Leave a Reply

2 Comments on "another fake companies house complaint malspam delivering a banking trojan"

drsolly (Guest)

In my experience (showing such spams to virustotal) most antivirus software fails to flag emails like this.

There was a time when antivirus software did what you expected it to. Not now.

Nyebodnye (Guest)

The problem is, they use macros like WorkBook_Open, AutoOpen, autoopen, Document_Open to run the malicious code. Financial institutions might also use these same macros for formatting columns in a spreadsheet or something, so the antivirus companies can’t blanket ban these macro names. What we did was check the email body for base64 encoded versions of these words, and quarantine the emails if they contain something that could potentially be malicious. Only problem is you have loads of different capitalisations and you have to check for 3 versions of the same word because of how base64 works (4 byte boundary and padding).
Any time anything slips through, we add a new base64 string to our suspect/quarantine list.
