On 7/7/2014 5:34 PM, David F. Skoll wrote:
> Replying to myself...
> full MSDOGEXE /\n\nTV[opqr]/
> Seems to work. :)
So this sounds like you are searching the entire email for this string,
which just sounds inefficient, especially if they use some big attachments.
Since I'm guessing you are using MD, wouldn't something like this be
better? Untested, but based on some code for looking for rar files
masquerading as zip files:
use IO::File;

sub filter_bad_filename {
    # Check for hidden executables: a part whose name does NOT end in .exe
    # but whose content starts with the DOS "MZ" executable signature
    unless (re_match($entity, '\.exe$')) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                if (&check_for_exe_signature($path,
                        $entity->head->recommended_filename())) {
                    action_add_header("X-Suspected-Hidden-EXE-Attachment", "True");
                }
            }
        }
    }
    ...
}

sub check_for_exe_signature {
    my ($path, $recommended_filename) = @_;
    my ($filehandle, $header);
    # OPEN THE FILE, GRAB THE FIRST TWO BYTES AND TEST FOR "MZ"
    $filehandle = new IO::File("< $path");
    if (defined $filehandle) {
        read($filehandle, $header, 2);
        close($filehandle);
        if (uc($header) eq "MZ") {
            return 1;
        }
    }
    # Not an MZ header, or the file could not be opened
    return 0;
}
NOTE: I would actually use an action_add_header_immediately routine that
modifies the message that's passed to SA.
But then add rules like this that use the header and other items to make
a poison pill score possible:
body __KAM_CRYPTO1 /open the attached document/i
body __KAM_CRYPTO2 /add an extension/i
header __KAM_CRYPTO3 X-Suspected-Hidden-EXE-Attachment =~ /True/
meta KAM_CRYPTO (__KAM_CRYPTO1 + __KAM_CRYPTO2 + __KAM_CRYPTO3 >= 3)
describe KAM_CRYPTO Likely CryptoLocker Spam with Hidden EXE Malware
score KAM_CRYPTO 8.0
regards,
KAM
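As an added example that is not part of this thread, the two checks discussed above in Python on a constructed message: the base64 trick behind the quoted "full" rule (every base64 encoding of "MZ" plus any third byte starts with "TV" followed by one of o,p,q,r) and the decoded-MZ-versus-filename check the Perl filter performs. The function names (build_message, full_rule_hits, hidden_exe_parts, base64_prefixes) and the sample attachment are my own; the MZ bytes are only a header followed by filler, not a program.

```python
import base64
import re
from email.message import EmailMessage

# Constructed sample: a header that looks like a DOS executable ("MZ"
# signature) followed by zero filler; it is not a runnable program.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60

def build_message(filename, payload):
    """Build a constructed multipart message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please open the attached document and add an extension.")
    # application/octet-stream is base64-encoded by the email package
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

# The "full" rule from the thread: a blank line (end of part headers)
# followed by the base64 encoding of an MZ header, matched on the raw
# message without decoding anything.
FULL_RULE = re.compile(rb"\n\nTV[opqr]")

def full_rule_hits(msg):
    """True if the raw message matches the base64 'TV[opqr]' rule."""
    return bool(FULL_RULE.search(msg.as_bytes()))

def hidden_exe_parts(msg):
    """Equivalent of the MIMEDefang check: decode each attachment and
    report those whose content starts with 'MZ' but whose filename does
    not end in .exe (case-insensitive here; my choice)."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if re.search(r"\.exe$", name, re.I):
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            hits.append(name)
    return hits

def base64_prefixes():
    """First three base64 characters of 'MZ' + every possible third byte;
    shows why the rule can use the fixed class [opqr]."""
    return sorted({base64.b64encode(b"MZ" + bytes([b]))[:3].decode()
                   for b in range(256)})
```

Note that the raw-text rule fires on any base64 MZ body, named .exe or not, while the decoded check only flags the mismatch between content and filename.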