How to block malicious VBA documents and spreadsheets with spam assassin or amavisd
Monitoring our net streams for SMTP traffic, I have a particular Splunk alert configured to alert when a spam campaign in underway. It’s quite interesting to see what tricks spammers try and how long some campaigns last.
Something that has caught my attention is the increased use of unsolicited “invoice” and “order” emails which get sent with .doc documents attached. Reviewing the documents nearly all of them contain malicious VB scripting usually set to auto run, which downloads and tries to execute binaries.
Now I have created a number of spam assassin rules to block these types of emails (invoices with .doc files attached) but it’s a cat and mouse game, and you can’t be too generic as you may block legitimate email. What I can block ruthlessly is documents and spreadsheets which contain autorun VB scripting.
Here is how to do it:
Create the following file on your amavisd server at the location “/usr/local/bin/detectvba.pl”
#!/usr/bin/perl -w
# technion@lolware.net
# Detects vba macros containing blacklisted strings.
# https://github.com/technion/maia_mailguard/blob/master/scripts/detectvba.pl
# Mods by www.cammckenzie.com
#
# Suggested amavisd/maiad.conf config:
# ['Detect-VBA',
# '/usr/local/bin/detectvba.pl', "{}",
# [0], qr/INFECTED/, qr/\bINFECTED (.+)\b/m ],
#
use strict;
my $sigtool = '/usr/bin/sigtool'; #Clamav sigtool path
if ($#ARGV != 0) {
print "Please supply directory to scan\n";
exit 0;
}
#Sanity check directory
my $dir = $ARGV[0];
if ($dir !~ /^[a-z0-9A-Z\/-]+$/) {
print "Invalid directory passed\n";
exit 0;
}
opendir DIR, $dir or die "Cannot open dir $dir: $!";
my @files = readdir DIR;
foreach my $file (@files) {
next if $file =~ /^\.$/;
next if $file =~ /^\.\.$/;
my $scan = `$sigtool --vba="$dir/$file"`;
if ($scan =~ /autoopen/i ) {
print "Scanning $file: INFECTED VBA\n";
exit 1;
} else {
print "Scanning $file: OK\n";
}
}
closedir DIR;
exit 0;
Then in amavisd.conf (/etc/amavisd/amavisd.conf on CentOS) modify the section “@av_scanners” and insert as a primary scanner the following stanza:
['Detect-VBA',
'/usr/loca/bin/detectvba.pl', "{}",
[0], qr/INFECTED/, qr/\bINFECTED (.+)\b/m ],
Then after that just restart your amavisd service and you should see, it finds Detect-VBA as a primary scanner, test it by sending yourself a malicious macro document lol.
Download the raw howto here, so that special characters are intact as FlatPress has a habit of removing them….https://www.cammcken … assin-or-amavisd.txt