How to detect SPAM with attachments (DRIDEX)
From Splunk Wiki
SPAM waves distributing the banking malware DRIDEX are really active. The method used to deliver the malware through emails frequently changes, each new campaign uses a new method of delivering.
There are solutions to detect if a computer has been infected by the malware but these tools are for post-infection analysis.
The main goal is to be able to see those emails before the users open them, whether it's a DRIDEX campaign or any other.
The difficulty here is that SPAM waves are morphing:
- senders are always different
- attachments are build on the fly which make them unique
Majority of the files identified as infection vector were .doc or .xls.
Security professionals have also seen .wav.lnk, .odt and .dat.
Format of attachments were multiples:
It's easy to find a REGEX to block the reception of those emails, nevertheless it's more difficult to detect a new wave before a user's feedback.
Detect a SPAM wave with potential malicious attachments
THEORY OF THE TECHNIQUE:
The idea is to group emails with an attachment following a same pattern. The use of the pattern of an attachment instead of his file name allow us to factorize and group different file name in a same group if their construction are the same.
If a pattern stands out during a period, we could deduct that a SPAM wave is potentially ongoing.
- SPLUNK: inbound emails indexed logs
- PYTHON: custom script which gives the pattern of a file name
- Illustration with few samples
- fact_name.surname_12345678.doc --> w_w.w_d.doc
- SCAN-12345678.doc --> w-d.doc
- FACTURE_name_123456.doc --> w_w_d.doc
In the same way a REGEX will match a string. Here the idea is to simplify how a file name is built so it can match attachments with the same construction.
We will keep the extension of the file intact for our groups.
#!/usr/bin/python # -*- coding: utf-8 -*- # Oct 2015, BG import splunk.Intersplunk import os, re results = splunk.Intersplunk.readResults(None, None, False) newresults =  for result in results: fichier = result[sys.argv] pattern = "" filename, file_extension = os.path.splitext(fichier) if filename and file_extension: subparts = re.split(r'[._-]+',filename) Len_strings = 0 for j, subpart in enumerate(subparts): last = len(subpart) - 1 separator = "" Len_strings += len(subpart) current_type = "" previous_type = "" for i, char in enumerate(subpart): if i != last: separator = fichier[Len_strings + j] if char.isdigit(): current_type="d" else: current_type="w" if current_type != previous_type: previous_type = current_type pattern = str(pattern)+str(current_type) pattern = pattern + separator pattern = pattern + file_extension.rstrip()[1:] result['pattern'] = str(pattern) newresults.append(result) splunk.Intersplunk.outputResults(newresults)
Declare the command to use it in Splunk search:
[getpattern] filename = get_pattern.py supports_getinfo = false enableheader = false retainsevents = true changes_colorder = false overrides_timeorder = true
host=inboundmail* attachment_name=* NOT attachment_name=*.ics NOT attachment_name=*.jpg NOT attachment_name=*.png NOT attachment_name=*.gif | getpattern attachment_name | stats values(mid) as mid values(attachment_name) as files count by pattern | eval nb_attachments=mvcount(files) | where count>20 AND nb_attachments >15 | mvexpand mid | map search="search host=mailin* mid=$mid$ | transaction mid keepevicted=t | table _time host mid recipient sender attachment_name message_subject" maxsearches=2000 | getpattern attachment_name | stats latest(_time) as last_time values(host) as hosts values(mid) as mid values(recipient) as recipients values(sender) as senders values(attachment_name) as files values(message_subject) as subjects count by pattern | eval last_time=strftime(last_time, "%d/%m/%Y %H:%M:%S") | eval nb_recipients=mvcount(recipients) | eval nb_senders=mvcount(senders) | eval nb_subjects=mvcount(subjects) | eval nb_attachments=mvcount(files) | eval nb_mids=mvcount(mid) | where nb_senders>5 AND nb_recipients>5 AND nb_attachments >5 | table pattern hosts last_time nb_mids mid nb_senders senders nb_recipients recipients nb_subjects subjects nb_attachments files
Reduce the false positives:
By filtering folowing extensions, we can reduce false positives rate to an acceptable level:
- .ics : Outlook meeting invitations
- .jpg .png .gif : pictures are often in signatures of emails and sent as attachments
Result of the search
Here is an alert sent by Splunk:
In a period of 30 minutes, SPLUNK has seen a group with 31 emails with attachments that follow the pattern wdwd .doc
A quick look at the column files tell us that SPLUNK has detected a SPAM wave :)
|wdwd.doc||inboundmail1 inboundmail2||02/11/2015 08:57:04||31||9084042 9084061 9084155 9084178 9084192 9084297 9084382 9084435 9084521 9084857 9084898 9085024 9317112 9317153 9317276 9317511 9317516 9317620 9317621 9317831 9317871 9318017 9318068 9318189 9318203 9318306 9318496 9318512 9318773 9319146 9319181||31||*||31||*||31||*||31||FACTURE116CFD18.doc FACTURE166AD126.doc FACTURE1FD45909.doc FACTURE303003D4.doc FACTURE3150E463.doc FACTURE34230DD4.doc FACTURE34CF6330.doc FACTURE36C83706.doc FACTURE41191EE4.doc FACTURE65214A72.doc FACTURE656039E9.doc FACTURE65AA4309.doc FACTURE68982DE4.doc FACTURE82F83210.doc FACTURE83428EE5.doc FACTURE92BA7664.doc FACTURE93DE0515.doc FACTURE988B7580.doc FACTUREB384D789.doc FACTUREBBF32C64.doc FACTUREBEC74E71.doc FACTUREBF155D97.doc FACTUREC038B268.doc FACTURECF8015A8.doc FACTURED767E554.doc FACTURED885CEC7.doc FACTUREED659A64.doc FACTUREF04DAF79.doc FACTUREF572DF42.doc FACTUREFBC96E76.doc FACTUREFE133DC0.doc|