Malware is definitely out there and it's targeting us specifically

December 22, 2016

A few years ago I did a count of 'viruses' that our email system had seen in incoming traffic and found that we'd seen a relatively low volume. This left me with the impression that things had died down, an impression not changed by occasional surges early in 2015.

Well, let me update that. Ever since I started actively looking at the attachment types we've been getting in email and actively blocking some of them, I've noticed what I think of as a real volume of malware and periodic surges in it. Some quick numbers suggest that this is indeed the case and we seem to be running at more than twice the rejection volume we were at the start of 2015.

With rare exceptions, what we seem to get is mostly malware, which I suspect is all ransomware. More notably, lately it's clear that there is a real wave of it that is specifically targeting the university in volume. I can tell this because a great deal of the malware we're rejecting at the moment is actually relayed to us from the university's central email system (many of our users forward their central email address to us). The current burst seems to be coming from random outside envelope origin addresses, but earlier runs were actually forged from dangerously plausible university email addresses like copier@<our-domain>.ca (and with Subject: headers to match it).

(The malware that I've looked at appears to mostly be Office documents with embedded macros. At the moment we don't feel that we can reject all of these outright, although it's getting tempting, and anyway I'm not sure we can reliably detect them. Some macro-enabled attachments seem to use specific extensions, like .docm, but it appears that some don't. Presumably you have to sniff inside .doc files to be sure and I'm dubious about going that far in our own local code.)
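As an added illustration of what "sniffing inside" an attachment involves (this is example code written for this page, not the author's mail filter or anything the university runs), the check below looks at the container rather than the filename extension. OOXML files (.docx/.docm) are ZIP archives and carry macros in a `word/vbaProject.bin` part that the `[Content_Types].xml` manifest also declares; legacy .doc files are OLE2 compound files whose directory entries for the VBA project have well-known names. The OLE2 check is a byte-scan heuristic validated against the directory-entry layout, not a full compound-file parser, and the sample files it is run on are constructed minimal fakes, not real Office output. Function names and the `make_*_sample` builders are this example's own.

```python
import io
import struct
import zipfile

# Container magic numbers. Office files are either legacy OLE2 compound files
# (.doc/.xls/.ppt) or OOXML ZIP archives (.docx/.docm/.xlsx/.xlsm/...).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Content type that [Content_Types].xml declares for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Directory entry names under which Office stores VBA projects in OLE2 files
# (Word uses a "Macros" storage, Excel "_VBA_PROJECT_CUR"; both hold "VBA").
OLE2_VBA_NAMES = ("Macros", "_VBA_PROJECT_CUR", "VBA", "_VBA_PROJECT")


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML: macros live in a vbaProject.bin part and the content-types
    manifest declares it. Either sign is enough to call the file macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        pass
    return False


def ole2_has_macros(data: bytes) -> bool:
    """OLE2: look for directory entries named like a VBA storage or stream.

    Heuristic, not a full compound-file parser: each 128-byte directory entry
    holds a UTF-16LE, NUL-terminated name (64 bytes), then the name length
    including the terminator at +64 and the object type at +66 (1 = storage,
    2 = stream). Entries are 128-byte aligned, so each hit is checked against
    those fields to avoid matching stray bytes in document content.
    """
    for name in OLE2_VBA_NAMES:
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        expected_len = struct.pack("<H", len(encoded))
        pos = data.find(encoded)
        while pos != -1:
            if (pos % 128 == 0
                    and data[pos + 64:pos + 66] == expected_len
                    and data[pos + 66:pos + 67] in (b"\x01", b"\x02")):
                return True
            pos = data.find(encoded, pos + 1)
    return False


def classify_attachment(data: bytes) -> str:
    """Label an attachment by container and macro presence; the filename
    extension plays no part, so a macro .doc or a renamed .docm is still caught."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-macro" if ole2_has_macros(data) else "ole2-clean"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-macro" if ooxml_has_macros(data) else "ooxml-clean"
    return "not-office"


# --- Constructed sample files (minimal fakes, not real Office output) -------

def make_ooxml_sample(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType='
                     '"application/vnd.openxmlformats-officedocument.'
                     'wordprocessingml.document.main+xml"/>')
        if with_macros:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="%s"/>' % VBA_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        zf.writestr("[Content_Types].xml", "<Types>%s</Types>" % overrides)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _dir_entry(name: str, obj_type: int) -> bytes:
    encoded = name.encode("utf-16-le") + b"\x00\x00"
    entry = encoded.ljust(64, b"\x00") + struct.pack("<HB", len(encoded), obj_type)
    return entry.ljust(128, b"\x00")


def make_ole2_sample(with_macros: bool) -> bytes:
    header = OLE2_MAGIC.ljust(512, b"\x00")       # header occupies the first 512 bytes
    entries = _dir_entry("Root Entry", 5) + _dir_entry("WordDocument", 2)
    if with_macros:
        entries += (_dir_entry("Macros", 1) + _dir_entry("VBA", 1)
                    + _dir_entry("_VBA_PROJECT", 2))
    # Body text that merely mentions VBA in ASCII must not count as a hit.
    body = b"Body text mentioning VBA\x00\x00 in plain ASCII".ljust(512, b"\x00")
    return header + entries.ljust(512, b"\x00") + body
```

In a mail filter this would run on each decoded attachment body before any extension-based rule; for production use the same idea is implemented properly, with a real compound-file parser, by tools such as oletools' olevba, which is what to reach for rather than extending a byte-scan like this one.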

I knew malware was out there and sending email spam, of course. But I didn't realize that it was quite as active as it seems to be.

(And I expect it to only get worse from here, partly because ransomware seems to be a pretty reliable way to make money. Reliable ways to make money feed spam activity for the obvious reasons.)

Last modified: Thu Dec 22 01:32:14 2016