The types of attachments we see for malware-laden email

August 28, 2017

These days we block some attachment types, but of course not all of them. We also use our commercial anti-spam package to detect and reject malware that isn't already rejected outright as a bad attachment type. This raises the obvious interesting question of what attachment types malware comes in. Unfortunately I can't answer exactly that question from our logs, but I can see what attachment types we see in email that is rejected because it contains malware.

(This difference matters only if a malware email contains multiple attachments, possibly with multiple pieces of malware. When this happens, our commercial anti-spam system doesn't log information that would let us identify which particular attachment has the detected malware.)

In the past 19 days of logs, we rejected 440 messages because they were identified as containing malware. A few of these messages had attachments without MIME filenames; all of the attachments were detected as either Microsoft Word files or images (mostly PNGs with a couple of GIFs). The vast majority had MIME filenames, and the (claimed) extensions on these are as follows:

 241  .doc
  95  .jar
  52  .zip
  24  .html
   6  .htm
   6  .gz
   3  .7z, .rar (each)
   1  .z, .xls, .rev, .psx, .pdf (each)

Most of the .zip files contained .doc files (26) or .jar files (12). Ten of the .zip files were actually given the MIME type application/msword (despite the .zip extension in their MIME filename) and contain the file extensions '.bin .png .rels[2] .xml[12] none'. Some Internet searches suggest that the .bin file extension here is the giveaway marker of Word macros being embedded in the file, and we certainly saw a bunch of .doc files that had .bin files inside them (it looks like 69 out of the 241 .doc files, so by no means all or even a majority but certainly a significant portion).
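As an added illustration (my own code, not the tooling that produced the numbers above), here is a Python script that performs the same sort of tally on a single message: it counts the claimed MIME filename extensions, falls back to sniffing the container format for attachments with no filename, lists the member extensions of anything that is actually a ZIP container (which includes .jar files and OOXML Word documents), flags a claimed extension that disagrees with the declared Content-Type, and treats a ZIP member named vbaProject.bin (where OOXML Office files store VBA macros) as the "macros present" marker. The sample message it builds is constructed, not a real capture; the expected-MIME-type table is my assumption, and macro detection inside legacy binary .doc (OLE2) files is out of scope.

```python
import email
import io
import zipfile
from collections import Counter
from email.message import EmailMessage
from email.policy import default

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
MAGICS = ((OLE2_MAGIC, "ole2"), (b"PK\x03\x04", "zip"),  # .zip, .jar and .docx alike
          (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif"))
# MIME type expected alongside a claimed extension (my assumption, not a standard).
EXPECTED_MIME = {".doc": "application/msword", ".zip": "application/zip",
                 ".jar": "application/java-archive"}


def sniff_container(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its claimed name."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def claimed_extension(filename: str) -> str:
    """Lower-cased extension of a MIME or ZIP member name, or 'none'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else "none"


def zip_member_extensions(data: bytes):
    """Counter of member extensions if data is a ZIP container, else None."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return Counter(claimed_extension(n) for n in zf.namelist()
                       if not n.endswith("/"))


def has_vba_project(data: bytes) -> bool:
    """OOXML Office files keep VBA macros in a member named vbaProject.bin;
    that member's presence is the 'macros present' heuristic used here."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def analyze_message(raw: bytes) -> dict:
    """Walk every attachment of a raw RFC 5322 message and summarise it."""
    msg = email.message_from_bytes(raw, policy=default)
    report = {"extensions": Counter(), "unnamed_by_container": Counter(),
              "zip_members": {}, "macro_carriers": [], "mime_disagreements": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        filename, ctype = part.get_filename(), part.get_content_type()
        if filename is None:  # no MIME filename: fall back to the sniffed container
            report["unnamed_by_container"][sniff_container(data)] += 1
            label = "<unnamed %s>" % ctype
        else:
            ext, label = claimed_extension(filename), filename
            report["extensions"][ext] += 1
            if EXPECTED_MIME.get(ext, ctype) != ctype:  # e.g. a .zip sent as msword
                report["mime_disagreements"].append((filename, ctype))
        members = zip_member_extensions(data)
        if members is not None:
            report["zip_members"][label] = members
        if has_vba_project(data):
            report["macro_carriers"].append(label)
    return report


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message (not a real capture) with the shapes seen above:
    a .doc, a .zip holding a .doc and a .jar, an OOXML container sent as
    application/msword under a .zip name, and a PNG with no filename."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(OLE2_MAGIC + b"\0" * 16, maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(_zip_bytes({"invoice.doc": b"x", "viewer.jar": b"x"}),
                       maintype="application", subtype="zip", filename="docs.zip")
    ooxml = {"[Content_Types].xml": b"<Types/>", "_rels/.rels": b"<Relationships/>",
             "word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\0" * 8,
             "word/media/image1.png": b"\x89PNG"}
    msg.add_attachment(_zip_bytes(ooxml), maintype="application",
                       subtype="msword", filename="report.zip")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png")
    return bytes(msg)
```

Feeding real rejected messages through analyze_message and merging the per-message Counters would reproduce the extension table above; the report.zip attachment in the sample is the case where the claimed extension, the declared Content-Type and the actual container all disagree, which is worth logging separately because a tally by extension alone hides it.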

Out of the .doc files, the vast majority had some strain of what Sophos identifies as 'CXmail/OleDl'. A handful were Troj/DocDl or Troj/DocDrop. Out of the .jar files, almost all were identified by Sophos as CXmail/JarAd strains, some with 'Mal/DrodZp-A' added in; the remainder were basically all Java/Adwind (there was one that Sophos just labeled as 'Mal/Generic-S'). The .zip malware identifications were all over the map. The ZIPs that contained a .doc or a .jar unsurprisingly look like plain .docs or .jars; the remainder features Troj/DocDl, CXmail/JSDl, and a CXmail/PDFDoc. The HTML files appear to be a split between phish spam in attachments and 'CXmail/JSDl', which I suspect involves JavaScript embedded in that HTML.

Having gone through this stats gathering exercise, my overall view is that there's nothing terribly surprising here. Microsoft Word and Java/JARs are a big attack vector and HTML files appear to be a side door to sneak some attacks and phishing through where they might be blocked as an actual HTML email message.

(The obvious question to ask next is if our users get very many legitimate email messages that have Word files with embedded macros.)

Comments on this page:

By Jukka at 2017-09-02 04:43:35:

It would be interesting to see a statistical breakdown via a follow-up submission of the files to VirusTotal. I mean to get a sense that what you're seeing is also what others are seeing. Real-time submission is a bad idea, but after some preliminary screening, I think it shouldn't take more than a simple script.

By cks at 2017-09-02 15:42:56:

Unfortunately we don't keep copies of these emails (or malware parts); they get rejected at SMTP time.

Written on 28 August 2017.

Last modified: Mon Aug 28 01:27:33 2017