Posted to users@spamassassin.apache.org by Jared Hall <ja...@jaredsec.com> on 2021/07/13 02:30:44 UTC

Re: Email Phishing and Zloader: Redux

1) Kenneth:  Uncomment the line in v343.  Rules in the present KAM.cf 
are thusly:

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
   # increase number of mime parts checked
   olemacro_num_mime 10
   if (version >= 3.0040005)
     body     KAM_OLEMACRO eval:check_olemacro()
     describe KAM_OLEMACRO Attachment has an Office Macro
     score    KAM_OLEMACRO 7.5
     body     KAM_OLEMACRO_MALICE eval:check_olemacro_malice()
     describe KAM_OLEMACRO_MALICE Potentially malicious Office Macro
     score    KAM_OLEMACRO_MALICE 10.0
     body     KAM_OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
     describe KAM_OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
     score    KAM_OLEMACRO_ENCRYPTED 3.0
     #This may cause more CPU usage
     olemacro_extended_scan 1
     body     KAM_OLEMACRO_RENAME eval:check_olemacro_renamed()
     describe KAM_OLEMACRO_RENAME Has an Office doc that has been renamed
     score    KAM_OLEMACRO_RENAME 0.5
     meta     GB_OLEMACRO_REN_VIR ( KAM_OLEMACRO_RENAME && FORGED_OUTLOOK_HTML )
     describe GB_OLEMACRO_REN_VIR Olemacro and fake Outlook
     score    GB_OLEMACRO_REN_VIR 10
   endif
   body     KAM_OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
   describe KAM_OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
   score    KAM_OLEMACRO_ZIP_PW 1.0
   body     KAM_OLEMACRO_CSV eval:check_olemacro_csv()
   describe KAM_OLEMACRO_CSV Macro in csv file
   score    KAM_OLEMACRO_CSV 5.0
   #meta     KAM_OLEMACRO_ZIP_PW_NOMID  ( KAM_OLEMACRO_ZIP_PW && MISSING_MID )
   #describe KAM_OLEMACRO_ZIP_PW_NOMID  OLE macro sent by a bot / ratware
   #score    KAM_OLEMACRO_ZIP_PW_NOMID  5.0
   meta     KAM_OLEMACRO_ZIP_BOT    ( KAM_OLEMACRO_ZIP_PW && ( MISSING_MID || PDS_FROMNAME_SPOOFED_EMAIL ) )
   describe KAM_OLEMACRO_ZIP_BOT    OLE macro sent by a bot / ratware
   score    KAM_OLEMACRO_ZIP_BOT    5.0
endif


Yes, there does seem to be one "endif" too many, but I don't think it 
matters much with this type of a plugin.

Thanks for the information from hornetsecurity.  It's the most 
comprehensive write-up on Zloader that I've seen.

I did do some testing with Word and MHTML.  A Word document when sent 
out is assigned Content-Type: application/msword and 
Content-Transfer-Encoding: base64.  A MHTML file is sent out with 
Content-Type: text/html and Content-Transfer-Encoding: quoted-printable 
(w/ my document anyway).

I'm curious as to what HornetSecurity saw in their E-mail MIME header.  
It DOES make a difference, at least regarding plugin scanning.  But a 
.doc file is a .doc file as far as Word is concerned.

I put forth a query to them.  I'll let you know if they respond.

-- Jared Hall




>
> I simply uncommented it in /etc/spamassassin/v343.pre:
>
> # OLEVBMacro - Detects both OLE macros and VB code inside Office 
> documents
> loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
>
> the KAM.cf takes care of the rest.
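The distinction drawn in the post above (a native .doc arrives as application/msword with base64, an MHTML-format .doc arrives as text/html with quoted-printable, and the declared type steers which scanner looks at the part even though Word opens both) can be made concrete with a small classifier. This is an added example written for this thread; it is not code from SpamAssassin, the OLEVBMacro plugin or KAM.cf. It parses a constructed message, decodes each MIME part, and sniffs the real container from its leading bytes (OLE compound-file magic, ZIP/OOXML magic, or an MHTML header block; which signatures to check is an assumption made here, not a description of the plugin's own logic), then flags parts whose content is an Office or MHTML container but whose declared Content-Type is a text/* type, i.e. the parts a type-driven scanner would skip.

```python
"""Classify MIME parts by what they contain, not by what the header claims.

Added example for the mailing-list thread; not SpamAssassin, OLEVBMacro or
KAM.cf code. The signatures and the sample message are constructed here.
"""
import base64
import email
import quopri
from email import policy

# Leading bytes used to sniff the real container (assumed signatures,
# chosen for the example; the plugin may check differently).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx (OOXML zip)
MHTML_TOKENS = (b"MIME-Version:", b"From:", b"Content-Type: multipart/related")


def sniff(payload: bytes) -> str:
    """Return 'ole', 'ooxml', 'mhtml' or 'other' from the decoded bytes."""
    head = payload.lstrip()[:64]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    if any(head.startswith(tok) for tok in MHTML_TOKENS):
        return "mhtml"
    return "other"


def classify_parts(raw: bytes) -> list:
    """Decode every leaf part and compare declared type with sniffed content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undo base64/QP
        declared = part.get_content_type()
        kind = sniff(payload)
        findings.append({
            "filename": part.get_filename() or "",
            "declared": declared,
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "sniffed": kind,
            # Office/MHTML content sitting in a text/* part: a scanner keyed
            # on the declared type would never hand this part to an Office
            # document check, although Word opens it as a .doc.
            "type_mismatch": kind != "other" and declared.startswith("text/"),
        })
    return findings


def build_sample() -> bytes:
    """Constructed message: plain body, native .doc (base64), MHTML .doc (QP)."""
    ole_b64 = base64.b64encode(OLE_MAGIC + b"\x00" * 24).decode()
    mhtml = (b"MIME-Version: 1.0\n"
             b'Content-Type: multipart/related; boundary="----=_inner"\n\n'
             b"------=_inner\nContent-Type: text/html\n\n<html></html>\n"
             b"------=_inner--\n")
    mhtml_qp = quopri.encodestring(mhtml).decode()
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="outer"\n\n'
        "--outer\nContent-Type: text/plain\n\nPlease see attached.\n"
        '--outer\nContent-Type: application/msword; name="report.doc"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="report.doc"\n\n'
        f"{ole_b64}\n"
        '--outer\nContent-Type: text/html; charset="us-ascii"; name="invoice.doc"\n'
        "Content-Transfer-Encoding: quoted-printable\n"
        'Content-Disposition: attachment; filename="invoice.doc"\n\n'
        f"{mhtml_qp}\n"
        "--outer--\n"
    ).encode()


if __name__ == "__main__":
    for f in classify_parts(build_sample()):
        flag = "  <-- office content in text/* part" if f["type_mismatch"] else ""
        print(f"{f['filename'] or '(body)':12} {f['declared']:20} "
              f"{f['cte']:17} sniffed={f['sniffed']}{flag}")
```

The useful property for a mail filter is the "sniffed" column: a rule or plugin that decides which parts to examine by content bytes rather than by Content-Type sees the same .doc whether it travelled as application/msword or as text/html.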