[CentOS] Detecting empty office doc containing virus macro

Fri Oct 30 10:58:42 UTC 2015
Gary Stainburn <gary at ringways.co.uk>

On Thursday 29 October 2015 20:37:03 Ned Slider wrote:
> On 29/10/15 10:51, Gary Stainburn wrote:
> > On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
> >> On 28/10/15 11:55, Gary Stainburn wrote:
> >>> We are receiving LOTS of emails that contain empty XLS or DOC documents
> >>> with embedded virus macros.  These are getting past SPAMASSASSIN,
> >>> Clamav and Kaspersky.
> >>>
> >>> I'm trying to write a filter for EXIM to block these emails but I need
> >>> to know a good, quick, command-line to detect an empty doc with a
> >>> macro.
> >>>
> >>> Is there anything available that I can use??
> >>>
> >>> I have managed to write a PERL script to detect empty xls xlsx, doc and
> >>> docx files but I cannot detect whether they have any macros embedded
> >>>
> >>> Gary
> >>
> >> If you've got a script to detect empty docs then it should be relatively
> >> easy to detect these. I assume empty attachments are not normal in your
> >> mail flows?
> >
> > I have come to the conculsiion that I am just going to have to stick with
> > detecting empty documents and forget the macro checks.
> >
> >> I would look to write some custom SpamAssassin rules, maybe
> >> incorporating your script, to detect these and filter them out.
> >
> > I would love to be able to write custom Spamassassin rules but do not
> > know how to do this. All I have done in the past is add small pattern
> > matching rules to local.cf
> That's a great place to start. Combining multiple simple rules in a meta
> rule is also a great way to detect many spams. If you can find 3 or 4
> factors specific to these spam (the more unique the better), combining
> them usually gives excellent results. For example, they all contain a
> doc,docx,xls,xlsx attachment, they all contain a specific phrase or
> something unique in the Subject, maybe they all contain a URL or email
> address in the body etc. Individually the rules might not be
> particularly good indicators of spam, but when combined together they
> may become highly effective.

The big problem is that the emails are vastly different in content, and are 
send by distributed computers. That's why I went down the document content 
checking in the first place.  The empty office document is the only obvious 
common factor.

> This might not be the best forum to discuss in detail; the SpamAssassin
> mailing list is a great place to get help with writing rules.
As I've had to implement a malware = * to call my new script it has given me 
the chance to inplement checks that I have never been able to manage in 
Spamassassin.  No doubt they are possible, but I've not managed them.

I now have access to the whole email in PERL and MIME::Parser so can do lots 
of other checking.

> > Another rule I would like to add to Spamassassin is to catch emails where
> > the subject starts with the email local part in brackets as we get a LOT
> > of those too.

This is one of the checks I can now do in my perl script.

> >
> >> Are you able to post some examples to pastebin?
> >
> > http://www.stainburn.com/virus_files/I0000040777.doc
> > http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
> Sorry, I meant examples of the emails (including the full headers,
> redacted where necessary), not the attachments. We might be able to
> point you in the right direction or offer a few thoughts on how to
> detect them in SpamAssassin.

Unfortunately, I've only got this one as an example. I didn't keep any of the 
previous ones, and hopefully any new ones will never get through.


> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Gary Stainburn
Group I.T. Manager
Ringways Garages