[OT} ZIPs (was: Re: [Vol-users] IAT hook question)
17 Jan
2013
17 Jan
'13
11:11 p.m.
On Thu, Jan 17, 2013 at 1:49 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
MHL,
I've tried sending twice, 2nd time passworded. Rejected both times. I've not
seen anything on the Vol-list either. May be a size problem.
----
Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
Received-From-MTA: dns;SNT118-W46
Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
Final-Recipient: rfc822;michael.hale(a)gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on
your message. Please
552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
552 5.7.0 review our attachment guidelines. m1si2744262obl.114
Gmail does pretty deep inspection of attachments, in this case
noticing a .exe file in the header of the ZIP archive:
$ zipinfo Rocra_svchost-exe_464_exe-dump.zip
Archive: Rocra_svchost-exe_464_exe-dump.zip 29582 bytes 2 files
-rwxa-- 2.0 fat 60928 Bl defN 16-Jan-13 14:44 svchost_executable.464.exe
-rw-a-- 2.0 fat 10543 Tl defN 16-Jan-13 14:46
130115b.w32_suspect_PID_464_volatility20_info.txt
2 files, 71471 bytes uncompressed, 29202 bytes compressed: 59.1%
I tend to strip extensions and send in encrypted zips when dealing
with Google services. Fantastic for everything except threat sharing.
:)
--
Darren Spruell
phatbuckett(a)gmail.com