Comments on Ghetto Forensics: "Is Google Scanning Malware Email Attachments Between Researchers" (post by Brian Baskin; comment feed last updated 2023-11-23; 25 of 27 comments shown, newest first)

Anonymous, 2016-11-02 01:44:
You can get the list of files in a zip file which has a password. So I guess Google won't crack your zip file; it just tries to list the file names in the zip file and checks if there are any "executable" files (.exe, .jar, etc.) in it. So you can rename the file. For instance, you can rename a.exe to a.old, and zip it with a password. This zip file is acceptable for Gmail.

Sarah, 2016-07-12 04:46:
Here's the bad news: when you set up your Internet email sign-in, you were asked to set up secret questions, password hints, an alternative email address to use, and other information. What were these for? http://public.fotki.com/gmailsuport/ways-to-consult-wit/ways-to-consult.html

Aggregate Obscurity, 2014-03-23 15:40:
Also confirmed on my end. I recently worked a support case where a ".jar" file needed to be emailed to a Google Apps user. The ".jar" file wasn't malicious, but Google blocked it anyway. Only password-protecting the zip enabled it to make it through, and we only knew that after reading your post, so thanks for the help!

Makes me curious, though. I'm sure Google is scanning for signature-based recognition, but are they also using heuristics or extension-based scanning? Those are the only two other methods I'm aware of that would've flagged this support file as malicious.

unixfreaxjp, 2014-02-22 20:54:
(Thanks to Brian for bringing this up, and I really appreciate what Alex said, that Google Antivirus Infrastructure is working on disabling the "infected" password checking feature.)

All that Vess said is true. But in practice we really need to receive malware samples from victims / end users (read: non-researchers) by (mostly) email, and zipping the sample with "that password" is already an "ad hoc" scheme; if possible we'd better stick to it, considering that any new scheme is difficult to implement 'that wide' or 'that fast'.
My team and I really look forward to seeing how Google Mail will fix this matter.

Anonymous, 2014-02-22 20:15:
Wow, such all-encompassing intrusion and monitoring.

So, WTF, can't Google and 99.99% of the AV vendors find Sefnit-related malware on a system when scanned?!!

Tisiphone, 2014-02-20 16:07:
This is certainly ideal, but keep in mind that many employers use Google Mail as their primary email infrastructure, and may or may not provide or sanction encryption solutions for mail or files. Also, few security teams have the luxury of working with 'professional malware researchers' indefinitely. If I have to get an end user to send me a sample of something on a hard drive I can't access remotely, a password-protected zip may unfortunately be the only option at his or her disposal and technical capability.

Tisiphone, 2014-02-20 16:02:
Super interesting! Thank you very much for the update, Alex.

Vess, 2014-02-20 05:36:
Self-respecting anti-virus researchers do NOT send malware by e-mail in ZIP archives. Not even password-protected ZIP archives. Not only is the encryption used by ZIP archives insecure and easily broken; one does not even need to break it in order to detect that the archive contains some kinds of malware.

A ZIP archive (as well as most other kinds of archives) contains, among other things, the CRC-32 of each uncompressed (and unencrypted) file. If the file contains static malware (i.e., not a program infected by a parasitic virus or a self-modifying Trojan horse), its CRC will be the same, no matter what password is used to encrypt it. An external program can detect it in the archive without even having to bother with the encryption.

In addition, as far as I know, McAfee's scanner automatically tries the password "infected" when scanning password-protected ZIP archives; probably other scanners can do it too. The reason for this is not anything nefarious: it is because the developers of the scanner use their own product as a tool when examining incoming virus samples, and these are often contained in ZIP archives protected with the password "infected". There are simply way too many people who are ignorant about cryptography and don't take sufficient precautions when sending malware by e-mail, alas.

That's why professional anti-virus researchers always use PGP when sending malware to others. It is way more secure and responsible. It also ensures that only the intended recipient can decrypt the sample, not just about anyone who knows (or can guess) the password. Sure, this method is not suitable for samples that are made publicly available (e.g., on a web or ftp site), but responsible anti-virus researchers don't do that.

Brian Baskin, 2014-02-19 13:42:
Alex, thank you for your attention and response. I will update the post to reflect this information.

If I, or others, have any issues like this in the future, is there a 'best way' to contact Google to report it?

Anonymous (Alex Petit-Bianco), 2014-02-19 13:26:
Hey - to protect our users from downloading malicious files, we use a combination of third party antivirus software and internal virus scanning solutions to detect whether or not attachments or other downloadable files may be harmful. Your post alerted us to the fact that one of our third party software components was checking for encryption using 'infected.' as a password.

As a result, it decrypted a limited set of zipped payloads in attempts to search for malware. We're currently working on disabling that feature and appreciate you bringing it to our attention.

- Alex Petit-Bianco, Google Antivirus Infrastructure.

Anonymous, 2014-02-19 11:10:
@Jamie. Be careful with encrypting with OpenSSL: a slight change in the version of OpenSSL being used between sender and receiver, and you won't be able to decrypt it. GPG encryption would be better.

argv (Heather Adkins), 2014-02-18 23:38:
Please note: these are my personal comments, not the comments of my employer.

I've played with this quite a bit because it drives me bonkers when Gmail blocks me trying to share samples with people. One thing to keep in mind is that depending on the utility, and how you're creating the archive, a password-protected ZIP may still have a readable table of contents (file listing).

To recreate this, on my Mac using the standard zip util:

    # Make archive, password infected
    argv-macbookair2:~ argv$ zip -e protected.zip suspicious.exe
    Enter password:
    ...

    # Use hex editor to see that the filename is visible
    argv-macbookair2:~ argv$ xxd protected.zip | grep -i suspicious
    00000a0: 0073 7573 7069 6369 6f75 732e 6578 6555  .suspicious.exeU

My theory is that Gmail looks at the archive's table of contents. Gmail will by default reject any attempt to attach a .exe directly, and so I suspect it also rejects a ZIP archive with an .exe inside it as long as it can tell it has one. Would be interesting to see what happened if you could get an archive without that listing in it, and whether Gmail would pass/deny it. My testing showed it would go through.

Another interesting test, also pointed out by others here, is that A/V scanners are pretty dumb about signaturing, and ZIP's compression algorithms are highly predictable. Here's an "encrypted" archive of eicar.com:

https://www.virustotal.com/en/file/3365fbb7a0c847f38fcbd4cc1f4a5126e63e2992c1cfaeeb9d07c230807291e4/analysis/1379967790/

That is, the ZIP compression is predictable enough to write an A/V signature based on the expected compressed representation of eicar.com. So depending on what sample you're transferring around, it's possible some malware researcher wrote a signature not only for a section of code in the malware, but also for what that section might look like when archived in a zip file.

--Heather Adkins (Googler writing in her free time)

Anonymous, 2014-02-18 19:20:
Upload your encrypted ZIPs to virustotal.com. You'll be surprised. I don't think this is a Google trick.

The only obvious conclusion is to stop pretending ZIP is secure.

the JoshMeister (http://security.thejoshmeister.com), 2014-02-18 17:28:
My theory is that a back-end antivirus that Google's using may have signatures for certain specific .zip files that have the password "infected". In other words, the hash of that exact encrypted .zip file got added to a malware signature database at some point, probably by mistake.

Antivirus software shouldn't flag .zip files with the password "infected" as infected, but I *have* seen it happen before, which makes me wonder if that's part of what's going on here.

(Google's further step of blocking any attachment with the same file name within 5 minutes is obviously something Google is doing to try to foil automated or weak attempts to send someone malware on purpose. If my theory is correct, then Google doesn't actually know you're using the password "infected"; all it knows is that their back-end AV identifies the file as malicious.)

You could easily test this theory by uploading the same encrypted .zip files that Gmail flags as malicious to VirusTotal, and see whether it gets any hits. I wouldn't be surprised if it does. You might even be able to figure out which antivirus Google is using.

I'm also curious whether you'd see the same results with the same files when trying to e-mail them from the same Gmail account over SMTP. It's clear from your screenshot that you were testing this with the Gmail site, not an e-mail application.

Anonymous, 2014-02-18 15:12:
Trying to replicate the issue on my side with a standard VirusShare zipped sample download, which uses the 'infected' password, but the filename is simply a hash of the file with no extension, and I also made a point of not having the password appear anywhere in the email. Sent to my Gmail account, and the sample has been sitting there waiting for me to download it for the last 23 minutes.

Will continue to monitor things on my side and see if I can determine if/when it is detected.

Anonymous, 2014-02-18 12:09:
I imagine Google is just scanning the body of the e-mail and isolating keywords to unzip the file for scanning. It's still ominous even if this is something that is being beta tested on the power users of malware (researchers), but as far as the technique used, I think that's the best explanation, as many researchers will zip and include the password in the body. For example, try the Contagio convention for testing.

Anonymous, 2014-02-18 08:02:
Try the same thing with RAR + encrypt file list. (It's not just a Google thing; lots of AV can detect malware in a password-protected ZIP.)

Brian Baskin, 2014-02-18 06:43:
Bernardo,

Thank you for your time and attention to this posting. I've updated the post to clarify that VirusTotal is not being used by Google to scan emails. This will help resolve some speculation on the issue.

Bernardo Quintero, 2014-02-18 03:45:
Hi Brian,

This is Bernardo Quintero, VirusTotal's manager. Google is not using VT for scanning all emails for malware; we have nothing to do with what you mentioned. Could you update your post to clarify it? And let me know if you need more info about VirusTotal (I have no idea how Gmail scans for malware, but it's not related to VT).

Thanks,
Bernardo

Kyhwana, 2014-02-17 15:21:
Why not PGP encrypt it to the other person using their public key?

Dave Lassalle, 2014-02-17 10:26:
So if Google is passing it to VT, and you send a sample through Gmail that VT has no record of, I wonder if you can later search VT for it and have it show up?

Brian Baskin, 2014-02-16 22:45:
Thanks, Steve. The word 'infected' didn't exist anywhere within the email or subject at the time. I had attached files before even typing a recipient, subject, or message.

The samples I sent were all on VirusTotal, and each had positive AV hits. I additionally took one sample and overwrote a handful of code caves in differing sections, making sure it would not be a hash match to anything on VT (in whole or per executable section). With a password of 'infected', Gmail still flagged on it.

Anonymous, 2014-02-16 21:57:
Brian, interesting find. Thanks for doing such thorough research and sharing your findings. I hope we learn more about Google's rationale. Did you include the word "infected" anywhere else in the initial email you sent which was flagged? If you scan that unencrypted sample via VirusTotal, do any of the engines detect it as malicious?

Brian Baskin, 2014-02-16 15:12:
Currently they're only targeting standard ZIP. Maybe just to get the low-hanging fruit, or to send a message. Multiple ways around this; encryption would be one. Using a 7z archive, or any other password, would be others.

UUDDLRLABA_, 2014-02-16 15:00:
Yep, I've been experiencing this for a while when sending malware and research to friends. It's amazing that Google has the audacity to actually try to crack password-protected archives and see what's inside. The fact that "infected" is on the password list seems to me an indicator that people like us are part of the target that they're trying to intercept. Not like the bad guys sending spear phishing are going to use 'infected' as their password of choice. Only us researchers do that....
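Added example, written for this page and not code from the post or from any of the commenters, that makes two of the points in the thread concrete: Vess's observation that a ZIP stores the CRC-32 of the plaintext in the clear, so a static sample is recognisable without touching the encryption, and Heather Adkins's observation that the file listing stays readable. It builds one entry encrypted with PKWARE's traditional "ZipCrypto" scheme by hand (Python's zipfile module reads encrypted entries but cannot write them), walks the central directory with no password to recover the name, CRC-32 and encryption flag, flags the archive against a hypothetical CRC "signature" set and extension policy, and finally runs the "try the password infected" check Vess describes using the stdlib decrypter, which rejects a wrong guess via the 12-byte check header. SAMPLE_DATA, KNOWN_BAD_CRCS and BLOCKED_EXTENSIONS are constructed for the example; the "sample" is not malware.

```python
import io
import os
import struct
import zipfile
import zlib

# Constructed stand-in for a sample (not malware); the CRC "signature" set and the
# extension policy are hypothetical and derived from it so the run is self-contained.
SAMPLE_NAME = "suspicious.exe"
SAMPLE_DATA = b"MZ\x90\x00" + b"constructed stand-in for a malware sample " * 4
SAMPLE_CRC = zlib.crc32(SAMPLE_DATA) & 0xFFFFFFFF
KNOWN_BAD_CRCS = {SAMPLE_CRC}
BLOCKED_EXTENSIONS = (".exe", ".jar")


def _zipcrypto(password):
    """PKWARE traditional ("ZipCrypto") key schedule: returns (keys, update)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(byte, value):
        return (value >> 8) ^ table[(value ^ byte) & 0xFF]

    def update(byte):
        keys[0] = crc_step(byte, keys[0])
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[1] >> 24, keys[2])

    for b in password:
        update(b)
    return keys, update


def zipcrypto_encrypt(plain, password, crc32):
    """Encrypt a 12-byte check header (last byte = CRC high byte) followed by the data."""
    keys, update = _zipcrypto(password)
    out = bytearray()
    for p in os.urandom(11) + bytes([(crc32 >> 24) & 0xFF]) + plain:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def build_encrypted_zip(name, data, password):
    """One stored (method 0) entry with flag bit 0 (encrypted) set, written by hand."""
    crc32 = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, crc32)
    fname = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc32, len(body), len(data), len(fname), 0) + fname
    # Central directory: the name, plaintext CRC-32 and sizes are stored in the clear.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc32, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def list_without_password(blob):
    """Walk the central directory; no password and no decryption involved."""
    eocd = blob.rfind(b"PK\x05\x06")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", blob, eocd)
    entries, pos = [], cd_off
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        name = blob[pos + 46:pos + 46 + f[10]].decode()
        entries.append({"name": name, "crc32": f[7], "encrypted": bool(f[3] & 1)})
        pos += 46 + f[10] + f[11] + f[12]   # header + name + extra + comment
    return entries


def flag_archive(blob):
    """What a mail gateway can flag with no key: a known CRC-32 or a blocked extension."""
    return [e["name"] for e in list_without_password(blob)
            if e["crc32"] in KNOWN_BAD_CRCS
            or e["name"].lower().endswith(BLOCKED_EXTENSIONS)]


def decrypt_entry(blob, name, password):
    """Stdlib decryption; a wrong password fails the header check with RuntimeError."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


def try_passwords(blob, name, candidates):
    """The "try 'infected'" trick: each wrong guess is rejected by the check byte."""
    for pw in candidates:
        try:
            decrypt_entry(blob, name, pw)
            return pw
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None


if __name__ == "__main__":
    blob = build_encrypted_zip(SAMPLE_NAME, SAMPLE_DATA, b"infected")
    print(list_without_password(blob), flag_archive(blob))
    print(try_passwords(blob, SAMPLE_NAME, [b"password", b"infected"]))
```

Renaming the entry, as the 2016 comment suggests, defeats the extension rule but not the CRC match; only changing the bytes of the sample, or using a container that does not expose the directory (an archiver's encrypted file list, or PGP to the recipient's key as Vess and Kyhwana recommend), hides that field from an intermediary.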