Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2016/06/08 19:59:17 UTC

Re: SA cannot block messages with attached zip

At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives 
>(using "lsar") and have filename-extension rules that block .js 
>inside .zip files. While this can lead to some FPs, which we handle 
>with selective whitelisting, it's very effective at catching the 
>latest crop of cryptolocker-style attacks.

I was looking more closely at the Foxhole page, and it SOUNDS
(to me) like they do _NOT_ block on ".js" file extension,
whereas you/Dianne do:

"This database will block most JavaScript (.js) files within Zip, Rar files"
...
"To help minimise false positives, this database will only scan small sized Zip and Rar files."

*** Questions:
*1. Could someone clarify whether Foxhole is using some sort of
signatures on ".js" files?

*2. How did Foxhole perform on the recent campaign with duplicate
large zipped js files (e.g. 5 files of 236 kilobytes each)?
There was also a campaign with a single large file (e.g. 604
kilobytes), with most of the payload at the end.  I suspect both
campaigns were attempts to bypass sig based scanners.

I'm with Dianne on outright blocking js files, AND making highly
selective holes for specific sender/recipient pairs.
I protect a few thousand accounts and we only have a handful of
those holes, all for web designers.
"Aim small, miss small" :)

In my previous post, I mentioned "secret sauce" code to detect
javascript obfuscations.  That's a backup in case netscum figure
out a way to use a non obvious file extension.  FIRST, I do all
the quick tests (file extensions, etc), then, if there's enough
time, the slower/memory-heavy tests.  The recent large js file
campaigns took significantly longer (1/2 to 1 second) to do my
extra tests, but still hit all my tests. :)


*3. Is the list of file extensions on the Foxhole page complete?
	http://sanesecurity.com/foxhole-databases/
The page is missing the following (and perhaps others):
	.acm
	.ax
	.dll
	.drv
	.efi
	.mui
	.ocx
	.tsp
I verified that all of those actually occur and are executable
on a Windows7 machine.


I have seen, in the wild (about a year or so ago), malware email
that instructed the target to rename the attached file. :(
Long before that, I had added code to decompress just the first
few bytes of each zipped file, and check for executable
MagicNumbers (e.g. Windows' "MZ").  I also check all MIME parts
(I have a very speedy "MIME Prefix" test).

I recently added the MagicNumber for "old" style doc files, just
for files inside zips (when they appeared, as mentioned in my
previous post).  That does have a higher FP risk, since it's
reasonable to zip huge doc files, however in practice they're
rare, and I have an excellent Quarantine/FP pipeline.

A friend sent me this cool MagicNumber look up site:
	filesignatures.net
Any other suggestions for file types to add?
	- "Chip"


Re: SA cannot block messages with attached zip

Posted by Benny Pedersen <me...@junc.eu>.
On 2016-06-08 23:23, Alex wrote:

> http://pastebin.com/ALsSAmwa

this sample can be reported to dnswl

Re: SA cannot block messages with attached zip

Posted by John Hardin <jh...@impsec.org>.
On Wed, 13 Jul 2016, Chip M. wrote:

> P.P.S.  Today's new malware morph is a single zipped javascript
> file, where the script filename ends with "..wsf".
> Is the double dot just a mistake, or does that confuse anything?

That's very likely an attempt to bypass "double-extension" filter checks 
that expect the first extension to actually be present (e.g. something 
like /\.[a-z]{1,3}\.wsf$/ ).

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  3 days until the 71st anniversary of the dawn of the Atomic Age

Re: SA cannot block messages with attached zip

Posted by "Chip M." <sa...@IowaHoneypot.com>.
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa

Alex, thanks for the spample! :)
I've seen a steady trickle of those, since late April.

That file attachment is actually the way-kewl "Office Open XML"
format, with an embedded VBA binary file, just like last week's
main vector for "Zepto" (a new ransomware morph), except those
used the (more correct) file extension ".docm".

The way-kewl thing about this file format is that they're
completely standard zip files, containing a mix of other mostly
standard files (e.g. XML, JPEGs).  In general, they're very easy
to parse (no obscure Microsoft OLE/etc in the main files).
The VBA is always in a file named "vbaproject.bin".

Since filenames in zip files are stored unaltered, it's just a
matter of de-MIME-ing the file, and scanning for the filename.
You do _NOT_ have to parse the zip file, just look for that one
simple string. :)
(Pedantic note:  Technically, there's another file named
"vbaProject.bin.rels" which is a plain text XML file.
Theoretically, you may want to exclude it, but practically, I
wouldn't bother - it seems to always occur with the binary ".bin"
file, so just nuke/quarantine them all.)

A couple of years ago, I changed my post-SA Filter so it always
tests the first few "raw" characters of every MIME Part, and if
they're the prefix that means PKZip, I de-MIME it and send it
thru my zip analyzer, regardless of ContentType or file ext.
I got fed up with all the Spammer Stupid Part Tricks, and it's
blindingly fast to check the prefix. :)
	- "Chip"

P.S.  Thanks everyone for the followups on how Foxhole handles
stuff. :)

P.P.S.  Today's new malware morph is a single zipped javascript
file, where the script filename ends with "..wsf".
Is the double dot just a mistake, or does that confuse anything?
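The checks Chip describes in his two posts (the raw "PKZip prefix" test on a MIME part, scanning the unaltered zip filenames for vbaProject.bin, and decompressing just the first few bytes of each entry to look for the "MZ" and old-style doc magic numbers), plus John's point that an ends-with check catches "..wsf" where a double-extension pattern does not, as an added Python example. This is not Chip's code; the sample zip, the extension list and the magic-number table are constructed for the demonstration.

```python
import io, re, struct, zipfile, zlib

ZIP_PREFIX = b"PK\x03\x04"  # start of a PKZip stream: the cheap "MIME prefix" test
# Ends-with match on the whole name, so "report..wsf" is caught as well as "report.txt.wsf".
BLOCKED_EXT = re.compile(r"\.(js|jse|wsf|vbs|exe|scr)$", re.I)
NAIVE_DOUBLE_EXT = re.compile(r"\.[a-z]{1,3}\.wsf$", re.I)  # needs a real first extension: misses "..wsf"
MAGIC = {b"MZ": "MZ (Windows executable)", b"\xd0\xcf\x11\xe0": "OLE2 (old-style Office doc)"}
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # sig ver flags method time date crc csize usize nlen xlen

def first_bytes(method, data, n=4):
    # Decompress only the first n bytes of an entry (method 0 = stored, 8 = deflate).
    if method == 0:
        return data[:n]
    if method == 8:
        return zlib.decompressobj(-15).decompress(data[:512], n)
    return b""  # other methods: no magic check possible here

def scan_zip_part(raw):
    """Walk the local file headers of a raw zip MIME part and return quarantine reasons."""
    if not raw.startswith(ZIP_PREFIX):
        return []
    hits, pos = [], 0
    while raw[pos:pos + 4] == ZIP_PREFIX:
        h = LOCAL_HDR.unpack_from(raw, pos)
        flags, method, csize, nlen, xlen = h[2], h[3], h[7], h[9], h[10]
        if flags & 0x08:  # sizes sit in a trailing data descriptor; the central directory is needed instead
            break
        name = raw[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        data_at = pos + 30 + nlen + xlen
        if BLOCKED_EXT.search(name):
            hits.append(f"{name}: blocked extension")
        if name.lower().endswith("vbaproject.bin"):  # zip stores names unaltered
            hits.append(f"{name}: embedded VBA project")
        head = first_bytes(method, raw[data_at:data_at + csize])
        for magic, label in MAGIC.items():
            if head.startswith(magic):
                hits.append(f"{name}: {label}")
        pos = data_at + csize
    return hits

def build_sample():
    # Constructed sample zip (not a real attachment) exercising every check above.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.js", "var x = 1;")
        z.writestr("report..wsf", "<job/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 64)
        z.writestr("setup.txt", b"MZ" + b"\x90" * 64)  # renamed executable
        z.writestr("readme.txt", "plain text")
    return buf.getvalue()
```

Entries written with a data descriptor (general-purpose flag bit 3) carry their sizes after the data, so a production scanner should fall back to the central directory for those rather than stopping as this walker does.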



Re: SA cannot block messages with attached zip

Posted by Alex <my...@gmail.com>.
Meanwhile, there is RTF spam that's circulating which is currently
bypassing the sanesecurity sigs. I've just submitted a sample to
Steve, but the db hasn't yet been updated. Here's a sample:

http://pastebin.com/ALsSAmwa

The pattern to temporarily stop them involves a meta with
__DOC_ATTACH_MT and some body rules. Other ideas welcome.


On Wed, Jun 8, 2016 at 5:08 PM, Paul Stead <pa...@zeninternet.co.uk> wrote:
>
> On 08/06/16 21:39, Paul Stead wrote:
>
> BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*
>
> Should point out that this may be prone to false positives. The Sane sigs
> are scored low, med, high FP risk and can be installed as such.
> --
> Paul Stead
> Systems Engineer
> Zen Internet

Re: SA cannot block messages with attached zip

Posted by Paul Stead <pa...@zeninternet.co.uk>.

On 08/06/16 21:39, Paul Stead wrote:

BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

Should point out that this may be prone to false positives. The Sane sigs are scored low, med, high FP risk and can be installed as such.
--
Paul Stead
Systems Engineer
Zen Internet

Re: SA cannot block messages with attached zip

Posted by Paul Stead <pa...@zeninternet.co.uk>.
On 08/06/16 20:59, Chip M. wrote:
> I was looking more closely at the Foxhole page, and it SOUNDS (to me) like they do _NOT_ block on ".js" file extension, whereas you/Dianne do:

More relevant for the ClamAV/Sanesecurity list, hope this isn't looked down upon.

I'm not sure if Steve is on the list but I'll do my best to answer.

> "This database will block most JavaScript (.js) files within Zip, Rar files"
> ...
> "To help minimise false positives, this database will only scan small sized Zip and Rar files."
>
> *** Questions:
> *1. Could someone clarify whether Foxhole is using some sort of signatures on ".js" files?
"The three new foxhole databases use the .cdb extension which uses the ClamAV engine to look inside certain container/archive files for various filenames/extensions and perform Regular Expressions, on those filenames/extensions."

Here's one example rule from foxhole_js.cdb

---8<---
Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*
---8<---

cdb files have the following format:

VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

You could adjust rules if needed. Steve is also very helpful and responsive.

> *2. How did Foxhole perform on the recent campaign with duplicate large zipped js files (e.g. 5 files of 236 kilobytes each)? There was also a campaign with a single large file (e.g. 604 kilobytes), with most of the payload at the end. I suspect both campaigns were attempts to bypass sig based scanners.

The js detection was recently upped from 256 kilobytes based on list feedback - as you see the 512 kilobytes it is currently at is the FileSizeInContainer - "usually compressed size".

I have had a very positive experience with these signatures overall.

> I'm with Dianne on outright blocking js files, AND making highly selective holes for specific sender/recipient pairs.

We can block any JS file with Zips, 7zip, rar, arj, cab...

Foxhole.ZIP.JS:CL_TYPE_ZIP:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.7Z.JS:CL_TYPE_7Z:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.RAR.JS:CL_TYPE_RAR:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.ARJ.JS:CL_TYPE_ARJ:*:\.[Jj][Ss]$:*:*:*:*:*:*
Foxhole.CAB.JS:CL_TYPE_CAB:*:\.[Jj][Ss]$:*:*:*:*:*:*

ContainerType: one of CL_TYPE_ZIP, CL_TYPE_RAR, CL_TYPE_ARJ,
CL_TYPE_MSCAB, CL_TYPE_7Z, CL_TYPE_MAIL, CL_TYPE_(POSIX|OLD)_TAR,
CL_TYPE_CPIO_(OLD|ODC|NEWC|CRC) or * to match any of the container
types listed here

or...

BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*

> *3. Is the list of file extensions on the Foxhole page complete?
> http://sanesecurity.com/foxhole-databases/
> The page is missing the following (and perhaps others):
> .acm .ax .dll .drv .efi .mui .ocx .tsp
> I verified that all of those actually occur and are executable on a Windows7 machine.

Those extensions aren't listed within the Foxhole databases, I'll feed this back via their mailing list - might be worth popping along?

> I recently added the MagicNumber for "old" style doc files, just for files inside zips (when they appeared, as mentioned in my previous post).

This could be accomplished with yara rules within ClamAV too - docs on signature creation can be found here https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf


Paul
--
Paul Stead
Systems Engineer
Zen Internet
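A small evaluator for the .cdb field layout Paul quotes, as an added Python example (not ClamAV's parser or Sanesecurity's code). It loads the two rules from the message above and runs them against two constructed zip listings modelled on the 236 KB and 604 KB campaigns Chip asked about; the container-type list is the one documented above, FilePos is assumed to count entries from 1, and Python's re is assumed to be close enough to ClamAV's regex for these patterns.

```python
import re

FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
          "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos", "Res1", "Res2")
# Container types documented for the ContainerType field (tar and cpio variants expanded).
KNOWN_TYPES = {"CL_TYPE_ZIP", "CL_TYPE_RAR", "CL_TYPE_ARJ", "CL_TYPE_MSCAB", "CL_TYPE_7Z",
               "CL_TYPE_MAIL", "CL_TYPE_POSIX_TAR", "CL_TYPE_OLD_TAR", "CL_TYPE_CPIO_OLD",
               "CL_TYPE_CPIO_ODC", "CL_TYPE_CPIO_NEWC", "CL_TYPE_CPIO_CRC"}

def parse_cdb(line):
    """Split one .cdb line into named fields; MinFL/MaxFL are optional trailing fields."""
    parts = line.strip().split(":")
    if len(parts) < len(FIELDS):
        raise ValueError("too few fields: " + line)
    rule = dict(zip(FIELDS, parts))
    if rule["ContainerType"] != "*" and rule["ContainerType"] not in KNOWN_TYPES:
        raise ValueError("unknown container type: " + rule["ContainerType"])
    rule["MinFL"], rule["MaxFL"] = (parts[10:12] + ["*", "*"])[:2]
    return rule

def size_ok(spec, value):
    """Size fields are '*', an exact size, or an inclusive 'n-m' range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)

def match_cdb(rule, container_type, container_size, entries):
    """Return the VirusName once per matching entry (entries: dicts with name, csize, rsize, encrypted)."""
    if rule["ContainerType"] not in ("*", container_type) or not size_ok(rule["ContainerSize"], container_size):
        return []
    rx = re.compile(rule["FileNameREGEX"])  # assumption: Python re is close enough to ClamAV's for these patterns
    hits = []
    for pos, e in enumerate(entries, start=1):  # assumption: FilePos counts entries from 1
        if rule["FilePos"] != "*" and int(rule["FilePos"]) != pos:
            continue
        if rule["IsEncrypted"] != "*" and int(rule["IsEncrypted"]) != int(e["encrypted"]):
            continue
        if rx.search(e["name"]) and size_ok(rule["FileSizeInContainer"], e["csize"]) \
                and size_ok(rule["FileSizeReal"], e["rsize"]):
            hits.append(rule["VirusName"])
    return hits

# Rules quoted in the message above; the two listings are constructed, modelled on the campaigns Chip described.
SIZED_RULE = parse_cdb(r"Sanesecurity.Foxhole.JS_Zip_1:CL_TYPE_ZIP:*:\.([Jj][Ss])$:0-512000:*:0:1:*:*")
ANY_RULE = parse_cdb(r"BlockAnyAndAllJS:*:*:\.[Jj][Ss]$:*:*:*:*:*:*")
SMALL_ZIP = [{"name": "invoice.js", "csize": 236000, "rsize": 700000, "encrypted": 0}]
BIG_ZIP = [{"name": "scan.JS", "csize": 604000, "rsize": 1500000, "encrypted": 0}]
```

The size-capped rule stops at 512000 compressed bytes, so the 604 KB listing only trips the unrestricted BlockAnyAndAllJS rule; and because the documented container list names the cabinet type CL_TYPE_MSCAB, parse_cdb rejects a rule written with CL_TYPE_CAB.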

Re: SA cannot block messages with attached zip

Posted by jimimaseye <gr...@yahoo.com>.
If you think the foxhole databases are not sufficient enough and that other
extensions are required, then contact Steve @ Sane to discuss/request:
http://sanesecurity.com/contact-us/.  I speak to him regularly and he is open
to feedback.

Chip M. wrote
> At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
> 
> *3. Is the list of file extensions on the Foxhole page complete?
> 	http://sanesecurity.com/foxhole-databases/
> The page is missing the following (and perhaps others):
> 	.acm
> 	.ax
> 	.dll
> 	.drv
> 	.efi
> 	.mui
> 	.ocx
> 	.tsp
> I verified that all of those actually occur and are executable
> on a Windows7 machine.




