another fake companies house complaint malspam delivering a banking trojan — 3 Comments

  1. In my experience (showing such spams to VirusTotal) most antivirus software fails to flag emails like this.

    There was a time when antivirus software did what you expected it to. Not now.

  2. The problem is, they use macros like WorkBook_Open, AutoOpen, autoopen, Document_Open to run the malicious code. Financial institutions might also use these same macros for formatting columns in a spreadsheet or something, so the antivirus companies can’t blanket ban these macro names. What we did was check the email body for base64 encoded versions of these words, and quarantine the emails if they contain something that could potentially be malicious. Only problem is you have loads of different capitalisations and you have to check for 3 versions of the same word because of how base64 works (4 byte boundary and padding).
    Any time anything slips through, we add a new base64 string to our suspect/quarantine list.
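
The check described in the comment above, sketched as an added example (not the commenter's actual filter and not part of the original post): it derives the three alignment-dependent base64 forms of each auto-run macro name and searches a raw email body for them. The function names, the short list of casings and the sample input used to exercise it are assumptions made for illustration.

```python
import base64
import re

# Auto-run macro names quoted in the comment above.
MACRO_NAMES = ["WorkBook_Open", "AutoOpen", "autoopen", "Document_Open"]


def casings(name):
    """Casings to look for: as written, lower, upper (VBA ignores case).
    This short list is an assumption; extend it when a sample slips through."""
    return {name, name.lower(), name.upper()}


def b64_fragments(keyword):
    """Return the base64 text of `keyword` at each of the 3 byte alignments.

    Base64 maps 3 input bytes to 4 output characters, so the encoding of a
    word depends on its offset (mod 3) inside the file. Characters that mix
    in bits from neighbouring bytes are trimmed, leaving only the stable core.
    """
    data = keyword.encode("ascii")
    fragments = set()
    for offset in range(3):
        padded = b"\x00" * offset + data
        encoded = base64.b64encode(padded).decode("ascii")
        start = -(-8 * offset // 6)      # first char made only of keyword bits
        end = 8 * len(padded) // 6       # one past the last such char
        fragments.add(encoded[start:end])
    return fragments


def build_watchlist(names=MACRO_NAMES):
    """Map every base64 fragment to the macro name it reveals."""
    return {frag: name for name in names
            for variant in casings(name)
            for frag in b64_fragments(variant)}


def scan_body(raw_body, watchlist):
    """Return macro names whose base64 fragments occur in a raw email body.

    MIME wraps base64 at 76 columns, so whitespace is removed first;
    otherwise a fragment split across a line break would be missed.
    """
    flat = re.sub(r"\s+", "", raw_body)
    return sorted({name for frag, name in watchlist.items() if frag in flat})
```

A hit means only that the attachment contains the macro name, so it suits a quarantine-for-review decision rather than an outright block.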

