Posted to users@spamassassin.apache.org by Jared Hall <ja...@jaredsec.com> on 2021/07/13 02:30:44 UTC
Re: Email Phishing and Zloader: Redux
1) Kenneth: Uncomment the line in v343. Rules in the present KAM.cf
are thusly:
ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  # increase number of mime parts checked
  olemacro_num_mime 10
  if (version >= 3.0040005)
    body KAM_OLEMACRO eval:check_olemacro()
    describe KAM_OLEMACRO Attachment has an Office Macro
    score KAM_OLEMACRO 7.5
    body KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
    describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
    score KAM_OLEMACRO_MALICE 10.0
    body KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
    describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
    score KAM_OLEMACRO_ENCRYPTED 3.0
    #This may cause more CPU usage
    olemacro_extended_scan 1
    body KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
    describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
    score KAM_OLEMACRO_RENAME 0.5
    meta GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
    describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
    score GB_OLEMACRO_REN_VIR 10
  endif
  body KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
  score KAM_OLEMACRO_ZIP_PW 1.0
  body KAM_OLEMACRO_CSV eval:check_olemacro_csv()
  describe KAM_OLEMACRO_CSV Macro in csv file
  score KAM_OLEMACRO_CSV 5.0
  #meta KAM_OLEMACRO_ZIP_PW_NOMID ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
  #describe KAM_OLEMACRO_ZIP_PW_NOMID OLE macro sent by a bot / ratware
  #score KAM_OLEMACRO_ZIP_PW_NOMID 5.0
  meta KAM_OLEMACRO_ZIP_BOT ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
  describe KAM_OLEMACRO_ZIP_BOT OLE macro sent by a bot / ratware
  score KAM_OLEMACRO_ZIP_BOT 5.0
endif
Yes, there does seem to be one "endif" too many, but I don't think it
matters much with this type of plugin.
Thanks for the information from hornetsecurity. It's the most
comprehensive write-up on Zloader that I've seen.
I did do some testing with Word and MHTML. A Word document when sent
out is assigned Content-Type: application/msword and
Content-Transfer-Encoding: base64. An MHTML file is sent out with
Content-Type: text/html and Content-Transfer-Encoding: quoted-printable
(w/ my document anyway).
I'm curious as to what HornetSecurity saw in their E-mail MIME header.
It DOES make a difference, at least regarding plugin scanning. But a
.doc file is a .doc file as far as Word is concerned.
I put forth a query to them. I'll let you know if they respond.
-- Jared Hall
>
> I simply uncommented it in /etc/spamassassin/v343.pre:
>
> # OLEVBMacro - Detects both OLE macros and VB code inside Office documents
> loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
> the KAM.cf takes care of the rest.
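The MIME observation above (a .doc arriving as application/msword, base64, while an MHTML file arrives as text/html, quoted-printable) is the kind of thing a scanner can check for itself. The following is an added example, not code from the thread or from SpamAssassin: it decodes every leaf part of a constructed message and compares the declared Content-Type with what the bytes actually are, flagging document containers riding inside text/* parts. The sample message, the filenames and the "hidden_container" label are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic bytes of the containers Office documents ship in.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsm or any zip


def sniff(payload: bytes) -> str:
    """Classify a decoded part by its bytes, ignoring what the header claims."""
    if payload.startswith(OLE2_MAGIC):
        return "ole2"
    if payload.startswith(ZIP_MAGIC):
        return "zip"
    head = payload[:1024].lower()
    if b"mime-version:" in head and b"multipart/related" in head:
        return "mhtml"   # Word's "Single File Web Page" save format
    return "other"


def inspect(raw: bytes) -> list[dict]:
    """Walk every leaf part, decode it, and compare declared type with content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        kind = sniff(payload)
        findings.append({
            "declared": declared,
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "kind": kind,
            # A document container inside a text/* part is exactly what a
            # scanner keyed only on Content-Type never hands to a macro check.
            "hidden_container": declared.startswith("text/") and kind != "other",
        })
    return findings


def build_sample() -> bytes:
    """Constructed message: a .doc as the thread describes (application/msword,
    base64) beside an MHTML file sent as text/html, quoted-printable."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="report.doc")
    mhtml = ('MIME-Version: 1.0\nContent-Type: multipart/related; boundary="b1"\n\n'
             "--b1\nContent-Type: text/html\n\n<html></html>\n--b1--\n")
    msg.add_attachment(mhtml, subtype="html", cte="quoted-printable", filename="report.mht")
    return msg.as_bytes()
```

Running inspect(build_sample()) reports the text/html part as carrying an MHTML container, which is the case a Content-Type-only filter would pass through to the user untouched.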