Jason_Haar at trimble
Oct 2, 2011, 1:31 PM
Post #2 of 2
Re: new technique: borked zip attachment w/malware

I don't get it: "=?iso-8859-5?B?NjI=?=" is "62" - that's not an empty
I sent it to our Exchange server and read it with Outlook - it didn't
know what to do with it and even saving to disk and double-clicking
failed to work. Renaming it with a .zip extension fixed that of course.
On 01/10/11 16:10, Chip M. wrote:
> There's an interesting new zip attachment obfuscation that uses
> an encoded EMPTY filename.
> I've seen barely a trickle, but so far, all have had VERY low
> SA scores ("1.1" with generally unremarkable test hits).
> I'm still waiting for permission from the recipient to publish
> a complete sample.
> Here's an actual set of the zip's Content headers:
> Content-Type: APPLICATION/X-ZIP-COMPRESSED; name="=?iso-8859-5?B?NjI=?="
> Content-transfer-encoding: base64
> Content-Disposition: attachment; filename="=?iso-8859-5?B?NjI=?="
> There's one HTML part, followed by the zip part.
> Probably the best general defense is to decide that if the
> filename is encoded, it implies the sender committed to putting
> something there, and since it was empty, it's a reasonable trait
> to score medium to high on.
> At first, the unusual "Content-Type" seemed worth a modest score,
> however I did find (business) Ham samples using that form.
> Currently, I've got a kill level score for anything with either
> "zip" or "compressed" in the CT, and which does NOT have ".zip"
> as the file extension. I do have a robust FP pipeline, so what
> makes me feel good, may not work as well for everyone. :)
> Does anyone know if any mainstream email client can open such a
> I don't use Outlook, so maybe someone who does could zip up
> something benign, email it to themself, grab the network image,
> hack the CT filename as above, re-inject it, then try opening it.
> - "Chip"
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
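
The two checks discussed in this thread (an encoded filename that decodes to nothing, and a zip-typed part whose filename lacks ".zip"), as an added example that is not code from either poster. The function and rule names are hypothetical, the sample messages are constructed with benign content, and the "PK" magic-byte test is an addition beyond what the thread describes.

```python
import base64, io, zipfile
from email import message_from_string
from email.header import decode_header, make_header

def build_sample(encoded_name):
    """Constructed test message: one HTML part, then a zip part (benign content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign test content")
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    return (
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/html\n\n<p>hello</p>\n"
        "--b1\n"
        f'Content-Type: APPLICATION/X-ZIP-COMPRESSED; name="{encoded_name}"\n'
        "Content-transfer-encoding: base64\n"
        f'Content-Disposition: attachment; filename="{encoded_name}"\n\n'
        f"{b64}--b1--\n"
    )

def check_attachments(raw_message):
    """Return [(decoded_filename, [rule, ...])] for each part that trips a rule."""
    results = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        raw_name = part.get_filename() or ""
        # Decode RFC 2047 encoded-words before judging the name.
        name = str(make_header(decode_header(raw_name))).strip()
        ctype = part.get_content_type()  # already lower-cased by the parser
        payload = part.get_payload(decode=True) or b""
        # Content-Type test is from the thread; the magic-byte test is an addition.
        looks_zip = ("zip" in ctype or "compressed" in ctype
                     or payload.startswith(b"PK\x03\x04"))
        rules = []
        if "=?" in raw_name and not name:
            rules.append("encoded-empty-filename")
        if looks_zip and not name.lower().endswith(".zip"):
            rules.append("zip-without-zip-extension")
        if rules:
            results.append((name, rules))
    return results

if __name__ == "__main__":
    # First name is the one quoted in the thread; the other two are constructed.
    for n in ("=?iso-8859-5?B?NjI=?=", "=?iso-8859-5?B?IA==?=", "report.zip"):
        print(n, check_attachments(build_sample(n)))
```

The filename quoted in the thread decodes to "62", so only the extension rule fires for it; the empty-name rule needs a name that decodes to nothing or to whitespace.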