Cyber criminals use password protected archives to conceal malware

15 March 2016

Worm:Win32/Gamarue.F is an old friend. Directly attached to an email, e.g. as ‘Ihre-Rechnung.exe’, the worm is now detected by 31 of 56 virus scanners. Even when wrapped in a zip or rar archive, the malware is detected by most antivirus scanners. From an economic point of view, it’s a waste of energy to start a new campaign with Win32/Gamarue.F today.

Yesterday morning, I got 2 emails with password-protected rar archives attached. Packaged this way, anti-malware scanners cannot scan the attachment because they can’t enter the password needed to open it, although it is stated in the email body:

Figure: Password for opening the rar attachment, given in the email body

This is a new, so far unbreakable way of delivering malicious software. Because a gateway can only block what it cannot scan, the number of false positives will go up dramatically. Users may then pressure the mail proxy administrators into relaxing policies. In the worst case, zero-day malware, against which we are completely defenseless, is delivered to the endpoint.
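As an added illustration (my own example, not code from the original post or from any product), here is the kind of gateway triage rule that does what a scanner cannot: instead of trying to open the archive, it flags a message whose attachment is an encrypted ZIP or RAR 4.x archive and whose body hands out the password. The ZIP and RAR header walks follow the published formats; the password-phrase regex, the sample message and the archive bytes are constructed for this example and are not real malware.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_LOCAL_SIG, RAR4_MARKER = b"PK\x03\x04", b"Rar!\x1a\x07\x00"
# Constructed heuristic: English/German phrases that hand the recipient the archive password.
PASSWORD_HINT = re.compile(r"(?i)\b(?:password|passwort|kennwort)\b\W{0,3}(?:ist|is|lautet)?\W{0,3}(\S+)")

def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the ZIP local file headers; bit 0 of the general-purpose flag marks an encrypted entry."""
    pos = 0
    while data.startswith(ZIP_LOCAL_SIG, pos) and pos + 30 <= len(data):
        flags, _, _, _, _, csize, _, name_len, extra_len = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        if flags & 0x0001:
            return True
        if flags & 0x0008:  # sizes deferred to a data descriptor: cannot walk further safely
            break
        pos += 30 + name_len + extra_len + csize
    return False

def rar4_is_password_protected(data: bytes) -> bool:
    """Walk RAR 4.x blocks: file header 0x74 with flag 0x04, or archive header 0x73 with flag 0x80."""
    # Start after the marker block; a non-RAR4 blob skips the loop entirely.
    pos = len(RAR4_MARKER) if data.startswith(RAR4_MARKER) else len(data)
    while pos + 7 <= len(data):
        btype, flags, size = struct.unpack_from("<BHH", data, pos + 2)
        if (btype == 0x73 and flags & 0x0080) or (btype == 0x74 and flags & 0x0004):
            return True
        if flags & 0x8000 and pos + 11 <= len(data):  # LONG_BLOCK: 4-byte ADD_SIZE follows the header
            size += struct.unpack_from("<I", data, pos + 7)[0]
        pos += max(size, 7)  # always make progress, even on a malformed HEAD_SIZE
    return False

def triage(raw_email: bytes) -> dict:
    """Quarantine verdict: an encrypted archive attachment plus a password hint in the body."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    hint = PASSWORD_HINT.search(body.get_content() if body else "")
    encrypted = [p.get_filename() for p in msg.iter_attachments()
                 if zip_has_encrypted_entry(p.get_payload(decode=True) or b"")
                 or rar4_is_password_protected(p.get_payload(decode=True) or b"")]
    return {"encrypted_archives": encrypted, "password_hint": hint.group(1) if hint else None,
            "quarantine": bool(encrypted and hint)}

def build_sample() -> bytes:
    """Constructed message: a one-entry ZIP whose local header has the encryption flag set (junk payload)."""
    header = ZIP_LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0x0001, 0, 0, 0, 0, 16, 16, 12, 0)
    m = EmailMessage()
    m.set_content("Sehr geehrte Damen und Herren,\nIhre Rechnung liegt bei. Passwort: Rechnung2016\n")
    m.add_attachment(header + b"Rechnung.exe" + b"\x00" * 16, maintype="application", subtype="zip", filename="Rechnung.zip")
    return m.as_bytes()
```

Running `triage(build_sample())` yields a quarantine verdict naming `Rechnung.zip` and the extracted hint `Rechnung2016`; RAR 5 archives use a different header layout and are not covered by the walk above.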

In my opinion, it is about time to start the evaluation of next generation endpoint protection systems…

Have a good day!