What file types we see inside singleton nested zipfiles in email

February 13, 2017

Earlier, I wrote about how email attachments of a single .zip inside another zip are suspicious. Given that the .doc malware using them has come back, today I feel like reporting on what file types we've seen in such cases over the past nine weeks.

(I'm picking nine weeks because we rotate this particular logfile once a week and it's thus easy to grep through just nine weeks worth.)

So here are the raw numbers:

  2292 inner zip exts: .js
  1261 inner zip exts: .doc
   606 inner zip exts: .lnk
   361 inner zip exts: .wsf
    15 inner zip exts: .jse
     5 inner zip exts: .exe
     1 inner zip exts: .txt
     1 inner zip exts: .scr

Of these 4542 emails, 3760 came from IP addresses that were listed in zen.spamhaus.org. In fact, here is the breakdown of how many of each different type were listed there:

  2051 inner zip exts: .js    (89%)
  1101 inner zip exts: .doc   (87%)
   386 inner zip exts: .lnk   (64%)
   214 inner zip exts: .wsf   (59%)
     4 inner zip exts: .jse   (27%)
     3 inner zip exts: .exe   (60%)
     1 inner zip exts: .scr  (100%)

The .jse extension is Javascript (.js) under another name. .wsf is a Windows Script File. .lnk files are Windows shortcuts, but get abused in malware as covered eg here (or the interesting live scam covered here). And .scr is a Windows screensaver, which can also contain all sorts of executable code.

There's nothing really surprising here; it's basically a greatest hits collection of ways to run your own code on reasonably modern Windows machines (apparently .bat and .com are now too old for most things). Since the .lnk files are not with other files, they're probably being used in the way mentioned here, where they run Powershell or some other capable tool with a bunch of command line arguments that pull down and run a nasty thing.

I don't know what to make of the variance in Zen listings between the various file extensions. I suspect that it has something to do with how big and broad a malware campaign is; if a campaign is prolific, its sending IPs are probably more likely to trip the detection for DNS blocklists. It seems at least reasonable that campaigns using .doc and .js malware are more prolific than the others; they certainly send us much more stuff.

Written on 13 February 2017.
« I'm too much of a perfectionist about contributing to open source projects
Does CR LF as a line ending cause extra problems with buffers? »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Feb 13 01:56:05 2017
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.