A single .jar recognized as several types of malware at once
In the spirit of the single email message with a lot of malware, I'll once again show you the log messages first:
1cwivp-0006vh-1M attachment application/zip; MIME file ext: .zip; zip exts: .jar; inner zip exts: .ai .b .box .class .download .drive .mf .ph rejected 1cwivp-0006vh-1M from firstname.lastname@example.org to <redacted>: identified virus: CXmail/JarZip-A, CXmail/Java-A, Java/Adwind-KU
Here we have a .jar inside a .zip (which is somewhat but not totally suspicious), and from this single incoming email our system felt it found three bad things.
Sophos's detailed information for CXMail/JarZip-A is not really detailed. It's possible that this is simply their name for some apparently recognizable family of .jar-in-.zip malware; as I'd hope, some testing has shown that it's not as comprehensive as 'all .jars inside .zips'. CXmail/Java-A has similarly generic information available. Java/Adwind-KU is apparently the more well known thing, and has apparently been around for some time.
It turns out that we've seen Java/Adwind-KU before, and in the recent past cases our Sophos PureMessage reported it as 'CXmail/JarAd-G, Java/Adwind-KU'. These cases appear to have been straightforward .jar attachments. We have some earlier hits that were reported as Java/Adwind-KU alone, and back then they were were .jar-in-.zips again. All of which goes to show that this sort of stuff evolves, both in form and in recognition.
When I started writing up this case I wondered if I had a situation where several pieces of malware had all rolled themselves into a single .jar file. Now that I've looked at this it appears that this is instead a single piece of malware that triggers multiple detection signatures inside Sophos PureMessage, presumably based on how it's decided to pack itself up.
The message was sent early Saturday morning from 18.104.22.168,
which isn't listed in any major DNS blocklist as I write this (it's
in Barracuda's blocklist, but that's still a relatively hair-trigger
one). Given its
To, it's obviously bad,
although it didn't seem to score as spam as well as something with
(As a hint for anyone writing virus messages, if you give a message
the subject of 'URGENT NEW ORDER PO1605MP1-00077' and then have the
To: be the same as the
From:, things are going to look more than
a little bit suspicious to anyone who actually reads the message.)
PS: I don't know what
.drive extensions are likely
to be in .jars, but they at least sound a bit suspicious. On the
other hand they could be used for something completely different
in real JARs; I have very little idea what Java file extensions are
normally found in them. Perhaps we should figure that out so we can
identify highly suspicious extensions, but that's too much work for
(One of the rules of anti-spam work is that there's always something more you could be doing, and thus you always have to draw the line somewhere and say 'we could do that, but let's not'.)