Catching javascript in html attachment
I am dealing with these pesky phishing attempts that come as attached html
files and contain escaped/obfuscated javascript.

File is attached like this:

Content-Type: text/html; name="NEW ORDER JULY 2023.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="NEW ORDER JULY 2023.html"

And contents are like

<script>
document.write(unescape('%3C%21doctype%20html%3E%0A%3Chtml%20dir%3D%22ltr%22%20lang%3D%22%23%22%3E

Any way to flag all javascript from attached html files?
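A defender-side way to do exactly what the question asks, as an added example that is not code from this thread or from ClamAV: parse the message, decode every attached .htm/.html (or text/html) part regardless of its Content-Transfer-Encoding, flag any `<script` tag, and additionally decode the argument of `document.write(unescape('...'))` so the HTML hidden behind the percent-encoding can be inspected for a nested script. The sample message and the loader it carries are constructed here from the fragment quoted above; `js_unescape` is only an approximation of JavaScript's `unescape()` (it handles `%XX` and `%uXXXX`).

```python
"""Flag HTML attachments carrying (obfuscated) JavaScript.

Added example: parses a MIME message, decodes attached .htm/.html parts,
looks for <script and document.write(unescape(...)) loaders and decodes the
unescape() payload so the hidden layer can be inspected too.
"""
import base64
import email
import re
from email import policy
from urllib.parse import unquote

SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
# document.write(unescape('...')) with either quote style; group 2 is the payload.
WRITE_UNESCAPE = re.compile(
    rb"document\s*\.\s*write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1",
    re.IGNORECASE | re.DOTALL,
)
JS_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def js_unescape(payload: str) -> str:
    """Approximation of JavaScript unescape(): %uXXXX first, then %XX."""
    payload = JS_UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), payload)
    return unquote(payload)


def analyse_html(data: bytes) -> dict:
    """Count the indicators and decode every unescape() layer found."""
    layers = []
    for m in WRITE_UNESCAPE.finditer(data):
        decoded = js_unescape(m.group(2).decode("latin-1"))
        layers.append({
            "decoded": decoded,
            # a <script inside the decoded layer means a second, hidden stage
            "nested_script": bool(SCRIPT_TAG.search(decoded.encode("latin-1", "replace"))),
        })
    return {
        "script_tags": len(SCRIPT_TAG.findall(data)),
        "write_unescape": len(layers),
        "layers": layers,
    }


def is_html_attachment(part) -> bool:
    name = (part.get_filename() or "").lower()
    # .htm and .html both count, so a missing trailing "l" does not evade the check
    return part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))


def scan_message(raw: str) -> list:
    """One report per HTML attachment: filename, indicator counts, verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    reports = []
    for part in msg.walk():
        if part.is_multipart() or not is_html_attachment(part):
            continue
        if part.get_content_disposition() != "attachment":
            continue  # inline HTML bodies are out of scope here
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        report = analyse_html(data)
        report["filename"] = part.get_filename()
        report["verdict"] = "javascript" if report["script_tags"] else "clean"
        reports.append(report)
    return reports


def build_sample(inner_html: str) -> str:
    """Constructed test message with one base64-encoded .html attachment."""
    b64 = base64.b64encode(inner_html.encode()).decode()
    return (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: NEW ORDER JULY 2023\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\nPlease see the attached order.\r\n"
        "--b1\r\n"
        'Content-Type: text/html; name="NEW ORDER JULY 2023.html"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="NEW ORDER JULY 2023.html"\r\n'
        f"\r\n{b64}\r\n"
        "--b1--\r\n"
    )


# Constructed loader modelled on the fragment quoted in the thread; the escaped
# payload decodes to an ordinary HTML head plus a second, nested <script> block.
OBFUSCATED = (
    "<script>\n"
    "document.write(unescape('%3C%21doctype%20html%3E%0A%3Chtml%20dir%3D%22ltr%22"
    "%20lang%3D%22%23%22%3E%3Chead%3E%3Ctitle%3EOrder%3C%2Ftitle%3E%3C%2Fhead%3E"
    "%3Cscript%3E%2F%2F%20stage%202%3C%2Fscript%3E'));\n"
    "</script>\n"
)
CLEAN = "<html><body><p>Order confirmation, no script.</p></body></html>\n"

if __name__ == "__main__":
    for sample in (OBFUSCATED, CLEAN):
        for r in scan_message(build_sample(sample)):
            print(r["filename"], r["verdict"], "nested:", [x["nested_script"] for x in r["layers"]])
```

Counting `<script` in the decoded layer is what a plain content signature cannot do, and it is also the place to apply a stricter policy (for instance, treat any `document.write(unescape(` whose decoded payload contains markup as phishing while leaving plain `<script` in trusted senders' HTML to a milder action).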
Re: Catching javascript in html attachment
You can make exception rules to exclude mails from phishing/spam checks, but this may not be what you need.
Normally ClamAV should flag such content as "possible phishing" or "possible spam" ... if not, please report it:
https://www.clamav.net/reports/malware


From: Clamav User Mailinglist <clamav-users@lists.clamav.net>
To: Newcomer01 <newcomer01@posteo.de>
CC: Scott <qmail@top-consulting.net>
Sent: Friday, August 04, 2023 at 20:03 (08:03 PM) +0200
Subject: [clamav-users] Catching javascript in html attachment

_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Catching javascript in html attachment
I was looking for a way to write my own detection mechanisms. I know I can
detect binary files by creating signatures with sigtool, but this javascript
can change like one character and the signature would be off.

I'm thinking something more generic, like "all javascript in attachments
should be deemed phishing", would be better at this.

-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
newcomer01 via clamav-users
Sent: Friday, August 4, 2023 2:34 PM
To: Scott via clamav-users <clamav-users@lists.clamav.net>
Cc: newcomer01 <newcomer01@posteo.de>
Subject: Re: [clamav-users] Catching javascript in html attachment

Re: Catching javascript in html attachment
On Fri, 4 Aug 2023, Scott via clamav-users wrote:


IIRC, long ago I used PUA filtering to exclude emails containing PDFs with
javascript and/or flash. Thus
https://docs.clamav.net/faq/faq-pua.html
might help.

clamd.conf does have the option "ScanHTML", which doesn't do what you want
but may help if you are not using it already.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: Catching javascript in html attachment
Scott,

Yara should be easy enough. (Someone better at regex should advise on what to escape, I didn’t test it, and just escaped everything.)

rule attachment_javascript
{
    strings:
        // opening <script ...> tag; only the regex metacharacters need escaping
        $re1 = /<script[^>]*>/ nocase
        // the document.write(unescape( loader seen in the attachments
        $re2 = /document\.write\(unescape\(/ nocase
        $attachment = ".html" nocase
    condition:
        $re1 and $re2 and $attachment
}

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Aug 4, 2023, at 2:40 PM, Scott via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: Catching javascript in html attachment
I'd recommend removing the "l" of $attachment in order to make it hit on ".htm" regardless of whether there is an "l" at the end or not.

Better, avoid using yara in ClamAV, which isn't very well implemented.

Here would be a very similar .ldb signature:

ATTACHMENT.JAVASCRIPT;Engine:81-255,Target:3;0&1;3c736372697074;646f63756d656e742e777269746528756e65736361706528

Javascript unfortunately comes in way too many attached .html or .htm files that the sig won't hit on all of them, but it will unfortunately lead to some false positives. I have about 20 different signatures for all kinds of variations of those document.write. Monitoring those and suspicious (HTML) attachments takes quite a bit of my time.

Good luck,
Laurent
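To make the .ldb line above readable, here is an added example (not ClamAV code and not from this thread) that parses its fields (signature name; target description block; logical expression; hex subsignatures), decodes the two subsignatures back to `<script` and `document.write(unescape(`, and evaluates the `0&1` expression against a buffer with a small recursive-descent evaluator that also accepts `|` and parentheses. Lowercasing the buffer for Target:3 (HTML) is an assumption standing in for ClamAV's own HTML normalisation, used only so that `<SCRIPT>` is matched like `<script>`; ClamAV's count operators such as `0>2` are not implemented. The three sample buffers are constructed.

```python
"""Evaluate a ClamAV-style .ldb logical signature against a buffer (added example)."""
import re

# The signature posted in the thread.
LDB_LINE = ("ATTACHMENT.JAVASCRIPT;Engine:81-255,Target:3;0&1;"
            "3c736372697074;646f63756d656e742e777269746528756e65736361706528")


def parse_ldb(line: str) -> dict:
    """Split name;target block;logic;subsig0;subsig1;... and decode the hex subsigs."""
    name, target_block, logic, *subsigs = line.strip().split(";")
    tdb = dict(kv.split(":", 1) for kv in target_block.split(","))
    return {
        "name": name,
        "engine": tdb.get("Engine"),
        "target": int(tdb.get("Target", "0")),
        "logic": logic,
        "subsigs": [bytes.fromhex(s) for s in subsigs],
    }


def eval_logic(expr: str, hits: list) -> bool:
    """Evaluate digits, &, | and parentheses over per-subsignature hit flags."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported syntax in {expr!r}")
    pos = 0

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom() -> bool:
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        return hits[int(tok)]

    def and_expr() -> bool:
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            take()
            value = atom() and value  # evaluate both sides, then combine
        return value

    def or_expr() -> bool:
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            take()
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def match_ldb(sig: dict, data: bytes) -> dict:
    """Test each subsignature for presence, then evaluate the logical expression."""
    # Assumption: lowercasing approximates ClamAV's HTML normaliser for Target:3.
    buf = data.lower() if sig["target"] == 3 else data
    hits = [buf.find(s) != -1 for s in sig["subsigs"]]
    return {"name": sig["name"], "subsig_hits": hits, "matched": eval_logic(sig["logic"], hits)}


# Constructed sample buffers.
SAMPLE_LOADER = b"<SCRIPT>\ndocument.write(unescape('%3C%21doctype%20html%3E'));\n</SCRIPT>\n"
SAMPLE_SCRIPT_ONLY = b"<script>console.log('hello');</script>"
SAMPLE_PLAIN = b"<html><body><p>No script here.</p></body></html>"

if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    print(sig["name"], sig["subsigs"])
    for sample in (SAMPLE_LOADER, SAMPLE_SCRIPT_ONLY, SAMPLE_PLAIN):
        print(match_ldb(sig, sample))
```

The `subsig_hits` list is the useful part when tuning: a buffer that hits `0` but not `1` is exactly the "plain script, not this loader" case that keeps the signature from firing on every HTML attachment, and the same machinery lets you add further `document.write` variants as extra subsignatures joined with `|` instead of maintaining many separate lines.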
------- Original Message -------
On Friday, August 4th, 2023 at 21:42, Eric Tykwinski via clamav-users <clamav-users@lists.clamav.net> wrote: