updated ASSP_AFC Plugin

Thomas Eckardt/eck
Hi all,

I've just published ASSP_AFC.pm version 4.48 at SF-CVS.

This version contains an extension to detect embedded executable code in real PDF files, if 'exe-bin' files are not allowed in the assp configuration.

Currently detected are:

- JavaScript - most times this is required by the virus to open and run any other embedded code
- ms office macros
- exe and com files
- wsh files

This extension is hard coded. There is no way to make an exception to (e.g.) :PDF - like for :ELF, :CSC, :MSOM ...... - because such files are every time malicious!

Currently it seems, that another ransomware attack is starting in preparation for the weekend! Distributed are such real PDF files per email!
I don't think that there will be a stupid 'killswitch' in the new viruses to save the world.

I just saw that ClamAV (sanesecurity signatures) detected most of them - they all are classified as UNOFFICIAL !!!!.

Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: updated ASSP_AFC Plugin

K Post
Thanks for this!!!


Re: updated ASSP_AFC Plugin

K Post
I tested with this new plugin installed and exe-bin blocking.  This plugin now blocks all pdf's that have javascript embedded right?  That's not what I experienced.

I created a simple pdf with a button.  That button's action was to run javascript to print the document.  I emailed it to myself from gmail.  It was received, not blocked.

Am I missing something?  


Re: updated ASSP_AFC Plugin

K Post
Here's a sample PDF with javascript that runs at startup (populates a field with the current date).


Re: updated ASSP_AFC Plugin

Thomas Eckardt/eck
ASSP_AFC 4.48 was too weak.
ASSP_AFC 4.49 is possibly too strict, but very safe - it allows the ':PDF' switch to be used.

I'm just looking for a way to prevent false positives.

Thomas


Re: updated ASSP_AFC Plugin

Thomas Eckardt/eck
published ASSP_AFC 4.50

example results from the analyzer:

 URIBL check: 'OK'
 SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
 attachment Invoice 07853327 05/17/2017.PDF is an executable
 Not a Valid Format of HELO: '[42.113.108.55]'

the following additional exception switches are implemented:

 :PDF - Adobe PDF file with embedded executable code or Microsoft Office macro files, JavaScript and bad URIs (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate-signed Adobe PDF file
 :JSPDF - Adobe PDF file with JavaScript inside - notice: well-known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - Adobe PDF file with URIs to download executables from the web or to open local files

Thomas


Re: updated ASSP_AFC Plugin

K Post
Thank you Thomas.  Question, you wrote:

the following additional exception switches are implemented:

 :PDF - Adobe PDF file with embedded executable code or Microsoft Office macro files, JavaScript and bad URIs (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate-signed Adobe PDF file
 :JSPDF - Adobe PDF file with JavaScript inside - notice: well-known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - Adobe PDF file with URIs to download executables from the web or to open local files


I'm slightly confused by your red text though. I take anything you suggest very seriously, especially so if it's in red. There seems to be a bit of a double negative in your above comments.

If we just use exe-bin as a level 1 block, that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right? If we do exe-bin|:PDF that will block exe's but NOT those that are PDF files with embedded executable code or Microsoft Office macro files, JavaScript and bad URIs right? That seems to remove all of this new PDF blocking functionality or am I off base? Then you said in red that this is not recommended. I can't tell if you mean you recommend that we not use the :PDF exception (so don't do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best avoid false positives.

Also, there can be MS office macros in a PDF??  And what kind of executable content is there in a PDF besides javascript?    Based on your description, clearly that's the case - and I'd think I would want to block them, but I can't figure out how to do that if you (might be) recommending that we do exe-bin|:PDF.

I'm clearly confused....

Thanks so much - this should make a big difference!

Ken
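An added example, not code from ASSP_AFC or from anyone in this thread: a small Python scanner for the content classes Thomas's switch list and Ken's question name (JavaScript, auto-run actions, embedded executables or macro documents, URIs to executables, Launch actions). It inflates FlateDecode streams and folds #xx name escapes first, so a key hidden in a compressed object stream or spelled `/J#53` is still seen by the same patterns. The function names, the extension list, the mapping onto the switch names and all sample PDFs are assumptions and constructed test data.

```python
import re
import zlib

# Extensions treated as executable content: the exe/com/wsh classes the
# thread names plus macro-enabled Office documents. Assumed list, not the
# plugin's own.
EXEC_EXT = re.compile(
    rb"\.(?:exe|com|wsf|wsh|vbs|js|bat|cmd|scr|docm|xlsm|pptm|dotm)\b", re.I)


def _name(tok: bytes):
    # Match a PDF name token exactly ('/JS' but not '/JSX'); the delimiters
    # that end a name are whitespace and ( ) < > [ ] { } / %.
    return re.compile(rb"/" + tok + rb"(?=[\s()<>\[\]{}/%]|$)")


NAME_JS = _name(rb"(?:JS|JavaScript)")
NAME_AUTORUN = _name(rb"(?:OpenAction|AA)")      # fires without a click
NAME_LAUNCH = _name(rb"Launch")                  # opens a local file/program
NAME_EMBED = _name(rb"(?:EmbeddedFile|Filespec)")
URI_STR = re.compile(rb"/URI\s*\(([^)]*)\)", re.S)     # /URI (target)
FILE_STR = re.compile(rb"/U?F\s*\(([^)]*)\)", re.S)    # /F (name) or /UF (name)


def _unescape_names(data: bytes) -> bytes:
    # '/J#53' is a legal spelling of '/JS'; fold the #xx escapes so the name
    # patterns above see the plain token.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    # Append the inflated body of every FlateDecode stream, so dictionaries
    # kept inside compressed object streams are scanned like plain ones.
    # Streams that are not Flate (page text, images) simply fail to inflate.
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        raw = m.group(1)
        for candidate in (raw, raw.rstrip(b"\r\n")):
            try:
                parts.append(zlib.decompress(candidate))
                break
            except zlib.error:
                continue
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Flag the content classes found in one attachment (all False if the
    data is not a PDF at all)."""
    result = {"is_pdf": data.startswith(b"%PDF-"), "javascript": False,
              "autorun_javascript": False, "launch": False,
              "embedded_executable": False, "executable_uri": False}
    if not result["is_pdf"]:
        return result
    body = _unescape_names(_inflate_streams(data))
    result["javascript"] = bool(NAME_JS.search(body))
    # JavaScript wired to /OpenAction or an additional-actions (/AA) entry
    # runs when the file is opened, like the date-filling sample in the thread.
    result["autorun_javascript"] = (result["javascript"]
                                    and bool(NAME_AUTORUN.search(body)))
    result["launch"] = bool(NAME_LAUNCH.search(body))
    result["embedded_executable"] = (bool(NAME_EMBED.search(body)) and any(
        EXEC_EXT.search(f) for f in FILE_STR.findall(body)))
    result["executable_uri"] = any(
        EXEC_EXT.search(u) for u in URI_STR.findall(body))
    return result


def classify(result: dict) -> list:
    """Map the flags onto the 4.50 switch names as we read Thomas's list:
    ':PDF' covers every case, ':JSPDF' the JavaScript cases, ':URIPDF' URIs
    to executables and Launch actions. Assumed mapping, not the plugin's."""
    if not any(v for k, v in result.items() if k != "is_pdf"):
        return []
    cats = ["PDF"]
    if result["javascript"]:
        cats.append("JSPDF")
    if result["launch"] or result["executable_uri"]:
        cats.append("URIPDF")
    return cats


# Constructed samples (not real malware, not the file from the thread).
# 1: document-level JavaScript that runs on open and fills a date field.
STARTUP_JS = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
    b"/JS (this.getField('date').value = util.printd('mm/dd/yyyy', new Date());) >> "
    b">> endobj\n%%EOF\n")
# 2: JavaScript inside a FlateDecode stream, with #xx-escaped names.
HIDDEN_JS = (
    b"%PDF-1.5\n3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /Java#53cript /J#53 (app.alert('hello');) >>")
    + b"\nendstream\nendobj\n%%EOF\n")
# 3: a link annotation pointing at a Windows executable.
EXE_LINK = (
    b"%PDF-1.4\n5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://downloads.example.invalid/setup.exe) >> >> endobj\n%%EOF\n")
# 4: a plain text page with nothing active.
PLAIN = (
    b"%PDF-1.4\n4 0 obj << /Length 41 >>\nstream\n"
    b"BT /F1 12 Tf (Invoice text, no scripts) Tj ET\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("startup-js", STARTUP_JS), ("hidden-js", HIDDEN_JS),
                       ("exe-link", EXE_LINK), ("plain", PLAIN)):
        print(label, classify(scan_pdf(pdf)))
```

A scanner like this only reads the structure; it cannot tell a benign print button from a dropper, which is the false-positive trade-off the :PDF and :JSPDF switches exist for.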

Re: updated ASSP_AFC Plugin

K Post
Another question: does that dinky PDF with the embedded javascript that I sent you show up as caught in your analyze report?  When I send it, even with 1.50 installed, it comes through, despite having exe-bin blocking enabled.  

On Sat, May 20, 2017 at 6:59 PM, K Post <[hidden email]> wrote:
Thank you Thomas.  Question, you wrote:

the following additionally exception switches are implemented: 

 :PDF - adobe PDF file with embedded executable code or microsoft office macros files, JavaScript and bad URIs (NOT recommended to be used, false positives are expected) 
 :CERTPDF - certificate signed adobe PDF file 
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known malicious JavaScript combinations will be blocked, even this option is defined 
 :URIPDF - adobe PDF file with URIs to download exeutables from the web or to open local files


 
I'm slightly confused by your red text though..  I take anything you suggest very seriously, especially so if it's in red.  There seems to be a bit of a double negative in your above comments.  

If we just use exe-bin as a level 1 block, that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?  If we do exe-bin|:PDF that will block exe's but NOT those that are PDF files with embedded executable code or microsoft office macros files, JavaScript and bad URIs right?  That seems to remove all of this new PDF blocking functionality or am I off base?  Then you said in red that this is not recommended.  I can't tell if you mean you recommend that we not use the :PDF exception (so don't so exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best avoid false positives.  

Also, there can be MS office macros in a PDF??  And what kind of executable content is there in a PDF besides javascript?    Based on your description, clearly that's the case - and I'd think I would want to block them, but I can't figure out how to do that if you (might be) recommending that we do exe-bin|:PDF.

I'm clearly confused....

Thanks so much - this should make a big difference!

Ken



On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <[hidden email]> wrote:
published ASSP_AFC 4.50

example results from the analyzer:

 URIBL check: 'OK'
• † • SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'

• attachment Invoice 07853327 05/17/2017.PDF is an executable 

 Not a Valid Format of HELO: '[42.113.108.55]'

the following additionally exception switches are implemented:

 :PDF - adobe PDF file with embedded executable code or microsoft office macros files, JavaScript and bad URIs (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate signed adobe PDF file
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known malicious JavaScript combinations will be blocked, even this option is defined
 :URIPDF - adobe PDF file with URIs to download exeutables from the web or to open local files

Thomas


Von:        Thomas Eckardt <[hidden email]>
An:        ASSP development mailing list <[hidden email]>
Datum:        20.05.2017 07:17
Betreff:        Re: [Assp-test] updated ASSP_AFC Plugin




ASSP_AFC 4.48 was too weak
ASSP_AFC 4.49 is possibly too strict, but very safe - it allows to use the ':PDF' switch


I'm just looking for a way to prevent false positives.


Thomas





Von:        
K Post <[hidden email]>
An:        
ASSP development mailing list <[hidden email]>
Datum:        
19.05.2017 16:28
Betreff:        
Re: [Assp-test] updated ASSP_AFC Plugin




Here's a sample PDF with javascript that runs at startup (populates a field with the current date).

On Fri, May 19, 2017 at 10:16 AM, K Post <
[hidden email]> wrote:
I tested with this new plugin installed and exe-bin blocking.  This plugin now blocks all pdf's that have javascript embedded right?  That's not what I experienced.

I created a simple pdf with a button.  That button's action was to run javascript to print the document.  I emailed it to myself from gmail.  It was received, not blocked.

Am I missing something?  

On Fri, May 19, 2017 at 9:48 AM, K Post <
[hidden email]> wrote:
Thanks for this!!!

On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <
[hidden email]> wrote:
Hi all,


I've just published ASSP_AFC.pm version 4.48 at SF-CVS.


This version contains an extension to detect embedded executable code in real PDF files, if 'exe-bin' files are not allowed in the assp configuration.


Currently detected are:


- java script - most times this is required by the virus to open and run any other embedded code

- ms office macros

- exe and com files

- wsh files


This extension is hard coded. There is no way to make an exception to (e.g)  :PDF  -  like for :ELF, :CSC  :MSOM ......  - because such files are every time malicious!


Currently it seems, that another ransomware attack is starting in preparation for the weekend! Distributed are such real PDF files per email!

I don't think that there will be a stupid 'killswitch' in the new viruses to save the world.


I just saw that ClamAV (sanesecurity signatures) detected most of them - they all are classified as UNOFFICIAL !!!!.


Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!
http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list

[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test




Re: updated ASSP_AFC Plugin

Thomas Eckardt/eck
In reply to this post by K Post
I did not get any attachment from you.

>that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?

right

:PDF switches all executable checks off for PDF files - it is NOT recommended to do this - because it will block any (possibly also regular) JavaScript defined using '/S/JavaScript/JS'

>There seems to be a bit of a double negative in your above comments.

yes - exe-bin is recommended - :PDF to exclude (1. not)  pdf scans - this is not (2. not) recommended
simple boolean operations should not be a problem for an IT prof :)

:PDF is a backward comp. switch - "use the old behavior"

>that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?

A stream object can be anything in a PDF. The adobe suites do not support creating other executable objects. But it is possible to do this. Hackers will never use an adobe product to create a virus in a PDF!

The nice ransomware is doing the following, for example:

1 2 obj
stream <.... binary docm anyhow encoded and encrypted ...>
endobj
....
10 11 obj
/Type/Filespec/test.docm .....
endobj
....
3 4 obj
/EmbeddedFile/test.docm/ ......<</JavaScript. ..../OpenAction .. load the docm in the JavaScript
endobj

If you use an outdated pdf reader, the reader will call/do an OLE to ms-word at the PDF-Open request - DONE- buy some bitcoins or restore!

A stream object <....> can be stored binary, hex encoded or octal - example hex:

<41424344454647>
which is 'ABCDEFG' - but adobe allows and ignores all whitespace included in this encoding. The following would be the same for the reader
<41    4243  44                           45 46                       47                          >

if more than 256 whitespace characters are added, no antivirus will ever catch it.

Because assp does not need to read or process the attachment as a PDF reader does (in ASSP_AFC), it decodes all streams to binary and removes all whitespace (of any length) - even though the binary result will not be 100% correct.
As far as I know, no antivirus ever decodes a PDF.

The combination docm and OLE and JavaScript - this is relatively easy to find. But it is also possible to define an encrypted and encoded black/white (0/1) bitmap (picture), but instead to put executable code in it and to run this code as an open action.
Encryption is also used in PDF to prevent printing a document - so there is no password required to encrypt data in a PDF.
I'm waiting for the first of those PDF files. The technology is known, but currently not used. However, JavaScript will be required to implement those viruses. We have a weapon - ASSP_AFC!


ASSP_AFC tries to ignore innocent JavaScript. For example, JavaScript used in a form field definition for verification.
The structure(s) that must be used to do malicious things in a PDF are known. ASSP_AFC is looking for those structures. For example: embedding any other executable code or using a URI to download it.
PDFs are commonly used and seen as a very secure way to provide information. And for 99% or even more, this is true. Doing anything too strict will lead to a large amount of false positives, and BIG complaints will go to the IT dep.

The real problem is that the adobe reader has JavaScript execution enabled per default - blame on them. I recommend to disable JavaScript in all pdf readers. If a PDF contains JavaScript, the reader will warn the user that the form will not work unless it is enabled. But at this point, the user sees the PDF and knows where it comes from and if it is safe to allow JavaScript for this document.


So, this PDF scan in ASSP_AFC is somehow different from the other executable scans. NOT: "look in to, find and block" - MORE: "look in to, be smart, find malicious content and block".
To test this extension, you need to try to do malicious things. Everything created with the adobe products should pass this check.

I'm currently not sure if the ':CertPDF' switch is a nice one. It assumes that an attacker will not sign the virus PDF. But if a PDF is signed, no action will be taken by the PDF reader until the certificate is verified.

Thomas
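
Below is an added example (my own illustration, not ASSP_AFC's code and not part of the thread) of the two points made in the post above: a scanner has to decode PDF hex strings the way a reader does, dropping any amount of whitespace, and it should look for the structural combination of an open action, JavaScript and an embedded file or executable file name rather than for JavaScript alone. The two PDF fragments are constructed for this example and are not complete, valid PDFs; the name patterns and the block/allow rule are my own approximation of the checks described in the thread, not ASSP_AFC's actual logic.

```python
"""Toy pre-scanner for the PDF tricks described in the thread: whitespace-
tolerant hex-string decoding, then a structural check for the
'auto-action + JavaScript + embedded payload' combination.
Constructed example; not ASSP_AFC's code."""
import re

# PDF whitespace (NUL, TAB, LF, FF, CR, SPACE); a reader ignores all of it
# inside a hex string, so a scanner must do the same before matching.
PDF_WS = b"\x00\t\n\x0c\r "
HEX_STRING = re.compile(rb"<(?!<)([0-9A-Fa-f\x00\t\n\x0c\r ]*)>")

# Name objects that make up the combination described in the thread
# (approximation for this example, not ASSP_AFC's pattern set).
NAME_JS = re.compile(rb"/(JavaScript|JS)\b")
NAME_AUTO = re.compile(rb"/(OpenAction|AA)\b")
NAME_EMBED = re.compile(rb"/(EmbeddedFiles?|Launch)\b")
EXEC_EXT = re.compile(rb"\.(docm|dotm|xlsm|pptm|exe|com|scr|js|wsf|vbs)\b", re.I)


def decode_hex_string(raw: bytes) -> bytes:
    """Decode one PDF hex string '<...>', dropping any amount of whitespace.
    An odd trailing digit is padded with 0, as the PDF spec prescribes."""
    body = raw.strip()
    if not (body.startswith(b"<") and body.endswith(b">")):
        raise ValueError("not a hex string")
    digits = bytes(c for c in body[1:-1] if c not in PDF_WS)
    if not re.fullmatch(rb"[0-9A-Fa-f]*", digits):
        raise ValueError("invalid hex digit")
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def normalize(pdf: bytes) -> bytes:
    """Replace every hex string by its decoded bytes and collapse whitespace
    runs, so later pattern matching sees what the reader would see.
    The result is no longer a valid PDF; it is only meant for scanning."""
    decoded = HEX_STRING.sub(lambda m: decode_hex_string(m.group(0)), pdf)
    return re.sub(rb"[\x00\t\n\x0c\r ]+", b" ", decoded)


def assess(pdf: bytes) -> dict:
    """Return the findings and a verdict. Only the structural combination is
    blocked: something that runs on open, JavaScript to drive it, and an
    embedded file, launch action or executable file name to hand over to.
    JavaScript on its own (form scripts) is allowed."""
    text = normalize(pdf)
    findings = {
        "javascript": bool(NAME_JS.search(text)),
        "auto_action": bool(NAME_AUTO.search(text)),
        "embedded_or_launch": bool(NAME_EMBED.search(text)),
        "executable_names": sorted(
            {m.group(0).lower().decode() for m in EXEC_EXT.finditer(text)}),
    }
    payload = findings["embedded_or_launch"] or bool(findings["executable_names"])
    block = findings["javascript"] and findings["auto_action"] and payload
    findings["verdict"] = "block" if block else "allow"
    return findings


# Constructed samples. The file name in the first one is a hex string padded
# with 300 spaces, so a plain substring search on the raw bytes misses '.docm'.
HEX_DOCM = b"<74 65    73 74 2e" + b" " * 300 + b"64 6f 63 6d>"
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R /Names << /EmbeddedFiles 10 0 R >> >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"10 0 obj << /Type /Filespec /F " + HEX_DOCM + b" /EF << /F 11 0 R >> >> endobj\n"
    b"11 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nXXXX\nendstream endobj\n"
    b"%%EOF\n"
)
# A form whose open-action script only fills in today's date, like the sample
# discussed in the thread: JavaScript, but nothing to launch or embed.
BENIGN_FORM_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R /AcroForm << /Fields [4 0 R] >> >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (this.getField('date').value = util.printd('yyyy-mm-dd', new Date());) >> endobj\n"
    b"4 0 obj << /FT /Tx /T (date) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(decode_hex_string(b"<41    4243  44       45 46     47        >"))
    print(b".docm" in MALICIOUS_PDF, b".docm" in normalize(MALICIOUS_PDF))
    for label, doc in (("malicious", MALICIOUS_PDF), ("benign form", BENIGN_FORM_PDF)):
        print(label, assess(doc))
```

Run as a script, it prints the decoded 'ABCDEFG', shows that '.docm' is invisible in the raw bytes but present after normalization, and gives 'block' for the constructed embedded-docm document and 'allow' for the date-filling form, which is the behaviour the post describes for innocent form JavaScript. A real scanner would also have to inflate /FlateDecode streams and handle name escapes such as #4A before matching; those steps are left out here.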






Von:        K Post <[hidden email]>
An:        ASSP development mailing list <[hidden email]>
Datum:        21.05.2017 01:01
Betreff:        Re: [Assp-test] updated ASSP_AFC Plugin




Thank you Thomas.  Question, you wrote:

the following additional exception switches are implemented:

 :PDF - adobe PDF file with embedded executable code or microsoft office macros files, JavaScript and bad URIs (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate signed adobe PDF file
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - adobe PDF file with URIs to download executables from the web or to open local files


 
I'm slightly confused by your red text though..  I take anything you suggest very seriously, especially so if it's in red.  There seems to be a bit of a double negative in your above comments.  

If we just use exe-bin as a level 1 block, that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?  If we do exe-bin|:PDF that will block exe's but NOT those that are PDF files with embedded executable code or microsoft office macros files, JavaScript and bad URIs right?  That seems to remove all of this new PDF blocking functionality or am I off base?  Then you said in red that this is not recommended.  I can't tell if you mean you recommend that we not use the :PDF exception (so don't do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best avoid false positives.

that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?   Based on your description, clearly that's the case - and I'd think I would want to block them, but I can't figure out how to do that if you (might be) recommending that we do exe-bin|:PDF.

I'm clearly confused....

Thanks so much - this should make a big difference!

Ken



On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <Thomas.Eckardt@...> wrote:
published ASSP_AFC 4.50

example results from the analyzer:


 URIBL check: 'OK'
• † • SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'

• attachment Invoice 07853327 05/17/2017.PDF is an executable 

 Not a Valid Format of HELO: '[42.113.108.55]'

the following additional exception switches are implemented:

 :PDF - adobe PDF file with embedded executable code or microsoft office macros files, JavaScript and bad URIs (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate signed adobe PDF file
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - adobe PDF file with URIs to download executables from the web or to open local files


Thomas




Re: updated ASSP_AFC Plugin

K Post
Thank you for that very detailed and informative additional explanation.  Clears things up nicely.
And that explains why my sample PDF with javascript is getting through: it just fills in a date into a field, nothing questionable.

I suggest making a change to the AFC plugin documentation in the GUI to state that:
1. javascript scanning is intelligent, attempting to allow non-malicious javascript through.
2. That using the :PDF exception is not recommended as this will disable all PDF executable scanning.  (leaving out the bit about false positives)

Of note: when I try to do an analyze with that sample PDF's message file (the PDF with the basic javascript that I sent you), ASSP crashes - completely - the service needs to be started again.  Win32.    I've never seen that happen before.  If I disable the AFC plugin, analyze works.




Re: updated ASSP_AFC Plugin

Thomas Eckardt/eck
>ASSP crashes - completely

This no longer happens using ASSP_AFC 4.51 (available at SF-CVS)

Thomas



Von:        K Post <[hidden email]>
An:        ASSP development mailing list <[hidden email]>
Datum:        21.05.2017 17:29
Betreff:        Re: [Assp-test] updated ASSP_AFC Plugin




Thank you for that very detailed and informative additional explanation.  Clears things up nicely.
And that explains why my sample PDF with javascript is getting through: it just fills in a date into a field, nothing questionable.

I suggest making a change to the AFC plugin documentation in the GUI to state that:
1. javascript scanning is intelligent, attempting to allow non-malicious javascript through.
2. That using the :PDF exception is not recommended as this will disable all PDF executable scanning.  (leaving out the bit about false positives)

Of note: when I try to do an analyze with that sample PDF's message file (the PDF with the basic javascript that I sent you), ASSP crashes - completely - the service needs to be started again.  Win32.    I've never seen that happen before.  If I disable the AFC plugin, analyze works.




On Sun, May 21, 2017 at 2:39 AM, Thomas Eckardt <Thomas.Eckardt@...> wrote:
I did not get any attachment from you.

> that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?

right


:PDF switches all executable checks off for PDF files - it is NOT recommended to do this - because it will block any (possibly also regular) JavaScript defined using '/S/JavaScript/JS'


> There seems to be a bit of a double negative in your above comments.

yes - exe-bin is recommended - :PDF to exclude (1. not)  pdf scans - this is not (2. not) recommended

simple boolean operations should not be a problem for an IT prof :)


:PDF is a backward comp. switch - "use the old behavior"


> that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?

A stream object can be anything in a PDF. The Adobe suites do not support creating other executable objects, but it is possible to do this. Hackers will never use an Adobe product to create a virus in a PDF!


The nice ransomware does the following, for example:

1 2 obj
stream <.... binary docm anyhow encoded and encrypted ...>
endobj
....
10 11 obj
/Type/Filespec/test.docm .....
endobj
....
3 4 obj
/EmbeddedFile/test.docm/ ......<</JavaScript. ..../OpenAction .. load the docm in the JavaScript
endobj


If you use an outdated PDF reader, the reader will do an OLE call to MS Word at the PDF open request - DONE - buy some bitcoins or restore!


A stream object <....> can be stored as binary, hex encoded or octal - example hex:

<41424344454647>

which is 'ABCDEFG' - but Adobe allows and ignores all whitespace included in this encoding. The following would be the same for the reader:

<41    4243  44                           45 46                       47                          >

If more than 256 whitespace characters are added, no antivirus will ever catch it.


Because assp does not need to read or process the attachment as a PDF reader does (in ASSP_AFC), it decodes all streams to binary and removes all whitespace (of any length) - even if the binary result will not be 100% correct.

As far as I know, no antivirus ever decodes a PDF.


The combination of docm and OLE and JavaScript - this is relatively easy to find. But it is also possible to define an encrypted and encoded black/white (0/1) bitmap (picture), but instead put executable code in it and run this code as an open action.

Encryption is also used in PDF to prevent printing a document - so there is no password required to encrypt data in a PDF.

I'm waiting for the first of those PDF files. The technology is known, but currently not used. However, JavaScript will be required to implement those viruses. We have a weapon - ASSP_AFC!


ASSP_AFC tries to ignore innocent JavaScript, for example JavaScript used in a form field definition for verification.

The structure(s) that must be used to do malicious things in a PDF are known. ASSP_AFC is looking for those structures. For example: embedding any other executable code or using a URI to download it.

PDFs are commonly used and seen as a very secure way to provide information. And for 99% or even more, this is true. Doing anything too strict will lead to a large number of false positives, and BIG complaints will go to the IT department.


The real problem is that the Adobe reader has JavaScript execution enabled by default - blame on them. I recommend disabling JavaScript in all PDF readers. If a PDF contains JavaScript, the reader will warn the user that the form will not work unless it is enabled. But at this point, the user sees the PDF and knows where it comes from and whether it is safe to allow JavaScript for this document.


So, this PDF scan in ASSP_AFC is somewhat different from the other executable scans. NOT: "look into, find and block" - MORE: "look into, be smart, find malicious content and block".

To test this extension, you need to try to do malicious things. Everything created with the Adobe products should pass this check.


I'm currently not sure if the ':CertPDF' switch is a nice one. It assumes that an attacker will not sign the virus PDF. But if a PDF is signed, no action will be taken by the PDF reader until the certificate is verified.

Thomas







From: K Post <nntp.post@...>
To: ASSP development mailing list <[hidden email]>
Date: 21.05.2017 01:01
Subject: Re: [Assp-test] updated ASSP_AFC Plugin




Thank you Thomas. Question, you wrote:

the following additional exception switches are implemented:
 :PDF - adobe PDF file with embedded executable code or microsoft office macro files, JavaScript and bad URIs
 (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate signed adobe PDF file
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - adobe PDF file with URIs to download executables from the web or to open local files

I'm slightly confused by your red text though. I take anything you suggest very seriously, especially so if it's in red. There seems to be a bit of a double negative in your above comments.

If we just use exe-bin as a level 1 block, that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right? If we do exe-bin|:PDF that will block exe's but NOT those that are PDF files with embedded executable code or microsoft office macro files, JavaScript and bad URIs right? That seems to remove all of this new PDF blocking functionality or am I off base? Then you said in red that this is not recommended. I can't tell if you mean you recommend that we not use the :PDF exception (so don't do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best avoid false positives.


that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?   Based on your description, clearly that's the case - and I'd think I would want to block them, but I can't figure out how to do that if you (might be) recommending that we do exe-bin|:PDF.


I'm clearly confused....


Thanks so much - this should make a big difference!


Ken




On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <Thomas.Eckardt@...> wrote:
published ASSP_AFC 4.50


example results from the analyzer:


 URIBL check: 'OK'
• † • SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'

• attachment Invoice 07853327 05/17/2017.PDF is an executable 

 Not a Valid Format of HELO: '[42.113.108.55]'

the following additional exception switches are implemented:

 :PDF - adobe PDF file with embedded executable code or microsoft office macro files, JavaScript and bad URIs
 (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate signed adobe PDF file
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - adobe PDF file with URIs to download executables from the web or to open local files

Thomas



From: Thomas Eckardt <Thomas.Eckardt@...>
To: ASSP development mailing list <[hidden email]>
Date: 20.05.2017 07:17
Subject: Re: [Assp-test] updated ASSP_AFC Plugin




ASSP_AFC 4.48 was too weak

ASSP_AFC 4.49 is possibly too strict, but very safe - it allows using the ':PDF' switch


I'm just looking for a way to prevent false positives.


Thomas






From: K Post <nntp.post@...>
To: ASSP development mailing list <[hidden email]>
Date: 19.05.2017 16:28
Subject: Re: [Assp-test] updated ASSP_AFC Plugin




Here's a sample PDF with javascript that runs at startup (populates a field with the current date).

On Fri, May 19, 2017 at 10:16 AM, K Post <nntp.post@...> wrote:
I tested with this new plugin installed and exe-bin blocking.  This plugin now blocks all pdf's that have javascript embedded right?  That's not what I experienced.

I created a simple pdf with a button.  That button's action was to run javascript to print the document.  I emailed it to myself from gmail.  It was received, not blocked.

Am I missing something?  

On Fri, May 19, 2017 at 9:48 AM, K Post <nntp.post@...> wrote:
Thanks for this!!!

On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <Thomas.Eckardt@...> wrote:
Hi all,

I've just published ASSP_AFC.pm version 4.48 at SF-CVS.

This version contains an extension to detect embedded executable code in real PDF files, if 'exe-bin' files are not allowed in the assp configuration.

Currently detected are:

- java script - most times this is required by the virus to open and run any other embedded code
- ms office macros
- exe and com files
- wsh files

This extension is hard coded. There is no way to make an exception to (e.g.) :PDF - like for :ELF, :CSC, :MSOM ...... - because such files are always malicious!

Currently it seems that another ransomware attack is starting in preparation for the weekend! Distributed are such real PDF files per email!

I don't think that there will be a stupid 'killswitch' in the new viruses to save the world.

I just saw that ClamAV (sanesecurity signatures) detected most of them - they all are classified as UNOFFICIAL!!!!

Thomas
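Thomas's two points above (whitespace-padded hex strings that a reader silently accepts, and the Filespec/EmbeddedFile/JavaScript/OpenAction layout the ransomware PDFs use) as an added illustration in Python; this is not ASSP_AFC's Perl code. It decodes hex strings the way a PDF reader would before pattern-matching, so the `.docm` name hidden in `<74 65 ... 6D>` is found. The two PDF fragments and the block/allow policy are constructed for this example; compressed streams are not inflated.

```python
import re

# PDF whitespace (PDF 32000-1:2008, table 1): NUL, HT, LF, FF, CR, SP.
# A reader ignores any amount of it inside a hex string, which is the
# padding trick described in the reply.
PDF_WS = b"\x00\t\n\x0c\r "

# One hex string '<...>'; the look-behind keeps '<<' dictionary delimiters out.
HEX_STRING_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\x00\t\n\x0c\r ]*)>")

# Payload types named in the first post: office macros, exe/com, WSH scripts.
EXEC_NAME_RE = re.compile(rb"\.(?:docm|xlsm|pptm|exe|com|js|jse|vbs|vbe|wsf|wsh)\b", re.I)

# /URI actions with a literal-string target, captured for inspection.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def decode_hex_string(token: bytes) -> bytes:
    """Decode one PDF hex string token, e.g. b'<41 42>' -> b'AB'.

    Whitespace of any length is dropped first; an odd trailing digit is
    read as if followed by '0', as the PDF spec requires.
    """
    if not (token.startswith(b"<") and token.endswith(b">")):
        raise ValueError("not a hex string token")
    digits = token[1:-1].translate(None, PDF_WS)
    if not re.fullmatch(rb"[0-9A-Fa-f]*", digits):
        raise ValueError("non-hex byte inside hex string")
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def normalize(data: bytes) -> bytes:
    """Rewrite every hex string as the literal string '(decoded bytes)' so a
    later byte-pattern scan sees what the reader sees. Streams compressed
    with FlateDecode etc. are not inflated here (a gap of this illustration)."""
    return HEX_STRING_RE.sub(
        lambda m: b"(" + decode_hex_string(m.group(0)) + b")", data)


def find_indicators(data: bytes) -> dict:
    """Presence of the structures the reply names, checked on normalized bytes."""
    norm = normalize(data)
    return {
        "javascript":    re.search(rb"/(?:JavaScript|JS)\b", norm) is not None,
        "open_action":   re.search(rb"/OpenAction\b", norm) is not None,
        "embedded_file": re.search(rb"/(?:EmbeddedFile|Filespec)\b", norm) is not None,
        "exec_name":     EXEC_NAME_RE.search(norm) is not None,
        "bad_uri":       any(EXEC_NAME_RE.search(u) or u.lower().startswith(b"file:")
                             for u in URI_RE.findall(norm)),
    }


def classify(data: bytes) -> str:
    """Toy policy (my own, not ASSP_AFC's) in the spirit of the exe-bin check:
    block embedded executables and URIs that fetch them or open local files,
    let plain form JavaScript such as a date-filling script pass."""
    f = find_indicators(data)
    if f["embedded_file"] and f["exec_name"]:
        return "block: embedded executable (docm/exe/com/wsh) inside the PDF"
    if f["bad_uri"]:
        return "block: URI that downloads an executable or opens a local file"
    if f["javascript"]:
        return "allow: JavaScript present but no embedded file or bad URI"
    return "allow: no executable structures"


# Constructed fragments, not real samples. The first mirrors the object layout
# quoted in the reply, with the attachment name hidden in a whitespace-padded
# hex string; the second is the harmless date-filling form script from the thread.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R\n"
    b"   /Names << /EmbeddedFiles << /Names [ <696E766F696365> 4 0 R ] >> >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nPK\x03\x04\nendstream\nendobj\n"
    b"4 0 obj\n<< /Type /Filespec /F <74 65 73 74  2E   64 6F 63 6D> /EF << /F 3 0 R >> >>\nendobj\n"
    b"5 0 obj\n<< /S /JavaScript /JS <6170702E616C6572742831293B> >>\nendobj\n"
)
SAMPLE_FORM_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript\n"
    b"   /JS (this.getField('date').value = util.printd('yyyy-mm-dd', new Date());) >>\nendobj\n"
)

if __name__ == "__main__":
    print(decode_hex_string(b"<41    4243  44     45 46   47   >"))  # b'ABCDEFG'
    print("raw scan sees .docm:", EXEC_NAME_RE.search(SAMPLE_PDF) is not None)  # False
    print(classify(SAMPLE_PDF))
    print(classify(SAMPLE_FORM_PDF))
```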




Re: updated ASSP_AFC Plugin

Thomas Eckardt/eck
In reply to this post by K Post
>1. javascript scanning is intelligent, attempting to allow non-malicious javascript through.

This is more a wish than it is reality
- it will block the well known bad
- it will let pass the known good (or those that are not detected for any reason)
- BUT - it will block all other JavaScripts, even if they are innocent

Time will show how we can improve the JavaScript scanning.

Thomas






Re: updated ASSP_AFC Plugin

K Post
Fair enough.  Thanks for the hard work as usual.

On Mon, May 22, 2017 at 2:16 AM, Thomas Eckardt <[hidden email]> wrote:
>1. javascript scanning is intelligent, attempting to allow non-malicious javascript through.

This is more a wish than it is reality
- it will block the well known bad
- it will let pass the known good (or those that are not detected for any reason)
- BUT - it will block all other JavaScripts, even if they are innocent

Time will show how we can improve the JavaScript scanning.

Thomas





Von:        K Post <[hidden email]>
An:        ASSP development mailing list <[hidden email]>
Datum:        21.05.2017 17:29
Betreff:        Re: [Assp-test] updated ASSP_AFC Plugin




Thank you for that very detailed and informative additional explanation.  Clears things up nicely.
And that explains why my sample PDF with javascript is getting through: it just fills in a date into a field, nothing questionable.

I suggest making a change to the AFC plugin documentation in the GUI to state that:
1. javascript scanning is intelligent, attempting to allow non-malicious javascript through.
2. That using the :PDF exception is not recommended as this will disable all PDF executable scanning.  (leaving out the bit about false positives)

Of note: when I try to do an analyze with that sample PDF's message file (the PDF with the basic javascript that I sent you), ASSP crashes - completely - the service needs to be started again.  Win32.    I've never seen that happen before.  If I disable the AFC plugin, analyze works.




On Sun, May 21, 2017 at 2:39 AM, Thomas Eckardt <[hidden email]> wrote:
I did not get any attachment from you.

>
that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?

right


:PDF switches all executable checks off for PDF files - it is NOT recommended to do this - because it will block any (possibly also regular) JavaScript defined using '/S/JavaScript/JS'


>
There seems to be a bit of a double negative in your above comments.

yes - exe-bin is recommended - :PDF to exclude (1. not)  pdf scans - this is not (2. not) recommended

Simple boolean operations should not be a problem for an IT pro :)


:PDF is a backward compatibility switch - "use the old behavior"


> that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?

A stream object can be anything in a PDF. The Adobe suites do not support creating other executable objects, but it is possible to do this. Hackers will never use an Adobe product to create a virus in a PDF!


The nice ransomware does the following, for example:

1 2 obj
stream <.... binary docm, somehow encoded and encrypted ...>
endobj
....
10 11 obj
/Type/Filespec/test.docm .....
endobj
....
3 4 obj
/EmbeddedFile/test.docm/ ......<</JavaScript. ..../OpenAction .. load the docm in the JavaScript
endobj

If you use an outdated PDF reader, the reader will do an OLE call to MS Word at the PDF open request - DONE - buy some bitcoins or restore!


A stream object <....> can be stored binary, hex-encoded or octal - example hex:

<41424344454647>

which is 'ABCDEFG' - but Adobe allows and ignores all whitespace included in this encoding. The following would be the same for the reader:

<41    4243  44                           45 46                       47                          >

If more than 256 whitespace characters are added, no antivirus will ever catch it.

Because assp does not need to read or process the attachment like a PDF reader (in ASSP_AFC), it decodes all streams to binary and removes all whitespace (of any length) - even if the binary result will not be 100% correct.

As far as I know, no antivirus ever decodes a PDF.


The combination of docm and OLE and JavaScript is relatively easy to find. But it is also possible to define an encrypted and encoded black/white (0/1) bitmap (picture), put executable code in it instead, and run this code as an open action.

Encryption is also used in PDF to prevent printing a document - so no password is required to encrypt data in a PDF.

I'm waiting for the first of those PDF files. The technology is known, but currently not used. However, JavaScript will be required to implement those viruses. We have a weapon - ASSP_AFC!



ASSP_AFC tries to ignore innocent JavaScript. For example, JavaScript used in a form field definition for verification.

The structure(s) that must be used to do malicious things in a PDF are known. ASSP_AFC is looking for those structures. For example: embedding any other executable code or using a URI to download it.

PDFs are commonly used and seen as a very secure way to provide information. And for 99% or even more, this is true. Doing anything too strict will lead to a large number of false positives, and BIG complaints will go to the IT department.


The real problem is that the Adobe reader has JavaScript execution enabled by default - blame them. I recommend disabling JavaScript in all PDF readers. If a PDF contains JavaScript, the reader will warn the user that the form will not work unless it is enabled. But at this point, the user sees the PDF and knows where it comes from and whether it is safe to allow JavaScript for this document.



So, this PDF scan in ASSP_AFC is somewhat different from the other executable scans. NOT: "look into, find and block" - MORE: "look into, be smart, find malicious content and block".

To test this extension, you need to try to do malicious things. Everything created with the Adobe products should pass this check.

I'm currently not sure if the ':CertPDF' switch is a nice one. It assumes that an attacker will not sign the virus PDF. But if a PDF is signed, no action will be taken by the PDF reader until the certificate is verified.

Thomas







From:        K Post <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        21.05.2017 01:01
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin




Thank you Thomas.  Question, you wrote:

the following additional exception switches are implemented:

 :PDF - Adobe PDF file with embedded executable code or Microsoft Office macro files, JavaScript and bad URIs
 (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate-signed Adobe PDF file
 :JSPDF - Adobe PDF file with JavaScript inside - notice: well-known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - Adobe PDF file with URIs to download executables from the web or to open local files



 

I'm slightly confused by your red text though.  I take anything you suggest very seriously, especially so if it's in red.  There seems to be a bit of a double negative in your above comments.

If we just use exe-bin as a level 1 block, that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?  If we do exe-bin|:PDF that will block exe's but NOT those that are PDF files with embedded executable code or Microsoft Office macro files, JavaScript and bad URIs right?  That seems to remove all of this new PDF blocking functionality or am I off base?  Then you said in red that this is not recommended.  I can't tell if you mean you recommend that we not use the :PDF exception (so don't do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best avoid false positives.


that would include anything in the PDF, CertPDF, JSPDF, and URIPDF category right?   Based on your description, clearly that's the case - and I'd think I would want to block them, but I can't figure out how to do that if you (might be) recommending that we do exe-bin|:PDF.


I'm clearly confused....


Thanks so much - this should make a big difference!


Ken




On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <[hidden email]> wrote:
published ASSP_AFC 4.50


example results from the analyzer:

 URIBL check: 'OK'
 SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
 attachment Invoice 07853327 05/17/2017.PDF is an executable
 Not a Valid Format of HELO: '[42.113.108.55]'

the following additional exception switches are implemented:

 :PDF - Adobe PDF file with embedded executable code or Microsoft Office macro files, JavaScript and bad URIs
 (NOT recommended to be used, false positives are expected)
 :CERTPDF - certificate-signed Adobe PDF file
 :JSPDF - Adobe PDF file with JavaScript inside - notice: well-known malicious JavaScript combinations will be blocked, even if this option is defined
 :URIPDF - Adobe PDF file with URIs to download executables from the web or to open local files

Thomas



From:        Thomas Eckardt <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        20.05.2017 07:17
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin




ASSP_AFC 4.48 was too weak

ASSP_AFC 4.49 is possibly too strict, but very safe - it allows using the ':PDF' switch


I'm just looking for a way to prevent false positives.


Thomas






From:        K Post <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        19.05.2017 16:28
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin




Here's a sample PDF with javascript that runs at startup (populates a field with the current date).

On Fri, May 19, 2017 at 10:16 AM, K Post <[hidden email]> wrote:
I tested with this new plugin installed and exe-bin blocking.  This plugin now blocks all PDFs that have JavaScript embedded, right?  That's not what I experienced.

I created a simple pdf with a button.  That button's action was to run javascript to print the document.  I emailed it to myself from gmail.  It was received, not blocked.

Am I missing something?  

On Fri, May 19, 2017 at 9:48 AM, K Post <[hidden email]> wrote:
Thanks for this!!!

On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <[hidden email]> wrote:
Hi all,

I've just published ASSP_AFC.pm version 4.48 at SF-CVS.

This version contains an extension to detect embedded executable code in real PDF files, if 'exe-bin' files are not allowed in the assp configuration.

Currently detected are:

- JavaScript - most of the time this is required by the virus to open and run any other embedded code
- MS Office macros
- exe and com files
- WSH files

This extension is hard-coded. There is no way to make an exception (e.g. :PDF - like for :ELF, :CSC, :MSOM ......), because such files are always malicious!

Currently it seems that another ransomware attack is starting in preparation for the weekend! Such real PDF files are being distributed per email!

I don't think that there will be a stupid 'killswitch' in the new viruses to save the world.

I just saw that ClamAV (sanesecurity signatures) detected most of them - they are all classified as UNOFFICIAL !!!!.

Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!
http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list

[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
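The stream normalization and the structure check Thomas describes above (hex strings padded with whitespace, and an embedded .docm plus JavaScript in an /OpenAction), together with the benign date-filling form Ken mentions, as an added example written for this page in Python. It is not ASSP_AFC code (the plugin itself is Perl) and does not claim to reproduce the plugin's rules: the name patterns, the combinations treated as a hit (including the Launch and URI checks, modelled on the :URIPDF description) and both sample PDFs are assumptions made for this example; the samples are minimal constructed objects, not renderable documents.

```python
# Added example for this page: a heuristic PDF scanner in the spirit of the
# thread above.  It is NOT ASSP_AFC code and does not claim to reproduce the
# plugin's rules; the name patterns, the hit combinations and both sample PDFs
# are this example's own constructions.
import re

# PDF hex string: <hexdigits>.  Readers ignore whitespace between the digits and
# treat a missing final digit as 0.  The negative look-behind keeps the '<<' of a
# dictionary from being taken as the start of a hex string.
HEX_STRING = re.compile(rb"(?<!<)<(\s*[0-9A-Fa-f][0-9A-Fa-f\s]*)>")


def normalize_hex_strings(data: bytes) -> bytes:
    """Rewrite every hex string as a literal (...) string holding the decoded
    bytes, so that patterns match what the reader would see, not the padding."""
    def decode(match):
        digits = re.sub(rb"\s+", b"", match.group(1))
        if len(digits) % 2:
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"
    return HEX_STRING.sub(decode, data)


# Structures the thread names as the markers of a malicious PDF.  A single one of
# them (JavaScript in a form, say) is not a hit; the combinations below are.
JAVASCRIPT = re.compile(rb"/S\s*/JavaScript\b|/JS\b")
EMBEDDED   = re.compile(rb"/EmbeddedFile\b|/Type\s*/Filespec\b")
ON_OPEN    = re.compile(rb"/OpenAction\b|/AA\b")
LAUNCH     = re.compile(rb"/S\s*/Launch\b")
URI_ACTION = re.compile(rb"/S\s*/URI\b")
EXEC_NAME  = re.compile(rb"\.(?:exe|com|scr|docm|xlsm|pptm|vbs|wsf|wsh|hta|js)\b",
                        re.IGNORECASE)


def scan_pdf(data: bytes, normalize: bool = True) -> list:
    """Return the list of findings for a PDF; an empty list means let it pass.
    normalize=False scans the raw bytes, to show what whitespace padding hides."""
    d = normalize_hex_strings(data) if normalize else data
    has_embedded = bool(EMBEDDED.search(d))
    has_exec_name = bool(EXEC_NAME.search(d))
    findings = []
    if has_embedded and has_exec_name:
        findings.append("embedded executable file")
    if JAVASCRIPT.search(d) and has_embedded and ON_OPEN.search(d):
        findings.append("JavaScript on open together with an embedded file")
    if LAUNCH.search(d):
        findings.append("Launch action")
    if URI_ACTION.search(d) and has_exec_name:
        findings.append("URI action naming an executable")
    return findings


def pdf_hex_string(s: bytes, pad: bytes = b"   ") -> bytes:
    """Encode s as a PDF hex string with whitespace padding between digit pairs."""
    return b"<" + pad.join(b"%02X" % c for c in s) + b">"


# Constructed sample 1: a form that fills today's date into a field with
# JavaScript (Ken's case).  JavaScript and /OpenAction, but no embedded file.
BENIGN_FORM_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [3 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /FT /Tx /T (date) /AA << /F << /S /JavaScript /JS (AFDate_FormatEx("mm/dd/yyyy");) >> >> >> endobj
4 0 obj << /S /JavaScript /JS (this.getField("date").value = util.printd("mm/dd/yyyy", new Date());) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the layout Thomas sketches - a .docm stored as an
# /EmbeddedFile, named by a /Filespec, and JavaScript in /OpenAction that hands
# it to the reader.  Every string is hex-encoded with padding, so the file name
# never appears literally in the raw bytes.  (The stream body is a stand-in.)
DOCM_NAME = pdf_hex_string(b"test.docm")
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R"
    b" /Names << /EmbeddedFiles << /Names [" + DOCM_NAME + b" 4 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Type /Filespec /F " + DOCM_NAME + b" /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
    b"6 0 obj << /S /JavaScript /JS "
    + pdf_hex_string(b'this.exportDataObject({cName: "test.docm", nLaunch: 2});')
    + b" >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print("benign form     ->", scan_pdf(BENIGN_FORM_PDF) or "pass")
    print("embedded docm   ->", scan_pdf(MALICIOUS_PDF))
    print("same, raw bytes ->", scan_pdf(MALICIOUS_PDF, normalize=False))
```

Run it directly to print the three verdicts. The point to take from the raw-bytes scan is the one Thomas makes: with the file name hidden inside a padded hex string, a scanner that matches the raw bytes never sees `.docm`, and only after decoding and stripping the whitespace does the embedded-executable rule fire; the form's JavaScript on its own is never enough for a hit, which is what lets Ken's date-filling PDF through.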


