Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2016/07/13 18:29:33 UTC

Re: SA cannot block messages with attached zip

On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa

Alex, thanks for the spample! :)
I've seen a steady trickle of those, since late April.

That file attachment is actually the way-kewl "Office Open XML"
format, with an embedded VBA binary file, just like last week's
main vector for "Zepto" (a new ransomware morph), except those
used the (more correct) file extension ".docm".

The way-kewl thing about this file format is that they're
completely standard zip files, containing a mix of other mostly
standard files (e.g. XML, JPEGs).  In general, they're very easy
to parse (no obscure Microsoft OLE/etc in the main files).
The VBA is always in a file named "vbaproject.bin".

Since filenames in zip files are stored unaltered, it's just a
matter of de-MIME-ing the file, and scanning for the filename.
You do _NOT_ have to parse the zip file, just look for that one
simple string. :)
(Pedantic note:  Technically, there's another file named
"vbaProject.bin.rels" which is a plain text XML file.
Theoretically, you may want to exclude it, but practically, I
wouldn't bother - it seems to always occur with the binary ".bin"
file, so just nuke/quarantine them all.)

A couple of years ago, I changed my post-SA Filter so it always
tests the first few "raw" characters of every MIME Part, and if
they're the prefix that means PKZip, I de-MIME it and send it
thru my zip analyzer, regardless of ContentType or file ext.
I got fed up with all the Spammer Stupid Part Tricks, and it's
blindingly fast to check the prefix. :)
	- "Chip"

P.S.  Thanks everyone for the followups on how Foxhole handles
stuff. :)

P.P.S.  Today's new malware morph is a single zipped javascript
file, where the script filename ends with "..wsf".
Is the double dot just a mistake, or does that confuse anything?
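The prefix-then-filename-scan approach described in the post above, as an added example in Python (this is not Chip's filter, which the post does not show, and not SpamAssassin code): every leaf MIME part is decoded and its first bytes compared to the PKZip local-file-header signature regardless of Content-Type or extension, and any part that matches is searched for the string "vbaproject.bin" (case-insensitively) in the raw bytes, since zip entry names sit uncompressed in the local headers and central directory. The sample message, the addresses, and the OOXML-style zip with a stand-in vbaProject.bin are constructed inline for the example; the `.rels` name also matches the substring, as the post's pedantic note points out.

```python
"""Added example (not Chip's filter): find PKZip MIME parts by their leading
bytes and look for the OOXML VBA container name in the raw zip bytes."""
import email
import io
import zipfile
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature of a zip archive
VBA_MARKER = b"vbaproject.bin"     # compared case-insensitively against the raw bytes


def build_sample_message(with_vba: bool) -> bytes:
    """Constructed sample: an OOXML-style zip attached as 'invoice.rtf' with a
    generic content type, so neither the extension nor the MIME type says zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Stand-in for the OLE container Word writes; only the name matters here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
            z.writestr("word/_rels/vbaProject.bin.rels", "<Relationships/>")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # assumed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.rtf")
    return msg.as_bytes()


def zip_parts(raw_message: bytes):
    """Yield (declared filename, declared content type, decoded bytes) for every
    leaf MIME part whose decoded payload starts with the zip signature."""
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undo base64 / quoted-printable
        if payload and payload.startswith(ZIP_MAGIC):
            yield part.get_filename(), part.get_content_type(), payload


def has_vba_project(zip_bytes: bytes) -> bool:
    """Zip entry names are stored uncompressed in each local file header and in
    the central directory, so a substring search over the raw bytes suffices.
    This also matches 'vbaProject.bin.rels', which the post says not to bother
    excluding."""
    return VBA_MARKER in zip_bytes.lower()


def zip_entry_names(zip_bytes: bytes) -> list:
    """Cross-check only: the entry names a real zip parser reports."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


def scan_message(raw_message: bytes) -> list:
    """Return one dict per zip-looking part, with the declared metadata (which
    the sender controls) and the verdict from the raw bytes (which they do not)."""
    findings = []
    for filename, ctype, blob in zip_parts(raw_message):
        findings.append({
            "filename": filename,
            "content_type": ctype,
            "has_vba": has_vba_project(blob),
        })
    return findings


if __name__ == "__main__":
    for flag in (True, False):
        for finding in scan_message(build_sample_message(with_vba=flag)):
            print(finding)
```

The substring check is what makes the approach cheap: no central-directory parsing, no decompression, and it still fires when the attachment is mislabelled as RTF with an `application/octet-stream` content type. `zip_entry_names` is included only so you can confirm the raw-byte hit against a real parser when tuning.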



Re: SA cannot block messages with attached zip

Posted by John Hardin <jh...@impsec.org>.
On Wed, 13 Jul 2016, Chip M. wrote:

> P.P.S.  Today's new malware morph is a single zipped javascript
> file, where the script filename ends with "..wsf".
> Is the double dot just a mistake, or does that confuse anything?

That's very likely an attempt to bypass "double-extension" filter checks 
that expect the first extension to actually be present (e.g. something 
like /\.[a-z]{1,3}\.wsf$/ ).

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  3 days until the 71st anniversary of the dawn of the Atomic Age
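The bypass John describes, as an added example in Python (not code from either poster; the regex is John's pattern translated from Perl syntax, and the list of script-host extensions and the sample filenames are assumptions constructed for the example). The naive pattern requires one to three letters between the two dots, so "invoice..wsf" slips past it; a check keyed on the extension that will actually be honoured, after stripping trailing dots and spaces the way Windows does on file creation, catches the double-dot variant, the classic "pdf.wsf" form and a bare ".wsf" alike.

```python
"""Added example (not John's or Chip's code): why the naive double-extension
regex misses 'name..wsf', and a check keyed on the final extension instead."""
import re

# John's pattern, translated from Perl to Python. It insists on 1-3 letters
# between the two dots, so a filename with no "first" extension never matches.
NAIVE_DOUBLE_EXT = re.compile(r"\.[a-z]{1,3}\.wsf$", re.IGNORECASE)

# Assumed block list of script-host extensions; tune it for your environment.
SCRIPT_EXTENSIONS = {"wsf", "js", "jse", "vbs", "vbe", "hta"}


def naive_check(filename: str) -> bool:
    """The double-extension check the post says the '..wsf' morph is aimed at."""
    return NAIVE_DOUBLE_EXT.search(filename) is not None


def final_extension(filename: str) -> str:
    """Extension as Windows will interpret it: basename only, trailing dots and
    spaces removed (Win32 drops them when creating the file), then the text
    after the last remaining dot, lower-cased."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(" .")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].strip().lower()


def is_script_attachment(filename: str) -> bool:
    """Flag on the extension that will execute, however many dots precede it:
    'invoice..wsf', 'invoice.pdf.wsf' and 'invoice.wsf' all trip this."""
    return final_extension(filename) in SCRIPT_EXTENSIONS


def compare(filenames) -> dict:
    """Map each name to (naive verdict, final-extension verdict)."""
    return {name: (naive_check(name), is_script_attachment(name)) for name in filenames}


SAMPLES = [            # constructed names, including the morph from the thread
    "invoice.pdf.wsf", # classic double extension: both checks fire
    "invoice..wsf",    # the '..wsf' morph: naive regex misses it
    "invoice.wsf",     # single extension: naive regex was never meant to catch it
    "invoice.WSF.",    # trailing dot, which Windows strips on creation
    "notes.txt",       # benign
]

if __name__ == "__main__":
    for name, (naive, hardened) in compare(SAMPLES).items():
        print(f"{name!r:20} naive={naive!s:5} final_ext={hardened}")
```

The point of `final_extension` is that the only extension the operating system consults is the last one, so a filter that reasons about the penultimate one is modelling the attacker's formatting rather than the execution path; the same function also neutralises the trailing-dot and trailing-space variants that `$`-anchored patterns miss.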