Password Protected "RTF" Files Slipping Through


Password Protected "RTF" Files Slipping Through

K Post
I've seen a bunch of supposedly encrypted RTF files slip through today.
The message body is typical spam, telling the user to open the important
file, but the message also tells the user the password for the file.  I think
these are created using Office's password protection feature and either
renamed as RTF or saved as such (I didn't think you could do that).


Any chance that AFC can block these?

I didn't dare open a sample in Word, but I did inspect the file and see
this block towards the bottom:

<dataIntegrity
  encryptedHmacKey="fgNjkbaoZe/R57CgZGuXNbVgkS3W+hN9AIn8Bfxo6qMRtjYe1YaOVCuJPrvlv09jssa4FPC9ibrjP3TcVaUhpg=="
  encryptedHmacValue="KS8iQw1IXtV29p1ZMEMhndzwFlUlnJ2dBKXJJHAS6OTssbkEGDzX7AMxUQwF4iehdDUWexzwfweMJ/vs8uPqZA=="/>
<keyEncryptors>
  <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
    <p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64"
      cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
      hashAlgorithm="SHA512" saltValue="1bTPB9+6jWsKar2JVCGrzQ=="
      encryptedVerifierHashInput="iY92nwFxE0RqpxsqOTDjsQ=="
      encryptedVerifierHashValue="VNnSx7QjFX7l8p+AlGK9mtNS0kWr72+s1qVz4IxPIphhAxyntu6QK8tQR+y7ACnZZtCg+rrKv663ZWtA4fp6iA=="
      encryptedKeyValue="cogHjHRCuBxn2wDeVN7z2jbiCX+XknXtEH8ZmjCaG90="/>
  </keyEncryptor>
</keyEncryptors>
</encryption>

VirusTotal has zero hits on the samples that I submitted, but if they're
encrypted, that explains why...

I just want to block ANY incoming encrypted document, including Office
documents.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: Password Protected "RTF" Files Slipping Through

K Post
We're getting slammed with these now.  All of the files have
<keyEncryptors><keyEncryptor
uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in
them.  Can we block based on the content of a file?

I'm guessing this is a new Locky, but now encrypted so scanners don't catch
them.



Re: Password Protected "RTF" Files Slipping Through

Colin
Can you stick it in bombRe for now to deal with it?


Re: Password Protected "RTF" Files Slipping Through

K Post
That's what I'm going to do, but I don't know if BombRe mime decodes
attachments and scans inside of them.

FYI, this seems like a pretty bad outbreak.  Colleagues at other
organizations (some really big ones too) are seeing this on their mail
systems this morning too.


Re: Password Protected "RTF" Files Slipping Through

Doug Lytle
>>> On Oct 18, 2016, at 11:12 AM, K Post [hidden email] wrote:

>>> organizations (some really big ones too) are seeing this on their mail
>>> systems this morning too.

I took the hammer approach and temporarily put it in the blocked attachment list.

Doug


Re: Password Protected "RTF" Files Slipping Through

GrayHat
In reply to this post by K Post
:: On Tue, 18 Oct 2016 10:27:10 -0400
:: <[hidden email]>
:: K Post <[hidden email]> wrote:

> VirusTotal has zero hits on the samples that I submitted, but if
> they're encrypted, that explains why...

I suppose that, since you're talking (ok, writing) about AFC, you're
running ClamAV; now... are you using the extra signatures available
from SaneSecurity? I'm referring to

http://sanesecurity.com/usage/signatures/

To use them you'll need to schedule one of the update scripts available
on Steve's (SaneSecurity) site, depending on your OS, to ensure your
ClamAV will also use the updated "extra" signatures; then, in case the AV
doesn't catch the critters, you may submit samples to Steve and he'll
add signatures on the fly so that you'll have them available in a
really short time :)



Re: Password Protected "RTF" Files Slipping Through

K Post
In reply to this post by Doug Lytle
Doug,

So you're seeing this too!  Did it just start this morning?

I thought of blocking RTF altogether, but the problem is that we have a
couple of antiquated partner organizations who regularly send us legitimate
RTF files.  I don't think that BombRe is doing anything, and the bodies of the
messages aren't all that spammy - and vary quite a bit.


Re: Password Protected "RTF" Files Slipping Through

Doug Lytle
>>> On Oct 18, 2016, at 11:20 AM, K Post [hidden email] wrote:
>>> Doug,
>>> So you're seeing this too!  Did it just start this morning?

Yes and that it did.

Doug


Re: Password Protected "RTF" Files Slipping Through

GrayHat
In reply to this post by GrayHat
:: On Tue, 18 Oct 2016 17:19:55 +0200
:: <[hidden email]>
:: Grayhat <[hidden email]> wrote:


Forgot; since I'm at it, Thomas, if you're reading this, please have a
look at the script found here

http://sanesecurity.com/statistics/

I think it may be "added" to ASSP to generate AV stats ;-)


Re: Password Protected "RTF" Files Slipping Through

K Post
In reply to this post by GrayHat
We are using up to date clamav sigs.  The problem is that these files are
encrypted so they're not being detected.


Re: Password Protected "RTF" Files Slipping Through

Robert K Coffman Jr. -Info From Data Corp.
Ok, thanks to Doug and Ken for sending me a sample.

This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS")
and then connects to server(s) to download additional Malware, if the
user opens it, enters the password (and has a version of Word that
recognizes it) and then enables macros.  I'd like to think that series
of events is unlikely, but I know better.

Some IPs I saw this system connected to on my firewall.  Some of these
may be legit and not malware related (this is a re-imaged system and
Office was trying to activate.)


I haven't seen this thing hitting my mail server yet.


- Bob



Re: Password Protected "RTF" Files Slipping Through

K Post
Thanks Bob for this research.  We should be safe, even if a user opened it
here, but yeah, it's possible that we wouldn't be....

So the question remains, can we get AFC modified to reject
encrypted/password protected Office documents - or RTF office files -
altogether?  The reasoning is the same as rejecting encrypted zip files.



Re: Password Protected "RTF" Files Slipping Through

GrayHat
In reply to this post by K Post
:: On Tue, 18 Oct 2016 11:29:44 -0400
:: <[hidden email]>
:: K Post <[hidden email]> wrote:

> > I suppose that, since you're talking (ok, writing) about AFC, you're
> > running ClamAV; now... are you using the extra signatures available
> > from SaneSecurity ? I'm referring to
> >
> > http://sanesecurity.com/usage/signatures/

> We are using up to date clamav sigs.  The problem is that these files
> are encrypted so they're not being detected.

Ok for the sigs being up-to-date; but my point was about the "extra"
signatures offered by SaneSecurity, not the regular ones; I found that
the regular signatures are often "behind" while the ones offered by
SaneSecurity are faster to catch-up, so my suggestion was to add those
signatures to your ClamAV scanner to help improve its efficiency; I've
been using a number of signatures from SaneSecurity along with the
regular clamav signatures and I found them to be quite effective at
blocking "junk" (spam, malware and so on) that's why I'm suggesting to
give them a spin


Re: Password Protected "RTF" Files Slipping Through

GrayHat
:: On Wed, 19 Oct 2016 09:14:44 +0200
:: <[hidden email]>
:: Grayhat <[hidden email]> wrote:


Just in case, here's the list of additional signatures I'm using;
notice that it's important to always include the first two since they
allow you to quickly fix false-positive issues (if any, by the way) and to
improve the scanner's performance.

rsync://rsync.sanesecurity.net/sanesecurity/sanesecurity.ftm
rsync://rsync.sanesecurity.net/sanesecurity/sigwhitelist.ign2
rsync://rsync.sanesecurity.net/sanesecurity/junk.ndb
rsync://rsync.sanesecurity.net/sanesecurity/jurlbla.ndb
rsync://rsync.sanesecurity.net/sanesecurity/lott.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phish.ndb
rsync://rsync.sanesecurity.net/sanesecurity/rogue.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scam.ndb
rsync://rsync.sanesecurity.net/sanesecurity/spam.ldb
rsync://rsync.sanesecurity.net/sanesecurity/spamimg.hdb
rsync://rsync.sanesecurity.net/sanesecurity/spamattach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/blurl.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_cracked_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_phishing_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_attach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scamnailer.ndb
rsync://rsync.sanesecurity.net/sanesecurity/crdfam.clamav.hdb
rsync://rsync.sanesecurity.net/sanesecurity/porcupine.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phishtank.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware_links.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_phish_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.complex.patterns.ldb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_spam_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.attachments.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_extended_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_bad_cw.hdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_generic.cdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_filename.cdb
rsync://rsync.sanesecurity.net/sanesecurity/malwarehash.cdb

HTH



Re: Password Protected "RTF" Files Slipping Through

Thomas Eckardt/eck
In reply to this post by K Post
>So the question remains, can we get AFC modified to reject
>encrypted/password protected Office documents - or RTF office files -
>altogether?  The reasoning is the same as rejecting encrypted zip files.

1. You'll need a sponsor.

2. Even if regular Office documents are encrypted, assp/afc will detect
macros in there, so it is still safe to let encrypted Office documents
without macros pass.

3. I'm unable to create RTF files with macros (tried Office 2003, XP,
2013) - macros are removed.

4. I'm unable to password protect RTF files (tried Office 2003, XP, 2013)
- the password is removed.

3. and 4. may be possible using other software. It would be nice to have
such RTF files.

Thomas

Re: Password Protected "RTF" Files Slipping Through

Robert K Coffman Jr. -Info From Data Corp.
> 4. I'm unable to password protect RTF files  (tried office 2003, XP, 2013)
> - password is removed

I suspect the .RTF file is simply a renamed .docx.  Word opens and
recognizes the format and doesn't acknowledge the mismatched extension.

- Bob


Re: Password Protected "RTF" Files Slipping Through

GrayHat
In reply to this post by Thomas Eckardt/eck
:: On Wed, 19 Oct 2016 13:31:55 +0200
:: <[hidden email]>
:: Thomas Eckardt <[hidden email]> wrote:

> 4. I'm unable to password protect RTF files  (tried office 2003, XP,
> 2013) - password is removed

I suspect it isn't a real RTF file but a passworded zip with a modified
extension; basically whoever builds such kind of trash creates a
script, adds it to a passworded "zip" and renames it to "rtf"




Re: Password Protected "RTF" Files Slipping Through

Thomas Eckardt/eck
Hmm - OK - and where is the problem?

- has AFC not detected doc(xm)?
- has AFC not detected MS macros?

Thomas




From:    Grayhat <[hidden email]>
To:      [hidden email]
Date:    19.10.2016 14:46
Subject: Re: [Assp-test] Password Protected "RTF" Files Slipping Through










Re: Password Protected "RTF" Files Slipping Through

K Post
In reply to this post by GrayHat
Grayhat:  I do have the extra Sane sigs going.  No help with these, though
we haven't seen any hit after adding bombre based on the body.

I've looked at these, they're not passworded zip files, they're Word
documents.  The rtf extension opens in Word.  Don't know the malicious
point of not just calling it a docx.

Whatever the case, I really think we need the option to block passworded
office documents. This problem isn't going away...

On Wed, Oct 19, 2016 at 8:44 AM, Grayhat <[hidden email]> wrote:

> On Wed, 19 Oct 2016 13:31:55 +0200, Thomas Eckardt <[hidden email]> wrote:
>
> > 4. I'm unable to password protect RTF files  (tried office 2003, XP,
> > 2013) - password is removed
>
> I suspect it isn't a real RTF file but a passworded zip with a modified
> extension; basically whoever builds such kind of trash creates a
> script, adds it to a passworded "zip" and renames it to "rtf"


Re: Password Protected "RTF" Files Slipping Through

Thomas Eckardt/eck
>we haven't seen any hit after adding bombre based on the body.

You can't get hits with bombre on attachments (except text-based and PDF
with OCR).

>The rtf extension opens in Word

This is caused by a Windows setting in HKR: RTF => WORD.EXE

>Don't know the malicious point of not just calling it a docx.

If an application blocks by file name extension (doc,docx,docm .....), it
will not hit.

>I really think we need the option to block passworded office documents

No, there is not really a need to do this. ASSP_AFC will detect Office
macros also in password-protected documents.
But if you want, have a look into the thread 'custom extension to
ASSP_AFC'

Thomas



From:    K Post <[hidden email]>
To:      ASSP development mailing list <[hidden email]>
Date:    20.10.2016 02:33
Subject: Re: [Assp-test] Password Protected "RTF" Files Slipping Through







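The posts above offer three readings of what the ".rtf" attachment really is (Bob: a renamed .docx; Grayhat: a passworded zip; K Post: a password-protected Word document), and Thomas makes the point that a filter keyed on the file name extension will never hit any of them. The script below is an added example for this thread, not code from ASSP or ASSP_AFC: it decides what an attachment is from its bytes only (RTF magic, ZIP local-header magic plus the central-directory encryption flag, OLE2/CFB magic plus the UTF-16LE EncryptionInfo/EncryptedPackage stream names that an encrypted OOXML container carries) and then compares that with the claimed extension. The function names (classify, verdict), the EXPECTED_KIND table and all sample blobs are assumptions made here; the "encrypted" samples are constructed stubs (a CFB header followed by a fake directory sector, and a stored zip whose entry is merely flagged encrypted), not real encrypted files.

```python
"""Sniff what an e-mail attachment really is, ignoring its file name.

Added example for this thread; not part of ASSP or ASSP_AFC. Standard library
only. Every sample at the bottom is constructed here for demonstration.
"""
import io
import struct
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / Compound File Binary
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header
RTF_MAGIC = b"{\\rtf"                             # every RTF starts with {\rtf
# Stream names in a CFB directory are stored as UTF-16LE; an encrypted OOXML
# document is a CFB wrapper holding these two streams.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")

# Hypothetical policy table: which sniffed kinds an extension may legitimately carry.
EXPECTED_KIND = {"rtf": {"rtf"}, "docx": {"ooxml"}, "docm": {"ooxml-macro"},
                 "doc": {"ole2"}, "zip": {"zip"}}


def _zip_entries(data):
    """Entry names and 'any entry flagged encrypted', read from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # General purpose bit 0 = entry is encrypted (ZipCrypto, or AES with the marker set).
    return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)


def classify(data):
    """Return a content kind derived from the bytes, never from the extension."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(CFB_MAGIC):
        # Plain .doc/.xls are OLE2 without the encryption streams.
        if ENCRYPTION_INFO in data or ENCRYPTED_PACKAGE in data:
            return "office-encrypted"
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            names, encrypted = _zip_entries(data)
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if encrypted:
            return "zip-encrypted"
        if "[Content_Types].xml" in names:
            # OOXML package; VBA macros live in a vbaProject.bin part.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            return "ooxml"
        return "zip"
    return "unknown"


def verdict(filename, data):
    """Block on content: unscannable encrypted containers and macro-bearing
    packages outright, and any sniffed kind that contradicts the extension."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("office-encrypted", "zip-encrypted"):
        return "block", f"{kind}: content cannot be scanned"
    if kind == "ooxml-macro":
        return "block", "ooxml package carries vbaProject.bin"
    if ext in EXPECTED_KIND and kind not in EXPECTED_KIND[ext]:
        return "block", f"extension .{ext} but content is {kind}"
    return "allow", kind


# --- constructed samples -------------------------------------------------
def _ooxml(extra=()):
    """Minimal OOXML-shaped zip, optionally with extra parts (e.g. a macro part)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name in extra:
            zf.writestr(name, b"\x00")
    return buf.getvalue()


def _encrypted_zip_stub(name="invoice.js", payload=b"xx"):
    """Stored zip whose single entry is *flagged* encrypted (bit 0 set in the
    local header at offset 6 and in the central directory entry at offset 8).
    Marker only; there is no real ZipCrypto data behind it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    blob = bytearray(buf.getvalue())
    cd_off = struct.unpack_from("<I", blob, len(blob) - 22 + 16)[0]  # EOCD: CD offset
    struct.pack_into("<H", blob, 6, 1)
    struct.pack_into("<H", blob, cd_off + 8, 1)
    return bytes(blob)


def _encrypted_office_stub():
    """CFB magic, a zero-padded header sector, then a fake directory sector
    naming the two streams. Not a valid compound file, just enough to sniff."""
    return CFB_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO + b"\x00" * 32 + ENCRYPTED_PACKAGE


SAMPLES = {
    "real.rtf": b"{\\rtf1\\ansi Hello}",
    "renamed.rtf": _ooxml(),
    "macro.rtf": _ooxml(["word/vbaProject.bin"]),
    "protected.rtf": _encrypted_office_stub(),
    "archive.rtf": _encrypted_zip_stub(),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:15} -> {verdict(fname, blob)}")
```

The CFB check is deliberately a byte search rather than a full compound-file parse: it is cheap enough for a mail filter and catches the agile-encryption wrapper regardless of what the attachment is called, but it is a heuristic, so a real deployment would pair it with a proper OLE2 directory walk before trusting an "allow".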