Mailing List Archive

Is there anything to do about encrypted viruses?
Hi all,


today I received a message with an encrypted zip attachment. I saved the attachment and loaded it to VirusTotal, where no scanner detected anything:
https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection

Then I unzipped the file using the password given in the message text, uploaded the only extracted file and got plenty of VBA / W97M malware:
https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection

I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I wrong?


Best
Ale
--
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Is there anything to do about encrypted viruses?
When you submit it, be sure to include the password so that the ClamAV signature team can properly assess it and provide a hash signature for the zip file.

-Al-

> On Dec 22, 2020, at 03:32, Alessandro Vesely via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi all,
>
>
> today I received a message with an encrypted zip attachment. I saved the attachment and loaded it to VirusTotal, where no scanner detected anything:
> https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection
>
> Then I unzipped the file using the password given in the message text, uploaded the only extracted file and got plenty of VBA / W97M malware:
> https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection
>
> I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I wrong?
>
>
> Best
> Ale
Re: Is there anything to do about encrypted viruses?
Hi there,

On Tue, 22 Dec 2020, Alessandro Vesely via clamav-users wrote:

> Is there anything to do about encrypted viruses?

Yes, indeed there is and it isn't too difficult.

> today I received a message with an encrypted zip attachment. I saved the attachment and loaded it to VirusTotal, where no scanner detected anything:
> https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection
>
> Then I unzipped the file using the password given in the message text, uploaded the only extracted file and got plenty of VBA / W97M malware:
> https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection
>
> I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I wrong?

With current decryption technology it isn't feasible, in a reasonable
time, to reliably decrypt any sanely encrypted message if you don't
have the encryption key. So we can have Internet banking. Oh, goody.

Criminals abuse this lack of capability by sending encrypted malware
in mail which contains a plaintext key in the covering note. They do
this millions of times every day so they don't need a big hit rate to
steal serious quantities of money when some sucker opens the archive.

It's automated. They have bots which create accounts with most of the
large free email service providers, bots to steal genuine credentials,
bots which do all sorts of other things - just to get their cr@p sent.

It's trivial to produce a *different* encrypted zip file for each and
every mail message which is sent out, so that signature-based methods
of detecting the encrypted file are faced with an overwhelming task.

So yes, it's kind of hopeless to report every message to a signature
provider _if_ the messages are being individually crafted. It's not
necessarily hopeless if they aren't, but even so there will still be a
heck of a lot of them so doing all this manually isn't very rewarding.

What beats me is why anybody these days would ever accept the messages.

Block all encrypted archives. Better still, block all archives except
those which are sent by prior arrangement - which is almost what I do.

The criminals will send these messages to anybody who's daft enough to
accept them. They send quite a lot to addresses here that don't exist
for example and all of them get reported at a bare minimum to SpamCop,
Abuseipdb and as required the third party ClamAV signature providers.

Actually I tempfail, then report. When the incontinent provider sees
a tempfail, almost immediately it tries to send the message from one
of its other IPs - and so on, until it's tried them all. As a result
senders like gmal, protection.outluck and yaboo get every IP of their
entire spam-spewing server farm reported, instead of just the one that
tried to send the cr@p first.

It's a clear indictment of all those senders who have in their control
resources vastly more extensive and capable than anything I have here,
that I can almost trivially catch and report all their cr@p while they
simply don't bother doing anything about it.

Obviously it's making them money, or they wouldn't do it, so when it
comes to the big providers I'm on the hanging bench. You could make a
reasonable case for blocking everything that they try to send.

--

73,
Ged.
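Ged's advice to block encrypted archives at the gateway can be implemented without any decryption: an encrypted ZIP member is marked by bit 0 of the general-purpose flag, and that flag is repeated in the central directory, which is never encrypted. The block below is an added example, not code from this thread or from ClamAV; the sample archives are constructed inside it, and build_zip, encrypted_entries and attachment_verdict are hypothetical names.

```python
import io
import struct
import zipfile
import zlib

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Handcraft a single-entry, stored ZIP (constructed sample, no zip tool
    needed). Only general-purpose flag bit 0 differs between the variants; a
    real encrypted member would also carry a 12-byte crypt header, omitted."""
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(data) & 0xFFFFFFFF
    n = len(data)
    # local file header: sig, version, flags, method, time, date, crc, sizes
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, n, n, len(name), 0) + name
    # central directory header: the copy of the flags a scanner can always read
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    # end of central directory record: one entry, directory size and offset
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + n, 0)
    return local + data + central + eocd

def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of members whose flag bit 0 is set (traditional PKWARE or WinZip
    AES encryption). The central directory is never encrypted, so this needs
    neither the password nor any decryption attempt."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]

def attachment_verdict(zip_bytes: bytes) -> str:
    """Gateway policy from the thread: reject any archive the scanner cannot
    look inside, and treat an unparseable archive the same way."""
    try:
        names = encrypted_entries(zip_bytes)
    except zipfile.BadZipFile:
        return "reject: malformed archive"
    if names:
        return "reject: encrypted member(s) " + ", ".join(names)
    return "accept"

# Constructed samples: same harmless payload, with and without the flag set.
PLAIN = build_zip(b"invoice.doc", b"constructed harmless bytes", False)
LOCKED = build_zip(b"invoice.doc", b"constructed harmless bytes", True)

if __name__ == "__main__":
    print(attachment_verdict(PLAIN))   # accept
    print(attachment_verdict(LOCKED))  # reject: encrypted member(s) invoice.doc
```

ClamAV's own AlertEncrypted option in clamd.conf (--alert-encrypted for clamscan) performs the equivalent check inside the scanner, so the same policy can be enforced there instead of in a separate filter.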

Re: Is there anything to do about encrypted viruses?
Since the password has to be included for the victim to be able to
decrypt, it ought to be possible to automatically find the password in
the email. Of course, eventually the criminals will start hiding the
password in some way that a human can easily find it, but non-AI
automation can't.


On Tue, 22 Dec 2020 03:46:13 -0800
Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> When you submit it, be sure to include the password so that the ClamAV signature team can properly assess it and provide a hash signature for the zip file.
>
> -Al-
>
> > On Dec 22, 2020, at 03:32, Alessandro Vesely via clamav-users <clamav-users@lists.clamav.net> wrote:
> >
> > Hi all,
> >
> >
> > today I received a message with an encrypted zip attachment. I saved the attachment and loaded it to VirusTotal, where no scanner detected anything:
> > https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection
> >
> > Then I unzipped the file using the password given in the message text, uploaded the only extracted file and got plenty of VBA / W97M malware:
> > https://www.virustotal.com/gui/file/99b352442e1351334d5e68e7f12469dc7f2790e6ae44b05be7dcd03739211f1f/detection
> >
> > I spare reporting this malware to ClamAV, as it seems hopeless to me. Am I wrong?
> >
> >
> > Best
> > Ale
