Thursday 19 January 2017

How to fool 50 antiviruses

Subject: Fwd(98):the payment confirmation from In Hendrerit Inc.


Please see the payment confirmation attached.

You also need Word doc Password: 22lZ34

Winter I. Vazquez
In Hendrerit Inc.

Enclosed was an encrypted Word doc file. I showed it to VirusTotal, and 50 out of 50 products passed it as clean.

Because it's encrypted.

Inside the encryption could be anything. It could even be non-malware - fat chance. And because the password is given in the email, a foolish user might click on the attachment, give the password, and then what happens is whatever the criminal wanted. Ransomware is currently fashionable.

So how to deal with this?

I don't see how any scanner could handle this technique. The only answer is to A) use a word document reader that cannot run macros, or B) block all attachments.

My preferred method would be C), which is to block all attachments unless they can be "sanitised". In the case of a word doc, it would have all macros removed before giving access to the user. And in this particular case of an encrypted file, just strip off the attachment.
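The sanitiser sketched here is an added example (my code, not the author's) of option C: anything that cannot be inspected is stripped, including the password-protected OOXML wrapper, and a macro-enabled .docm has its VBA project removed and is relabelled as a plain .docx. The minimal .docm it builds is constructed for the demonstration, and the encryption check is a heuristic on the OLE wrapper rather than a full parser.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Password-protected OOXML is an OLE wrapper holding an "EncryptedPackage" stream; OLE
# stores entry names as UTF-16LE. Heuristic only, not a full OLE parser.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
MACRO_PARTS = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml)$")
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def classify(data: bytes) -> str:   # 'encrypted', 'macro', 'clean' or 'unknown'
    if data.startswith(OLE_MAGIC):
        # a legacy binary .doc shares this magic; without parsing its FIB it stays 'unknown'
        return "encrypted" if ENCRYPTED_PACKAGE in data else "unknown"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return "macro" if any(MACRO_PARTS.search(n) for n in zf.namelist()) else "clean"

def sanitise(data: bytes):
    """Return bytes safe to deliver, or None when the attachment must be stripped."""
    verdict = classify(data)
    if verdict != "macro":
        return data if verdict == "clean" else None   # unscannable: strip it outright
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if MACRO_PARTS.search(name):
                continue                # drop the VBA project and its cached data
            body = src.read(name)
            if name == "[Content_Types].xml":
                # relabel the main part as plain .docx and drop the vbaProject override
                body = re.sub(rb"<Override\b[^>]*vbaProject\.bin[^>]*/>", b"",
                              body.replace(MACRO_MAIN, PLAIN_MAIN))
            elif name.endswith(".rels"):
                body = re.sub(rb"<Relationship\b[^>]*vbaProject\.bin[^>]*/>", b"", body)
            dst.writestr(name, body)
    return out.getvalue()

def build_sample_docm() -> bytes:   # constructed minimal .docm, enough to exercise sanitise()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN
                    + b'"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        zf.writestr("word/_rels/document.xml.rels", b'<Relationships><Relationship Id="rId1" Target="vbaProject.bin" '
                    b'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/></Relationships>')
        zf.writestr("word/vbaProject.bin", b"placeholder bytes, not a real VBA project")
    return buf.getvalue()
```

A real deployment would sit in the mail gateway and also handle legacy binary .doc files, which this heuristic cannot tell apart from an encrypted one.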
