> Date: Thu, 17 Jan 2013 21:11:11 -0700
> Subject: [OT} ZIPs (was: Re: [Vol-users] IAT hook question)
> From: phatbuckett@gmail.com
> To: dragonforen@hotmail.com
> CC: vol-users@volatilityfoundation.org; michael.hale@gmail.com
>
> On Thu, Jan 17, 2013 at 1:49 PM, Mike Lambert <dragonforen@hotmail.com> wrote:
> > MHL,
> >
> > I've tried sending twice, 2nd time passworded. Rejected both times. I've not
> > seen anything on the Vol-list either. May be a size problem.
> >
> > ----
> > Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
> > Received-From-MTA: dns;SNT118-W46
> > Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
> > Final-Recipient: rfc822;michael.hale@gmail.com
> > Action: failed
> > Status: 5.5.0
> > Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on
> > your message. Please
> > 552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
> > 552 5.7.0 review our attachment guidelines. m1si2744262obl.114
>
> Gmail does pretty deep inspection of attachments, in this case
> noticing a .exe file in the header of the ZIP archive:
>
> $ zipinfo Rocra_svchost-exe_464_exe-dump.zip
> Archive: Rocra_svchost-exe_464_exe-dump.zip 29582 bytes 2 files
> -rwxa-- 2.0 fat 60928 Bl defN 16-Jan-13 14:44 svchost_executable.464.exe
> -rw-a-- 2.0 fat 10543 Tl defN 16-Jan-13 14:46
> 130115b.w32_suspect_PID_464_volatility20_info.txt
> 2 files, 71471 bytes uncompressed, 29202 bytes compressed: 59.1%
>
> I tend to strip extensions and send in encrypted zips when dealing
> with Google services. Fantastic for everything except threat sharing.
> :)
>
> --
> Darren Spruell
> phatbuckett@gmail.com