[Mimedefang] Missed executable attachments with empty Content-Type
Tomasz Ostrowski
tometzky at batory.org.pl
Tue Apr 28 08:34:59 EDT 2015
I've just received a trojan/exploit attachment with a CHM extension, which
should be filtered by MIMEdefang but wasn't.
This attachment was sent in a MIME part with a broken header:
Content-Type: ;
    name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    name="SecureMessage.chm"
Please notice the empty "Content-Type" in the above header. Because of the
empty content type my mail client (Thunderbird) displayed it as garbage, but
also defaulted to saving it as a file with the original name
"SecureMessage.chm". Opening it would compromise a system, as it isn't
recognized as a virus by most antivirus programs yet:
https://www.virustotal.com/en/file/467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670/analysis/
I've retested it, changing the extension to EXE, and it was also allowed.
I'm attaching the whole message (beware, contains virus) in a 7z archive
with the password "infected".
Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NatWest Secure Message.7z
Type: application/x-7z-compressed
Size: 5833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20150428/05a969ba/attachment-0002.bin>
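The filter gap described in the post, as an added example that is not part of the original message or of MIMEdefang: a Python scanner that recovers the attachment name from the raw Content-Disposition and Content-Type header strings, so an empty or garbage media type does not hide the `name=` parameter from an extension check. The sample message is constructed to reproduce the malformed part; the function names and the blocklist are assumptions.

```python
import email
import os
import re

# Constructed sample (not the poster's file) with the malformed part from the post;
# folded continuation lines are indented, as MIME folding requires on the wire.
RAW_MESSAGE = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see the attached secure message.
--b1
Content-Type: ;
 name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 name="SecureMessage.chm"

QUJDRA==
--b1--
"""

# .chm and .exe are the two extensions the post reports slipping through.
BLOCKED_EXTENSIONS = {".chm", ".exe"}
# Tolerant name=/filename= match over a raw header value, so a missing or
# garbage media type cannot hide the parameter from the filter.
_NAME_PARAM = re.compile(r'\b(?:file)?name\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.I)

def candidate_names(part):
    """Every filename hint in the raw Content-Disposition and Content-Type headers."""
    names = []
    for header in ("Content-Disposition", "Content-Type"):
        for raw in part.get_all(header, []):
            names.extend(q or b for q, b in _NAME_PARAM.findall(str(raw)))
    return list(dict.fromkeys(names))  # de-duplicate, keep order

def scan_attachments(raw_bytes):
    """One finding per leaf part that carries a filename hint, with blocked extensions."""
    findings = []
    for part in email.message_from_bytes(raw_bytes).walk():
        if part.is_multipart() or not (names := candidate_names(part)):
            continue
        blocked = sorted({os.path.splitext(n)[1].lower() for n in names} & BLOCKED_EXTENSIONS)
        findings.append({"declared_type": part.get_content_type(),  # 'text/plain' fallback
                         "names": names, "blocked_extensions": blocked})
    return findings
```

Note that the stdlib reports the malformed part's type as `text/plain`, which is why a filter keyed on the declared media type sees nothing suspicious; the name recovered from the raw headers is what should drive the decision.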