Detecting Empty Office Doc Containing Virus Macro


We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.

I’m trying to write a filter for EXIM to block these emails but I need to know a good, quick, command-line to detect an empty doc with a macro.

Is there anything available that I can use?

I have managed to write a PERL script to detect empty xls, xlsx, doc and docx files, but I cannot detect whether they have any macros embedded.

Gary
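One way to answer the macro half of the question, as an added example that is not code from the thread: the presence of a VBA project is visible in the container structure without running any antivirus engine. Legacy .doc/.xls files are OLE2 compound files whose directory only contains a "Macros" (Word) or "_VBA_PROJECT_CUR" (Excel) storage when macros exist; .docx/.xlsx/.docm/.xlsm are zips that carry a vbaProject.bin part when they do. The two sample files the script builds are constructed test data, not real attachments, and the function names are the example's own.

```python
"""Added example, not code from the thread: report whether an Office attachment
carries a VBA project, for both container formats the thread mentions.
Legacy OLE2 (.doc/.xls): walk the compound-file directory for the entries Word
and Excel create only when macros exist.  OOXML (.docx/.xlsx/.docm/.xlsm): look
for a vbaProject.bin part in the zip.  Sample files below are constructed data."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Word keeps VBA under "Macros", Excel under "_VBA_PROJECT_CUR" (both hold "VBA").
VBA_NAMES = {"macros", "_vba_project_cur", "vba", "_vba_project"}


def ole_stream_names(data):
    """Return every directory entry name (lower-cased) in an OLE2 file.
    Follows the directory sector chain through the FAT.  Only the 109 DIFAT
    entries in the header are read: enough for ~7 MB with 512-byte sectors."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for fat_sid in struct.unpack_from("<109I", data, 76):
        if fat_sid >= 0xFFFFFFFA:  # FREESECT/ENDOFCHAIN: no more FAT sectors
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data,
                                      (fat_sid + 1) * sector_size))
    names, seen, sid = [], set(), first_dir
    while sid < 0xFFFFFFFA and sid not in seen:  # stop at chain end or a FAT loop
        seen.add(sid)
        off = (sid + 1) * sector_size
        for i in range(sector_size // 128):
            base = off + i * 128
            name_len = struct.unpack_from("<H", data, base + 64)[0]  # bytes incl. NUL
            if data[base + 66] == 0 or not 2 <= name_len <= 64:
                continue  # unused directory entry
            names.append(data[base:base + name_len - 2].decode("utf-16-le", "replace").lower())
        sid = fat[sid] if sid < len(fat) else ENDOFCHAIN
    return names


def ooxml_has_macros(data):
    """OOXML stores the VBA project as a vbaProject.bin part (in any folder)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def has_macros(data):
    """Dispatch on container magic; anything else (RTF, MHTML...) reports False."""
    if data.startswith(OLE_MAGIC):
        return any(n in VBA_NAMES for n in ole_stream_names(data))
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_macros(data)
    return False


def build_ole_sample(with_macros):
    """Constructed test data: minimal OLE2 file (512-byte sectors, one FAT sector,
    one directory sector) shaped like a bare .doc, optionally with the
    Macros/_VBA_PROJECT entries Word writes for a VBA project."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, LE, shifts
    struct.pack_into("<III", hdr, 44, 1, 1, 0)  # 1 FAT sector; directory at sector 1
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [("Root Entry", 5), ("WordDocument", 2)]
    if with_macros:
        entries += [("Macros", 1), ("_VBA_PROJECT", 2)]
    directory = bytearray(512)
    for i, (name, etype) in enumerate(entries):
        base, enc = i * 128, name.encode("utf-16-le")
        directory[base:base + len(enc)] = enc
        struct.pack_into("<HBB", directory, base + 64, len(enc) + 2, etype, 1)
        struct.pack_into("<iii", directory, base + 68, -1, -1, 1 if etype == 5 else -1)
    return bytes(hdr) + fat + bytes(directory)


def build_ooxml_sample(with_macros):
    """Constructed test data: a minimal zip with the parts a .docx/.docm has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC)  # the real part is itself OLE2
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("ole clean", build_ole_sample(False)),
                        ("ole with VBA", build_ole_sample(True)),
                        ("ooxml clean", build_ooxml_sample(False)),
                        ("ooxml with VBA", build_ooxml_sample(True))):
        print("%-14s macros=%s" % (label, has_macros(blob)))
```

Two caveats worth wiring into whatever filter calls this. A file named .doc that is not OLE2 at all (RTF or MHTML renamed, which Word opens happily) falls through to False here, so a magic/extension mismatch should itself count against the message. And a vbaProject.bin inside a .docx (rather than .docm) is a mismatch too: Word will not run macros from a .docx, so such an attachment is either broken or an evasion attempt, and either way not something a legitimate sender produces.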

10 thoughts on - Detecting Empty Office Doc Containing Virus Macro

  • Just a word of advice to everybody: stay away from Kaspersky (unless you want to submit to KGB). Do your own homework (web search, etc) and keep in mind what everybody says: there is no retirement from secret services (KGB, CIA, MI5, NSA, …) other than dead, feet first dead.

    I guess I see everywhere the confirmation of the saddest history lesson that people never learn history lessons ;-(

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • I’ve had a look at this and

    a) it looks a little like overkill for what I want,
    b) I haven't a clue how to use it in my EXIM environment,
    c) from the VERY quick look I've taken I don't see how to use it to detect macros in office documents.

    I think I’m going to forget about the macros, and just assume that if the document is empty, it’s a virus

  • If you’ve got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?

    I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.

    Are you able to post some examples to pastebin?

  • I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.

    I would love to be able to write custom Spamassassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf

    Another rule I would like to add to Spamassassin is to catch emails where the subject starts with the email local part in brackets as we get a LOT of those too.

    http://www.stainburn.com/virus_files/I0000040777.doc http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc

  • That’s a great place to start. Combining multiple simple rules in a meta rule is also a great way to detect many spams. If you can find 3 or 4 factors specific to these spams (the more unique the better), combining them usually gives excellent results. For example, they all contain a doc, docx, xls or xlsx attachment, they all contain a specific phrase or something unique in the Subject, maybe they all contain a URL or email address in the body, etc. Individually the rules might not be particularly good indicators of spam, but when combined together they may become highly effective.

    This might not be the best forum to discuss in detail; the SpamAssassin mailing list is a great place to get help with writing rules.

    Sorry, I meant examples of the emails (including the full headers, redacted where necessary), not the attachments. We might be able to point you in the right direction or offer a few thoughts on how to detect them in SpamAssassin.
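As an added example (not from the thread), the meta-rule approach described above written in SpamAssassin local.cf syntax, using two of the factors mentioned in this discussion: an Office attachment, and a Subject that starts with a bracketed token (the "local part in brackets" pattern). Rule names, regexes and the score are illustrative assumptions to be tuned against real samples. The `mimeheader` keyword needs the MIMEHeader plugin, which a stock init.pre loads. A plain rule cannot compare the bracketed token against the actual recipient's local part, so `__SUBJ_BRACKETED` only matches the shape.

```text
# Added example, not from the thread.  Sub-rules start with "__" and carry no
# score of their own; only the meta rule that combines them adds to the total.
mimeheader __OFFICE_ATTACH   Content-Type =~ /name=["']?[^"';\r\n]{0,200}\.(?:docx?|xlsx?)\b/i
header     __SUBJ_BRACKETED  Subject =~ /^\s*\[[A-Za-z0-9._%+-]{1,64}\]/

meta       OFFICE_DOC_BRACKET_SUBJ  (__OFFICE_ATTACH && __SUBJ_BRACKETED)
describe   OFFICE_DOC_BRACKET_SUBJ  Office attachment plus bracketed local-part Subject
score      OFFICE_DOC_BRACKET_SUBJ  4.0
```

Check the rules with `spamassassin --lint` after editing local.cf, then run `spamassassin -t < sample.eml` against a saved message to confirm the sub-rules and the meta rule fire before relying on the score.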

  • Yep.

    In Exim I score 1 for the sending IP address having no reverse DNS
    (IP > Name > the same IP address).
    I score 1 for HELO/EHLO not resolving to the sending IP address.
    I score 1 for a non-existent email address.

    3 = IP blocked for several months ***before*** downloading the email’s body.

    2 = Gets connection rejected ***before*** downloading the email’s body.

    +++

    Never accept email from home users’ domain names like (here are just a few)

    *airtelbroadband.in
    *adsl.alicedsl.de
    *dynamic.se.alltele.net
    *alshamil.net.ae
    *adsl.anteldata.net.uy
    *aphie.info
    *pools.arcor-ip.net
    *static.arcor-ip.net
    *as9105.com
    *as13285.net
    *as43234.net

    Don’t be an idle victim of mail abuse. Fight back hard.

  • The big problem is that the emails are vastly different in content, and are sent by distributed computers. That’s why I went down the document content checking route in the first place. The empty office document is the only obvious common factor.

    As I’ve had to implement a malware = * to call my new script, it has given me the chance to implement checks that I have never been able to manage in Spamassassin. No doubt they are possible, but I’ve not managed them.

    I now have access to the whole email in PERL and MIME::Parser so can do lots of other checking.

    This is one of the checks I can now do in my perl script.

    Unfortunately, I’ve only got this one as an example. I didn’t keep any of the previous ones, and hopefully any new ones will never get through.

    http://www.stainburn.com/virus_files/Purchase.mbox