It's always convenient when malware is clear about its nature (7z edition)
A certain amount of malware these days likes 7z files, or at least things that claim to be 7z files with their file extension. We've been getting a run of malware that claims its file extension is .pdf.7z and that Sophos PureMessage detects as 'CXmail/MalPE-AS', which I suspect means that there's actually a Windows executable in there. We've also got others that are being reported by our attachment logger as simply .7z files (and also, apparently, as MalPE-AS).

All of this caused me to take a look at our logs, where I found some attachments with the listed extension of .exe.7z (which were also detected as MalPE-AS). This is actually quite convenient for us, because we already reject email with .exe attachments. If you're going to helpfully label your attachment as a .exe in some way, well, we'll extend our rejection to rejecting it too, which we now do.
(We've also decided to reject .pdf.7z attachments. As far as we can tell we don't get any real ones. We're not sure we get any real .7z attachments in general, but rejecting those is currently a little bit more chancy. For various reasons, we will probably be augmenting our attachment logger to try to peer into 7z archives, as it currently does for ZIP and RAR archives.)
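As an added illustration of the rejection rules described above (this is example code, not the actual attachment logger or mail filter): a filename check that rejects anything carrying .exe anywhere in its extension chain (so .exe.7z is caught) plus .pdf.7z, and a logger-style entry that lists the member extensions of ZIP attachments, as the post's logger does, while only identifying 7z archives by their signature. The rule set, the entry format and the sample archive are all constructed here.

```python
import io
import re
import zipfile

# Constructed policy modelled on the post: reject any name whose extension chain
# contains .exe (covers .exe and .exe.7z alike), and reject .pdf.7z outright.
REJECT_NAME_RE = re.compile(r"(\.exe(\.[a-z0-9]+)*|\.pdf\.7z)$", re.IGNORECASE)
# Genuine 7z file signature (first six bytes of a 7z archive).
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def name_verdict(filename):
    """Return 'reject' or 'allow' based on the filename's extension chain alone."""
    return "reject" if REJECT_NAME_RE.search(filename) else "allow"


def describe_attachment(filename, data):
    """Build a hypothetical logger entry: outer extension, container type, and for
    ZIPs the member extensions. 7z archives are recognised by magic but not opened."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    entry = {"ext": ext, "container": None, "zip_exts": [],
             "verdict": name_verdict(filename)}
    if data.startswith(SEVENZ_MAGIC):
        entry["container"] = "7z"
    elif zipfile.is_zipfile(io.BytesIO(data)):
        entry["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if not n.endswith("/")]
            exts = sorted({"." + n.rsplit(".", 1)[-1].lower()
                           for n in members if "." in n})
            entry["zip_exts"] = exts
            # An executable inside a ZIP gets the same treatment as a bare .exe.
            if ".exe" in exts:
                entry["verdict"] = "reject"
    return entry


def build_sample_zip(member_names):
    """Constructed sample input: an in-memory ZIP with empty members of the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")
    return buf.getvalue()
```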
As a side note, the reason I said that the .7z attachments were 'apparently' detected as MalPE-AS is that all of the email messages with them actually had two attachments:

    application/octet-stream; MIME file ext: .7z
    application/msword; MIME file ext: .doc; zip exts: .bin .emf .rels .xml[9] none

PureMessage only gives us a report for the entire message, and it reported that these emails have both CXmail/DocDrp-C and CXmail/MalPE-AS. I suspect that DocDrp is the .doc and MalPE is the .7z, but I don't know for sure.
(This would be another example of malware covering its bases.)