Gateway Anti-Virus

M470
12.4
Full Security Suite

Twice this week I have received emails with a .rar compressed file attached that contains Malware.
I don't know whether to be impressed by the perpetrators of this exploit to avoid not only my ISP's scanning engines, but my Watchguard SMTP Proxies, and Kaspersky Enterprise Security running on my desktop and Exchange Server, or be disappointed in the performance of these security measures. Yes, all software is up to date.
Ironically, AVG, the AV company Watchguard left detected the Malware.
Now I did not open the file to see if TDR would prevent anything because according to VirusTotal, Cyren (the TDR engine), did not recognize the exploit either.
To be fair, according to VirusTotal, only 14 of the 59 AV companies recognized this exploit.
Guess this goes to prove that one needs a multi-layered approach to security and protection, but the best and final layer is the end user who recognizes suspicious files and emails.

Email excerpt:

Good day,
Please find attached Purchase Order & request to send material on Urgent
Basis.
Awaiting your reply ASAP.

Thanks & Regards

PERICON VISION PRINTING LLC;

Snippet of VirusTotal scan:

AVG
Win32:Malware-gen
W32/Autoit.DZZ!tr
Ikarus
Trojan.Win32.Injector
Malwarebytes
Trojan.MalPack.FrSh
McAfee
Artemis!0A78402BA797
Microsoft
Trojan:Win32/Fuerboos.D!cl
BitDefender
Undetected
Cyren
Undetected

Just some information to keep us on our toes, and remember, be safe out there. :-)
Doug Tathwell

It's usually something simple.

Comments

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    Good morning Doug. TDR does not use the Cyren engine in any of it's functionality. TDRs Cloud signature list is a combination of various Threat Intelligence sources. Cyren powers our spamBlocker feature in the Firebox SMTP proxy. Would it be possible to post the MD5 of the offending File so we can test it internally? If not you can send it via Support Case. Hope to hear from you!

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • Good Morning to you Ricardo (since we are in the same time zone)
    First, I apologize for the misinformation regarding TDR and the Cyren engine. The only thing worse than no information, is the wrong information. Thank you for clarifying it.
    Here are the hashes from VirusTotal. Hope this works for you. If not I can upload the file in a support case.

    MD5 fbd85be0016d453bb2df4823c80d2711
    SHA-1 aa9f7fe8e8f7b4fff9e8f1f2e1053feae3879188
    SHA-256 ffdd7764a13cd516b7dd6de3fcfc41d2deb9626e2ea4bc781d412aa9ef99585d
    SSDEEP 12288:Ug2AWetJ2xxuO5OrRBz2EOiNxNMOfOBYPb4KrUlkhYqguAbYWktjDHBg75qC:v/458Bz2EOiDNCS8zShYq5c+a75h
    File type RAR
    Magic RAR archive data, v1d, os: Win32
    File size 706.47 KB (723424 bytes)

    Have a great day.

    • Doug

    It's usually something simple.

  • edited June 7

    I have one client left with an onsite Exchange server, and in the inbound SMTP proxy, I drop all compressed file formats except for .zip extension because they get a fair amount of legitimate email in ZIP files. I have never seen a legitimate RAR file sent in email in 20 years in this business...I guess all of my clients' vendors have been using ZIP files. I have this client's Exchange 2010 server set to drop EXE files and Trend Micro WFBS Advanced set to scan them, even in ZIP files. For Office 365 clients, I have executable files and many other file types set to reject, even inside of compressed files. Send a ZIP file with an EXE in it, and it gets dropped, regardless of whether or not the EXE is bad.

    I'll have to check again, but I think that Exchange and/or Trend Micro can strip an EXE from a ZIP, and not just AV scan it and hope it catches something. My clients have ZERO need to ever get an executable file via email, so dropping/stripping works for me.

    If you don't need executable files in email, look into stripping rather than scanning the files. I block all compressed other than ZIP format due to what I said above, and it has worked well for me.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5 Update 1 build 599856
    WSM 12.5 build 596863
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • RalphRalph WatchGuard Representative

    Hello Doug,

    This file has all the ingredients to be RAR-5 format which GAV cannot detonate at this time. If you still have the sample, you can confirm using a RAR archive analyzer or if you prefer, open a support case and we'll verify it for you. Please password protect the file before attaching.

    We're working with our dev team on a solution. For now, I'd block files with .rar, .r00 and similar file extensions via SMTP Proxy Filename rules in addition to what Gregg had suggested.

  • Sorry for the late reply gents, actually got a vacation. Over a week in the mountains with no cell reception. Being disconnected never felt so good.

    I'll adjust my SMTP Proxies to strip all compressed files other than .zip

    Thanks for the help.

    • Doug

    It's usually something simple.

  • Make sure that your server is set to strip executables inside of ZIP files, too. Add other file types to strip from ZIP files, such as .VB*, .JS, etc.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5 Update 1 build 599856
    WSM 12.5 build 596863
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

Sign In to comment.