
Infected files slipping through

Posted: 01 Sep 2016 20:51
by cam
Hey guys, we have had a huge issue lately with presumably infected .doc file attachments making it to inboxes - is this something we have incorrectly or some solution for it to scan attachments properly? Thanks!

Re: Infected files slipping through

Posted: 02 Sep 2016 03:56
by pdwalker
Can you show us the spam report?

Also, is the attachment a doc file, or a doc.js file? Would you be willing to attempt to send it to me?

I have some additional checks in place to help catch these kinds of things. I'd be curious to see if my checks would trap it.

Re: Infected files slipping through

Posted: 02 Sep 2016 13:47
by skoppes
We had the same thing happen. Several users, over several days, were getting slammed with macro-infected DOC files. I still have one that came directly to me for reference:

Code:

Spam Report:	
Score	Matching Rule	Description
-0.00	BAYES_20	Bayes spam probability is 5 to 20%
1.10	DCC_CHECK	Detected as bulk mail by DCC (dcc-servers.net)
0.50	JMQ_SPF_NEUTRAL_ALL	 
-0.00	RCVD_IN_DNSWL_NONE	Sender listed at http://www.dnswl.org/, no trust
-0.00	SPF_PASS	SPF: sender matches SPF record
0.01	T_OBFU_DOC_ATTACH
I am willing to send a copy for examination, with the warning that it is not something you want to run.

Re: Infected files slipping through

Posted: 09 Sep 2016 07:00
by ovizii
you can send me one too and if it gets caught I can let you know what stopped it: ovidiu *at* ict-consult *dot* co *dot* za

Re: Infected files slipping through

Posted: 09 Sep 2016 18:40
by skoppes
I sent an email request through the site to you pdwalker, and a copy of the file directly to you ovizii.

These are nasty little buggers!

Re: Infected files slipping through

Posted: 10 Sep 2016 09:50
by ovizii
@skoppes: I haven't received anything yet or I might be missing it, send me an email request through this site please.

Re: Infected files slipping through

Posted: 11 Sep 2016 12:18
by shawniverson
I am willing to test too :D. Email the infected bugger to shawniverson@summitgrid.org :)

Re: Infected files slipping through

Posted: 12 Sep 2016 17:59
by pdwalker
skoppes wrote:I sent an email request through the site to you pdwalker, and a copy of the file directly to you ovizii.

These are nasty little buggers!
Hi Skoppes,

I'm going to pm you another email account to send to. The one registered with the site goes to google and not to my efa installation.

Re: Infected files slipping through

Posted: 12 Sep 2016 18:13
by ovizii
@skoppes: did you send one to the email I gave you above? ovidiu@ict-consult.co.za

Btw. I also had an infected .doc with macros slip through by clamav + unofficial signatures + sophos.
It looked suspicious so I then uploaded it to virustotal.com and it was recognized by 1 (Ikarus) out of 55 scanners as Trojan-Downloader.VBA.Agent so I submitted it to sophos and clamav.

What does virustotal.com say about your attachment and which scanner detected it as a virus?

Re: Infected files slipping through

Posted: 13 Sep 2016 12:57
by pdwalker
skoppes was able to send me one, and it passed through cleanly.

virustotal.com now mostly recognizes this file, so when the clamav updates get pushed out, this one should be stopped.

Code:

SHA256:	9efc192fae6979799481f42cf411d8c32f1b8e3ad91e2bd3ae72e3506402c5d5
File name:	ss_pennantcapital.com_68574.doc
Detection ratio:	37 / 55
Analysis date:	2016-09-13 12:55:18 UTC ( 0 minutes ago )

Antivirus	Result	Update
ALYac	W97M.Downloader.EFN	20160913
AVG	Downloader.Generic_c.AMNH	20160913
AVware	Trojan.OLE.Generic.a (v)	20160913
Ad-Aware	W97M.Downloader.EFN	20160913
AhnLab-V3	W97M/Dropper	20160913
Antiy-AVL	Trojan[Downloader]/VBS.Agent.bzr	20160913
Arcabit	W97M.Downloader.EFN	20160913
Avast	VBA:Downloader-DDK [Trj]	20160913
Avira (no cloud)	W2000M/Dldr.Agent.AM.5763	20160913
Baidu	VBA.Trojan-Dropper.Agent.mu	20160913
BitDefender	W97M.Downloader.EFN	20160913
CAT-QuickHeal	W97M.Downloader.JA	20160913
ClamAV	Win.Malware.Agent3380527549/CRDF-1	20160913
Comodo	TrojWare.VBS.Dropper.mimko	20160912
Cyren	W97M/Nastjencro	20160913
DrWeb	W97M.Dropper.35	20160913
ESET-NOD32	VBA/TrojanDropper.Agent.NV	20160913
Emsisoft	W97M.Downloader.EFN (B)	20160913
F-Prot	New or modified W97M/Nastjencro	20160913
F-Secure	Trojan:W97M/Nastjencro.A	20160913
Fortinet	WM/Nastjencro.A!tr	20160913
GData	W97M.Downloader.EFN	20160913
Ikarus	Trojan-Downloader.VBA.Agent	20160913
Kaspersky	Trojan-Downloader.MSWord.Agent.aoy	20160913
McAfee	W97M/Dropper.ci	20160913
McAfee-GW-Edition	W97M/Dropper.ci	20160912
eScan	W97M.Downloader.EFN	20160913
Microsoft	Trojan:O97M/Madeba.A!det	20160913
Panda	W97M/Downloader	20160912
Qihoo-360	virus.office.gen.75	20160913
Sophos	Troj/DocDl-EJR	20160913
Symantec	Trojan.Mdropper	20160913
Tencent	Macro.Trojan.Dropperd.Auto	20160913
TrendMicro	W2KM_HANCITOR.YYSVS	20160913
TrendMicro-HouseCall	W2KM_HANCITOR.YYSVS	20160913
VIPRE	Trojan.OLE.Generic.a (v)	20160913
ViRobot	W97M.S.Downloader.273920[h]	20160913
AegisLab		20160913
Alibaba		20160913
Bkav		20160912
CMC		20160912
Jiangmin		20160913
K7AntiVirus		20160913
K7GW		20160913
Kingsoft		20160913
Malwarebytes		20160913
NANO-Antivirus		20160913
Rising		20160913
SUPERAntiSpyware		20160913
TheHacker		20160911
VBA32		20160913
Yandex		20160911
Zillya		20160912
Zoner		20160913
nProtect		20160913

Re: Infected files slipping through

Posted: 13 Sep 2016 12:59
by ovizii
I also just got one from Skoppes which got stopped by clamav with the unofficial signatures as well as sophos:
Clamd: message was infected: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL ,Clamd: ss_pennantcapital.com_68574.doc was infected: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL Sophos: >>> Virus 'Troj/DocDl-EJR' found in file ./D599F100052.AB35B/ss_pennantcapital.com_68574.doc

Re: Infected files slipping through

Posted: 13 Sep 2016 13:00
by pdwalker
Frankly, I'd like efa to just immediately quarantine any macro enabled office document. However, it seems that is quite a difficult thing to accomplish.

Thanks Microsoft!

Re: Infected files slipping through

Posted: 13 Sep 2016 13:07
by ovizii
@pdwalker: I'm sure it's possible.
What I am doing is checking for macros and if a message hits say BAYES_BL && MICROSOFT_OLE2MACRO then I add an extra score. Has worked fine so far.

Re: Infected files slipping through

Posted: 13 Sep 2016 13:10
by skoppes
Update: Yes, that is the address I sent it to. Apparently our (updated) EFA was happy to kill it on outbound, so I had to try a few times to send while bypassing EFA. My apologies if it came through more than once - our email server was being a little difficult.

EFA did not automatically notify me about killing something outbound. AV scanners used to send an email back to the admin with inbound detection, but I'd never tried outbound. Yikes!

Here is what the EFA report stated for it:

Code:

Virus:	 Y 
Blocked File:	 N 
Other Infection:	 N 
Report:	Clamd: ss_pennantcapital.com_68574.doc was infected: Heuristics.OLE2.ContainsMacros 
virustotal.com results:
https://virustotal.com/en/file/9efc192f ... /analysis/

pdwalker has a copy now too - I don't feel as bad since his EFA gave it a thumbs-up too :whistle:


It was never a question of whether it was malicious content or not, it was a question of how/why it got past EFA, and what we can do about it going forward.

Re: Infected files slipping through

Posted: 13 Sep 2016 13:10
by pdwalker
how are you checking for macros?

Re: Infected files slipping through

Posted: 13 Sep 2016 13:39
by ovizii
@pdwalker:

you could use /etc/clamd.conf and set OLE2BlockMacros yes
the description is a bit misleading, at first I assumed one could use this to add a header: Heuristics.OLE2.ContainsMacros without blocking but that doesn't seem to work that way.

I use this: https://github.com/JonathanThorpe/spama ... -vba-macro

Re: Infected files slipping through

Posted: 13 Sep 2016 13:40
by pdwalker
I ran freshclam, and now it is detected.

Re: Infected files slipping through

Posted: 13 Sep 2016 13:52
by pdwalker
ovizii wrote:@pdwalker:

you could use /etc/clamd.conf and set OLE2BlockMacros yes
the description is a bit misleading, at first I assumed one could use this to add a header: Heuristics.OLE2.ContainsMacros without blocking but that doesn't seem to work that way.

I use this: https://github.com/JonathanThorpe/spama ... -vba-macro
The "OLE2BlockMacros yes" treats alll macros as viruses. I'd rather score them higher with spamassassin.

I use the same spamassassin module to attempt to detect macros in embedded documents. However, it doesn't catch all. See these links
viewtopic.php?f=14&t=1547&p=5691&hilit= ... o.pm#p5734
viewtopic.php?f=13&t=1598&p=5887&hilit= ... o.pm#p5887
https://github.com/JonathanThorpe/spama ... /issues/14
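As an added example (not from any post in this thread), here is one way to write the "score it rather than block it" approach that ovizii and pdwalker describe: SpamAssassin meta rules in local.cf that add points only when the OLEMacro plugin's MICROSOFT_OLE2MACRO rule fires together with another signal, set beside the clamd.conf setting that instead treats every macro document as a virus. It assumes the OLEMacro plugin from the linked repository is loaded and provides MICROSOFT_OLE2MACRO as ovizii's post uses it; BAYES_99 is a stock SpamAssassin rule, DCC_CHECK is the rule that hit in skoppes' report, and the LOCAL_* names and scores are made up here.

```conf
# /etc/mail/spamassassin/local.cf  (added example, not from the thread)
# Assumes the OLEMacro plugin is loaded and defines MICROSOFT_OLE2MACRO.

# Baseline: any macro-bearing Office attachment costs points, but not
# enough on its own to reject mail from legitimate senders of .doc files.
score    MICROSOFT_OLE2MACRO   1.5

# Macro present AND Bayes >= 99% spam: almost certainly a downloader.
meta     LOCAL_MACRO_BAYES99   (MICROSOFT_OLE2MACRO && BAYES_99)
describe LOCAL_MACRO_BAYES99   Office macro attachment in a message Bayes rates >= 99% spam
score    LOCAL_MACRO_BAYES99   4.0

# Macro present AND DCC says the message is bulk mail (the DCC_CHECK hit
# in skoppes' spam report above). Macro documents are rarely sent in bulk.
meta     LOCAL_MACRO_BULK      (MICROSOFT_OLE2MACRO && DCC_CHECK)
describe LOCAL_MACRO_BULK      Office macro attachment in a message DCC flags as bulk
score    LOCAL_MACRO_BULK      3.0

# Contrast, in /etc/clamd.conf: this reports every macro document as
# Heuristics.OLE2.ContainsMacros, with no scoring, so it blocks legitimate
# macro documents too. Leave it off if you use the rules above.
# OLE2BlockMacros no
```

Note that skoppes' sample scored BAYES_20 and DCC_CHECK, so only the DCC meta rule (plus the baseline score) would have fired on it; pairing the macro hit with more than one second signal is what keeps this from depending on Bayes alone.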