[CentOS] Detecting empty office doc containing virus macro

Fri Oct 30 11:08:47 UTC 2015
Eero Volotinen <eero.volotinen at iki.fi>

How about scanning files using virustotal?

https://github.com/Gawen/virustotal

--
Eero

2015-10-30 12:58 GMT+02:00 Gary Stainburn <gary at ringways.co.uk>:

> On Thursday 29 October 2015 20:37:03 Ned Slider wrote:
> > On 29/10/15 10:51, Gary Stainburn wrote:
> > > On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
> > >> On 28/10/15 11:55, Gary Stainburn wrote:
> > >>> We are receiving LOTS of emails that contain empty XLS or DOC documents
> > >>> with embedded virus macros.  These are getting past SPAMASSASSIN,
> > >>> Clamav and Kaspersky.
> > >>>
> > >>> I'm trying to write a filter for EXIM to block these emails but I need
> > >>> to know a good, quick, command-line to detect an empty doc with a
> > >>> macro.
> > >>>
> > >>> Is there anything available that I can use??
> > >>>
> > >>> I have managed to write a PERL script to detect empty xls xlsx, doc and
> > >>> docx files but I cannot detect whether they have any macros embedded
> > >>>
> > >>> Gary
> > >>
> > >> If you've got a script to detect empty docs then it should be relatively
> > >> easy to detect these. I assume empty attachments are not normal in your
> > >> mail flows?
> > >
> > > I have come to the conclusion that I am just going to have to stick with
> > > detecting empty documents and forget the macro checks.
> > >
> > >> I would look to write some custom SpamAssassin rules, maybe
> > >> incorporating your script, to detect these and filter them out.
> > >
> > > I would love to be able to write custom Spamassassin rules but do not
> > > know how to do this. All I have done in the past is add small pattern
> > > matching rules to local.cf
> >
> > That's a great place to start. Combining multiple simple rules in a meta
> > rule is also a great way to detect many spams. If you can find 3 or 4
> > factors specific to these spam (the more unique the better), combining
> > them usually gives excellent results. For example, they all contain a
> > doc,docx,xls,xlsx attachment, they all contain a specific phrase or
> > something unique in the Subject, maybe they all contain a URL or email
> > address in the body etc. Individually the rules might not be
> > particularly good indicators of spam, but when combined together they
> > may become highly effective.
>
> The big problem is that the emails are vastly different in content, and are
> sent by distributed computers. That's why I went down the document content
> checking in the first place.  The empty office document is the only obvious
> common factor.
>
> >
> > This might not be the best forum to discuss in detail; the SpamAssassin
> > mailing list is a great place to get help with writing rules.
> >
> As I've had to implement a malware = * to call my new script it has given me
> the chance to implement checks that I have never been able to manage in
> Spamassassin.  No doubt they are possible, but I've not managed them.
>
> I now have access to the whole email in PERL and MIME::Parser so can do lots
> of other checking.
>
> > > Another rule I would like to add to Spamassassin is to catch emails where
> > > the subject starts with the email local part in brackets as we get a LOT
> > > of those too.
>
> This is one of the checks I can now do in my perl script.
>
> > >
> > >> Are you able to post some examples to pastebin?
> > >
> > > http://www.stainburn.com/virus_files/I0000040777.doc
> > > http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
> >
> > Sorry, I meant examples of the emails (including the full headers,
> > redacted where necessary), not the attachments. We might be able to
> > point you in the right direction or offer a few thoughts on how to
> > detect them in SpamAssassin.
>
> Unfortunately, I've only got this one as an example. I didn't keep any of the
> previous ones, and hopefully any new ones will never get through.
>
> http://www.stainburn.com/virus_files/Purchase.mbox
>
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > https://lists.centos.org/mailman/listinfo/centos
>
>
>
> --
> Gary Stainburn
> Group I.T. Manager
> Ringways Garages
> http://www.ringways.co.uk
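
The macro check Gary says his Perl script could not do, as an added example that is not code from this thread or from any project mentioned in it: a standard-library Python detector that looks for a vbaProject.bin part (or the VBA content type) in OOXML containers and, as a heuristic rather than a full compound-file parse, for the UTF-16LE "_VBA_PROJECT" directory-entry name in legacy OLE2 .doc/.xls files. The sample blobs are constructed stubs for demonstration, not the documents linked above.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/.xlsm
# OLE directory entry names are stored UTF-16LE; "_VBA_PROJECT" (also the prefix
# of Excel's "_VBA_PROJECT_CUR") only exists when a VBA project is embedded.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def classify(data: bytes) -> str:
    """Return 'ooxml', 'ole' or 'unknown' from the leading file signature."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"

def ooxml_has_macros(data: bytes) -> bool:
    """OOXML is a zip: macros live in a vbaProject.bin part, also declared in [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            return ("[Content_Types].xml" in names
                    and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"))
    except zipfile.BadZipFile:
        return False  # corrupt container: leave it to the existing empty-file check

def ole_has_macros(data: bytes) -> bool:
    """Heuristic for legacy OLE2: scan the raw bytes for the '_VBA_PROJECT' entry name."""
    return OLE_VBA_MARKER in data

def has_macros(data: bytes) -> bool:
    """Dispatch on container type; unknown formats report no macros."""
    kind = classify(data)
    return {"ooxml": ooxml_has_macros, "ole": ole_has_macros}.get(kind, lambda _: False)(data)

def make_sample(kind: str, with_vba: bool) -> bytes:
    """Constructed test blobs (not real documents): a tiny OOXML zip or an OLE-signature stub."""
    if kind == "ooxml":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        return buf.getvalue()
    return OLE_MAGIC + b"\x00" * 64 + (OLE_VBA_MARKER if with_vba else b"")
```

Pair `has_macros()` with the existing empty-document test so that only attachments that are both near-empty and carry a VBA project are rejected; the OLE heuristic alone will flag any legitimate macro-enabled workbook.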