Email attachments of singleton nested zipfiles are suspicious

January 31, 2017

Today I tweeted:

Our most commonly detected inbound email virus is now a .doc in a .zip inside another .zip. It's tempting to reject all such emails.

All of the recent ones of these have been what Sophos identifies as 'Mal/DrodZp-A' (which means that they're malware, not viruses as such). The good news is that after discussing the issue, we now reject such emails. One reason we could make this decision easily and with confidence is that we couldn't find legitimate examples in a month's worth of logs, which once again shows us the worth of setting up a system so that we know what types of attachments our users are getting.

But this is just one instance of a broader pattern we've been seeing for a while. Malware seems to like wrapping its payload up in two levels of archives, commonly as a single .zip inside another .zip (there are variants with RAR archives, but zip-in-zip is what we see almost all the time). It appears that every single instance of this pattern we've seen in the past month has been bad; besides .doc files, we've seen .lnk, .js, .wsf, and a couple of .exe and .scr. At this point I'm definitely going to keep an eye out for any new file extensions that show up in such matryoshka zipfiles; whether or not our commercial antispam system detects them as malware, they're probably bad news.

At the same time, you don't want to unconditionally block any zipfile that contains another zipfile. We've seen plenty of legitimate cases where people bundle up a bunch of stuff in a zipfile and part of what they bundled up is one or more other zipfiles. The only suspicious case is when the first zipfile contains nothing but a single .zip file; it's hard to see a legitimate use for this, since you could just as well send the inner .zip directly.

(Well, apart from using an encrypted zipfile to pack up an unencrypted one, but I'm not sure if we can even see filenames inside encrypted zipfiles so I don't think we'd notice this.)
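As an added illustration of the rule described above (a single .zip as the only member of the outer .zip is rejected; bundles with several files, or a single non-zip member, pass), here is a small Python checker written for this post rather than taken from any mail filter we run. It builds its sample attachments in memory with the standard library, so the archives are constructed, and the `MAX_INNER_BYTES` cap and the `Report` verdict names are assumptions of the example. Standard zip encryption (general purpose bit 0 of an entry) encrypts entry data but not the filenames in the central directory, so the outer listing still shows an inner `.zip` name; the checker reports the encrypted case and simply does not try to list the inner archive.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Cap on how much inner archive we are willing to decompress just to list it,
# so a mail filter is not turned into a decompression-bomb target (assumed limit).
MAX_INNER_BYTES = 8 * 1024 * 1024

# General purpose bit 0 of a zip entry header: the entry's data is encrypted.
ENCRYPTED_BIT = 0x1


@dataclass
class Report:
    verdict: str                       # "reject" for a singleton nested zip, else "accept"
    reason: str
    outer_names: list = field(default_factory=list)
    inner_names: list = field(default_factory=list)
    inner_encrypted: bool = False


def _members(zf):
    """Non-directory entries of an open ZipFile; directory placeholders carry no payload."""
    return [i for i in zf.infolist() if not i.is_dir()]


def inspect_attachment(data: bytes) -> Report:
    """Apply the singleton-nested-zip rule to one attachment given as raw bytes."""
    try:
        outer = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Report("accept", "not a zip archive; leave it to the other filters")
    with outer:
        members = _members(outer)
        outer_names = [m.filename for m in members]
        if len(members) != 1:
            return Report("accept", f"{len(members)} members; multi-file bundles are normal",
                          outer_names)
        only = members[0]
        if not only.filename.lower().endswith(".zip"):
            return Report("accept", "single member is not a .zip", outer_names)

        # This is the pattern in question: exactly one member and it is a zip.
        # Try to see what is inside, but never decrypt and never decompress unbounded data.
        inner_encrypted = bool(only.flag_bits & ENCRYPTED_BIT)
        inner_names = []
        if not inner_encrypted and only.file_size <= MAX_INNER_BYTES:
            inner_data = outer.read(only)
            if zipfile.is_zipfile(io.BytesIO(inner_data)):
                with zipfile.ZipFile(io.BytesIO(inner_data)) as inner:
                    inner_names = [m.filename for m in _members(inner)]
        return Report("reject", "single .zip inside a .zip", outer_names,
                      inner_names, inner_encrypted)


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; only used to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one matryoshka zip, one ordinary bundle that happens to
# contain a zip, one plain single-document zip, and one non-zip blob.
SAMPLES = {
    "nested.zip": build_zip({"invoice.zip": build_zip({"invoice.doc": b"constructed"})}),
    "bundle.zip": build_zip({"readme.txt": b"hi", "old-data.zip": build_zip({"a.txt": b"a"})}),
    "single.zip": build_zip({"report.doc": b"constructed"}),
    "garbage.bin": b"not a zip archive at all",
}


def verdicts() -> dict:
    """Verdict per sample name, for checking the rule against the constructed inputs."""
    return {name: inspect_attachment(data).verdict for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = inspect_attachment(data)
        print(f"{name}: {r.verdict} ({r.reason}) outer={r.outer_names} inner={r.inner_names}")
```

Only `nested.zip` is rejected; the other three are accepted, which matches the point that zips inside zips are fine in general and only the lone-inner-zip shape is the tell. The inner file list is logged purely so that new extensions showing up inside such archives are noticed, as the post suggests doing.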

Last modified: Tue Jan 31 19:25:07 2017