Vladimir Previn

malware server and csvs/tsvs with DDE

Discussion created by Vladimir Previn on Nov 20, 2017


a) It looks like Malware server does not process CSVs as a suspect file type at all.
   a. As per this and these: https://www.we45.com/2017/02/14/csv-injection-theres-devil-in-the-detail/ https://pentestmag.com/formula-injection/ https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20injection https://www.contextis.com/blog/comma-separated-vulnerabilities http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/
   b. CSV/TSV files can quite clearly carry malicious content as far as Excel is concerned.
b) (While I again want to point out that RSA should be syncing this content via live (not 3 months later in an RPM) to customers, not us chasing you.)
   a. We'd love to add a YARA rule on Malware for it, but https://community.rsa.com/docs/DOC-78558
      i. (after a month the pictures still haven't been fixed) and
      ii. it seems like Malware treats the file as none of these:
         1. fileType Specifies the file type. Possible values are: WINDOWS_PE, MS_OFFICE, and PDF. If not specified, the default value is WINDOWS_PE.
   b. E.g.
      i. https://github.com/Neo23x0/signature-base/blob/master/yara/gen_dde_in_office_docs.yar https://github.com/InQuest/yara-rules/blob/master/Microsoft_Office_DDE_Command_Execution.rule
c) Are we adding the YARA rule incorrectly?
   a. Or is this a product limitation?
   b. Can it be addressed as a bug?
   c. These have been exploited in the wild for about a month now. (Along with this: https://community.rsa.com/message/900278?commentID=900278#comment-900278 )
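As an added example (not from the post, RSA, or the linked rule repositories), a small Python scanner that applies the CSV/TSV formula-injection checks the linked write-ups describe: it flags a DDE-shaped cell (`=app|topic!item`) separately from an ordinary formula prefix and ignores plain negative numbers. The sample rows are constructed.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Leading characters that make Excel treat a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
# DDE call shape: <prefix><application>|<topic>!<item>
DDE_PATTERN = re.compile(r"""^[=+\-@]\s*[A-Za-z0-9_."']+\s*\|.*!""")
# A bare signed number is data, not a formula, even though it starts with + or -.
NUMERIC = re.compile(r"^[+-]?\d+(\.\d+)?([eE][+-]?\d+)?$")


def classify_cell(cell: str) -> Optional[str]:
    """Return 'dde', 'formula', or None for one cell value."""
    value = cell.lstrip(" \"'")  # leading spaces/quotes do not stop Excel evaluating it
    if not value.startswith(FORMULA_PREFIXES):
        return None
    if NUMERIC.match(value):
        return None
    if DDE_PATTERN.match(value):
        return "dde"
    return "formula"


def detect_delimiter(text: str) -> str:
    """Pick comma, tab or semicolon by counting them on the first line."""
    first = text.splitlines()[0] if text else ""
    return max(",\t;", key=first.count)


def scan_delimited(text: str) -> List[Tuple[int, int, str, str]]:
    """Scan CSV/TSV text; returns (row, col, kind, cell) for each suspicious cell."""
    reader = csv.reader(io.StringIO(text), delimiter=detect_delimiter(text))
    findings = []
    for r, row in enumerate(reader):
        for c, cell in enumerate(row):
            kind = classify_cell(cell)
            if kind:
                findings.append((r, c, kind, cell))
    return findings


# Constructed sample: one benign negative number, one DDE cell, one plain formula.
SAMPLE_CSV = (
    "name,balance,note\n"
    "alice,-12.5,ok\n"
    "bob,100,\"=cmd|'/C calc.exe'!A0\"\n"
    "carol,7,=SUM(A1:A3)\n"
)

if __name__ == "__main__":
    for finding in scan_delimited(SAMPLE_CSV):
        print(finding)
```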