[clamav-users] Anyone have a good script for encrypted zip Emotet files?
I started writing my own, but of course I'm not catching them all.

Example of my YARA file is here: https://pastebin.com/MKTbKiNX

If anyone is willing to share a more comprehensive rule I would appreciate
it.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: [clamav-users] Anyone have a good script for encrypted zip Emotet files?
Hi there,

On Tue, 22 Sep 2020, eric-list@truenet.com wrote:

> I started writing my own, but of course I'm not catching them all.

If you could let me have some samples (complete messages) I could take
a look to see what I can do with my milter. If you agree I'd let you
have a private mail address to which you'd send an encrypted archive,
and we'd exchange the password by some other means.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Anyone have a good script for encrypted zip Emotet files?
Hi Eric,

On Tue, 22 Sep 2020, G.W. Haywood via clamav-users wrote:
> On Tue, 22 Sep 2020, Eric Tykwinski wrote:
>
>> I started writing my own, but of course I'm not catching them all.
>
> If you could let me have some samples (complete messages) I could take
> a look to see what I can do with my milter. If you agree I'd let you
> have a private mail address to which you'd send an encrypted archive,
> and we'd exchange the password by some other means.

I see from the logs that you replied privately to my list address.
That won't normally work I'm afraid. My list address only accepts
list mail, but I've whitelisted you now (from _your_ list address to
_my_ list address) so if you try again you might have more luck. But
no promises, there are other defences you might still trip over. :)

Are these Emotet mails all coming from Microsoft servers? According to
our logs, for quite some time we've been rejecting steadily increasing
amounts of cr@p from AS8075 but recently it's been staggering. Mostly
just a few different original mail pieces sent from all over the place.
At a guess, thousands of script kiddies are exploiting Windows domains
which have not yet been patched for the ZeroLogon vulnerability. Some
of them don't seem to speak English terribly well. That may be a clue
to stopping the bulk of them - look at subject lines.

milter=> SELECT * FROM (SELECT timestamp,ip,country_code AS "CC",subject,
rank() OVER (PARTITION BY subject ORDER BY timestamp) AS r FROM connections
WHERE timestamp>'2020-01-01' AND asnum = 8075) AS x WHERE r=1 ORDER BY ...

timestamp | ip | CC | subject
-----------------+-------------------------+----+--------------------------------------------------------------------------------------
2020-08-10 10:28| 40.107.15.45 | IE | Concerning your domain name
2020-08-15 06:27| 40.107.220.128 | US | Re: BELOVED -15/08/2020
2020-08-16 10:21| 2a01:111:f400:7e8d::830 | US | Inheritance
2020-08-22 15:39| 40.92.42.108 | US |
2020-09-03 12:33| 51.120.94.141 | NO | Votre colis est disponible ?\u009F\u0093?
2020-09-12 20:22| 40.92.253.37 | SG | Here is All My Body Here erottiourocal
2020-09-14 08:46| 40.92.17.93 | AT | PEDIDO DE CREDITO PERSONALIZADO
2020-09-15 11:24| 40.92.253.16 | SG | Take Your Transfer by ID: 332235571
2020-09-15 11:24| 40.92.16.90 | NL | Take Your Transfer by ID: 955735
2020-09-17 17:34| 40.92.42.55 | US | Active Account Payment - $9378.96 Here
2020-09-17 17:35| 40.92.21.76 | US | Active Account Payment - $2879.25 Here
2020-09-20 10:56| 40.92.254.76 | KR | See Payment Summ $5556.54 Get Here
2020-09-20 17:06| 40.92.91.88 | NL | Order Amount $4983.29 Now
2020-09-20 17:06| 40.92.254.10 | KR | Claim Amount $4443.82
2020-09-21 15:01| 40.92.254.102 | KR | Foremost Payment 3147681-1HDY9QAJV
2020-09-21 21:09| 40.92.255.75 | HK | Send unique give nowadays $6348.51 take nowadays
2020-09-21 21:10| 40.92.254.94 | KR | Send singular talent today $7281.64 take today
2020-09-22 14:18| 40.92.255.32 | HK | You Send out requital with the number $1328.17 horizon the transferee hither
2020-09-22 18:45| 40.92.254.39 | KR | Defrayal came to ascertain all selective information and account symmetry $4983.34
2020-09-22 23:11| 40.92.18.97 | US | immediately
2020-09-22 23:12| 40.92.255.14 | HK | payment in the amount of $ 4217. 35
(21 rows)

This stuff is rejected here on GeoIP, DNSBL and other grounds and then
greylisted with a very long delay before ClamAV sees it, so that might
be why you're struggling with writing signatures while we aren't seeing
anything to worry about in the inboxes.

It would be interesting to know when the NSA first knew about this one.

--

73,
Ged.

Re: [clamav-users] Anyone have a good script for encrypted zip Emotet files?
Ged,

> Hi Eric,
>
> > On Tue, 22 Sep 2020, Eric Tykwinski wrote:
> >
> >> I started writing my own, but of course I'm not catching them all.
> >
> > If you could let me have some samples (complete messages) I could take
> > a look to see what I can do with my milter. If you agree I'd let you
> > have a private mail address to which you'd send an encrypted archive,
> > and we'd exchange the password by some other means.
>
> I see from the logs that you replied privately to my list address.
> That won't normally work I'm afraid. My list address only accepts
> list mail, but I've whitelisted you now (from _your_ list address to
> _my_ list address) so if you try again you might have more luck. But
> no promises, there are other defences you might still trip over. :)
>
> Are these Emotet mails all coming from Microsoft servers? According to
> our logs, for quite some time we've been rejecting steadily increasing
> amounts of cr@p from AS8075 but recently it's been staggering. Mostly
> just a few different original mail pieces sent from all over the place.
> At a guess, thousands of script kiddies are exploiting Windows domains
> which have not yet been patched for the ZeroLogon vulnerability. Some
> of them don't seem to speak English terribly well. That may be a clue
> to stopping the bulk of them - look at subject lines.

Actually no, the first I saw was from a compromised account on our server
that hit our thresholds to alert us, and they seemed to be mainly generated
from compromised sites, PHPMailer in the headers and a lot of VPS providers.
The incoming messages seemed to be other compromised accounts and were
replies to older emails that I'm assuming the customer got hit before, which
makes me think Emotet. I wish the server had better logs, but this one is a
SmarterMail Windows server sending to ClamAV over the network, so it's
manually parsing logs in python/perl to track things down.

> It would be interesting to know when the NSA first knew about this one.

Good luck on that...
I'll try and send a few samples again to you.


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: [clamav-users] Anyone have a good script for encrypted zip Emotet files?
Hi Eric,

On Wed, 23 Sep 2020, Eric Tykwinski wrote:

> ...
> I'll try and send a few samples again to you.
> ...

All four of your samples matched a case-insensitive 'password', and
they also all matched 'attachment.*\.zip'. I'd generally recommend
case-insensitive matches for this kind of thing anyway.

So I'd suggest a Yara rule embodying those, something like

$ cat My_Encrypted_Zip.yara
rule My_Encrypted_Zip_Rule // Password-protected zip files
{
    strings:
        $mymatcha = /password/ nocase ascii
        $mymatchb = /attachment[\W\w]*zip/ nocase ascii
    condition:
        $mymatcha and $mymatchb
}

might be a good start. You might need to refine it of course, and if
your users are in the habit of mailing password-protected files to
each other you could tell them to call it a 'passphrase' instead.

On our clamd server I dropped that file into the clamd database directory,
'telnet'ed to clamd and issued a RELOAD command, and used clamdscan to
scan your samples:

8<----------------------------------------------------------------------
$ ls *txt
outgoing_sample.txt sample1.txt sample2.txt sample3.txt
$ clamdscan *.txt
/home/ged/outgoing_sample.txt: Heuristics.Encrypted.Zip FOUND
/home/ged/sample1.txt: YARA.My_Encrypted_Zip_Rule.UNOFFICIAL FOUND
/home/ged/sample2.txt: YARA.My_Encrypted_Zip_Rule.UNOFFICIAL FOUND
/home/ged/sample3.txt: Heuristics.Encrypted.Zip FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 0.178 sec (0 m 0 s)
Start Date: 2020:09:23 16:04:53
End Date: 2020:09:23 16:04:53
8<----------------------------------------------------------------------

Note that none of this requires any inspection of the malicious file
itself, it's entirely about the metadata. In this case the fact that
the file is an attachment, and that the text of the covering mail just
happens to have the word 'password' in it.

When I ran the samples past Jotti's scanner, all fifteen of the Virus
scanners which he uses failed to find the content, inevitably, as it's
encrypted. After decryption, ClamAV found one of them but most of the
others found all four. Three were in fact recognized as Emotet by one
of the scanners. Only eight of them found your outgoing one.

Of course, to be able to send this mail I had to delete the .yara file
and reload clamd again :)

HTH

--

73,
Ged.
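The metadata heuristic Ged describes (covering text that mentions 'password' plus a .zip attachment), alongside the local-header encryption flag that a Heuristics.Encrypted.Zip hit reflects, as an added Python example that is not from the thread or from ClamAV. The message, the archive and the result field names are constructed assumptions.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

PASSWORD_RE = re.compile(r"password", re.IGNORECASE)  # Ged's $mymatcha, case-insensitive
ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 of a ZIP local file header

def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header carries the encryption flag."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    return bool(int.from_bytes(data[6:8], "little") & ZIP_ENCRYPTED_FLAG)

def classify(raw: bytes) -> dict:
    """Apply the covering-mail heuristic from the thread to one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = str(msg["subject"] or "")
    zip_names, encrypted = [], False
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):  # the 'attachment.*\.zip' match
            zip_names.append(name)
            encrypted = encrypted or zip_is_encrypted(part.get_content())
        elif part.get_content_type() in ("text/plain", "text/html"):
            text += " " + part.get_content()
    mentions_password = PASSWORD_RE.search(text) is not None
    return {
        "mentions_password": mentions_password,
        "zip_attachment": bool(zip_names),
        "encrypted_zip": encrypted,  # what a Heuristics.Encrypted.Zip hit keys on
        "matches_rule": mentions_password and bool(zip_names),  # the YARA condition
    }

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample zip; stdlib can't write encrypted ones, so bit 0 is set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.bin", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)

def build_sample(body: str, zip_bytes: bytes) -> bytes:
    """Constructed covering mail with one zip attachment (not a real lure)."""
    msg = EmailMessage()
    msg["Subject"] = "Re: document"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="Document.zip")
    return msg.as_bytes()
```

As in the thread, a legitimate user who mails a password-protected file to a colleague also matches the rule, so treat a hit as a reason to quarantine or review rather than as proof of malware.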
