A single .jar recognized as several types of malware at once

April 9, 2017

In the spirit of the single email message with a lot of malware, I'll once again show you the log messages first:

1cwivp-0006vh-1M attachment application/zip; MIME file ext: .zip; zip exts: .jar; inner zip exts: .ai .b .box .class[35] .download .drive .mf .ph
rejected 1cwivp-0006vh-1M from 74.208.156.24/holmes@gmail.com to <redacted>: identified virus: CXmail/JarZip-A, CXmail/Java-A, Java/Adwind-KU

Here we have a .jar inside a .zip (which is somewhat but not totally suspicious), and from this single incoming email our system felt it found three bad things.

Sophos's detailed information for CXmail/JarZip-A is not really detailed. It's possible that this is simply their name for some apparently recognizable family of .jar-in-.zip malware; as I'd hope, some testing has shown that it's not as broad as 'all .jars inside .zips'. CXmail/Java-A has similarly generic information available. Java/Adwind-KU is apparently the better known thing, and has apparently been around for some time.

It turns out that we've seen Java/Adwind-KU before, and in the recent past cases our Sophos PureMessage reported it as 'CXmail/JarAd-G, Java/Adwind-KU'. These cases appear to have been straightforward .jar attachments. We have some earlier hits that were reported as Java/Adwind-KU alone, and back then they were .jar-in-.zips again. All of which goes to show that this sort of stuff evolves, both in form and in recognition.

When I started writing up this case I wondered if I had a situation where several pieces of malware had all rolled themselves into a single .jar file. Now that I've looked at this it appears that this is instead a single piece of malware that triggers multiple detection signatures inside Sophos PureMessage, presumably based on how it's decided to pack itself up.

The message was sent early Saturday morning from 74.208.156.24, which isn't listed in any major DNS blocklist as I write this (it's in Barracuda's blocklist, but that's still a relatively hair-trigger one). Given its Subject, From, and To, it's obviously bad, although it didn't seem to score as spam as well as something with a virus.

(As a hint for anyone writing virus messages, if you give a message the subject of 'URGENT NEW ORDER PO1605MP1-00077' and then have the To: be the same as the From:, things are going to look more than a little bit suspicious to anyone who actually reads the message.)

PS: I don't know what .download and .drive extensions are likely to be in .jars, but they at least sound a bit suspicious. On the other hand they could be used for something completely different in real JARs; I have very little idea what Java file extensions are normally found in them. Perhaps we should figure that out so we can identify highly suspicious extensions, but that's too much work for now.
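As an added illustration (not code from the original post or from our Exim and PureMessage setup), here is a small scanner that produces the same 'zip exts' / 'inner zip exts' summary as the log line at the top, by treating every zip-formatted member (a .jar is just a zip) as another level, and then applies the sort of extension policy the PS above talks about. The baseline of extensions a legitimate JAR normally carries is my assumption for the example, not something from Sophos or from the post, and the nested .zip it scans is constructed in the code to match the extension mix in the log line. Depth and member-size caps are there so a deliberately nested or inflated archive can't run the scanner away.

```python
import io
import zipfile
from collections import Counter

# Limits so a hostile attachment (deeply nested, or a zip bomb) cannot make
# the scanner recurse or inflate without bound.
MAX_DEPTH = 3
MAX_MEMBER_BYTES = 8 * 1024 * 1024

# Assumed baseline of what a legitimate JAR usually contains: bytecode, the
# manifest and signature files, plus common resources.  This is an assumption
# for the example, not a list from Sophos or from the post; tune it to what
# your own mail traffic shows.
EXPECTED_JAR_EXTS = {".class", ".mf", ".sf", ".rsa", ".dsa", ".properties",
                     ".xml", ".txt", ".png", ".gif", ".jpg", ".jar"}


def ext_of(name):
    """Lower-cased extension of a zip member name ('' if it has none)."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def walk_zip(data, depth=0):
    """Count member extensions per nesting level.

    levels[0] are the members of the archive itself, levels[1] the members
    of any zip-formatted member (a .jar is a zip), and so on, which is how
    the 'zip exts' / 'inner zip exts' fields of the log line are built.
    Non-zip input yields a single empty level.
    """
    levels = [Counter()]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return levels
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            levels[0][ext_of(info.filename)] += 1
            if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                continue  # do not descend into oversized or too-deep members
            member = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(member)):
                continue
            for i, counts in enumerate(walk_zip(member, depth + 1), start=1):
                if i >= len(levels):
                    levels.append(Counter())
                levels[i].update(counts)
    return levels


def format_log(levels):
    """Render the levels the way the log line does: '.class[35]' for repeats."""
    labels = ["zip exts", "inner zip exts", "inner inner zip exts"]
    parts = []
    for i, counts in enumerate(levels):
        if not counts:
            continue
        label = labels[i] if i < len(labels) else f"depth-{i} zip exts"
        toks = [(e or "(none)") + (f"[{n}]" if n > 1 else "")
                for e, n in sorted(counts.items())]
        parts.append(f"{label}: " + " ".join(toks))
    return "; ".join(parts)


def assess(levels):
    """Return the reasons (if any) this attachment deserves a closer look."""
    reasons = []
    if levels[0].get(".jar"):
        reasons.append("archive contains a .jar (a .jar inside a .zip)")
    if len(levels) > 1:
        odd = sorted(e for e in levels[1] if e not in EXPECTED_JAR_EXTS)
        if odd:
            reasons.append("unexpected extensions inside nested archive: "
                           + " ".join(odd))
    return reasons


def build_sample():
    """Constructed sample: a .zip holding order.jar with the log line's mix."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for n in range(35):
            j.writestr(f"a/b/C{n}.class", b"\xca\xfe\xba\xbe")
        for name in ("x.ai", "x.b", "x.box", "x.download", "x.drive", "x.ph"):
            j.writestr(name, b"dummy")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("order.jar", jar.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = walk_zip(build_sample())
    print(format_log(found))
    for reason in assess(found):
        print("suspicious:", reason)
```

Run against the constructed sample this prints the 'zip exts: .jar; inner zip exts: .ai .b .box .class[35] ...' tail of the log line and then flags both the .jar-in-.zip and the six extensions that don't belong in a normal JAR. The point of counting per nesting level rather than flattening everything is that '.jar directly in the message' and '.jar wrapped in a .zip' are different signals, which is exactly the distinction the post notices in how the Adwind hits changed over time.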

(One of the rules of anti-spam work is that there's always something more you could be doing, and thus you always have to draw the line somewhere and say 'we could do that, but let's not'.)

Written on 09 April 2017.