Malware spammers put .exe Windows executables in everything
Recently, for reasons beyond the scope of this entry, I've been expanding our system for recording email attachment type information to be able to look inside more archive formats to get the file extensions of files inside them. The most significant format I wanted to be able to peer inside was 7zip archives, because 7zip archives are one of the big areas where ClamAV differs from our current commercial solution by recognizing fewer things, but I added support for ISO 9660 images and CAB files while I was there.
In completely unsurprising news, once I had this interior file extension
logging working, it started lighting up with 7zip archives, ISO 9660
images, and even a CAB archive here and there that all contained
files, generally with nothing else. This matches malware behavior I've
seen before for 7zip attachments and ISO images, but it's always useful to have this stuff
confirmed (especially since malware behavior changes over time).
(We're already rejecting email that contains .cab files or ISO images as attachments, but now I can have more confidence that these truly are bad and we can make more fine grained filtering decisions if we need to. Since we now can, we're rejecting email with 7zip archives that have .exes in them.)
My assumption is that malware spammers are putting .exes in all sorts of archive formats in an attempt to shield them from content scanners. Some of this will be for content scanners that can't look inside the archive format at all, and probably some is for things where a different archive format messes up simple signature recognition or executable scanning. I can't say that this is a silly idea, because until recently this content smuggling mostly worked against us.
It is somewhat amusing to get confirmation that all of those very bad looking things really are bad, such as the people who put several extensions on their filenames:
attachment application/x-7z-compressed; MIME file ext: .pdf.z; 7zip exts: .exe
Of course, in the grand traditional of malware, sometimes the extension is sort of a lie:
attachment application/octet-stream; MIME file ext: .pdf.z; file magic: application/x-rar; rar exts: .exe
Perhaps it's simpler in the software to just use a fixed set of extensions regardless of what archive type you're packing it up as. (We have a number of these .pdf.z RAR archives logged recently.)