Out of amusement I decided to take one of those strange email spams telling me about an order that I never made (“Order no. 7160668120”), and see if the attachment was detected as a virus.
To make things interesting, the attachment was in the form of an unusual archive format – perhaps to make it harder for gateway security products to scan. Installing the arj tool allowed me to unpack it … and surprisingly enough some order data is actually an executable!
It turns out that our standard anti-virus detection doesn’t detect it. To dig further, I uploaded it to Virus Total which ran 55 anti-virus tools against the file and it was detected as a virus just three times. And each time it was detected, it was given a different name :-
- Win32.Katusha
- Win32/Kryptik.CKEY
- Malware.QVM20.Gen
Now these could all be different names for the same thing … or not. And it could be that with such a low detection rate, it is not really a virus. 24-hours later and the detection rate has gone up to 12 out of 39. But it has been delivered to my system (or at least mailbox) in a very suspicious manner.
So let us take a closer look; as it happens Virus Total has a behavioural analysis tab which shows what the uploaded file appears to do when run in a specially configured environment. The details of this are long and tedious, but in brief the code appears to indulge in some “unusual” activity which is almost certainly behaviour only exhibited by malicious code.
So it is a virus … or at least some form of malware.
The moral of the story is that you cannot rely on anti-virus products for protection; ultimately you have to use an anti-virus product alongside other means of determining whether an attachment is a virus or not.
And there were plenty of indications that this email was more than a bit suspicious :-
- It was from a sender I’d never corresponded with.
- It was from a sender whose company I’d never corresponded with.
- It mentioned an order invoice and I’ve not ordered anything recently.
- The attachment was an archive format that very few people have heard of (“ARJ”).
- The attachment when manually unpacked proved to be an executable.
Plenty of reasons there not to blindly click on the attachment – even if at the time the anti-virus protection wasn’t saying it was nasty.