
The Malware Filter Unpacks
… why it is so important to strip every email attachment completely bare.
An email malware scanner finds and identifies unwanted content in emails. Finding and identifying means that every object to be examined must first be exposed far enough that it becomes visible what you are dealing with. The uncovered object is then inspected and a decision is made on how to deal with it: good or evil?
Good or evil?
We make no compromises on this question!
Malware sometimes mutates after only a few minutes. We therefore no longer consider it sufficient to block content only after malicious code has been detected. The state-of-the-art approach is that of a classic firewall: a policy defines which content may be sent from the outside into the innermost part of the company's IT and which may not. Consequently, potentially dangerous content is prohibited altogether, and only content that is harmless and actually needed is permitted. Windows and doors that are not in use at the moment should remain closed and locked. The task of the SecuMail® team is to keep this policy permanently up to date in coordination with the customer.
However, these decisions can only be made if the filter system is able to open every archive, encoding and container conceivable in e-mail. And there are many. Malware is also very creative, as this recent example shows.
Extracting mails:
Malware must be easy for the attacked user to open. First, however, the infected mail must reach that user's mailbox. To make this succeed, malicious code increasingly hides like an onion under several layers, which must be peeled off first. The following mail left some packaging waste on our servers. These are the layers:
1. MIME Encoding:
A MIME part contains a file encoded in base64 called winmail.dat:
Content-Transfer-Encoding: base64
Content-Type: application/ms-tnef; name="winmail.dat"
2. winmail.dat
Here, email content is wrapped in Microsoft's TNEF format. This container format can usually only be opened by Outlook; all other clients do not seem to be in the malware's target group.
3. GZIP Archive
The result is another archive file with the heavily "obfuscated" name:
"order_#092928_ scan_copy_15-05-2017.gz"
Note the nice attempt to confuse unpackers with spaces and a hash sign, which many tools treat as a comment marker.
The archive is also constructed so that a few simple unpackers cannot open it. A native GNU gzip from a common Linux distribution can.
5. No ASCII File
The included file calls itself "order_#092928_ scan_copy_15-05-2017.bat".
However, it is not an ASCII batch file but a binary Windows executable, i.e. an .exe file. At this point the virus scanner also triggers.
If this file were executed by clicking on it, Agent Ransom would be unleashed, and soon the administrator's phone would be ringing off the hook with colleagues reporting that shared files can no longer be opened.
Result:
Quite a lot of effort for a little worm. It did the worm no good, because its invisibility cloaks were removed and an "ordinary" executable with malicious code was exposed.
The policy does not allow executable files in general, which is why SecuMail® blocks the entire email. Strictly speaking, we could spare ourselves waiting for the results of the virus scanners.
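As an added illustration (not SecuMail's own code), here is a small Python unpacker that peels the layers described above in the way the policy approach requires: it undoes the base64 MIME layer, opens a gzip archive, reads the member name from the gzip header, and identifies the member by its MZ signature rather than by its ".bat" name; a TNEF winmail.dat is recognised by its signature only and left to a dedicated decoder. The sample message, the filenames, the magic-number checks and the default-deny verdict are this example's own constructed assumptions.

```python
import email
import gzip
import io
from email.message import EmailMessage
# Magic numbers: identify content by what it is, not by the name it claims.
GZIP_MAGIC, TNEF_MAGIC, PE_MAGIC = b"\x1f\x8b", b"\x78\x9f\x3e\x22", b"MZ"

def gzip_member_name(data):
    """Optional FNAME field of a gzip header (RFC 1952), or None."""
    flg, pos = data[3], 10
    if flg & 0x04:  # FEXTRA comes before FNAME
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if flg & 0x08:  # FNAME: zero-terminated latin-1 string
        return data[pos:data.index(b"\x00", pos)].decode("latin-1")
    return None

def unwrap(name, data, depth=0):
    """Peel container layers, outermost first, until a leaf object remains."""
    if depth > 8:  # refuse absurd nesting instead of unpacking forever
        return [(name, "too-deep")]
    if data.startswith(GZIP_MAGIC):
        inner = gzip_member_name(data) or name + ".member"
        return [(name, "gzip")] + unwrap(inner, gzip.decompress(data), depth + 1)
    if data.startswith(TNEF_MAGIC):
        return [(name, "tnef")]  # needs a TNEF decoder; opaque to this example
    if data.startswith(PE_MAGIC):
        return [(name, "windows-executable")]
    return [(name, "other")]

def verdict(layers):
    kinds = {kind for _, kind in layers}
    # Default-deny policy: block executables, unopened containers and over-deep nesting.
    return "block" if kinds & {"windows-executable", "tnef", "too-deep"} else "allow"

def scan_message(raw):
    """Undo the base64 MIME layer, then unwrap each attachment and apply the policy."""
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if name and part.get_content_maintype() != "multipart":
            layers = unwrap(name, part.get_payload(decode=True))
            yield {"attachment": name, "layers": layers, "verdict": verdict(layers)}

def build_sample_message():
    """Constructed sample, not the real mail: a gzip member named .bat that is really a PE stub."""
    with gzip.GzipFile(filename="order_#092928_ scan_copy_15-05-2017.bat", mode="wb", fileobj=(buf := io.BytesIO())) as gz:
        gz.write(b"MZ" + b"\x00" * 62 + b"constructed stub, not a runnable program")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="gzip", filename="order_#092928_ scan_copy_15-05-2017.gz")
    return msg.as_bytes()
```

Running `list(scan_message(build_sample_message()))` yields one finding whose layers are the gzip wrapper and a member that calls itself .bat but is identified as a Windows executable, so the verdict is "block" before any signature scanner is consulted.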

SecuMail® is a cloud-based email spam and malware filter that works as a security instance between customers' corporate networks and the Internet. Like a food taster, a network of filter servers checks emails before they make their way to the company's mail server and blocks spam and messages with dangerous attachments.
Addendum 30.05.2017:
Heise-Online reports today on the latest extortion Trojan "Jaff". It is crypto-ransomware, and it hides in PDF files.
To detect the Trojan, attached PDF files must first be unpacked. Further documents then come to light, which ultimately contain a macro that fetches the actual virus.
Unpack first, then reject the macro via policy. This is exactly how SecuMail® protects against Jaff.
Heise-Online article on Jaff
Any questions? Contact us 08171-246920 – support@secumail.de
https://www.secumail.de
Your SecuMail Team