On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
> Meanwhile, there is RTF spam that's circulating which is
> currently bypassing the sanesecurity sigs. I've just submitted a
> sample to Steve, but the db hasn't yet been updated. Here's a
> sample:
>
> http://pastebin.com/ALsSAmwa
Alex, thanks for the spample! :)

I've seen a steady trickle of those, since late April. That file attachment is actually the way-kewl "Office Open XML" format, with an embedded VBA binary file, just like last week's main vector for "Zepto" (a new ransomware morph), except those used the (more correct) file extension ".docm".

The way-kewl thing about this file format is that they're completely standard zip files, containing a mix of other mostly standard files (e.g. XML, JPEGs). In general, they're very easy to parse (no obscure Microsoft OLE/etc in the main files). The VBA is always in a file named "vbaproject.bin". Since filenames in zip files are stored unaltered, it's just a matter of de-MIME-ing the file, and scanning for the filename. You do _NOT_ have to parse the zip file, just look for that one simple string. :)

(Pedantic note: Technically, there's another file named "vbaProject.bin.rels" which is a plain text XML file. Theoretically, you may want to exclude it, but practically, I wouldn't bother - it seems to always occur with the binary ".bin" file, so just nuke/quarantine them all.)

A couple of years ago, I changed my post-SA Filter so it always tests the first few "raw" characters of every MIME Part, and if they're the prefix that means PKZip, I de-MIME it and send it thru my zip analyzer, regardless of ContentType or file ext. I got fed up with all the Spammer Stupid Part Tricks, and it's blindingly fast to check the prefix. :)

- "Chip"

P.S. Thanks everyone for the followups on how Foxhole handles stuff. :)

P.P.S. Today's new malware morph is a single zipped javascript file, where the script filename ends with "..wsf". Is the double dot just a mistake, or does that confuse anything?
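The two checks Chip describes (PKZip prefix on the decoded MIME part regardless of Content-Type or extension, then a plain substring scan for the vbaProject.bin filename with no zip parsing), as an added example written for this thread; it is not Chip's filter or any list member's code. The sample message, the attachment name "invoice.rtf" and the VBA blob contents are constructed for the demonstration; the optional ".rels" exclusion follows the pedantic note.

```python
import base64
import io
import zipfile
from email import message_from_string

ZIP_MAGIC = b"PK\x03\x04"          # local file header prefix of any zip
VBA_MARKER = b"vbaproject.bin"     # filename is stored unaltered in the zip

def part_has_vba(raw: bytes) -> bool:
    """True if a decoded MIME part is a zip (by prefix, ignoring Content-Type
    and extension) that names a vbaProject.bin entry; '.rels' alone is ignored."""
    if not raw.startswith(ZIP_MAGIC):
        return False
    low = raw.lower()                 # case-insensitive scan, no zip parsing
    pos = low.find(VBA_MARKER)
    while pos != -1:
        end = pos + len(VBA_MARKER)
        if low[end:end + 5] != b".rels":   # skip the plain-XML sidecar name
            return True
        pos = low.find(VBA_MARKER, end)
    return False

def scan_message(msg_text: str) -> list:
    """Return the filenames of attachments that carry embedded VBA."""
    hits = []
    for part in message_from_string(msg_text).walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""   # de-MIME the part
        if part_has_vba(raw):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

def build_sample_message() -> str:
    """Constructed sample: minimal OOXML-style zip with a VBA blob, sent as .rtf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/vbaProject.bin.rels", "<Relationships/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed VBA blob\x00")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ("MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=X\n\n"
            "--X\nContent-Type: text/plain\n\nSee attached.\n"
            "--X\nContent-Type: application/rtf; name=\"invoice.rtf\"\n"
            "Content-Transfer-Encoding: base64\n"
            "Content-Disposition: attachment; filename=\"invoice.rtf\"\n\n"
            + b64 + "\n--X--\n")
```

Running scan_message(build_sample_message()) returns ['invoice.rtf'] even though neither the Content-Type nor the extension says anything about zip or macros.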