Malware strains may go away sometimes, but they generally come back
I have a little confession. Last Tuesday I wrote about how we'd started rejecting .doc files in nested zipfiles. Although I didn't mention it in the entry, we did this because we'd seen them dominate our detected malware attempts over the weekend (with everything being identified by Sophos PureMessage as 'Mal/DrodZp-A'). Well, guess what? The moment we added that new rejection rule, all of those .docs in .zips in zipfiles vanished, with not one to be seen for our new rule to reject.
On the one hand, in theory this didn't matter; as I wrote, singleton nested zipfiles are suspicious in general and we had definitely not seen any legitimate cases of this sort of email. On the other hand, in practice we don't want to have rejection rules for everything we've seen once, because every rejection rule is a little bit of complexity added to our mail system and we want to keep the complexity down to only the things that are really worthwhile. With malware, there are always more things we could be looking for and rejecting on, so we have to draw the line somewhere; otherwise we could be playing whack-a-mole against obscure malware for months and building up a towering mass of complexity in the process. So it wasn't a good feeling to think that I might have written in a useless rejection rule and maybe I should go back in and take it out.
I won't say that I shouldn't have worried about it, but I can say
that I don't have to any more. Starting on February 6th, whatever
malware was sending this stuff our way came roaring back (well,
roaring for our traffic volume); we had 30 rejections on the 6th,
59 on the 7th, and 38 on the 8th. Just over 93% of these were from
IPs listed in the Spamhaus ZEN aggregate DNSBL, which suggests that we probably
rejected a bunch more that were sent to people who had opted in to
DNSBL based rejection (which happens at
RCPT TO time, before we
receive the message and start scanning MIME attachments).
Whatever strain of malware is responsible for sending these things
out may have temporarily turned its attention away from us for a
while, but it's back now, at least for a while.
I suppose this really shouldn't surprise me. We've seen that MyDoom is still around and there's no particular reason why a malware attack vector should stop being used as long as it's even vaguely working. Spam (malware included) comes and goes based on where the sending attention is focused today, but it's very likely to come back sooner or later. And even if a particular strain of malware is wiped out totally (by taking over its command & control infrastructure or arresting the people behind it or the like), I expect that any respite is only temporary. Sooner or later someone will come along to pick up the pieces and revive the attack techniques and address lists for their own benefit, and we'll get hit again by something that looks very much like the same old thing.