2017-10-18 10:30 PM
I don't know if anyone else actually uses RSA malware but would like to share our pet peeve issue with it.
Basically the static analysis engine is tied to major releases and minor releases and is not openly customer customizable e.g. via yara.
E.g. most recently - doesn't work correctly for PoC and mal docs [as in malicious files used in crimeware and targeted attacks no longer get passed to the sandbox and analysed]
https://isc.sans.edu/forums/diary/Hancitor+malspam+uses+DDE+attack/22936/ <-- used in the wild in crimeware [our partner orgs also report targeted attacks]
more info 1 more info 2 more info 3
we’ve previously raised similar issues with the malware server
^ essentially there needs to be a live deployable AND customer yara sig way of adding signatures and adjusting static scores WITHOUT new RPMs
e.g. yara sig here https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
To put it more simply: customers need to be able to respond to network file threats in an adequate manner - including rapidly deploying detection rules for Office 2003/2010 static rules. [as in extracted XML content from 2010 too]
if anyone is actually using Malware server - go ping your account manager
2017-10-18 10:43 PM
https://community.rsa.com/docs/DOC-78558
Yara was updated recently in the Malware engine and you are able to apply custom Yara signatures in the engine
There are RSA Malware rules from live (3sets) but they haven't been updated in a while.
There is a set of parsers and application rules that define what is sent to the malware engine for analysis, not the cleanest picture but this is all the interactions I could find for filtering and routing data to the malware service.
Functionality enhancements for MA could be of great benefit for file analysis to keep up with threats of today ... yup, been there with the same questions.
2017-10-18 10:48 PM
hmmm that's probably fairly helpful. how do we make it work for an Office 2007 PKed doc though (the yara rule is for the composite xml files inside)
and I guess for 2003 - ole analysis is a whole other story, but I shouldn't digress.
Ideally all of this should be coming as a magical fluffy feed via live to keep customers safe 😃
2017-10-19 02:15 AM
can you guys also get the images fixed up in https://community.rsa.com/docs/DOC-78558
2017-10-19 03:25 AM
sadly it's not clear from YARA doc regarding trying to write a rule on either (let's use word as an example) :
a) WordDocument stream for 2003, or
b) document.xml inside a docx in the 2007+?
as I've mentioned in the other thread - it's also not at all clear what happens with docs (presumably ole lib for 2003 and zip + yara rule backed for both?)
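Added example, not from any participant in this thread and not RSA Malware Analysis code or the nviso/InQuest YARA rules: for the 2007+ case the question above boils down to "open the docx as a zip, pull out word/document.xml, and match on the field instructions inside it". The script below does exactly that with Python's zipfile and ElementTree, matching the same DDE/DDEAUTO field-instruction indicator the public rules key on. Both sample documents are constructed in memory, and the path in the flagged sample is an obvious placeholder.

```python
"""Scan the XML parts inside a .docx (a zip container) for DDE field
instructions. Added example for this thread: not RSA Malware Analysis
code and not the nviso/InQuest YARA rules, just the same idea applied
with Python's zipfile and ElementTree. Sample documents are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field instruction that starts with DDE or DDEAUTO is what the public
# DDE rules key on; ordinary body text is deliberately not matched.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes: bytes) -> List[str]:
    """Return every field instruction in one WordprocessingML part.

    Word may spread one instruction over several w:instrText runs between
    a fldChar begin/end pair, so runs are joined per field before
    matching. w:fldSimple carries its instruction in an attribute.
    """
    root = ET.fromstring(xml_bytes)
    fields: List[str] = []
    current = None  # runs of the field currently open, or None
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                fields.append("".join(current))
                current = None
        elif el.tag == W + "instrText":
            if current is None:
                fields.append(el.text or "")
            else:
                current.append(el.text or "")
        elif el.tag == W + "fldSimple":
            instr = el.get(W + "instr")
            if instr:
                fields.append(instr)
    return fields


def scan_docx(data: bytes) -> List[str]:
    """Open a .docx from bytes and report DDE field instructions as
    'part: instruction' strings. Returns [] for a clean document."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # document.xml plus headers/footers/footnotes all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instrs = field_instructions(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skip it rather than abort the scan
            hits.extend(f"{name}: {i.strip()}" for i in instrs if DDE_RE.search(i))
    return hits


def build_docx(body_xml: str) -> bytes:
    """Constructed minimal .docx: only the content types and document part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: the flagged one splits DDEAUTO across two runs and
# points at a placeholder path; the clean one has an ordinary PAGE field
# and mentions DDE only in body text, which must not trigger a hit.
DDE_SAMPLE = build_docx(
    "<w:p><w:r><w:fldChar w:fldCharType=\"begin\"/></w:r>"
    "<w:r><w:instrText>DDE</w:instrText></w:r>"
    "<w:r><w:instrText>AUTO \"C:\\\\placeholder\\\\app.exe\" \"constructed arg\"</w:instrText></w:r>"
    "<w:r><w:fldChar w:fldCharType=\"end\"/></w:r></w:p>"
)
CLEAN_SAMPLE = build_docx(
    "<w:p><w:r><w:t>DDE is the name of an old Windows protocol.</w:t></w:r></w:p>"
    "<w:p><w:fldSimple w:instr=\" PAGE \"><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>"
)

if __name__ == "__main__":
    print("dde sample:", scan_docx(DDE_SAMPLE))
    print("clean sample:", scan_docx(CLEAN_SAMPLE))
```

The point of joining runs per field is that a YARA rule written against raw document.xml only sees one w:instrText at a time, so the instruction has to be reassembled before the DDE check is meaningful; the 2003 binary format is a separate parsing problem (OLE streams) that this script does not attempt.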
2017-10-19 08:10 AM
re dde issue - some more examples
https://mobile.twitter.com/i/moments/918126999738175489
https://github.com/InQuest/yara-rules/blob/master/Microsoft_Office_DDE_Command_Execution.rule
^perhaps RSA can confirm how to use o2003/2007 rules with it (aside from the extra meta section bits) and Investigation: Implement Custom YARA Content (fix the images) - or better yet start actively pushing content for Malware server via live for similar scenarios
some more examples of the in wild:
http://blog.inquest.net/blog/2017/10/13/microsoft-office-dde-macro-less-command-execution-vulnerability/
http://blog.inquest.net/blog/2017/10/14/02-microsoft-office-dde-freddie-mac-targeted-lure/
http://blog.inquest.net/blog/2017/10/14/01-microsoft-office-dde-sec-omb-approval-lure/ <--- hmmm apparently the prompts are negotiable via good old ..\..\..\
http://blog.inquest.net/blog/2017/10/14/03-microsoft-office-dde-poland-ransomware/
2017-10-19 12:47 PM
working on fixing the missing images ... issue opened with RSA Link Team
2017-10-19 04:24 PM
you could also try this
I know it isn't programmatically attached to MA for file analysis... wish it was but you may have better luck on a file by file basis trying out that analysis tool from the RSA Labs Team and seeing if it gets you better visibility into DDE
2017-10-19 06:50 PM
mmm not really... Thanks, but malware server is for AUTO; need to get malware server fixed and for the files to get auto sandboxed... for single samples there are plenty of better resources vs what'sthisfile.
any suggestions re above - converting public yara rules for docx and ole doc ? Can you suggest anyone who can help/give an indication where this is at internally ?
now in more campaigns e.g. locky DDE docx https://www.virustotal.com/#/file/4a7f805f6b8fec64d3cf07c02a1d200c703ce4cc6ddf2dabd56ad9d6c936c603/detection
keen to see a rapid response from RSA (words not used in the same sentence really but we've not lost hope).
Glad to see repeatedly raised customer issues for Malware server fall on deaf ears.