Wandering Thoughts archives

2017-12-18

What file types we see inside ZIP archives with only a single file in email

Earlier this year, I wrote about how email attachments of a single .zip inside another zip were suspicious, and then did a file type breakdown for them. Malware is ever-mutating, so nested ZIP archives have gone out of style by now, but instead we're seeing a not insignificant number of attachments that are ZIP archives with only a single file in them. Today I want to do a breakdown of the file types we've seen in those over the past nine weeks or so.

So here are the raw numbers; for some types I've added the percent that were received from IPs listed in zen.spamhaus.org at the time:

   434 .exe         (26%)
    91 .zip         (94%)
    86 .jar         (30%)
    43 .vbs         (58%)
    13 .bat          (0%)
     6 .com         (17%, i.e. 1)
     3 .wsf .pdf
     2 .scr .py .js
     1 .xls .rkt .rar .pot .jse .hta .eml .docx .csv

(Overall, about 36% of these messages were from IPs listed in zen.spamhaus.org at the time.)

Some of these we reject immediately these days, such as the .exe and .wsf cases. Others we probably should, like .js, .com, .vbs, and .bat (which we already reject as top-level attachments).

The single nested .zip cases break down like this:

    89  inner zip exts: .doc
     1  inner zip exts: .scr
     1  inner zip exts: .js

It's somewhat interesting to me that in all cases, there's only a single file inside the inner zip. Because of past events, we also reject the doubly nested .doc files. We'll also reject the doubly-nested .js attachment (because it's a .js inside a ZIP archive, even a nested one), but not the .scr one.
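As an added example (not code from this post or from our mail system), here is a small Python classifier that applies the rejection rules described above to a ZIP attachment held in memory: reject a single-member ZIP whose member is one of the top-level reject types, and for a single nested ZIP look at its lone inner file and reject .doc and .js but not .scr. The two REJECT_* sets are my reading of the post, and make_zip only builds constructed sample archives for testing.

```python
import io
import zipfile

# Types the post rejects (or says it should) as the lone member of a ZIP.
REJECT_SINGLE = {".exe", ".wsf", ".js", ".com", ".vbs", ".bat"}
# Types the post rejects as the lone file of a nested single-file ZIP.
REJECT_NESTED = {".doc", ".js"}

def ext_of(name):
    """Lower-cased final extension of a member name ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""

def single_member(data):
    """Return (name, contents) if data is a ZIP with exactly one file member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
            if len(members) != 1:
                return None
            return members[0].filename, zf.read(members[0])
    except zipfile.BadZipFile:
        return None

def classify(data):
    """Classify a ZIP attachment as ('reject' | 'accept' | 'other', reason)."""
    top = single_member(data)
    if top is None:
        return "other", "not a single-file zip"
    name, inner = top
    ext = ext_of(name)
    if ext in REJECT_SINGLE:
        return "reject", "single %s inside zip" % ext
    if ext == ".zip":
        nested = single_member(inner)
        if nested is None:
            return "other", "nested zip is not single-file"
        nested_ext = ext_of(nested[0])
        verdict = "reject" if nested_ext in REJECT_NESTED else "accept"
        return verdict, "single %s inside nested zip" % nested_ext
    return "accept", "single %s inside zip" % ext

def make_zip(name, payload):
    """Build a one-member ZIP in memory (constructed sample data, not real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

A real filter would run this over each decoded attachment body and also keep the per-type counts the post tabulates, which is a few lines of bookkeeping on top of classify().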

Unfortunately, what stands out in this list is the nested .jar files. Partly this is because these days Sophos PureMessage is identifying all of them as malware, for example CXmail/JarZip-A (which we saw in an epic case) and also Mal/DrodZp-A. Not a single one is making it through all of our anti-spam and anti-virus filtering to reach our users as presumed legitimate email.

(It's possible that this identification by Sophos is generic and means very little more than 'a single .jar file inside a .zip with some vague additional threat markers'. This doesn't matter in practice, since the net effect is the same.)

PS: As you might suspect, this entry came about because I noticed that .jars in .zips were being rejected as malware and then decided to go look at the numbers to see if we should be rejecting them immediately. My current answer is that we probably should be, along with some other rejections, although there are arguments against this reaction.

spam/ZipfileSingleFileTypes-2017-12 written at 01:32:47
