFs are appropriate to detect, as are 419 scam PDFs (which I am starting to see).

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org                    FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The philosophy of gun control: Teenagers are roaring through town at 90MPH, where the speed limit is 25. Your solution is to lower the speed limit to 20. -- Sam Cohen
---
286 days since the first successful real return to launch site (SpaceX)
Re: Persistent phishing attacks with word/pdf macros
On Mon, 3 Oct 2016, Alex wrote:
> Hi,
>
> These are a real concern. If you receive any kind of real mail volume,
> you're receiving these too, and they're not always being caught by
> RBLs or virus scanners. Or even our well-trained bayes.
>
> http://pastebin.com/YhLBqpKm
>
> I used to have some rules that would reliably block them, but they're
> not performing well now at all.
>
> I'm posting this in hopes someone has some other ideas, as well as to
> raise awareness about their existence.
>
> Ideas greatly appreciated.

We need a PDF plugin that will extract text and URLs from PDF attachments so that they can be scanned as if they were body text.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org                    FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The philosophy of gun control: Teenagers are roaring through town at 90MPH, where the speed limit is 25. Your solution is to lower the speed limit to 20. -- Sam Cohen
---
286 days since the first successful real return to launch site (SpaceX)
Re: Persistent phishing attacks with word/pdf macros
On 10/03/2016 07:46 PM, Alex wrote:
> Hi,
>
> These are a real concern. If you receive any kind of real mail volume,
> you're receiving these too, and they're not always being caught by
> RBLs or virus scanners. Or even our well-trained bayes.
>
> http://pastebin.com/YhLBqpKm
>
> I used to have some rules that would reliably block them, but they're
> not performing well now at all.
>
> I'm posting this in hopes someone has some other ideas, as well as to
> raise awareness about their existence.
>
> Ideas greatly appreciated.

SA isn't the right tool to detect virus infected attachments

This is an "offtopic" suggestion.

disassemble the macro, write a HEX or YARA sig for ClamAV.
(not very hard)
For help with that, ask the ClamAV list.