Starting about two hours ago, more than 80% of my real-time
honeypot spam is a new malware campaign.

Full spample (with redacted/munged email addresses and
Message-ID):
        http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt

This is a variation on an XML file malware campaign that briefly
spewed a year ago this month.

The big difference is the Content Types of the payload, which,
so far, are of three forms:

Content-Type: application/x-rtf;
        name="Invoice_MKUBV53827_from_tip_top_delivery.rtf"

Content-Type: application/octet-stream;
        name="Invoice_MKUBV53827_from_tip_top_delivery.rtf"

Content-Type: application/rtf;
        name="Invoice_MKUBV53827_from_tip_top_delivery.rtf"

Note: I normalized all the filenames to be the same as the 
sample (i.e. "MK...").  All have been in the form AAAAA99999.


*** The key very-safe-to-nuke signature (in the rtf) is:
        <w:binData w:name="REDACTED.mso">QWN0aXZlTWltZQ
The ".mso" "name" fields have had considerable variation, both 
in length and content.
The MIME string "QWN0aXZlTWltZQ" decodes to "ActiveMime", which
immediately struck me as Dangerous Sounding. :)  So for the 
last year I've been using that as a Kill rule, specifically:
        <w:binData
combined with:
        QWN0aXZlTWltZQ
I had considered anchoring the MIME string, however we have a
very powerful quarantine system, so I kept that rule simple.
We've had zero FPs on either rule, albeit only in xml/doc/msword
files.


The Subjects are all currently of the form:
        Invoice MKINV43197 from Tip Top Delivery
Where "MKINV43197" matches the token in the filename.

So far, they all have these headers:
        X-Interface: IDSMail OLE Server v6.12 (32)
        X-Mailer: Everest CRM Studio
Which feel too helpful to last long. :)

Some of these are going through a system running a
"shared" Bayes, and oddly, so far half have hit "BAYES_00" and
half have hit "BAYES_50".  That will probably improve with time.


Question: What other file extensions / Content Types would be
viable for this payload?  For last year's campaign, I've been
testing xml, msword and doc.  I may just add those tokens to my
"all file attachments" tests, at least for a regression test.
        - "Chip"

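As an added example (not from Chip's post or anything on the list), here is a small Python scanner that applies the two-token kill rule above to the decoded attachment bytes rather than to the declared Content-Type, since the campaign rotates between application/x-rtf, application/octet-stream and application/rtf while the embedded blob stays the same. It also checks the two X-Interface / X-Mailer values quoted in the post and whether the AAAAA99999 token in the Subject matches the one in the attachment filename. The message it scans is constructed here to mirror the post's description; the filler bytes inside the fake .mso blob, the RTF wrapper and the addresses are made up.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# base64 of the 10-byte .mso magic "ActiveMime" is "QWN0aXZlTWltZQ==". The
# post's signature is the unpadded prefix, which matches when the magic sits
# at a 3-byte-aligned offset, as it does at the very start of an .mso blob.
ACTIVEMIME_B64 = base64.b64encode(b"ActiveMime").decode("ascii").rstrip("=")

# Token shape AAAAA99999 from the post (e.g. MKUBV53827). Lookarounds rather
# than \b so the token is found when it is fenced by underscores in a filename.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])([A-Z]{5}\d{5})(?![A-Za-z0-9])")

# Header fingerprints exactly as quoted in the post.
HEADER_FINGERPRINTS = {
    "X-Interface": "IDSMail OLE Server v6.12 (32)",
    "X-Mailer": "Everest CRM Studio",
}


def attachment_matches_kill_rule(data: bytes) -> bool:
    """The post's kill rule: '<w:binData' AND 'QWN0aXZlTWltZQ' both present."""
    return b"<w:binData" in data and ACTIVEMIME_B64.encode("ascii") in data


def scan_message(raw: bytes) -> dict:
    """Return what the kill rule and the campaign fingerprints find in one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {
        "kill_rule_hits": [],   # attachment filenames whose decoded bytes hit the rule
        "header_hits": [],      # fingerprint headers present with the quoted values
        "subject_token": None,
        "filename_tokens": [],
    }
    for name, value in HEADER_FINGERPRINTS.items():
        if str(msg.get(name, "")).strip() == value:
            findings["header_hits"].append(name)
    m = TOKEN_RE.search(str(msg.get("Subject", "")))
    findings["subject_token"] = m.group(1) if m else None
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        t = TOKEN_RE.search(filename)
        if t:
            findings["filename_tokens"].append(t.group(1))
        data = part.get_payload(decode=True) or b""   # undo the MIME transfer encoding
        if attachment_matches_kill_rule(data):
            findings["kill_rule_hits"].append(filename)
    findings["token_consistent"] = (
        findings["subject_token"] is not None
        and findings["subject_token"] in findings["filename_tokens"]
    )
    return findings


def build_sample(content_subtype: str = "x-rtf") -> bytes:
    """Constructed message modelled on the post's description (not the real spample)."""
    # Fake .mso blob: the real magic followed by constructed filler bytes.
    mso_blob = b"ActiveMime" + b"\x00" * 6 + b"constructed filler bytes"
    rtf = (
        b"{\\rtf1\\ansi constructed RTF wrapper\n"
        b'<w:binData w:name="editdata.mso">' + base64.b64encode(mso_blob) + b"</w:binData>}"
    )
    msg = EmailMessage()
    msg["Subject"] = "Invoice MKUBV53827 from Tip Top Delivery"
    msg["From"] = "sender@example.invalid"          # constructed address
    msg["To"] = "honeypot@example.invalid"          # constructed address
    msg["X-Interface"] = HEADER_FINGERPRINTS["X-Interface"]
    msg["X-Mailer"] = HEADER_FINGERPRINTS["X-Mailer"]
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(rtf, maintype="application", subtype=content_subtype,
                       filename="Invoice_MKUBV53827_from_tip_top_delivery.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for subtype in ("x-rtf", "octet-stream", "rtf"):
        print(f"application/{subtype}:", scan_message(build_sample(subtype)))
```

Running it shows the same attachment flagged under all three Content-Types the post lists, which is the point of matching on decoded content: the content types, the `.mso` name and the Subject wording can all change without disturbing the `<w:binData` plus `QWN0aXZlTWltZQ` pair, while a plain RTF with no `binData` element does not trip the rule.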