At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
>latest crop of cryptolocker-style attacks.
I was looking more closely at the Foxhole page, and it SOUNDS
(to me) like they do _NOT_ block on ".js" file extension,
whereas you/Dianne do:
"This database will block most JavaScript (.js) files within within Zip, Rar
files"
...
"To help minimise false positives, this database will only scan small sized Zip
and Rar files."
*** Questions:
*1. Could someone clarify whether Foxhole is using some sort of
signatures on ".js" files?
*2. How did Foxhole perform on the recent campaign with duplicate
large zipped js files (e.g. 5 files of 236 kilobytes each)?
There was also a campaign with a single large file (e.g. 604
kilobytes), with most of the payload at the end. I suspect both
campaigns were attempts to bypass sig based scanners.
I'm with Dianne on outright blocking js files, AND making highly
selective holes for specific sender/recipient pairs.
I protect a few thousand accounts and we only have a handful of
those holes, all for web designers.
"Aim small, miss small" :)
In my previous post, I mentioned "secret sauce" code to detect
javascript obfuscations. That's a backup in case netscum figure
out a way to use a non obvious file extension. FIRST, I do all
the quick tests (file extensions, etc), then, if there's enough
time, the slower/memory-heavy tests. The recent large js file
campaigns took significantly longer (1/2 to 1 second) to do my
extra tests, but still hit all my tests. :)
*3. Is the list of file extensions on the Foxhole page complete?
http://sanesecurity.com/foxhole-databases/
The page is missing the following (and perhaps others):
.acm
.ax
.dll
.drv
.efi
.mui
.ocx
.tsp
I verified that all of those actually occur and are executable
on a Windows7 machine.
I have seen, in the wild (about a year or so ago), malware email
that instructed the target to rename the attached file. :(
Long before that, I had added code to decompress just the first
few bytes of each zipped file, and check for executable
MagicNumbers (e.g. Windows' "MZ"). I also check all MIME parts
(I have a very speedy "MIME Prefix" test).
I recently added the MagicNumber for "old" style doc files, just
for files inside zips (when they appeared, as mentioned in my
previous post). That does have a higher FP risk, since it's
reasonable to zip huge doc files, however in practice they're
rare, and I have an excellent Quarantine/FP pipeline.
A friend sent me this cool MagicNumber look up site:
filesignatures.net
Any other suggestions for file types to add?
- "Chip"
