Wandering Thoughts archives

2017-02-25

A single email message with quite a lot of different malware

This is the kind of thing where it's easier to show you the log messages first and discuss them later:

1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .rels .xml[3] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .rels .xml[3] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .bin .png .rels .xml[10] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .eps .gif .rels .xml[10] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc
rejected 1chbMp-0007UF-Jw from 59.120.21.181/nie0461@gmail.com to <redacted>: identified virus: CXmail/OleDl-L2, Troj/20152545-E, Troj/DocDrop-RK
detail 1chbMp-0007UF-Jw Subject: [PMX:SPAM] [PMX:VIRUS] Urgent Order..

That one incoming email message had five different attachments, and between them they carried at least three different forms of malware. It's possible that all five attachments were bad but with some duplication of malware types, since the report we got only identified the unique malware; the first two attachments, for instance, have exactly the same set of file extensions.

The origin IP address is in HINET (AS3462, hinet.net), which was a big source of issues back in the days when I actively tracked where issues came from. It's not currently listed in the Spamhaus ZEN, but it is on Barracuda's blocklist and on psky.me (at their 'defer but don't reject' blocking level). Our logs say it HELO'd as 'mail.synclink.com.tw' and claimed to be relaying the email from 85.114.138.127 (which is on the CBL, as well as on psky.me at the 'reject during SMTP' level).

Troj/20152545-E is apparently normally a PostScript file, so I suspect that it was found in the .eps file in the fourth attachment. CXmail/OleDl-L2 is claimed to show up in 'OpenDocument' and Microsoft Office files (see also). Troj/DocDrop-RK is apparently normally seen in RTF files, so who knows where it lurks in this set of MIME attachments.
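As an added example (not the author's code), here is a small Python parser for the log records shown above: it groups the attachment and rejection lines per message id, counts how many distinct attachment signatures there are, and lists the file types inside the zip-based .doc attachments that are not plain OOXML structure, which is the same question the two paragraphs above work through by hand. The field layout is inferred from the lines quoted in the post, and the `[n]` suffix on a zip extension is assumed to be a per-extension file count.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the log lines quoted in the post, in the record
# layout the author's attachment logging appears to use (field names assumed).
SAMPLE_LOG = """\
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .rels .xml[3] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .rels .xml[3] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .bin .png .rels .xml[10] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc; zip exts: .eps .gif .rels .xml[10] none
1chbMp-0007UF-Jw attachment application/msword; MIME file ext: .doc
rejected 1chbMp-0007UF-Jw from 59.120.21.181/nie0461@gmail.com to <redacted>: identified virus: CXmail/OleDl-L2, Troj/20152545-E, Troj/DocDrop-RK
"""

ATTACH_RE = re.compile(
    r"^(?P<msgid>\S+) attachment (?P<mime>[^;]+); MIME file ext: (?P<ext>[^;\s]+)"
    r"(?:; zip exts: (?P<zip>.+))?$")
REJECT_RE = re.compile(
    r"^rejected (?P<msgid>\S+) from (?P<ip>[^/]+)/(?P<addr>\S+) to \S+: "
    r"identified virus: (?P<viruses>.+)$")
# Entries every OOXML container carries ('none' = files without an extension);
# anything else is a payload file worth a second look, such as the .eps above.
STRUCTURAL_EXTS = {".rels", ".xml", "none"}

def parse_zip_exts(field):
    """'.rels .xml[3] none' -> ['.rels', '.xml', 'none']; the [n] count is dropped."""
    return [re.sub(r"\[\d+\]$", "", tok) for tok in field.split()]

def summarize(log_text):
    """Group attachment and rejection records per message id and derive summary fields."""
    msgs = defaultdict(lambda: {"attachments": [], "viruses": [], "sender_ip": None})
    for line in log_text.splitlines():
        if m := ATTACH_RE.match(line):
            zipf = m.group("zip")  # absent when the attachment was not a zip container
            msgs[m.group("msgid")]["attachments"].append({
                "mime": m.group("mime"), "ext": m.group("ext"),
                "zip_exts": parse_zip_exts(zipf) if zipf else None})
        elif m := REJECT_RE.match(line):
            rec = msgs[m.group("msgid")]
            rec["sender_ip"] = m.group("ip")
            rec["viruses"] = [v.strip() for v in m.group("viruses").split(",")]
    for rec in msgs.values():
        # Attachments with the same outer extension and inner file list look alike to us.
        sigs = Counter((a["ext"], tuple(a["zip_exts"] or ())) for a in rec["attachments"])
        rec["unique_signatures"] = len(sigs)
        rec["payload_exts"] = sorted({e for a in rec["attachments"]
                                      for e in (a["zip_exts"] or ()) if e not in STRUCTURAL_EXTS})
    return dict(msgs)

if __name__ == "__main__":
    for msgid, rec in summarize(SAMPLE_LOG).items():
        print(msgid, len(rec["attachments"]), "attachments,", rec["unique_signatures"],
              "distinct;", len(rec["viruses"]), "malware ids; payload files:",
              " ".join(rec["payload_exts"]))
```

For the message above this reports five attachments with four distinct signatures, three malware identifications, and .bin, .eps, .gif and .png as the payload files inside the zip-based attachments.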

SingleEmailMuchMalware written at 18:26:47