signature for cve2017-11882
Hello,

In the first week of March 2021, multiple users received email with
an xlsx attachment containing an exploit for CVE-2017-11882. ClamAV
could not detect it, but other antivirus products like eScan and ESET
could detect it as a malware threat.

With our first-time effort, we tried to build the signature and could
do it with the help of an existing infected file. The same was submitted
to ClamAV multiple times as there were some issues in signature
generation. However, after a few more efforts using debug of the tmp file,
we could generate a signature. The same has been attached for testing
and help, so other ClamAV users can benefit.

We also need guidance:

1. How to identify the correct file to generate the generic signature,
especially if files with different names but the same exploit have been
sent.


With Regards

Jigar Raval
Re: signature for cve2017-11882 [ In reply to ]
Hi there,

On Sat, 27 Mar 2021, Jigar via clamav-users wrote:

> In the first week of March 2021, multiple users had received email
> with xlsx attachment having exploit for CVE-2017-11882. The clamav
> could not detect it but other antivirus like eScan and ESET could
> detect it as malware threat.

Signatures exist for at least some exploits of CVE-2017-11882. Looking
at the signatures in my current ClamAV database:

$ grep -as CVE-2017-11882 * | cut -d';' -f1
MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M2
MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M3
MiscreantPunch099-Low.ldb:MisreantPunch.EvilDoc.CVE-2017-11882.M9
MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.CVE-2017-11882.M10
MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.RTF-CVE-2017-11882.Template.180412.M2
porcupine.hsb:58cbe7516369d9e79660bda6e576cffd:2738688:Porcupine.Win32.Exploit.CVE-2017-11882.C.99928:73
porcupine.hsb:5cc0bfe9a8528b1deb2dcaa7691b1794:2621952:Porcupine.Win32.Exploit.CVE-2017-11882.C.100063:73
porcupine.hsb:140aade63d9cd5cb747845101df9ff85:2395136:Porcupine.Win32.Exploit.CVE-2017-11882.C.100065:73
porcupine.hsb:0db8aceb5fdf7f22bc31682726c5b071:883200:Porcupine.Win32.Exploit.CVE-2017-11882.C.99936:73
porcupine.hsb:652fa43a2f71cab80126efc843a98d84:84891:Porcupine.Win32.Exploit.CVE-2017-11882.C.99924:73

This is a rather old CVE, what databases do you use for your ClamAV
installation? Perhaps what you have seen recently is a new threat
which has been engineered to avoid some of the existing signatures.

> We also need guidance:
>
> 1. How to identify the correct file to generate the generic signature,
> especially if files with different name but same exploit has been sent.

I do not understand the question, but ClamAV looks at a stream of data
or at the contents of files. Except for the purposes of reporting to
you the results of scanning the files, the names of those files are of
no significance to ClamAV.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
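An added example, not code from the thread or from the ClamAV project, of the point Ged makes about filenames: ClamAV scans the bytes inside the container, so attachments can be grouped by the hash of the embedded OLE object in the .xlsx zip rather than by their names, and that hash and size are what a .hsb line in the Hash:Size:Name:FuncLevel format shown in Ged's grep output carries. The xl/embeddings/ part path is an assumption about the OOXML layout, the sample attachments are constructed, and the malware name is a placeholder.

```python
import hashlib
import io
import zipfile

# Parts of an Office Open XML (.xlsx) package that carry embedded OLE
# objects (assumed layout); Equation Editor objects are stored here.
EMBEDDING_PREFIX = "xl/embeddings/"

def embedded_object_hashes(xlsx_bytes):
    """Return {part_name: (sha256_hex, size)} for each embedded OLE part.
    Non-zip input (a corrupt or legacy .xls attachment) yields {}."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    except zipfile.BadZipFile:
        return {}
    parts = {}
    with zf:
        for info in zf.infolist():
            if info.filename.startswith(EMBEDDING_PREFIX) and not info.is_dir():
                blob = zf.read(info)
                parts[info.filename] = (hashlib.sha256(blob).hexdigest(), len(blob))
    return parts

def cluster_by_embedded_object(attachments):
    """Group attachments ({filename: bytes}) by the embedded object they carry.
    Returns {(sha256_hex, size): sorted filenames}; the outer file name plays
    no part, only the bytes of the embedded object do."""
    clusters = {}
    for name, data in attachments.items():
        for key in embedded_object_hashes(data).values():
            clusters.setdefault(key, []).append(name)
    return {key: sorted(names) for key, names in clusters.items()}

def hsb_line(sha256_hex, size, malware_name, flevel=73):
    """Format a ClamAV .hsb hash signature: Hash:Size:MalwareName:FuncLevel.
    It matches only a byte-identical object; a variant needs a body signature."""
    return f"{sha256_hex}:{size}:{malware_name}:{flevel}"

def make_xlsx(embedded):
    """Build a minimal constructed .xlsx-like zip holding one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()

# Constructed samples: the same object under two names, plus a one-byte variant.
SAMPLE_OBJECT = b"CONSTRUCTED-OLE-OBJECT-PLACEHOLDER" * 8
SAMPLES = {
    "Receipt.xlsx": make_xlsx(SAMPLE_OBJECT),
    "Invoice_2021.xlsx": make_xlsx(SAMPLE_OBJECT),
    "Order.xlsx": make_xlsx(SAMPLE_OBJECT[:-1] + b"!"),
}

if __name__ == "__main__":
    for (digest, size), names in cluster_by_embedded_object(SAMPLES).items():
        # Placeholder malware name; a real one follows the database's naming scheme.
        print(hsb_line(digest, size, "Xlsx.Exploit.CVE-2017-11882.PLACEHOLDER"), names)
```

The one-byte variant lands in its own cluster, which is why a hash signature misses "a different variant" and a body-based .ndb/.ldb signature is needed for that case.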
Re: signature for cve2017-11882 [ In reply to ]
Hello,

Thank you for the valuable inputs. We have herewith attached a screenshot
of the ESET detection as cve2017-11882. This may
further help.

We have also scanned using the latest ClamAV signatures, porcupine,
etc. but could not detect it. So, we tried to
prepare it using the malicious file.

Brief Analysis: Microsoft Equation Editor, which is a Microsoft Office
component, contains a stack buffer overflow vulnerability that enables
remote code execution on a vulnerable system.
The vulnerability is caused by the Equation Editor which fails to
properly handle OLE objects in memory. This can allow an attacker to
cause remote code execution on the system using specially crafted
files.
The files attempt to exploit the CVE-2017-11882 vulnerability to
trigger code execution which downloads additional malware to take
control of the system.


IOC:
HASH: SHA-256
99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f
HTTP Requests
http://18.184.225.160/win/marxlo.exe
.......



With Regards
Jigar Raval

On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users
<clamav-users@lists.clamav.net> wrote:
Re: signature for cve2017-11882 [ In reply to ]
Hello again,

On Sun, 28 Mar 2021, Jigar via clamav-users wrote:
> On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users wrote:
>>
>> This is a rather old CVE, what databases do you use for your ClamAV
>> installation? Perhaps what you have seen recently is a new threat
>> which has been engineered to avoid some of the existing signatures.
>
> ...
> We have also scanned using the latest ClamAV signatures, porcupine,
> etc. but could not detect it. ...

Can you give full details? To tell us 'etc.' does not help.

This is the address to use for reporting malware to the ClamAV team:

https://www.clamav.net/reports/malware

Did you use it? If so, you probably don't need to do more, but you
may need to be patient. The signature team is small and busy.

If you would place an encrypted archive of the malicious file(s)
somewhere on the Web so that I can download it, I can take a look.

--

73,
Ged.

Re: signature for cve2017-11882 [ In reply to ]
Hello Jigar,



> clam clam 312952834 Mar 9 10:48 securiteinfoold.hdb
> clam clam 16405860 Mar 26 09:36 securiteinfo.hdb
> clam clam 7203325 Mar 26 09:36 securiteinfohtml.hdb
> clam clam 8421132 Mar 26 13:32 securiteinfoascii.hdb

Why do you not have javascript.ndb???
It can detect some cve2017-11882.


--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL

Re: signature for cve2017-11882 [ In reply to ]
Hello,

I just tried using the following command but it is not detecting it.

clamscan -d javascript.ndb Receipt.xlsx

I feel it is a different variant of CVE-2017-11882.


On Sun, Mar 28, 2021, 15:19 Arnaud Jacques <webmaster@securiteinfo.com>
wrote:

Re: signature for cve2017-11882 [ In reply to ]
Hello,

I have uploaded the infected file in clamav malware report submission.
Kindly look into it. I have also herewith attached
signature generated using it.

With Regards

Jigar Raval




On Sun, Mar 28, 2021 at 1:26 PM G.W. Haywood via clamav-users
<clamav-users@lists.clamav.net> wrote:
Re: signature for cve2017-11882 [ In reply to ]
Hello,

With reference to the uploaded infected file and generated signature on
30/March/2021, we hope the ClamAV team is checking it further.

Meanwhile, for ready reference, we have enabled the signature on the
mail server and have not found any false positive till today.

With Regards

Jigar Raval




On Tue, Mar 30, 2021 at 9:22 AM Jigar <ojigar@gmail.com> wrote:

Re: signature for cve2017-11882 [ In reply to ]
Hello,

Any update w.r.t. the submitted infected file and signature?

With Regards
Jigar

On Thu, Apr 1, 2021, 09:26 Jigar <ojigar@gmail.com> wrote:

Re: signature for cve2017-11882 [ In reply to ]
Hi there,

On Sat, 3 Apr 2021, Jigar via clamav-users wrote:

> Any update w.r.t. the submitted infected file and signature?

This vulnerability was patched by Microsoft more than three years ago.

For example, see

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882

There should be no vulnerable versions of the software running now.

As this is such an old threat, and mitigated a long time ago, you seem
to me to be more concerned about it than I would expect anyone to be.

Is there any particular reason for that?

If you supplied your email address to the ClamAV signature team when
you reported the malware samples you will get an email in due course
if a new signature is developed. OTOH I should not expect them to be
putting this one at the front of their schedule.

If you are using vulnerable software, patch it.

--

73,
Ged.

Re: signature for cve2017-11882 [ In reply to ]
Hello,

Thank you..

I agree with you and am also aware that it is an old vulnerability and of
the need to use the latest/patched software.

However, my intention was to detect it before it gets delivered to the user,
especially when other AVs could detect and block it.

I will wait for response from clamav team.

With Regards
Jigar


On Sat, Apr 3, 2021, 22:26 G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

Re: signature for cve2017-11882 [ In reply to ]
Hi there,

On Sun, 4 Apr 2021, Jigar via clamav-users wrote:

> I agree with you and am also aware that it is an old vulnerability and of
> the need to use the latest/patched software.
>
> However, my intention was to detect it before it gets delivered to the user.

As I said a week ago, if you can place somewhere on the Web an archive
which contains samples of the offending messages so that I can download
it for examination I might be able to offer more help.

Otherwise you will need to be patient and wait for the ClamAV signature team.

--

73,
Ged.
