We've now seen malware in a tar archive

October 31, 2017

Our anti-spam system recently logged the following information about an incoming message:

1e92K6-0007yD-37 attachment application/octet-stream; MIME file ext: .tar; tar exts: .exe; email is in-dnsbl
rejected 1e92K6-0007yD-37 from to <redacted>: identified virus: Mal/DrodTar-A

Sophos's information on Mal/DrodTar-A plus some Internet searches suggest that this .exe had attributes of a relatively generic Windows trojan. We also logged the message headers, and they make it clear that this wasn't a case of someone wrapping up a malware sample in a tar file in order to mail it to one of our people for research; it was an honest-to-goodness piece of Windows malware trying to propagate itself in a tar archive. Tell-tale headers include:

From: "Account Manager"<brand27@emediasol.com>
Subject: Purchase Order
To: undisclosed-recipients:;

(Our users do get emailed .tar and .tar.gz files, but they have actual contents and they're hopefully not showing up in email that looks like that.)

It turns out that this is not the first .exe-in-.tar attachment we've seen in the past several months; back in May and June we saw a few that were identified (at the time) as Mal/FareitVB-M. More recently we saw a couple that sadly weren't identified as malware, so they sailed right through the mail system (I suspect that they were malware; a single .exe file in a .tar is unusual, and most of our .tar attachments are actually .tar.gzs).

On further inspection we've also seen a number of other plain .tar attachments that seem to be malware, based on what they contain. In addition to .exes, we've logged single .scrs and .cmds, some of which have also been identified as Mal/FareitVB-M. Probably this means we should extend our rejection of bad things in ZIP archives to also cover bad things in tar archives.
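As an added illustration of the kind of check that paragraph describes (this is example code written for this page, not the post's own code or the actual attachment filter behind the log lines above), here is a small Python routine that opens a tar attachment in memory, collects the extensions of the files inside it, and rejects the attachment if any of them is on a blocklist. The blocklist contents beyond .exe, .scr and .cmd are an assumption; the sample archives are constructed inline so the script runs offline:

```python
import io
import os
import tarfile

# Extensions refused inside an archive. The post only names .exe, .scr and
# .cmd; the rest of this list is an assumption for the example.
BAD_EXTS = {".exe", ".scr", ".cmd", ".bat", ".com", ".pif", ".js", ".vbs"}


def tar_member_exts(data):
    """Return the set of lowercased extensions of regular files in a tar
    archive supplied as bytes. Mode 'r:*' makes tarfile autodetect gzip,
    bzip2 and xz compression, so plain .tar and .tar.gz are handled alike.
    Files without an extension are reported as '(none)'."""
    exts = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue  # directories, symlinks, device nodes: not payloads
            # splitext on the full path keeps only the last suffix, so
            # 'invoice.pdf.exe' is classified as .exe, which is what we want.
            ext = os.path.splitext(member.name)[1].lower()
            exts.add(ext if ext else "(none)")
    return exts


def tar_verdict(data):
    """Classify a tar attachment.

    Returns ('reject', reason) or ('accept', summary). An archive that
    cannot be parsed at all is rejected rather than passed through, on the
    grounds that a mail filter should fail closed on malformed input."""
    try:
        exts = tar_member_exts(data)
    except tarfile.TarError as e:
        return ("reject", "unreadable tar: %s" % e)
    bad = exts & BAD_EXTS
    if bad:
        return ("reject", "tar exts: " + " ".join(sorted(bad)))
    return ("accept", "tar exts: " + " ".join(sorted(exts)))


def build_tar(members, compress=""):
    """Construct a tar archive in memory from {name: bytes}.
    Used only to make constructed test data for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compress) as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a lone .exe in a plain .tar, mimicking the attachments
# described in the post, and an ordinary source tarball as a benign control.
# The 'MZ' bytes are just a fake PE header, not real malware.
MALWARE_SAMPLE = build_tar({"Purchase Order.exe": b"MZ\x90\x00fake"})
BENIGN_SAMPLE = build_tar(
    {"project/README": b"hello\n", "project/main.c": b"int main(void){}\n"},
    compress="gz",
)

if __name__ == "__main__":
    for label, sample in (("lone .exe", MALWARE_SAMPLE), ("source tarball", BENIGN_SAMPLE)):
        print(label, tar_verdict(sample))
```

Two design points worth noting: the verdict is computed from member names only, so it costs nothing in terms of extracting data and cannot be tricked by compression bombs in the members themselves (tarfile reads headers, not contents, when iterating), and an unparseable archive is rejected rather than waved through, since "we couldn't look inside it" is not the same as "it is clean".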

(All this goes to show that things can be hiding under innocent looking rocks.)

I'm a little bit surprised that Windows malware distributes itself as tar archives, because I would have thought that not many Windows machines can actually extract them without having to go find additional software. However, I may be wrong about this; some searches suggest that common Windows archive handling programs (such as 7-zip) are sufficiently polymorphic that they'll also unpack tar archives for you. Perhaps the malware authors have discovered that malware packed up in tar archives gets through defenses slightly more readily than malware in ZIP archives.

(Sadly, this is certainly the case here, where we'd have immediately rejected these attachments if they'd been ZIP archives instead of tarballs.)

I guess I'm a little bit sad and disappointed that tar archives are now being exploited by malware, in a 'is nothing sacred?' kind of way.

(Where malware and spam in general is concerned, the answer has always been 'of course not'. But I still like to think of Unix things as existing in a separate world, one not contaminated by the grubby realities of the modern malware-in-email environment.)

Last modified: Tue Oct 31 22:54:49 2017