Executable files are the basic tool used to run software so all dangerous programs including viruses, Trojans, malware, spyware, adware and worms are spread through executable files of one type or another. These are either sent as attachments through email messages or downloaded by users who click on a malicious link contained in an email. Once the attachment is opened or the malware downloaded, the executable file is unleashed and carries out its mission.
Ransomware spammers want to make sure these dangerous files make it to your user's inbox and get opened. To encourage them to do so, they resort to compression, masquerading or both. Compressing executable files works nicely for spammers since many Anti-Spam solutions won't bother to analyze the contents of such attachments. Any zipped file will simply go through the filters right to the user’s inbox. Masquerading executable files helps spammers lower the guard of those users who are wary of opening attachments. They change the name of the extension so the recipient will think the file is harmless. It's very easy to rename an executable file .pdf, .txt, .eml, .gif, .jpg, or .png. Some spammers even resort to disguising executable files as folders. Often times, spammers will use a subject and body copy that will encourage the sender to open it.
Here are some examples we have seen:
Subject: Unpaid invoice - sent with a file renamed as a .pdf
Subject: Voice message - sent with a file renamed as a .wav
Subject: FWD: Daily Report - sent with a .zip file
Subject: UPS Delivery Notification - sent with a file renamed as a .txt
The vast majority of users may not be sufficiently aware of the potential danger of executable files and will easily be tricked into opening them, thereby exposing their organization to the above-listed risks. Find out how ZEROSPAM protects you from your own users.
Like a parcel at the airport, every attachment sent to ZEROSPAM customers by email goes through a strict security checkpoint to determine whether or not it is in fact an executable file.
Windows and Mac OS executables are the most common but we also recognize Linux and other executable files because we use a multi-factor analysis system. This system detects executable code hidden in any type of file.
None of the tricks commonly used by spammers to avoid detection can interfere with our analysis. If the file is compressed, we open it to analyze the contents. If several archives are enclosed in a single zipped file like a Russian doll, we dig down past several levels, opening archive after archive to get to the real content. Once found, we look at the declared MIME type, file extension and use a special tool kit of heuristics to determine the true nature of the archive's contents.
By default, all types of executable files are recognized as such and automatically quarantined, preventing them from causing harm unless they are released from the quarantine by an administrator or by the recipient.
ZEROSPAM scans every link contained in every email. Each link is analysed in multiple ways to make sure it’s safe. This includes:
- Scanning by our two antivirus engines
- Analysis using Sane Security signatures on Zero-Day and Zero-Hour malware
- Analysis against real-time data from Google SafeBrowsing on dangerous websites (malware sites, attack sites and phishing sites)
- Analysis against real-time data from Phishtank on active phishing campaigns
- Compared to a wide set of highly reliable URIBLs (URL blacklists) .
When a dangerous link is detected, the email is automatically quarantined and marked with a red warning symbol in the quarantine interface (P for a possible phishing attempt)
Cybercriminals also use infected macros in Microsoft Office documents to propagate ransomware since these are excellent ways to hide executable code. They often opt to use older versions of Microsoft Office files since as of 2007, Microsoft created seperate extensions (docxm, pptm, xlsm) to clearly indicate the presence of macros in a file.
ZEROSPAM enables full blocking of all Pre-2007 Microsoft Office file containing macros by default. Messages containing these files are automatically quarantined and marked with a with a red warning symbol in the quarantine interface (B for a possible phishing attempt).
For added protection, ZEROSPAM also integrates with Sanesecurity's signature database on active Zero-Day and Zero-Hour campaigns using infected macros. These signatures are updated every hour and integrated in our filtering architecture in real time.
ZEROSPAM further protects you by drastically reducing the chances your own users will release dangerous messages. Find out more about how ZEROSPAM protects you from your own users. Plus, ZEROSPAM’s agile rule master team and vast feedback loop ensures that Zero-Day campaigns are quickly blocked, often beating virus signature updates by 24 to 48 hours. Find out more about ZEROSPAM’s feedback loop.
Ransomware, spear phishing or spam ? Send us a sample for analysis.
" I just love not having to take care of spam. That's the way I want it. "- N. Bouvrette Hector