Infected files slipping through

cam
Posts: 37
Joined: 26 Oct 2012 17:02

Infected files slipping through

Post by cam »

Hey guys, we have had a huge issue lately with presumably infected .doc file attachments making it to inboxes. Is this something we have set up incorrectly, or is there some solution for scanning attachments properly? Thanks!
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

Can you show us the spam report?

Also, is the attachment a doc file, or a doc.js file? Would you be willing to attempt to send it to me?

I have some additional checks in place to help catch these kinds of things. I'd be curious to see if my checks would trap it.
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: Infected files slipping through

Post by skoppes »

We had the same thing happen. Several users, over several days, were getting slammed with macro-infected DOC files. I still have one that came directly to me for reference:


Spam Report:	
Score	Matching Rule	Description
-0.00	BAYES_20	Bayes spam probability is 5 to 20%
1.10	DCC_CHECK	Detected as bulk mail by DCC (dcc-servers.net)
0.50	JMQ_SPF_NEUTRAL_ALL	 
-0.00	RCVD_IN_DNSWL_NONE	Sender listed at http://www.dnswl.org/, no trust
-0.00	SPF_PASS	SPF: sender matches SPF record
0.01	T_OBFU_DOC_ATTACH
I am willing to send a copy for examination, with the warning that it is not something you want to run.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Infected files slipping through

Post by ovizii »

you can send me one too and if it gets caught I can let you know what stopped it: ovidiu *at* ict-consult *dot* co *dot* za
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: Infected files slipping through

Post by skoppes »

I sent an email request through the site to you pdwalker, and a copy of the file directly to you ovizii.

These are nasty little buggers!
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Infected files slipping through

Post by ovizii »

@skoppes: I haven't received anything yet, or I might be missing it. Send me an email request through this site please.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Infected files slipping through

Post by shawniverson »

I am willing to test too :D. Email the infected bugger to shawniverson@summitgrid.org :)
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

skoppes wrote: I sent an email request through the site to you pdwalker, and a copy of the file directly to you ovizii.

These are nasty little buggers!
Hi Skoppes,

I'm going to pm you another email account to send to. The one registered with the site goes to google and not to my efa installation.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Infected files slipping through

Post by ovizii »

@skoppes: did you send one to the email I gave you above? ovidiu@ict-consult.co.za

Btw. I also had an infected .doc with macros slip through by clamav + unofficial signatures + sophos.
It looked suspicious so I then uploaded it to virustotal.com and it was recognized by 1 (Ikarus) out of 55 scanners as Trojan-Downloader.VBA.Agent so I submitted it to sophos and clamav.

What does virustotal.com say about your attachment and which scanner detected it as a virus?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

skoppes was able to send me one, and it passed through cleanly.

virustotal.com now mostly recognizes this file, so when the clamav updates get pushed out, this one should be stopped.


SHA256:	9efc192fae6979799481f42cf411d8c32f1b8e3ad91e2bd3ae72e3506402c5d5
File name:	ss_pennantcapital.com_68574.doc
Detection ratio:	37 / 55
Analysis date:	2016-09-13 12:55:18 UTC ( 0 minutes ago )

Antivirus	Result	Update
ALYac	W97M.Downloader.EFN	20160913
AVG	Downloader.Generic_c.AMNH	20160913
AVware	Trojan.OLE.Generic.a (v)	20160913
Ad-Aware	W97M.Downloader.EFN	20160913
AhnLab-V3	W97M/Dropper	20160913
Antiy-AVL	Trojan[Downloader]/VBS.Agent.bzr	20160913
Arcabit	W97M.Downloader.EFN	20160913
Avast	VBA:Downloader-DDK [Trj]	20160913
Avira (no cloud)	W2000M/Dldr.Agent.AM.5763	20160913
Baidu	VBA.Trojan-Dropper.Agent.mu	20160913
BitDefender	W97M.Downloader.EFN	20160913
CAT-QuickHeal	W97M.Downloader.JA	20160913
ClamAV	Win.Malware.Agent3380527549/CRDF-1	20160913
Comodo	TrojWare.VBS.Dropper.mimko	20160912
Cyren	W97M/Nastjencro	20160913
DrWeb	W97M.Dropper.35	20160913
ESET-NOD32	VBA/TrojanDropper.Agent.NV	20160913
Emsisoft	W97M.Downloader.EFN (B)	20160913
F-Prot	New or modified W97M/Nastjencro	20160913
F-Secure	Trojan:W97M/Nastjencro.A	20160913
Fortinet	WM/Nastjencro.A!tr	20160913
GData	W97M.Downloader.EFN	20160913
Ikarus	Trojan-Downloader.VBA.Agent	20160913
Kaspersky	Trojan-Downloader.MSWord.Agent.aoy	20160913
McAfee	W97M/Dropper.ci	20160913
McAfee-GW-Edition	W97M/Dropper.ci	20160912
eScan	W97M.Downloader.EFN	20160913
Microsoft	Trojan:O97M/Madeba.A!det	20160913
Panda	W97M/Downloader	20160912
Qihoo-360	virus.office.gen.75	20160913
Sophos	Troj/DocDl-EJR	20160913
Symantec	Trojan.Mdropper	20160913
Tencent	Macro.Trojan.Dropperd.Auto	20160913
TrendMicro	W2KM_HANCITOR.YYSVS	20160913
TrendMicro-HouseCall	W2KM_HANCITOR.YYSVS	20160913
VIPRE	Trojan.OLE.Generic.a (v)	20160913
ViRobot	W97M.S.Downloader.273920[h]	20160913
AegisLab		20160913
Alibaba		20160913
Bkav		20160912
CMC		20160912
Jiangmin		20160913
K7AntiVirus		20160913
K7GW		20160913
Kingsoft		20160913
Malwarebytes		20160913
NANO-Antivirus		20160913
Rising		20160913
SUPERAntiSpyware		20160913
TheHacker		20160911
VBA32		20160913
Yandex		20160911
Zillya		20160912
Zoner		20160913
nProtect		20160913
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Infected files slipping through

Post by ovizii »

I also just got one from Skoppes which got stopped by clamav with the unofficial signatures as well as sophos:
Clamd: message was infected: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL
Clamd: ss_pennantcapital.com_68574.doc was infected: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL
Sophos: >>> Virus 'Troj/DocDl-EJR' found in file ./D599F100052.AB35B/ss_pennantcapital.com_68574.doc
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

Frankly, I'd like efa to just immediately quarantine any macro enabled office document. However, it seems that is quite a difficult thing to accomplish.

Thanks Microsoft!
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Infected files slipping through

Post by ovizii »

@pdwalker: I'm sure it's possible.
What I am doing is checking for macros, and if a message hits, say, BAYES_BL && MICROSOFT_OLE2MACRO then I add an extra score. Has worked fine so far.
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: Infected files slipping through

Post by skoppes »

Update: Yes, that is the address I sent it to. Apparently our (updated) EFA was happy to kill it on outbound, so I had to try a few times to send while bypassing EFA. My apologies if it came through more than once - our email server was being a little difficult.

EFA did not automatically notify me about killing something outbound. AV scanners used to send an email back to the admin with inbound detection, but I'd never tried outbound. Yikes!

Here is what the EFA report stated for it:


Virus:	 Y 
Blocked File:	 N 
Other Infection:	 N 
Report:	Clamd: ss_pennantcapital.com_68574.doc was infected: Heuristics.OLE2.ContainsMacros 
virustotal.com results:
https://virustotal.com/en/file/9efc192f ... /analysis/

pdwalker has a copy now too - I don't feel as bad since his EFA gave it a thumbs-up too :whistle:


It was never a question of whether it was malicious content or not, it was a question of how/why it got past EFA, and what we can do about it going forward.
Last edited by skoppes on 13 Sep 2016 13:13, edited 1 time in total.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

how are you checking for macros?
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Infected files slipping through

Post by ovizii »

@pdwalker:

you could use /etc/clamd.conf and set OLE2BlockMacros yes
the description is a bit misleading, at first I assumed one could use this to add a header: Heuristics.OLE2.ContainsMacros without blocking but that doesn't seem to work that way.

I use this: https://github.com/JonathanThorpe/spama ... -vba-macro
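To answer "how are you checking for macros?" at the file level rather than through a plugin: below is an added, stand-alone example (not code from EFA, ClamAV, or the spamassassin-vba-macro plugin linked above) that walks the directory tree of an OLE2 compound file, which is what a legacy .doc/.xls/.ppt is, and reports the streams that mark a VBA project. This is the same structural signal behind ClamAV's Heuristics.OLE2.ContainsMacros, so it fires on a freshly mutated sample before any signature exists. The `build_ole2` helper and the two documents it produces are constructed fixtures for the demo, not real samples; the parser reads only the 109 FAT pointers in the header, which covers attachments under about 7 MB.

```python
"""Flag VBA macros in an OLE2 / Compound File Binary document (.doc, .xls, .ppt) by
walking its directory tree for a VBA project.  Added example for this thread, not code
from EFA, ClamAV or spamassassin-vba-macro.  A .docm is a zip whose word/vbaProject.bin
is itself OLE2 and can be fed to the same check."""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5


def _sector(data, size, n):
    return data[(n + 1) * size:(n + 2) * size]      # sector 0 follows the 512-byte header


def _read_fat(data, size):
    """FAT from the 109 DIFAT slots in the header (files under ~7 MB; chained DIFAT not followed)."""
    per, fat = size // 4, []
    for s in struct.unpack("<109I", data[76:512]):
        if s == FREESECT or len(_sector(data, size, s)) != size:
            break
        fat.extend(struct.unpack("<%dI" % per, _sector(data, size, s)))
    return fat


def _dir_entries(data):
    """Follow the directory sector chain and parse its 128-byte entries."""
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    fat, raw, seen = _read_fat(data, size), b"", set()
    s = struct.unpack_from("<I", data, 48)[0]
    while s < len(fat) and s not in seen:            # ENDOFCHAIN / FREESECT are out of range
        seen.add(s)
        raw += _sector(data, size, s)
        s = fat[s]
    ents = []
    for i in range(0, len(raw) - 127, 128):
        e = raw[i:i + 128]
        nlen = struct.unpack_from("<H", e, 64)[0]    # bytes, UTF-16 terminator included
        name = e[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
        ents.append((name, e[66]) + struct.unpack_from("<III", e, 68))  # type, left, right, child
    return ents


def list_paths(data):
    """Depth-first (path, type) for every storage and stream; root children sit at top level."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    ents, out, seen = _dir_entries(data), [], set()

    def walk(idx, prefix):
        if idx == NOSTREAM or idx >= len(ents) or idx in seen:
            return                                   # unset, truncated or looping pointer
        seen.add(idx)
        name, typ, left, right, child = ents[idx]
        if typ == 0:
            return                                   # unused slot
        walk(left, prefix)                           # siblings form a red-black tree
        path = prefix + [name]
        out.append(("/".join(path), typ))
        if typ in (STORAGE, ROOT):
            walk(child, path if typ == STORAGE else prefix)
        walk(right, prefix)

    walk(0, [])
    return out


def find_vba(data):
    """Streams that mark a VBA project: _VBA_PROJECT anywhere, or 'dir' inside a VBA storage."""
    hits = []
    for path, typ in list_paths(data):
        parts = path.lower().split("/")
        if typ == STREAM and (parts[-1] == "_vba_project" or parts[-2:] == ["vba", "dir"]):
            hits.append(path)
    return hits


def build_ole2(entries):
    """Constructed fixture, not a real sample: minimal CFB with one FAT sector and no payloads."""
    n_dir = -(-len(entries) // 4)                    # four entries per 512-byte sector
    fat = [FATSECT] + list(range(2, n_dir + 1)) + [ENDOFCHAIN]   # sector 0 = FAT, 1..n = dir
    fat += [FREESECT] * (128 - len(fat))
    hdr = bytearray(512)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # version, byte order, shifts
    struct.pack_into("<IIII", hdr, 44, 1, 1, 0, 4096)            # nFAT, first dir sector, cutoff
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr[76:512] = struct.pack("<109I", 0, *([FREESECT] * 108))
    dirs = bytearray(n_dir * 512)
    for i, (name, typ, left, right, child) in enumerate(entries):
        enc = name.encode("utf-16-le") + b"\x00\x00"
        dirs[i * 128:i * 128 + len(enc)] = enc
        struct.pack_into("<HBBIII", dirs, i * 128 + 64, len(enc), typ, 1, left, right, child)
        struct.pack_into("<I", dirs, i * 128 + 116, ENDOFCHAIN)
    return bytes(hdr) + struct.pack("<128I", *fat) + bytes(dirs)


# Constructed samples: a Word-style tree carrying a VBA project, and a clean document.
MACRO_DOC = build_ole2([("Root Entry", ROOT, NOSTREAM, NOSTREAM, 1),
                        ("Macros", STORAGE, NOSTREAM, 4, 2),
                        ("VBA", STORAGE, NOSTREAM, NOSTREAM, 3),
                        ("_VBA_PROJECT", STREAM, NOSTREAM, NOSTREAM, NOSTREAM),
                        ("WordDocument", STREAM, NOSTREAM, NOSTREAM, NOSTREAM)])
CLEAN_DOC = build_ole2([("Root Entry", ROOT, NOSTREAM, NOSTREAM, 1),
                        ("WordDocument", STREAM, NOSTREAM, NOSTREAM, NOSTREAM)])
```

`find_vba(open("sample.doc", "rb").read())` returns the offending paths (for the fixture, `['Macros/VBA/_VBA_PROJECT']`) or an empty list. The check is purely structural, so it does not tell a benign macro from a downloader; it is a signal to score or quarantine on, which is why it pairs with a Bayes or sender-reputation rule rather than standing alone.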
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

I ran freshclam, and now it is detected.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Infected files slipping through

Post by pdwalker »

ovizii wrote: @pdwalker:

you could use /etc/clamd.conf and set OLE2BlockMacros yes
the description is a bit misleading, at first I assumed one could use this to add a header: Heuristics.OLE2.ContainsMacros without blocking but that doesn't seem to work that way.

I use this: https://github.com/JonathanThorpe/spama ... -vba-macro
The "OLE2BlockMacros yes" treats all macros as viruses. I'd rather score them higher with spamassassin.

I use the same spamassassin module to attempt to detect macros in embedded documents. However, it doesn't catch all. See these links
viewtopic.php?f=14&t=1547&p=5691&hilit= ... o.pm#p5734
viewtopic.php?f=13&t=1598&p=5887&hilit= ... o.pm#p5887
https://github.com/JonathanThorpe/spama ... /issues/14
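For anyone who wants the "score them higher" approach from the last two posts spelled out, the following is an added local.cf fragment, not EFA's shipped configuration and not from the plugin's README. It assumes the spamassassin-vba-macro plugin linked above is loaded and already defines MICROSOFT_OLE2MACRO, and it uses the stock BAYES_95/BAYES_99 rules where ovizii's post names a site-specific Bayes rule. The blunt alternative described earlier, `OLE2BlockMacros yes` in /etc/clamd.conf, rejects every macro-bearing document outright; the meta rules below only push the combination over the spam threshold.

```text
# Added example for this thread; assumes MICROSOFT_OLE2MACRO is provided by the
# loaded OLE macro plugin.  Place in /etc/mail/spamassassin/local.cf and check
# with `spamassassin --lint` before restarting.

# A macro-bearing Office attachment on its own gets a modest bump.
score     MICROSOFT_OLE2MACRO     2.0

# Macro document that Bayes also rates as likely spam: add enough to cross the
# threshold without blocking every legitimate macro-enabled file.
meta      LOCAL_MACRO_BAYES_HIGH  MICROSOFT_OLE2MACRO && (BAYES_95 || BAYES_99)
describe  LOCAL_MACRO_BAYES_HIGH  Office macro attachment with high Bayes spam probability
score     LOCAL_MACRO_BAYES_HIGH  4.0

# The report earlier in the thread shows such a sample passing SPF and scoring
# only 1.1 from DCC, so do not rely on sender checks alone: require the sender
# to be on the local whitelist before a macro attachment is left unscored.
meta      LOCAL_MACRO_UNTRUSTED   MICROSOFT_OLE2MACRO && !USER_IN_WHITELIST
describe  LOCAL_MACRO_UNTRUSTED   Office macro attachment from a sender not on the local whitelist
score     LOCAL_MACRO_UNTRUSTED   1.5
```

Watch the headers of a few quarantined and delivered messages after the change: the rule names appear in the X-Spam-Status line, which is the quickest way to confirm the plugin actually fired on an attachment rather than the meta rule silently never matching.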