There's an interesting new zip attachment obfuscation that uses an encoded EMPTY filename.
I've seen barely a trickle, but so far, all have had VERY low SA scores ("1.1" with generally unremarkable test hits). I'm still waiting for permission from the recipient to publish a complete sample. Here's an actual set of the zip's Content headers:

    Content-Type: APPLICATION/X-ZIP-COMPRESSED; name="=?iso-8859-5?B?NjI=?="
    Content-transfer-encoding: base64
    Content-Disposition: attachment; filename="=?iso-8859-5?B?NjI=?="

There's one HTML part, followed by the zip part.

Probably the best general defense is to decide that if the filename is encoded, it implies the sender committed to putting something there, and since it was empty, it's a reasonable trait to score medium to high on. At first, the unusual "Content-Type" seemed worth a modest score; however, I did find (business) Ham samples using that form. Currently, I've got a kill level score for anything with either "zip" or "compressed" in the CT, and which does NOT have ".zip" as the file extension. I do have a robust FP pipeline, so what makes me feel good may not work as well for everyone. :)

Does anyone know if any mainstream email client can open such a file? I don't use Outlook, so maybe someone who does could zip up something benign, email it to themself, grab the network image, hack the CT filename as above, re-inject it, then try opening it.

- "Chip"
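The two traits Chip describes (an RFC 2047 encoded-word filename that decodes to nothing, and a zip-ish Content-Type whose filename does not end in ".zip") as a small standalone checker. This is added example code, not anything from the post or from SpamAssassin; the rule names, the header samples and the decision to treat a malformed encoded-word as "encoded but empty" are my own constructed choices.

```python
import base64
import binascii
import quopri
import re

# RFC 2047 encoded-word =?charset?B|Q?text?=; an empty text is deliberately allowed
ENCODED_WORD = re.compile(r'=\?([^?]+)\?([bBqQ])\?([^?]*)\?=')
# name=/filename= parameter value (RFC 2231 filename*= continuations are not handled)
FILE_PARAM = re.compile(r';\s*(?:file)?name\s*=\s*"?([^";]*)"?', re.IGNORECASE)

def decode_encoded_word(value):
    """Return (text, was_encoded); a malformed encoded-word counts as encoded and empty."""
    m = ENCODED_WORD.fullmatch(value.strip())
    if not m:
        return value, False
    charset, enc, text = m.groups()
    try:
        if enc.lower() == 'b':
            raw = base64.b64decode(text)
        else:  # Q encoding: header=True maps '_' to a space
            raw = quopri.decodestring(text.encode('ascii'), header=True)
        return raw.decode(charset, errors='replace'), True
    except (binascii.Error, LookupError, UnicodeEncodeError):
        return '', True

def attachment_filename(content_type, content_disposition):
    """Prefer the Content-Disposition filename=, fall back to the Content-Type name=."""
    for header in (content_disposition, content_type):
        m = FILE_PARAM.search(header or '')
        if m:
            return m.group(1)
    return ''

def check_attachment(content_type, content_disposition):
    """Names of the two rules from the post that fire for one MIME part's headers."""
    hits = []
    raw_name = attachment_filename(content_type, content_disposition)
    decoded, encoded = decode_encoded_word(raw_name)
    if encoded and decoded.strip() == '':
        hits.append('ENCODED_EMPTY_FILENAME')  # sender committed to a name, then sent nothing
    ct = (content_type or '').lower()
    if ('zip' in ct or 'compressed' in ct) and not decoded.lower().endswith('.zip'):
        hits.append('ZIP_CT_NO_ZIP_EXT')
    return hits

if __name__ == '__main__':
    # Constructed headers in the shape the post quotes, with an empty B-encoded filename
    print(check_attachment('APPLICATION/X-ZIP-COMPRESSED; name="=?iso-8859-5?B??="',
                           'attachment; filename="=?iso-8859-5?B??="'))
```

A legitimately encoded name such as `=?utf-8?B?cmVwb3J0LnppcA==?=` ("report.zip") passes both checks, so the rules key on the empty decode and the extension mismatch rather than on encoding itself.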