Cyber criminals use password protected archives to conceal malware

15 March 2016

Worm:Win32/Gamarue.F is an old friend. Attached directly to an email, e.g. as ‘Ihre-Rechnung.exe’, the worm is now detected by 31 of 56 virus scanners. Even wrapped in a zip or rar archive, the malware is detected by most antivirus scanners. From an economic point of view, it is a waste of energy to start a new campaign with Win32/Gamarue.F today.

Yesterday morning, I got two emails with password-protected rar archives attached. Packaged this way, the attachment gets past the anti-malware scanner on the mail gateway: the scanner needs the password to open the archive, and the password is only stated in the email body, which the scanner does not read:

[Screenshot: the password for opening the rar attachment, stated in the email body]

For a gateway scanner, this is a delivery method it cannot break open on its own. The blunt countermeasure, blocking every encrypted archive, hits legitimate mail as well, so the number of false positives goes up dramatically, and users will push the mail proxy administrators to relax the policy. In the worst case, zero-day malware, against which signature-based scanning offers no protection at all, is delivered to the endpoint.
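What a mail gateway can still do with such a message, as an added example that is not from the original post: it builds a constructed lure whose body states the password of an attached ZipCrypto-encrypted zip, then, on the gateway side, detects that the attachment is encrypted, harvests password candidates from the body, tries them, and flags executable content inside. Everything in it is made up: the sender and recipient addresses, the file names, the password 1234, and the ZipCrypto encryptor, which exists only to build the sample because the standard library reads but does not write encrypted zips. The post's samples were rar archives; the approach is the same, but RAR needs an external unpacker such as unrar or 7z, so the script leaves a RAR attachment opaque and quarantines it.

```python
"""Gateway triage of a mail whose encrypted attachment has its password in the body.
Added example, not code from the original post; addresses, file names and the
password 1234 are constructed. The ZipCrypto encryptor only builds the sample."""
import email, email.policy, io, os, re, struct, zipfile, zlib
from email.message import EmailMessage

def _crc_step(crc, byte):  # one-byte CRC-32 table step, as used by the ZipCrypto key schedule
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(data, pwd, crc):
    """Traditional PKWARE encryption, the scheme zipfile.ZipFile knows how to decrypt."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        k[0] = _crc_step(k[0], c)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    def keystream():
        t = (k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    for p in pwd:
        update(p)
    out = bytearray()
    # 12-byte prefix: 11 filler bytes plus the CRC high byte, which readers use as password check
    for c in bytes(11) + bytes([(crc >> 24) & 0xFF]) + data:
        out.append(c ^ keystream())
        update(c)
    return bytes(out)

def build_zip(name, data, pwd=None):
    """Zip with one stored entry, ZipCrypto-encrypted when pwd (bytes) is given."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, pwd, crc) if pwd else data
    flags = 1 if pwd else 0  # general-purpose bit 0: entry is encrypted
    n = name.encode()
    local = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(body), len(data), len(n), 0) + n
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                          crc, len(body), len(data), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def build_sample_email(attachment, filename, body_password):
    """Constructed lure: invoice text, password stated in the body, archive attached."""
    msg = EmailMessage()
    msg['From'], msg['To'] = 'buchhaltung@example.invalid', 'empfaenger@example.invalid'
    msg['Subject'] = 'Ihre Rechnung'
    msg.set_content('Sehr geehrte Damen und Herren,\n\nIhre Rechnung finden Sie '
                    'im Anhang.\nPasswort: %s\n' % body_password)
    msg.add_attachment(attachment, maintype='application', subtype='zip', filename=filename)
    return msg.as_bytes()

# --- gateway side ---------------------------------------------------------------------
PASSWORD_RE = re.compile(r'\b(?:password|passwort|kennwort|pass|pw)\s*[:=]?\s*([^\s<>"\']{3,64})', re.I)
EXEC_EXT = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.wsf', '.hta', '.ps1', '.lnk'}

def harvest_passwords(text):
    """Password candidates stated in the body, in order of appearance, without duplicates."""
    return list(dict.fromkeys(m.group(1).rstrip('.,;:)') for m in PASSWORD_RE.finditer(text)))

def _open_with_candidates(zf, candidates):
    for pwd in candidates:
        try:
            for zi in zf.infolist():
                zf.read(zi, pwd=pwd.encode())  # full read: check byte and CRC must both pass
            return pwd
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None

def triage(raw_email):
    """Per attachment: allow, block (executable inside) or quarantine (could not look inside)."""
    msg = email.message_from_bytes(raw_email, policy=email.policy.default)
    body = msg.get_body(preferencelist=('plain', 'html'))
    candidates = harvest_passwords(body.get_content() if body else '')
    results = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b''
        r = {'name': part.get_filename() or '', 'encrypted': None, 'opened_with': None, 'members': None}
        if blob.startswith(b'PK\x03\x04'):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                r['encrypted'] = any(zi.flag_bits & 1 for zi in zf.infolist())
                if r['encrypted']:
                    r['opened_with'] = _open_with_candidates(zf, candidates)
                if not r['encrypted'] or r['opened_with']:
                    r['members'] = zf.namelist()
        # RAR (b'Rar!\x1a\x07') and unknown formats stay opaque here: hand to unrar/7z or hold back
        if r['members'] is None:
            r['verdict'] = 'quarantine'
        elif any(os.path.splitext(m)[1].lower() in EXEC_EXT for m in r['members']):
            r['verdict'] = 'block'
        else:
            r['verdict'] = 'allow'
        results.append(r)
    return results
```

With the constructed lure, the gateway opens the archive with the password from the body and blocks the message because an .exe is inside; if the body states a different password, the same message is quarantined instead of passed through. That is the policy point: an archive the gateway cannot look into should not reach the inbox, and the password the attacker has to show the victim is exactly what makes the lure inspectable.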

In my opinion, it is about time to start evaluating next-generation endpoint protection systems…

Have a good day!
