Thread: Someone missed a virus..




Someone missed a virus..
2007-06-15 14:27:09
Well, an attachment, a 0 day virus.

How do we block an exe inside a .doc?

Maybe hackers/spammers have found a way around Anti-Virus software, or at least, attachment blocking.

Spam came in, with a 'proforma invoice' attached.
(if you want to see it, http://www.secnap.com/downloads/proforma.eml)

Click on the proforma invoice.doc, ALMOST open it. (or run strings on it)

See a self executable zip file (.exe)

Proforma_Invoice.exe
C:\PROFOR~1.EXE
C:\PROFOR~1.EXE

'file Proforma_Invoice.doc' shows:

Proforma_Invoice.doc: Microsoft Office Document

file -i Proforma_Invoice.doc shows:
application/msword

Clamav and CA didn't see it as a virus.
(Two hours later, after submitting to virus@ca.com and clamav, clam finds it:
 clamdscan Proforma_Invoice.doc
/tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.201 sec (0 m 0 s)

So, I assume clamav can find its way in.

Ca say it is:

"This is to notify you of the results of your submission, issue number 1012270. Please keep this issue number for future reference.

With regards to the file "proforma_invoice.exe" submitted by you on 16 Jun 00:18:00 (Australian Eastern Standard Time), we have added cure instructions for Win32/Banbot.L to the signature files.

The Windows PE (I386,EXE) file "proforma_invoice.exe" has been determined to be malicious. Our researchers have analyzed the file and confirmed the result.

Aliases reported by other AV products are listed here:
(Generic Dropper.p)"

We don't block .doc, but we do block exe's.

We do (I think) block exe's inside zip, but how do we block a .exe inside a .doc?

Might be my fault, still using the old reg_ne stuff for attachments.

Keep meaning to do the SQL based stuff and haven't.
Relevant configs:

amavisd.conf:

 $banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
         inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
         ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
         wmf|wsc|wsf|wsh)$'ix,                  # banned ext - long
  qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
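Michael's `strings` check on the .doc, done systematically. This is an added example, not code from the original post and not part of amavisd-new, ClamAV or ripole: a Python pass over the raw bytes of an attachment that finds DOS/PE header pairs at any offset (by following e_lfanew to the `PE\0\0` signature, so stray `MZ` byte pairs are ignored) and collects executable-looking filenames in both ASCII and UTF-16LE text, which is how the embedded `Proforma_Invoice.exe` and `C:\PROFOR~1.EXE` names showed up. The sample bytes are constructed here and are not the real attachment; the function and variable names are this example's own.

```python
import re
import struct

MZ_MAGIC = b'MZ'
PE_SIGNATURE = b'PE\x00\x00'
# Compound-file (OLE2) header shared by legacy .doc/.xls/.ppt containers.
OLE2_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'


def find_embedded_pe(data):
    """Return the offset of every DOS/PE header pair found anywhere in data.

    Mirrors the loader's own walk: 'MZ' at the candidate offset, e_lfanew
    (little-endian dword at +0x3C) pointing inside the buffer, and 'PE\\0\\0'
    at that position.  Demanding the PE signature discards the random 'MZ'
    byte pairs that occur in compressed or binary content.
    """
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from('<I', data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


# Names a strings(1) pass would surface: an 8.3 or long filename ending in an
# executable extension, in ASCII or (after decoding) UTF-16LE text.
EXEC_NAME_RE = re.compile(
    rb'[\w~.\-]{1,64}\.(exe|com|scr|pif|bat|cmd|cpl|dll|hta|vbs|js)\b', re.I)
UTF16_RUN_RE = re.compile(rb'(?:[\x20-\x7e]\x00){4,}')


def find_executable_names(data):
    """Return the distinct executable-looking filenames embedded in data."""
    blobs = [data]
    for m in UTF16_RUN_RE.finditer(data):
        blobs.append(m.group(0).decode('utf-16-le').encode('ascii'))
    names = set()
    for blob in blobs:
        for m in EXEC_NAME_RE.finditer(blob):
            names.add(m.group(0).decode('ascii'))
    return sorted(names)


def assess(data):
    """Summarise what a reviewer would want to know before releasing the file."""
    return {
        'is_ole2': data.startswith(OLE2_MAGIC),
        'embedded_pe_offsets': find_embedded_pe(data),
        'executable_names': find_executable_names(data),
    }


def looks_like_dropper(data):
    r = assess(data)
    return bool(r['embedded_pe_offsets']) or bool(r['executable_names'])


def build_sample():
    """Constructed stand-in for the attachment (NOT the real file from the
    thread): OLE2 magic, filler, the two filename strings seen with strings(1),
    a decoy 'MZ' in plain text, and a minimal DOS header chained to a PE header."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = MZ_MAGIC
    struct.pack_into('<I', dos_header, 0x3C, 0x80)      # e_lfanew -> 0x80
    pe_image = (bytes(dos_header) + b'\x00' * 0x40
                + PE_SIGNATURE + b'\x4c\x01')           # Machine = i386
    return (OLE2_MAGIC + b'\x00' * 504
            + 'Proforma_Invoice.exe'.encode('utf-16-le') + b'\x00\x00'
            + b'MZ is just text here. '
            + b'C:\\PROFOR~1.EXE\x00'
            + pe_image)


if __name__ == '__main__':
    sample = build_sample()
    print(assess(sample))
    print('quarantine for review:', looks_like_dropper(sample))
```

This is a triage heuristic in the spirit of the author's `strings` check, not a replacement for an OLE decoder such as ripole or for a scanner signature: it tells you that an executable image or an executable filename is present in the container, which is exactly the case the thread's AV engines initially missed.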

Re: Someone missed a virus..
2007-06-15 14:44:38
At 02:27 PM 6/15/2007, Michael Scheidell wrote:
>Well, an attachment, a 0 day virus.
>
>How do we block an exe inside a .doc?

I believe if you have the 'ripole' tool and uncomment (or add) the decoders entry
# 'doc',  &do_ole,         'ripole'
Then the .exe file will be available to the regular banned_filename_* tools.
Haven't tested this lately, but it used to (mostly) work. Sometimes the ripole tool gets confused, but it seems to work on this particular doc.

ripole can be found at http://www.pldaniels.com/ripole/



-- 
Noel Jones 



Re: Someone missed a virus..
2007-06-15 14:49:30
At 02:44 PM 6/15/2007, Noel Jones wrote:
>At 02:27 PM 6/15/2007, Michael Scheidell wrote:
> >Well, an attachment, a 0 day virus.
> >
> >How do we block an exe inside a .doc?
>
>I believe if you have the 'ripole' tool and uncomment (or add) the
>decoders entry
># 'doc',  &do_ole,         'ripole'

Oops, that's not the whole line for decoders, it should look like:
   ['doc',  &do_ole,         'ripole'],

-- 
Noel Jones

>Then the .exe file will be available to the regular banned_filename_* tools.
>Haven't tested this lately, but it used to (mostly) work.  Sometimes
>the ripole tool gets confused, but it seems to work on this particular doc.
>
>ripole can be found at http://www.pldaniels.com/ripole/
>
>--
>Noel Jones



Re: Someone missed a virus..
2007-06-15 14:50:33
Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
> Well, an attachment, a 0 day virus.
>
> How do we block an exe inside a .doc?
>
> Maybe hackers/spammers have found a way around Anti-Virus software, or
> at least, attachment blocking.
>
> Spam came in, with a 'proforma invoice' attached.
> (if you want to see it, http://www.secnap.com/downloads/proforma.eml)
>
> Click on the proforma invoice.doc, ALMOST open it. (or run strings on it)
>
> See a self executable zip file (.exe)
>
> Proforma_Invoice.exe
> C:\PROFOR~1.EXE
> C:\PROFOR~1.EXE
>
> 'file Proforma_Invoice.doc' shows:
>
> Proforma_Invoice.doc: Microsoft Office Document
>
> file -i Proforma_Invoice.doc shows:
> application/msword
>
> Clamav and CA didn't see it as a virus.
> (Two hours later, after submitting to virus@ca.com and clamav, clam finds it:
>  clamdscan Proforma_Invoice.doc
> /tmp/Proforma_Invoice.doc: Trojan.Dropper-1047 FOUND
>
Thanks for reporting this one Michael, malware distributors are getting more creative all the time.  Just as an FYI, since I am using the recent "$bypass_decode_parts = 1" feature that disables all decoding by amavisd-new and instead passes the raw messages to the virus scanner(s) and relies on the decoding supported by the virus scanner itself.  In this case I run both clamd and f-prot, and both were able to detect the trojan inside the .doc file, without any decoding on the part of amavisd-new:

F-Prot:
/var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe  is a security risk named W32/Dropper.ESR

ClamD:
/var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND

Thanks again, Mark, for adding the ability to bypass all decoding in amavisd-new, it seems to be working fine for me thus far.

Bill


Re: Someone missed a virus..
2007-06-15 14:54:32
> -----Original Message-----
> From: amavis-user-bounces@lists.sourceforge.net
> [mailto:amavis-user-bounces@lists.sourceforge.net] On Behalf Of Bill Landry
> Sent: Friday, June 15, 2007 3:51 PM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
> Thanks for reporting this one Michael, malware distributors are getting
> more creative all the time.  Just as an FYI, since I am using the recent
> "$bypass_decode_parts = 1" feature that disables all decoding by
> amavisd-new and instead passes the raw messages to the virus scanner(s)
> and relies on the decoding supported by the virus scanner itself.  In this
> case I run both clamd and f-prot, and both were able to detect the trojan
> inside the .doc file, without any decoding on the part of amavisd-new:
>
> F-Prot:
> /var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe
> is a security risk named W32/Dropper.ESR
>
> ClamD:
> /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND
>
> Thanks again, Mark, for adding the ability to bypass all decoding in
> amavisd-new, it seems to be working fine for me thus far.

Yes, but you only got that because I reported it to clamav at CA:

(I use clamav, and at the time, it wasn't in the file:

If you had checked that earlier (before daily/3430) you would have missed it.


-------- Original Message --------
Subject: 	Your submission to ClamAV
Date: 	Fri, 15 Jun 2007 19:22:27 +0000 (GMT)
From: 	ClamAV <mailer-daemon@clamav.net>
To: 	scheidell@secnap.net


Dear ClamAV user,

The following submissions have been processed and published:
- 1213966 Trojan.Dropper-1046

See http://cvdpedia.clamav.net/daily/3430

-- 
Best regards,
The ClamAV team



Re: Someone missed a virus..
2007-06-15 14:56:13
> -----Original Message-----
> From: amavis-user-bounces@lists.sourceforge.net
> [mailto:amavis-user-bounces@lists.sourceforge.net] On Behalf Of Noel Jones
> Sent: Friday, June 15, 2007 3:45 PM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
>
> At 02:27 PM 6/15/2007, Michael Scheidell wrote:
> >Well, an attachment, a 0 day virus.
> >
> >How do we block an exe inside a .doc?
>
> I believe if you have the 'ripole' tool and uncomment (or add) the decoders entry
> # 'doc',  &do_ole,         'ripole'
> Then the .exe file will be available to the regular banned_filename_* tools.
> Haven't tested this lately, but it used to (mostly) work.  Sometimes the
> ripole tool gets confused, but it seems to work on this particular doc.
>
> ripole can be found at http://www.pldaniels.com/ripole/

I think there was some talk about problems with ripole, Mark???

I think that is why it's disabled by default:

 grep ripole /usr/local/etc/amavisd.conf
# ['doc',  &do_ole,         'ripole'],



Re: Someone missed a virus..
2007-06-15 15:02:10
Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:
>> -----Original Message-----
>> From: amavis-user-bounces@lists.sourceforge.net
>> [mailto:amavis-user-bounces@lists.sourceforge.net] On Behalf Of Bill Landry
>> Sent: Friday, June 15, 2007 3:51 PM
>> To: amavis-user@lists.sourceforge.net
>> Subject: Re: [AMaViS-user] Someone missed a virus..
>>
>> Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
>> Thanks for reporting this one Michael, malware distributors are getting
>> more creative all the time.  Just as an FYI, since I am using the recent
>> "$bypass_decode_parts = 1" feature that disables all decoding by
>> amavisd-new and instead passes the raw messages to the virus scanner(s)
>> and relies on the decoding supported by the virus scanner itself.  In this
>> case I run both clamd and f-prot, and both were able to detect the trojan
>> inside the .doc file, without any decoding on the part of amavisd-new:
>>
>> F-Prot:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe
>> is a security risk named W32/Dropper.ESR
>>
>> ClamD:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND
>>
>> Thanks again, Mark, for adding the ability to bypass all decoding in
>> amavisd-new, it seems to be working fine for me thus far.
>
> Yes, but you only got that because I reported it to clamav at CA:
>
> (I use clamav, and at the time, it wasn't in the file:
>
> If you had checked that earlier (before daily/3430) you would have missed it.
>
I don't disagree.  My comment was more toward the fact that many virus scanners now support mime decoding and file unpacking themselves and thus the decoding feature of amavisd-new can be disabled (meaning no need to install and use unpackers within amavisd.conf, like ripole), which also possibly removes the requirement to try and work around files embedded in other files or mis-labeled file formats within amavisd.conf.

Anyway, it was simply an observation on my part.

Bill


Re: Someone missed a virus..
2007-06-15 15:08:53
Bill Landry wrote:
> Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:

> I don't disagree.  My comment was more toward the fact that many virus
> scanners now support mime decoding and file unpacking themselves and
> thus the decoding feature of amavisd-new can be disabled (meaning no
> need to install and use unpackers within amavisd.conf, like ripole),
> which also possibly removes the requirement to try and work around
> files embedded in other files or mis-labeled file formats within
> amavisd.conf.
>
> Anyway, it was simply an observation on my part.
>
> Bill
>

I was hoping to block (use amavisd-new banned quarantine) on any .doc with an embedded .exe in it.



Re: Someone missed a virus..
2007-06-15 15:11:00
At 03:02 PM 6/15/2007, Bill Landry wrote:
>I don't disagree.  My comment was more toward the fact that many virus
>scanners now support mime decoding and file unpacking themselves and
>thus the decoding feature of amavisd-new can be disabled (meaning no
>need to install and use unpackers within amavisd.conf, like ripole),

Amavisd-new cannot detect doc files with embedded executables without performing the decoding and running ripole.  Skipping the decoding/unpacking greatly reduces the effectiveness of the banned_filenames feature of amavisd-new.
Clamav can scan for malware in document files, but it must already have a signature.

-- 
Noel Jones 
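Noel's point, that the banned_filename rules can only match what the decoders have exposed, shown as an added example (not amavisd-new's own code and not from any post in this thread): the rules from Michael's amavisd.conf fragment translated from Perl `qr'...'` to Python `re`, run over a small part tree once with the .doc left opaque (the situation under `$bypass_decode_parts = 1`, or with no OLE decoder configured) and once after a ripole-style decode step has exposed the embedded .exe. It also covers the `[ qr'^\.(rpm|cpio|tar)$' => 0 ]` allow rule, which lets the same executable through inside a tarball. The part labels, the `Part` tree, the constructed message and the first-match evaluation order are this example's simplified model, not amavisd-new's implementation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Rules from the amavisd.conf fragment quoted in the thread, translated to
# Python: qr'...'i -> re.I, qr'...'ix -> re.I | re.X.  Each entry is
# (compiled regex, verdict): True bans, False means "allow anything at or
# below a part carrying this label" (the `[ qr'...' => 0 ]` form).
BANNED_RULES = [
    (re.compile(r'^\.(exe-ms|dll)$'), True),                  # banned file(1) types
    (re.compile(r'^\.(rpm|cpio|tar)$'), False),               # allow any in Unix archives
    (re.compile(r'.\.(pif|scr)$', re.I), True),               # banned extensions - rudimentary
    (re.compile(r'^application/x-msdownload$', re.I), True),  # block these MIME types
    (re.compile(r'^application/x-msdos-program$', re.I), True),
    (re.compile(r'^application/hta$', re.I), True),
    # block certain double extensions in filenames, e.g. "invoice.doc .exe"
    (re.compile(r'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$',
                re.I), True),
    (re.compile(r'''.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
                   inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
                   ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
                   wmf|wsc|wsf|wsh)$''', re.I | re.X), True),  # banned ext - long
    (re.compile(r'.\.(ani|cur|ico)$', re.I), True),           # banned cursors and icons
    (re.compile(r'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$', re.I), True),  # WinZip vulnerab.
]


@dataclass
class Part:
    """One MIME part, or one member a decoder unpacked from a container.

    Labels follow the convention the rules above are written for: the
    file(1)-derived short type with a leading dot (".exe-ms"), the declared
    MIME type and the declared filename.  Simplified model (assumption), not
    amavisd-new's internal representation.
    """
    name: Optional[str]
    file_type: Optional[str]
    mime: Optional[str]
    children: List['Part'] = field(default_factory=list)

    def labels(self):
        return [x for x in (self.file_type, self.mime, self.name) if x]


def banned_reason(chain):
    """Evaluate one leaf against its ancestor chain (outermost part first).

    Walking from the top down, the first rule matching any label of a part
    decides: a banning rule returns (part name, matched label); an allow rule
    stops the walk, so members of whitelisted containers are never examined
    ("allow any in Unix-type archives").  Returns None when nothing bans.
    """
    for part in chain:
        for rx, banned in BANNED_RULES:
            for label in part.labels():
                if rx.search(label):
                    return (part.name, label) if banned else None
    return None


def leaves(part, chain=()):
    """Yield the ancestor chain (tuple of Parts) for every leaf in the tree."""
    chain = chain + (part,)
    if not part.children:
        yield chain
    for child in part.children:
        yield from leaves(child, chain)


def banned_parts(message):
    results = []
    for chain in leaves(message):
        reason = banned_reason(chain)
        if reason is not None:
            results.append(reason)
    return results


def build_message(decoded):
    """Constructed model of the thread's mail.  decoded=False leaves the .doc
    opaque, as with $bypass_decode_parts = 1 or no OLE decoder; decoded=True
    models the ripole step having exposed the embedded executable."""
    doc = Part('Proforma_Invoice.doc', '.doc', 'application/msword')
    if decoded:
        doc.children.append(Part('Proforma_Invoice.exe', '.exe-ms', 'application/octet-stream'))
    return Part(None, '.mail', 'message/rfc822', [Part(None, '.txt', 'text/plain'), doc])


def build_tar_message():
    """Constructed: the same executable inside a tarball, which the
    `[ qr'^\\.(rpm|cpio|tar)$' => 0 ]` rule deliberately lets through."""
    tar = Part('backup.tar', '.tar', 'application/x-tar',
               [Part('Proforma_Invoice.exe', '.exe-ms', 'application/octet-stream')])
    return Part(None, '.mail', 'message/rfc822', [tar])


if __name__ == '__main__':
    print('bypass decode :', banned_parts(build_message(decoded=False)))
    print('after ripole  :', banned_parts(build_message(decoded=True)))
    print('inside a .tar :', banned_parts(build_tar_message()))
```

The first call returns nothing because the `.doc` part carries no label any rule matches; the second bans on the `.exe-ms` file type of the exposed member, which is what Michael's banned quarantine would act on once the decoders entry is enabled. The tar case is a reminder that the allow rules are applied on the way down, so whatever they whitelist is never looked at.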



Re: Someone missed a virus..
2007-06-15 15:16:09
At 02:56 PM 6/15/2007, Michael Scheidell wrote:
>I think there was some talk about problems with ripole, Mark???
>
>I think that is why it's disabled by default:
>
>  grep ripole /usr/local/etc/amavisd.conf
># ['doc',  &do_ole,         'ripole'],

Sometimes ripole gets confused and reports an error (used to coredump sometimes, but haven't seen that lately).  This doesn't seem to affect amavisd-new operation.

So while ripole may not be 100% stable and reliable, it has never been known to pose a security risk or to break amavisd-new.

I've been using ripole with amavisd-new for quite some time with no apparent problems.  I would recommend using the -devel version of ripole (apparently last updated 2005-12-31) if you're interested.

-- 
Noel Jones 

