We've now seen malware in a tar archive
Our anti-spam system recently logged the following information about an incoming message:
1e92K6-0007yD-37 attachment application/octet-stream; MIME file ext: .tar; tar exts: .exe; email is in-dnsbl
rejected 1e92K6-0007yD-37 from email@example.com to <redacted>: identified virus: Mal/DrodTar-A
Sophos's information on Mal/DrodTar-A
plus some Internet searches
suggest that this
.exe had attributes of a relatively generic Windows
We also logged the message headers, and they make it clear that this
wasn't a case of someone wrapping up a malware sample in a tar file in
order to mail it to one of our people for research; it was an honest to
goodness piece of Windows malware trying to propagate itself in a tar
Tell-tale headers include:
From: "Account Manager"<firstname.lastname@example.org>
Subject: Purchase Order
(Our users do get emailed .tar and .tar.gz files, but they have actual contents and they're hopefully not showing up in email that looks like that.)
It turns out that this is not the first .exe-in-.tar attachment we've
seen in the past several months; back in May and June we saw a few that
were identified (at the time) as Mal/FareitVB-M.
More recently we saw a couple that sadly weren't identified as malware,
so they sailed right through the mail system (I suspect that they were
malware; a single
.exe file in a
.tar is unusual, and most of our
.tar attachments are actually
On further inspection we've also seen a number of other plain
attachments that seem to be malware, based on what they contain.
In addition to
.exes, we've logged single
some of which have also been identified as Mal/FareitVB-M. Probably
this means we should extend our rejection of bad things in ZIP archives
to also cover bad things in tar archives.
(All this goes to show that things can be hiding under innocent looking rocks.)
I'm a little bit surprised that Windows malware distributes itself as tar archives, because I would have thought that not many Windows machines can actually extract them without having to go find additional software. However, I may be wrong about this; some searches suggest that common Windows archive handling programs (such as 7-zip) are sufficiently polymorphic that they'll also unpack tar archives for you. Perhaps the malware authors have discovered that malware packed up in tar archives gets through defenses slightly more readily than malware in ZIP archives.
(Sadly, this is certainly the case here, where we'd have immediately rejected these attachments if they'd been ZIP archives instead of tarballs.)
I guess I'm a little bit sad and disappointed that tar archives are now being exploited by malware, in a 'is nothing sacred?' kind of way.
(Where malware and spam in general is concerned, the answer has always been 'of course not'. But I still like to think of Unix things as existing in a separate world, one not contaminated by the grubby realities of the modern malware-in-email environment.)