Monday, 25 April 2016

Slightly unusual malware

From: Peyton <>
Subject: Non-Disclosure - Personal Details

Respected Madam,

As requested we attach our company the document with the personal info
alongside with the list of the transaction for the last six months. If you
require any additional assistance, do not hesitate to write us.

Find the document attached to this email.


So, there was no attachment. I'm supposed to go to the URL, and get the malware for myself (although I suspect that some mail clients might display this as an attachment). So, naturally, I did, and downloaded the rar file. I unrared it, which gave me a file I looked at it, and the first two characters are MZ (the initials of Mark Zbykowski, who designed the Dos exe format, not a lot of people know that), which means it's an exe file. So, clearly malware.

Of the 56 products that it was shown to, only one flagged it, as a trojan downloader. So that's what I'd call a 98% failure rate, a far cry from the 99% success rate that products tend to claim.

Something interesting at the end of the file:

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

That's a chunk of xml, telling the application to run at the same security level as the user. I don't know why that's there; maybe it's an unflushed buffer.


  1. The XML is a UAC manifest, it tells Windows (Vista and above) what user privilege level the program would like to run as. AsInvoker means it will run in the same security context as the process that spawned it, RequireAdministrator means it would like Admin rights, so Windows would show the UserAccountControl prompt (as long as UAC is not disabled).

  2. This comment has been removed by the author.