This is the second part of the How We Stop Email Malware article.
PDF files have been around since 1993, and their successful use in delivering malware dates back as far as 2001. Now used to deliver invoices, tax payments and pretty much every other kind of document, the PDF is one of the most appealing document formats for cyber-criminals.
PDF files are used at large in spam and phishing emails, mostly to carry malicious scripts that exploit critical vulnerabilities in PDF reader applications, memory-corruption bugs such as buffer overflows in particular. Another way to infect victims is to embed an executable inside the PDF and craft the text of the prompt the reader displays when it is launched, so that social engineering persuades the victim to open and run the executable.
This makes embedded scripts attractive to attackers, especially when the script exploits a disclosed but still unpatched vulnerability or a zero-day flaw. An early example is the Peachy worm of 2001, which used a script embedded in a PDF and other dynamic document features to deploy its payload and steal credentials. What has changed over the years is the payload and the vulnerabilities it exploits; the method of embedding a script in a PDF remains almost the same.
The modus operandi is similar to that of malicious macros. The criminal embeds a script in the PDF that runs automatically when the user opens the file (in PDF terms, an OpenAction or additional-action entry that triggers a JavaScript or Launch action), either dropping a payload already attached to the document or covertly downloading it in the background.
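The trigger-plus-script structure described above can be spotted with a keyword triage of the raw file. The following is an added example, not SpamExperts code and not a description of their filters; it mirrors the approach of public tools such as pdfid, and the two sample PDFs, the function names and the two name lists are my own constructions for this illustration:

```python
"""Triage a PDF for the auto-run and script features malicious PDFs rely on.

Added example, not SpamExperts code. It follows the keyword-count approach
of tools such as pdfid: tokenise PDF name objects, undo #xx name escapes
(attackers write /J#61vaScript to hide /JavaScript from a naive grep) and
flag a file that combines an automatic trigger with a script, launch or
attachment. The sample PDFs below are constructed for this example.
"""
import re
from collections import Counter

TRIGGER_NAMES = {"/OpenAction", "/AA"}          # run on open / on page or field events
PAYLOAD_NAMES = {"/JavaScript", "/JS",          # script action and script body
                 "/Launch",                     # run an external or embedded program
                 "/EmbeddedFile",               # file attachment stream
                 "/RichMedia"}                  # Flash content, historically exploited

_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")   # a PDF name object
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")     # #xx hex escape inside a name


def normalize_name(raw):
    """Resolve #xx escapes so an obfuscated name compares equal to its plain form."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_risky_names(data):
    """Count trigger and payload names in the raw PDF bytes."""
    counts = Counter()
    for match in _NAME_TOKEN.finditer(data):
        name = normalize_name(match.group(0))
        if name in TRIGGER_NAMES or name in PAYLOAD_NAMES:
            counts[name] += 1
    return counts


def is_suspicious(data):
    """A trigger plus a payload name is the shape of 'runs when opened'."""
    counts = count_risky_names(data)
    has_trigger = any(counts[n] for n in TRIGGER_NAMES)
    has_payload = any(counts[n] for n in PAYLOAD_NAMES)
    return has_trigger and has_payload


# Constructed sample: OpenAction pointing at an obfuscated JavaScript action.
SAMPLE_MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('payload would run here')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page document with static text only.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Invoice no. 1042) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Two caveats a practitioner should keep in mind: objects hidden inside compressed object streams (a /FlateDecode stream holding an /ObjStm) are invisible to a raw-byte scan, so a production scanner inflates streams before counting; and a /JS name on its own is not proof of malice, since many legitimate forms carry JavaScript, which is why the check above insists on the trigger as well.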
Archived Files – ZIP, RAR, TAR, GZIP
To evade security solutions, malicious actors archive their malicious executables so that a scanner sees a compressed container rather than the program inside. Obfuscation in general means making binary code or textual data unreadable, or at least harder to understand. To add another layer, scammers and phishers use password-protected archives, which a scanner cannot open at all. The password is either printed in the body of the email or handed out after the user clicks a link that leads to a phishing website.
How does SpamExperts stop all these?
As stated in the beginning, we bundle more filters and techniques than any traditional email security solution. For all of the above examples, and for executable files, we have proprietary signatures and also bundle third-party antivirus scanners. Our scanning technologies block attachments based on filename, extension and embedded scripts. We also scan URLs in the email body, since cyber-criminals may link to the malicious payload rather than attach it.
Archived executable files, regardless of format (zip, rar, tar, gzip, etc.), can be blocked automatically, and our technologies scan multiple layers deep: we can scan an archive within an archive within an archive, for example. We also run heuristic checks on top of signatures.
Most importantly, we detect spam and phishing emails proactively. Our edge is that we block a message not only based on its attachment, but also based on the other anti-spam filters that check its sender, IP address and so on.
This means we block the spam/phishing message itself immediately, which lets us protect customers proactively where other security solutions cannot. Our many filters actively secure email for billions of email addresses, backed by our proprietary intelligence database.
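Scanning "an archive within an archive within an archive", blocking the executable found at the bottom and recognising a password-protected entry (the points of the archive section above and of this paragraph), as an added example that is not SpamExperts code and says nothing about how their scanning technology works. It uses only the Python standard library; the function names, extension lists, depth and size limits and the constructed sample archives are my own choices:

```python
"""Layered attachment scan: walk ZIP and tar/gzip archives recursively.

Added example, not SpamExperts code. Reports members with executable
extensions, flags password-protected ZIP entries (their content is opaque,
so the entry itself is the signal) and stops at a nesting depth and member
size limit so a crafted archive cannot exhaust the scanner. All sample data
is constructed below; FAKE_EXE is a bare "MZ" header, not a real program.
"""
import io
import tarfile
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi", ".ps1", ".hta"}
ARCHIVE_EXTENSIONS = {".zip", ".tar", ".tgz", ".tar.gz"}
MAX_DEPTH = 5                        # archive-within-archive levels we open
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # never inflate a member larger than this
FAKE_EXE = b"MZ" + b"\x00" * 62      # constructed stand-in for an executable


def _ext(name):
    lower = name.lower()
    if lower.endswith(".tar.gz"):
        return ".tar.gz"
    dot = lower.rfind(".")
    return lower[dot:] if dot >= 0 else ""


def scan_archive(data, name, depth=0, path=()):
    """Return [(reason, path_tuple), ...] findings for one archive blob."""
    here = path + (name,)
    if depth > MAX_DEPTH:
        return [("too_deep", here)]
    if _ext(name) == ".zip":
        return _scan_zip(data, depth, here)
    return _scan_tar(data, depth, here)


def _scan_member(member, read_bytes, size, depth, here):
    """Classify one member; recurse into it when it is itself an archive."""
    ext = _ext(member)
    if ext in EXECUTABLE_EXTENSIONS:
        return [("executable", here + (member,))]
    if ext not in ARCHIVE_EXTENSIONS:
        return []
    if size > MAX_MEMBER_BYTES:
        return [("oversized", here + (member,))]
    return scan_archive(read_bytes(), member, depth + 1, here)


def _scan_zip(data, depth, here):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unreadable", here)]
    findings = []
    with zf:
        for zi in zf.infolist():
            if zi.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(("password_protected", here + (zi.filename,)))
            elif not zi.is_dir():
                findings += _scan_member(zi.filename, lambda zi=zi: zf.read(zi),
                                         zi.file_size, depth, here)
    return findings


def _scan_tar(data, depth, here):
    try:  # "r:*" autodetects plain, gzip, bzip2 and xz tarballs
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return [("unreadable", here)]
    findings = []
    with tf:
        for ti in tf.getmembers():
            if ti.isfile():
                findings += _scan_member(ti.name, lambda ti=ti: tf.extractfile(ti).read(),
                                         ti.size, depth, here)
    return findings


def should_block(findings):
    """Archived executables and password-protected entries are blocked outright;
    blocking unscannable (too deep, oversized, unreadable) archives as well
    is this example's own policy, and the reason is kept only for logging."""
    return bool(findings)


def build_sample_attachment():
    """Constructed sample: ZIP -> docs.tar.gz -> invoice.pdf.exe, plus a member
    marked encrypted. zipfile cannot write real encryption, so the flag bit is
    set by hand before the central directory is written."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as tf:
        ti = tarfile.TarInfo("invoice.pdf.exe")
        ti.size = len(FAKE_EXE)
        tf.addfile(ti, io.BytesIO(FAKE_EXE))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.tar.gz", inner.getvalue())
        zf.writestr("readme.txt", b"Please see the attached invoice.")
        locked = zipfile.ZipInfo("payment.zip")
        zf.writestr(locked, b"opaque")
        locked.flag_bits |= 0x1
    return outer.getvalue()


def build_nested_zip(levels):
    """Constructed sample: `levels` ZIPs nested in each other, an .exe at the bottom."""
    blob, name = FAKE_EXE, "payload.exe"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{i}.zip"
    return blob
```

Running scan_archive(build_sample_attachment(), "attachment.zip") yields one "executable" finding with the full path attachment.zip/docs.tar.gz/invoice.pdf.exe and one "password_protected" finding for payment.zip, while build_nested_zip(7) stops with "too_deep" before the bottom is reached. RAR is deliberately absent: the standard library cannot read it, and a real scanner needs an external unrar-based library for that format. Note also that the encrypted flag is read from the ZIP central directory; a genuinely password-protected archive (including WinZip AES, which additionally uses compression method 99) sets the same bit.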
If you’ve found this article helpful, drop us a line in the comment section or spread the word on social media! Until next week, stay free of spam, phishing, viruses and malware!