Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2011/10/01 05:10:30 UTC

new technique: borked zip attachment w/malware

There's an interesting new zip attachment obfuscation that uses
an encoded EMPTY filename.

I've seen barely a trickle, but so far, all have had VERY low
SA scores ("1.1" with generally unremarkable test hits).

I'm still waiting for permission from the recipient to publish
a complete sample.
Here's an actual set of the zip's Content headers:

Content-Type: APPLICATION/X-ZIP-COMPRESSED; name="=?iso-8859-5?B?NjI=?="
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="=?iso-8859-5?B?NjI=?="

There's one HTML part, followed by the zip part.


Probably the best general defense is to decide that if the 
filename is encoded, it implies the sender committed to putting
something there, and since it was empty, it's a reasonable trait
to score medium to high on.

At first, the unusual "Content-Type" seemed worth a modest score,
however I did find (business) Ham samples using that form.

Currently, I've got a kill level score for anything with either
"zip" or "compressed" in the CT, and which does NOT have ".zip"
as the file extension.  I do have a robust FP pipeline, so what
makes me feel good, may not work as well for everyone. :)


Does anyone know if any mainstream email client can open such a
file?
I don't use Outlook, so maybe someone who does could zip up 
something benign, email it to themself, grab the network image,
hack the CT filename as above, re-inject it, then try opening it.
	- "Chip"



Re: new technique: borked zip attachment w/malware

Posted by Jason Haar <Ja...@trimble.com>.
I don't get it: "=?iso-8859-5?B?NjI=?=" is "62" - that's not an empty
filename?

I sent it to our Exchange server and read it with Outlook - it didn't
know what to do with it and even saving to disk and double-clicking
failed to work. Renaming it with a .zip extension fixed that, of course.

Jason

On 01/10/11 16:10, Chip M. wrote:
>
> There's an interesting new zip attachment obfuscation that uses
> an encoded EMPTY filename.
>
> I've seen barely a trickle, but so far, all have had VERY low
> SA scores ("1.1" with generally unremarkable test hits).
>
> I'm still waiting for permission from the recipient to publish
> a complete sample.
> Here's an actual set of the zip's Content headers:
>
> Content-Type: APPLICATION/X-ZIP-COMPRESSED; name="=?iso-8859-5?B?NjI=?="
> Content-transfer-encoding: base64
> Content-Disposition: attachment; filename="=?iso-8859-5?B?NjI=?="
>
> There's one HTML part, followed by the zip part.
>
>
> Probably the best general defense is to decide that if the
> filename is encoded, it implies the sender committed to putting
> something there, and since it was empty, it's a reasonable trait
> to score medium to high on.
>
> At first, the unusual "Content-Type" seemed worth a modest score,
> however I did find (business) Ham samples using that form.
>
> Currently, I've got a kill level score for anything with either
> "zip" or "compressed" in the CT, and which does NOT have ".zip"
> as the file extension.  I do have a robust FP pipeline, so what
> makes me feel good, may not work as well for everyone. :)
>
>
> Does anyone know if any mainstream email client can open such a
> file?
> I don't use Outlook, so maybe someone who does could zip up
> something benign, email it to themself, grab the network image,
> hack the CT filename as above, re-inject it, then try opening it.
>         - "Chip"
>
>

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
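The following Python script is an added example and is not code from either post or from SpamAssassin itself. It implements the two heuristics Chip describes (an RFC 2047 encoded filename that decodes to nothing; a zip/compressed Content-Type whose filename lacks a `.zip` extension) and, run against a constructed message carrying the exact headers from the post, it also shows Jason's point: `=?iso-8859-5?B?NjI=?=` decodes to `62`, not to an empty string. It assumes Python's standard `email` package with its default (compat32) policy, under which `get_filename()` returns the raw, still-encoded parameter value; the function names, the message body and the base64 payload (an empty zip archive) are constructed here.

```python
import email
import re
from email.header import decode_header

# Constructed sample message (not the original from the list): one HTML part
# followed by a zip part whose three headers are copied from the post. The
# base64 body is an empty zip archive (just an end-of-central-directory record).
SAMPLE_MSG = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>see attached</body></html>
--BOUNDARY
Content-Type: APPLICATION/X-ZIP-COMPRESSED; name="=?iso-8859-5?B?NjI=?="
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="=?iso-8859-5?B?NjI=?="

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--BOUNDARY--
"""

# A whole value that is a single RFC 2047 encoded-word: =?charset?B|Q?text?=
ENCODED_WORD = re.compile(r'^=\?[^?]+\?[bBqQ]\?.*\?=$', re.DOTALL)


def rfc2047_decode(raw):
    """Decode RFC 2047 encoded-words to text; plain text passes through unchanged."""
    pieces = []
    for data, charset in decode_header(raw):
        if isinstance(data, bytes):
            pieces.append(data.decode(charset or 'ascii', errors='replace'))
        else:
            pieces.append(data)
    return ''.join(pieces)


def classify_attachment(content_type, raw_filename):
    """Apply the two heuristics from the post to one attachment's headers.

    Returns a dict with the decoded name and two boolean flags:
      ENCODED_EMPTY_FILENAME - the name was encoded but decodes to nothing
      ZIP_CT_NO_ZIP_EXT      - CT says zip/compressed but the name lacks .zip
    """
    raw_filename = (raw_filename or '').strip()
    encoded = bool(ENCODED_WORD.match(raw_filename))
    decoded = rfc2047_decode(raw_filename).strip() if encoded else raw_filename
    ct = (content_type or '').lower()
    zip_ct = 'zip' in ct or 'compressed' in ct
    return {
        'decoded_filename': decoded,
        'encoded': encoded,
        'ENCODED_EMPTY_FILENAME': encoded and decoded == '',
        'ZIP_CT_NO_ZIP_EXT': zip_ct and not decoded.lower().endswith('.zip'),
    }


def scan_message(raw_message):
    """Classify every non-multipart MIME part that carries a filename."""
    # compat32 policy: parameter values come back raw, so we decode them ourselves.
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw_name = part.get_filename()  # Content-Disposition filename, else CT name
        if raw_name is None:
            continue
        result = classify_attachment(part.get_content_type(), raw_name)
        result['raw_filename'] = raw_name
        findings.append(result)
    return findings


if __name__ == '__main__':
    for finding in scan_message(SAMPLE_MSG):
        print(finding)
```

Against the headers from the post the script reports `decoded_filename: '62'`, so only the second rule (zip Content-Type without a `.zip` extension) fires; a genuinely empty encoded-word such as `=?iso-8859-5?B??=` trips the first rule as well. Both checks are deliberately confined to the headers, which is all a mail filter needs to look at here.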