ESA scanning for a file inside of a zip inside of another zip.

imarks005 · ‎02-09-2015

There is a new file-encrypting ransomware called CTB-Locker going around that places a malicious .cab file inside of a .zip file inside of another .zip file. Two questions:

1) How far will an ESA scan depth wise into zips inside of zips.

2) Is a .cab file considered an executable by ESA or something else? If it is considered an executable, would a block based off of this match (attachment-filetype == “Executable”) catch this type threat?

Reference to the CTB-Locker: https://www.f-secure.com/weblog/archives/00002788.html

Thanks

Ken Stieers · ‎02-09-2015

The AV engines on the ESA (Sophos and McAfee) do detect this, so yes the ESA will catch this. (the zip unwrapping is more a function of the AV engine than it is of the ESA itself).

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25696/en_US/McAfee_Labs_Threat_Advisory-CTB-Locker.pdf

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ransom-ALO.aspx

Mathew Huynh · ‎02-09-2015

As an additional safe-gap measure, i would also suggest (unless of course you're receiving a lot of emails with .cab attachments normally) to put in an extra filter to quarantine emails with .cab attachments as most of the attacks seen are coming as .cab formats at the moment.

In terms of how deep it'll look in.

for .zip .rar filetypes, it will look as deep as you've set it.

So if it's a viral file inside a zip (where the viral file is an executable) it will be unable to unpack up the zip and capture the executable at the content/filter levels.

However normally the AV engine itself (mcafee and sophos) should be able to sort it out for you assuming the viral definition is available already.