>ASSP crashes - completely 

This no longer happens using ASSP_AFC 4.51 (available at SF-CVS)

Thomas



From:    K Post <nntp.p...@gmail.com>
To:     ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:  21.05.2017 17:29
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin



Thank you for that very detailed and informative additional explanation.  
Clears things up nicely.
And that explains why my sample PDF with javascript is getting through: it 
just fills in a date into a field, nothing questionable.

I suggest making a change to the AFC plugin documentation in the GUI to 
state that:
1. javascript scanning is intelligent, attempting to allow non-malicious 
javascript through.
2. That using the :PDF exception is not recommended as this will disable 
all PDF executable scanning.  (leaving out the bit about false positives)

Of note: when I try to do an analyze with that sample PDF's message file 
(the PDF with the basic javascript that I sent you), ASSP crashes - 
completely - the service needs to be started again.  Win32.    I've never 
seen that happen before.  If I disable the AFC plugin, analyze works.



On Sun, May 21, 2017 at 2:39 AM, Thomas Eckardt <
thomas.ecka...@thockar.com> wrote:
I did not get any attachment from you. 

>that would include anything in the PDF, CertPDF, JSPDF, and URIPDF 
category right? 

right 

:PDF switches all executable checks off for PDF files - it is NOT 
recommended to do this - because it will block any (possibly also regular) 
JavaScript defined using '/S/JavaScript/JS' 

>There seems to be a bit of a double negative in your above comments. 

yes - exe-bin is recommended - :PDF to exclude (1. not) pdf scans - this 
is not (2. not) recommended 
simple boolean operations should not be a problem for an IT prof :) 

:PDF is a backward comp. switch - "use the old behavior" 

>that would include anything in the PDF, CertPDF, JSPDF, and URIPDF 
category right? 

A stream object can be anything in a PDF. The Adobe suites do not 
support creating other executable objects. But it is possible to do this. 
Hackers will never use an Adobe product to create a virus in a PDF! 

The nice ransomware does the following, for example: 

1 2 obj 
stream <.... binary docm anyhow encoded and encrypted ...> 
endobj 
.... 
10 11 obj 
/Type/Filespec/test.docm ..... 
endobj 
.... 
3 4 obj 
/EmbeddedFile/test.docm/ ......<</JavaScript. ..../OpenAction .. load the 
docm in the JavaScript 
endobj 

If you use an outdated pdf reader, the reader will call/do an OLE to 
ms-word at the PDF-Open request - DONE- buy some bitcoins or restore! 

A stream object <....> can be stored binary, hex encoded or octal - 
example hex: 

<41424344454647> 
which is 'ABCDEFG' - but Adobe allows and ignores all white spaces 
included in this encoding. The following would be the same for the reader: 
<41    4243  44                           45 46                       47                          > 

if more than 256 whitespaces are added, no antivirus will ever catch it. 

Because assp does not need to read or process the attachment as a PDF 
reader (in ASSP_AFC), it decodes all streams to binary and removes all 
whitespaces (at any length) - even if the binary result will not be 100% 
correct. 
As far as I know, no antivirus ever decodes a PDF. 

The combination docm and OLE and JavaScript - this is relatively easy to 
find. But it is also possible to define an encrypted and encoded 
black/white (0/1) bitmap (picture), but instead put executable code in 
it and run this code as an open action. 
Encryption is also used in PDF to prevent printing a document - so there is 
no password required to encrypt data in a PDF. 
I'm waiting for the first of those PDF files. The technology is known, but 
currently not used. However, JavaScript will be required to implement 
those viruses. We have a weapon - ASSP_AFC! 


ASSP_AFC tries to ignore innocent JavaScript. For example, used in a 
form field definition for verification. 
The structure(s) that must be used to do malicious things in a PDF is known. 
ASSP_AFC is looking for those structures. For example: embedding any other 
executable code or using a URI to download those. 
PDFs are commonly used and seen as a very secure way to provide 
information. And for 99% or even more, this is true. Doing anything too 
strict will lead to a large amount of false positives, and BIG 
complaints will go to the IT dep. 

The real problem is that the Adobe reader has JavaScript execution enabled 
by default - blame on them. I recommend disabling JavaScript in all PDF 
readers. If a PDF contains JavaScript, the reader will warn the user that 
the form will not work unless it is enabled. But at this point, the 
user sees the PDF and knows where it comes from and if it is safe to allow 
JavaScript for this document. 


So, this PDF scan in ASSP_AFC is somehow different from the other 
executable scans. NOT: "look into, find and block" - MORE: "look into, 
be smart, find malicious content and block". 
To test this extension, you need to try to do malicious things. Everything 
created with the Adobe products should pass this check. 

I'm currently not sure if the ':CertPDF' switch is a nice one. It assumes 
that an attacker will not sign the virus PDF. But if a PDF is signed, no 
action will be taken by the PDF reader until the certificate is verified. 

Thomas 
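As an added illustration of the point above (example code, not ASSP_AFC's own): a Python normalizer that decodes PDF hex strings while dropping whitespace of any length, and then looks for the embedded-file, JavaScript and open-action combination Thomas describes, rather than flagging JavaScript alone. The sample fragments, the indicator names and the `hex_padded` helper are constructed for this example; the real plugin also decodes stream objects, which this block does not cover.

```python
import re

# A PDF hex string is <hex digits>; readers ignore whitespace between the digits
# and treat a trailing odd digit as if a 0 followed it (PDF 32000-1, 7.3.4.3).
# The lookbehind keeps the '<<' dictionary delimiter from being read as a string.
HEX_STRING = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]*)>")

def decode_hex_string(body: bytes) -> bytes:
    """Decode the inside of a hex string, dropping whitespace of any length."""
    digits = re.sub(rb"\s+", b"", body)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))

def normalize_pdf(data: bytes) -> bytes:
    """Replace every hex string by its decoded bytes, so a byte-pattern scan
    sees what the reader will see rather than the padded encoding."""
    return HEX_STRING.sub(lambda m: decode_hex_string(m.group(1)), data)

# Structural indicators of the chain described in the thread: an embedded
# Office macro document, JavaScript, and an action that runs when the file opens.
INDICATORS = {
    "embedded_file": re.compile(rb"/EmbeddedFile\b"),
    "macro_document": re.compile(rb"\.(?:docm|xlsm|pptm)\b", re.IGNORECASE),
    "javascript": re.compile(rb"/JavaScript\b|/JS\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
}

def scan_pdf(data: bytes, normalize: bool = True) -> dict:
    """Report which indicators fire. Only the combination is 'suspicious':
    a lone /JS (a form-field script) is expected in legitimate documents."""
    view = normalize_pdf(data) if normalize else data
    hits = {name: rx.search(view) is not None for name, rx in INDICATORS.items()}
    hits["suspicious"] = all(hits[k] for k in INDICATORS)
    return hits

def hex_padded(text: bytes, pad: int = 300) -> bytes:
    """Constructed helper: hex-encode text with `pad` spaces between the digit pairs."""
    return b"<" + (b" " * pad).join(f"{b:02X}".encode() for b in text) + b">"

# Constructed PDF-like fragments (not complete files): the same objects once with
# a plain file name, once with the name hidden inside a whitespace-padded hex string.
PLAIN = (b"3 0 obj <</Type/EmbeddedFile/Length 3>> stream\nxyz\nendstream endobj\n"
         b"10 0 obj <</Type/Filespec/F(test.docm)/EF<</F 3 0 R>>>> endobj\n"
         b"1 0 obj <</Type/Catalog/OpenAction<</S/JavaScript/JS(placeholder)>>>> endobj\n")
PADDED = PLAIN.replace(b"(test.docm)", hex_padded(b"test.docm"))
```

Scanning `PADDED` without normalization misses the `.docm` name because the raw bytes never contain it contiguously; after `normalize_pdf` the same scan sees exactly what the reader would.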






From:        K Post <nntp.p...@gmail.com> 
To:        ASSP development mailing list <assp-test@lists.sourceforge.net> 

Date:        21.05.2017 01:01 
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin 



Thank you Thomas.  Question, you wrote: 

the following additional exception switches are implemented:  

 :PDF - adobe PDF file with embedded executable code or microsoft office 
macros files, JavaScript and bad URIs (NOT recommended to be used, false 
positives are expected)  
 :CERTPDF - certificate signed adobe PDF file  
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known 
malicious JavaScript combinations will be blocked, even if this option is 
defined  
 :URIPDF - adobe PDF file with URIs to download executables from the web or 
to open local files 


  
I'm slightly confused by your red text though...  I take anything you 
suggest very seriously, especially so if it's in red.  There seems to be a 
bit of a double negative in your above comments.   

If we just use exe-bin as a level 1 block, that would include anything in 
the PDF, CertPDF, JSPDF, and URIPDF category right?  If we do exe-bin|:PDF 
that will block exe's but NOT those that are PDF files with embedded 
executable code or microsoft office macros files, JavaScript and bad URIs 
right?  That seems to remove all of this new PDF blocking functionality or 
am I off base?  Then you said in red that this is not recommended.  I 
can't tell if you mean you recommend that we not use the :PDF exception 
(so don't do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) 
to best avoid false positives.   

that would include anything in the PDF, CertPDF, JSPDF, and URIPDF 
category right?   Based on your description, clearly that's the case - and 
I'd think I would want to block them, but I can't figure out how to do 
that if you (might be) recommending that we do exe-bin|:PDF. 

I'm clearly confused.... 

Thanks so much - this should make a big difference! 

Ken 



On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <
thomas.ecka...@thockar.com> wrote: 
published ASSP_AFC 4.50 

example results from the analyzer: 

• URIBL check: 'OK'
• † • SuspiciousVirus: 
Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
• attachment Invoice 07853327 05/17/2017.PDF is an executable 
• Not a Valid Format of HELO: '[42.113.108.55]' 

the following additional exception switches are implemented: 

 :PDF - adobe PDF file with embedded executable code or microsoft office 
macros files, JavaScript and bad URIs (NOT recommended to be used, false 
positives are expected) 
 :CERTPDF - certificate signed adobe PDF file 
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known 
malicious JavaScript combinations will be blocked, even if this option is 
defined 
 :URIPDF - adobe PDF file with URIs to download executables from the web or 
to open local files

Thomas 


From:        Thomas Eckardt <thomas.ecka...@thockar.com> 
To:        ASSP development mailing list <assp-test@lists.sourceforge.net> 

Date:        20.05.2017 07:17 
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin 



ASSP_AFC 4.48 was too weak 
ASSP_AFC 4.49 is possibly too strict, but very safe - it allows to use the 
':PDF' switch 

I'm just looking for a way to prevent false positives. 

Thomas





From:        K Post <nntp.p...@gmail.com> 
To:        ASSP development mailing list <assp-test@lists.sourceforge.net> 

Date:        19.05.2017 16:28 
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin 



Here's a sample PDF with javascript that runs at startup (populates a 
field with the current date). 

On Fri, May 19, 2017 at 10:16 AM, K Post < 
nntp.p...@gmail.com> wrote: 
I tested with this new plugin installed and exe-bin blocking.  This plugin 
now blocks all PDFs that have javascript embedded right?  That's not what 
I experienced. 

I created a simple pdf with a button.  That button's action was to run 
javascript to print the document.  I emailed it to myself from gmail.  It 
was received, not blocked. 

Am I missing something?   

On Fri, May 19, 2017 at 9:48 AM, K Post < 
nntp.p...@gmail.com> wrote: 
Thanks for this!!! 

On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt < 
thomas.ecka...@thockar.com> wrote: 
Hi all, 

I've just published ASSP_AFC.pm version 4.48 at SF-CVS. 


This version contains an extension to detect embedded executable code in 
real PDF files, if 'exe-bin' files are not allowed in the assp 
configuration. 


Currently detected are: 

- java script - most times this is required by the virus to open and run 
any other embedded code 

- ms office macros 
- exe and com files 

- wsh files 

This extension is hard coded. There is no way to make an exception to 
(e.g.) :PDF - like for :ELF, :CSC, :MSOM ...... - because such files 
are always malicious! 


Currently it seems that another ransomware attack is starting in 
preparation for the weekend! Such real PDF files are distributed by 
email! 

I don't think that there will be a stupid 'killswitch' in the new viruses 
to save the world. 


I just saw that ClamAV (sanesecurity signatures) detected most of them - 
they are all classified as UNOFFICIAL!!!! 


Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


