Wandering Thoughts archives

2017-01-31

Email attachments of singleton nested zipfiles are suspicious

Today I tweeted:

Our most commonly detected inbound email virus is now a .doc in a .zip inside another .zip. It's tempting to reject all such emails.

All of the recent ones of these have been what Sophos identifies as 'Mal/DrodZp-A' (which means that they're malware, not viruses as such). The good news is that after discussing the issue, we now reject such emails. One reason we could make this decision easily and with confidence is that we couldn't find legitimate examples in a month's worth of logs, which once again shows us the worth of setting up a system so that we know what types of attachments our users are getting.

But this is just one instance of a broader pattern we've been seeing for a while. Malware seems to like wrapping its payload up in two levels of archives, commonly as a single .zip inside another .zip (there are variants with RAR archives, but zip-in-zip is what we see almost all the time). It appears that every single instance of this pattern we've seen in the past month has been bad; besides .doc files, we've seen .lnk, .js, .wsf, and a couple of .exe and .scr. At this point I'm definitely going to keep an eye out for any new file extensions that show up in such matryoshka zipfiles; whether or not our commercial antispam system detects them as malware, they're probably bad news.

At the same time, you don't want to unconditionally block any zipfile that contains another zipfile. We've seen plenty of legitimate cases where people bundle up a bunch of stuff in a zipfile and part of what they bundled up is one or more other zipfiles. The only suspicious case is when it's just a single .zip file inside the first zipfile; it's hard to see a legitimate use for this, since you could just as well send the inner .zip directly.

(Well, apart from using an encrypted zipfile to pack up an unencrypted one, but I'm not sure if we can even see filenames inside encrypted zipfiles so I don't think we'd notice this.)
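The rule described above (flag a zip attachment only when its sole member is itself a .zip) and the encrypted-zip caveat, written out as an added Python example; this is not code from the post or from the author's mail system. It assumes the mail pipeline has already handed you the attachment as bytes; the WATCHED_EXTENSIONS set is taken from the extensions the post lists, while MAX_INNER_BYTES, the verdict names and the sample attachments are my own constructions.

```python
import io
import zipfile

# Payload extensions the post reports seeing inside singleton nested zips.
# They are reported separately so that new ones can be watched for.
WATCHED_EXTENSIONS = {".doc", ".lnk", ".js", ".wsf", ".exe", ".scr"}

# Hypothetical cap on how much of the inner archive we are willing to
# inflate just to list its contents (guards against decompression bombs).
MAX_INNER_BYTES = 16 * 1024 * 1024


def _ext(name):
    """Lower-cased extension of a member name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def classify_zip(data):
    """Classify a zip attachment given as bytes.

    verdict is one of:
      'not-zip'              -- the bytes are not a zip archive
      'ok'                   -- anything other than the singleton pattern
      'singleton-nested-zip' -- exactly one member, and it is named *.zip
    inner_names lists the files inside the inner zip when it could be read,
    inner_encrypted says whether the outer member was encrypted (so the
    inner archive cannot be opened without a password), and watched is the
    subset of inner_names whose extension is in WATCHED_EXTENSIONS.
    """
    result = {"verdict": "ok", "inner_names": [], "inner_encrypted": False, "watched": []}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        result["verdict"] = "not-zip"
        return result
    with zipfile.ZipFile(buf) as outer:
        # Directory entries carry no payload, so they do not count as members.
        members = [i for i in outer.infolist() if not i.is_dir()]
        # A bundle of several files, even if some are zips, is the
        # legitimate case the post describes; it passes untouched.
        if len(members) != 1:
            return result
        only = members[0]
        # Key on the member *name* ending in .zip, as the post does: .docx,
        # .jar and similar are zip containers too, and a single one of those
        # inside a zip is not the pattern we are looking for.
        if _ext(only.filename) != ".zip":
            return result
        result["verdict"] = "singleton-nested-zip"
        # Bit 0 of the general-purpose flags marks an encrypted entry. The
        # outer listing is still readable (names live in the central
        # directory), but the inner archive itself cannot be opened.
        if only.flag_bits & 0x1:
            result["inner_encrypted"] = True
            return result
        if only.file_size > MAX_INNER_BYTES:
            return result
        inner_bytes = outer.read(only.filename)
        if zipfile.is_zipfile(io.BytesIO(inner_bytes)):
            with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
                result["inner_names"] = [
                    i.filename for i in inner.infolist() if not i.is_dir()
                ]
    result["watched"] = [n for n in result["inner_names"] if _ext(n) in WATCHED_EXTENSIONS]
    return result


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo():
    """Run the classifier over three constructed attachments."""
    inner = build_zip({"invoice.doc": b"constructed sample, not a real document"})
    samples = {
        "matryoshka": build_zip({"invoice.zip": inner}),                 # the pattern
        "bundle": build_zip({"report.pdf": b"pdf", "data.zip": inner}),  # legitimate bundle
        "single-doc": build_zip({"notes.doc": b"doc"}),                  # one non-zip member
    }
    return {label: classify_zip(blob) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Two design points. The rule keys on the member name rather than on zip magic bytes because Office .docx/.xlsx files and Java .jar files are zip containers, and a single one of those inside a zip is ordinary. On the encrypted case: `zipfile` reads member names from the central directory, which standard zip encryption leaves in the clear, so an encrypted outer zip still produces the singleton-.zip verdict from its one member's name; only the listing of the inner archive is lost.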

SuspiciousNestedZipfiles written at 19:25:07

2017-01-20

Spam and virus filtering on email is a risk (although likely not a big one)

If you have a decent-sized email system, you're probably running incoming email through some sort of anti-virus and anti-spam system. It may be a commercial product such as the one we use, or it may be a free one such as SpamAssassin or ClamAV. There are ways around needing such a system while still allowing a reasonable amount of incoming email, but they let some spam through and they require aggressively blocking attachments in order to try to exclude viruses.

These systems, commercial or free, are a potential security risk. We know that desktop anti-virus scanners have vulnerabilities (both in the engines and in things like their update mechanisms), so it's only prudent to assume that server-based systems do as well, especially for anti-virus systems. Modern AV systems are trying to parse and understand complicated file formats, almost certainly using code written in C and not aggressively hardened; it would be a miracle if they didn't have exploitable vulnerabilities somewhere.

(At least one commercial system definitely had vulnerabilities, although they may or may not have been exploitable.)

At one level, this is really quite alarming; your email AV system is completely exposed to inbound email from the outside world, since automatically checking that email is its entire job. An attacker who knows and can exploit a vulnerability in it can send you a malicious message and your system will be owned without any action on your part. It's not too much different from your web server having a remotely exploitable vulnerability. Yes, it's likely that coming up with a reliable attack against your AV system will be harder, but it's very likely it can still be done.

So should you abandon use of an AV system, and in fact of all content-scanning systems that look at your inbound email? As usual, this is a balance of risks question. In particular I think it's a question of how easily AV systems can be exploited generically and have something useful done with them.

The reality of life is that if an attacker is targeting you specifically, they're probably going to get in somehow. It's worth making sure that your AV system is not exceptionally vulnerable, but at the same time it is probably not the sole weak point in your environment, and not having an AV system or other content filtering has its own set of risks. For most sites, you are probably better off overall having an email AV system even if it provides an additional attack point for someone who is targeting you specifically.

But specific attackers aren't the only attackers we have to worry about; there are also mass attackers, people who find some broadly spread vulnerability and attack everyone they can find with it in order to do various sorts of nastiness (sending out spam, holding your files to ransom, selling access to other people, whatever). If a mass attack is possible at all, it is really the biggest risk, simply because mass attackers spray their attack widely in order to reach as many targets as possible.

(As a corollary, there probably will never be a mass attack against your custom local filtering, although there may be a mass attack against some common sub-component you're using in it, such as a MIME parsing library or a compression library.)

I'm wary of saying that there can't be a successful mass attack against an email AV or anti-spam scanner, but I think that the odds are against it. These systems are deployed on varied systems, in very varied environments, often in varied versions of the software itself, and there are a fair number of different software packages that mail systems use. Barring a glaring, trivial vulnerability, a would-be mass attacker probably can't develop a truly broad single exploit even for a broadly spread vulnerability; they might need a different one for different Linux releases, for example. Then they'd have to find enough mail systems on the Internet that were running the specific AV/anti-spam system on Debian X or CentOS Y in order to make a mass attack worth it. It just seems unlikely to me.

(Things like web servers are more exposed to mass attacks because they are easier to mass scan and assess.)

SpamAndVirusFilteringRisk written at 01:25:39
