[clamav-users] Encrypted Word doc/phishing attack
mgrant at grant.org
Wed Oct 5 15:09:41 EDT 2016
I see a ton of these too. But I also have clients who get password-
protected documents all the time, so it's a bit difficult to just blanket
block all password-protected documents.
However, if you look at one of these emails, virtually 100% of the virus
emails contain the password to decrypt the message. But it's not so easy
to know what word in the message is the password. Sometimes they say 'here
is the key', sometimes they say 'here is the code you need', or sometimes
they say 'the password is'... so you can't really just build a regex to
find the password. Maybe you could just iterate through every word in the
body of the email and try them.
What I have had to do is just train people that if someone sends them an
email with an attachment and the password is included or comes in a second
email, to call the person and ask them if it's real.
Incidentally, does anyone know of some open source mail gateway/proxy thing
that would block password-protected attachments like these but then send an
email back to the user and have them upload the file to a secure web
server, then forward an email on to the recipient letting them download it
from the server? This way, clamav could scan the message on the server.
On 5 October 2016 at 18:43, Joel Esler (jesler) <jesler at cisco.com> wrote:
> Are you submitting these files to ClamAV?
> > On Oct 5, 2016, at 8:21 AM, Alex <mysqlstudent at gmail.com> wrote:
> > Hi,
> > I'm starting to receive emails like this:
> > http://pastebin.com/HpvEcT9K
> > They're not being caught by clamav or other virus filters. Is it even
> > possible to catch encrypted Word docs with a virus scanner?
> > I'm using spamassassin on fedora with amavisd. Is there something that
> > can be done to at least tag them in some way so the end-user knows
> > it's a potential threat?
> > Thanks,
> > Alex
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > http://www.clamav.net/contact.html#ml
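A gateway-side check of the kind mgrant describes, as an added example that is not from this thread or from ClamAV: it flags an OOXML attachment whose bytes are an OLE container (the way encrypted .docx/.xlsx files are stored) and collects candidate passwords from the body, hinted phrases first and then every word, so the message can be tagged for the recipient. The sample message, its addresses and the hint phrases are constructed, not taken from a real lure.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Encrypted OOXML is wrapped in an OLE/CFB container, so an OOXML file name
# whose bytes start with the OLE magic instead of "PK" is encrypted (or, less
# commonly, a mislabelled legacy binary file). Legacy .doc is always OLE,
# so this signal does not apply to it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
TOKEN = r"[^\s\"'.,;:<>()]{4,}"
# Matches "the password is X", "here is the key: X", "the code you need is X".
HINT = re.compile(r"\b(?:password|passcode|key|code)\b.{0,30}?\b(?:is|:)\s*[\"']?("
                  + TOKEN + ")", re.I)

def is_encrypted_ooxml(name, data):
    return name.lower().endswith(OOXML_EXT) and data.startswith(OLE_MAGIC)

def candidate_passwords(body):
    """Hinted values first, then every word of the body (the brute approach
    from the thread), de-duplicated case-insensitively."""
    out, seen = [], set()
    for tok in HINT.findall(body) + re.findall(TOKEN, body):
        if tok.lower() not in seen:
            seen.add(tok.lower())
            out.append(tok)
    return out

def analyse(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content() if text else ""
    encrypted = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()
                 and is_encrypted_ooxml(p.get_filename(), p.get_payload(decode=True) or b"")]
    if encrypted and HINT.search(body):
        tag = "SUSPECT: encrypted Office attachment with its password in the same mail"
    elif encrypted:
        tag = "NOTICE: encrypted Office attachment, cannot be scanned"
    else:
        tag = None
    return {"encrypted": encrypted, "candidates": candidate_passwords(body), "tag": tag}

def build_sample():
    """Constructed lure message (hypothetical addresses and wording)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "accounts@example.invalid", "alex@example.invalid", "Invoice"
    m.set_content("Please find the invoice attached.\nThe code you need is Inv2016\nRegards")
    m.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                     subtype="octet-stream", filename="invoice.docx")
    return m.as_bytes()

if __name__ == "__main__":
    print(analyse(build_sample()))
```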