Finding the Unknown – Detecting Emailed Malware Waves

In a previous post I discussed watching for the transfer of executable files around the network as an intrusion detection method. It is a great way of discovering machines that were attacked where the IDS failed to detect the exploit(s) because of obfuscation.

Another method I’d like to highlight is looking for password-protected zip files. Like the transfer of executables, password-protected zips are perfectly legitimate in themselves. Let’s take Zeus as an example.

Zeus/Zbot/WSNpoem spreads both via web exploits and spam runs. To get the payload past AV detection, the malware author encrypts the archive and provides the password in the body of the message. AV cannot scan inside the archive and can only match a specific signature for the encrypted archive itself.

There was one of these runs earlier this week (June 24th), and it is easily detected by a signature that looks for password-protected zips. You might think that such a signature would generate a lot of events, and it does, but they are easy to sort through to find the attacks. The file name used in this attack was “djellow.zip”. A quick search leads us to this article over at abuse.ch.
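As an added example (not code from the original post), here is a minimal form of that check in Python: it walks the ZIP local file headers of each mail attachment and reports entries whose general-purpose flag has the encryption bit set, so the archive is flagged without the signature having to know anything about the payload. The attachment name djellow.zip comes from the post; the member name, message body and both sample archives are constructed.

```python
import io
import struct
import zipfile
import zlib
from email.message import EmailMessage

LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header signature

def encrypted_zip_entries(data: bytes) -> list:
    """Names of members whose local header has the encryption bit (flag bit 0) set.
    Walks raw bytes the way an IDS signature would: no central directory needed."""
    names, pos = [], data.find(LOCAL_HDR)
    while pos != -1 and len(data) >= pos + 30:
        (_v, flags, _m, _t, _d, _crc, csize, _u, nlen, xlen) = struct.unpack(
            "<HHHHHIIIHH", data[pos + 4:pos + 30])
        if flags & 0x0001:
            names.append(data[pos + 30:pos + 30 + nlen].decode("cp437", "replace"))
        pos = data.find(LOCAL_HDR, pos + 30 + nlen + xlen + csize)
    return names

def password_protected_attachments(msg: EmailMessage) -> list:
    """(attachment filename, [encrypted members]) for each zip attachment with a
    password-protected entry; empty list for a mail with only ordinary archives."""
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(LOCAL_HDR):
            members = encrypted_zip_entries(payload)
            if members:
                hits.append((part.get_filename(), members))
    return hits

def make_encrypted_zip(member: str, body: bytes) -> bytes:
    """Constructed sample: one stored entry with flag bit 0 set, as a password-protected
    archive carries it. The body stays in clear; only the header matters to the detector."""
    name = member.encode()
    hdr = struct.pack("<HHHHHIIIHH", 20, 0x0001, 0, 0, 0, zlib.crc32(body),
                      len(body), len(body), len(name), 0)
    return LOCAL_HDR + hdr + name + body

def make_plain_zip(member: str, body: bytes) -> bytes:
    """Constructed sample: an ordinary unencrypted archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()

def sample_message(zip_bytes: bytes, filename: str) -> EmailMessage:
    """Constructed sample mail: a zip attachment plus the password in the body."""
    msg = EmailMessage()
    msg.set_content("Archive password: 123 (constructed sample body)")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=filename)
    return msg
```

A real deployment would add an allow-list for senders that legitimately exchange encrypted archives and would feed the hits into the same sorting step the post describes, since the signature by itself fires on benign traffic too.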

The messages were sent from a number of IPs.


The two worst offenders are Brazil and Turkey with 5 IPs each.

ASN    IP              Prefix           Country  Description
18881  201.22.7.148    201.22.0.0/18    BR       Global Village Telecom
8167   201.15.77.229   201.15.64.0/18   BR       TELESC – Telecomunicacoes de Santa Catarina SA
27699  201.0.136.67    201.0.0.0/16     BR       TELECOMUNICACOES DE SAO PAULO S/A – TELESP
27699  189.78.200.43   189.78.0.0/16    BR       TELECOMUNICACOES DE SAO PAULO S/A – TELESP
7738   187.14.9.68     187.14.0.0/19    BR       Telecomunicacoes da Bahia S.A.
9121   88.227.199.86   88.227.128.0/17  TR       TTNET TTnet Autonomous System
9121   85.100.177.112  85.100.128.0/17  TR       TTNET TTnet Autonomous System
9121   78.176.8.64     78.176.0.0/17    TR       TTNET TTnet Autonomous System
9121   78.166.216.115  78.166.128.0/17  TR       TTNET TTnet Autonomous System
9121   78.161.81.160   78.161.0.0/17    TR       TTNET TTnet Autonomous System

Attacks using password-protected zips can now be identified and their sources uncovered without relying solely on exploit- or attack-related signatures. All that’s needed is a detective hat and knowledge of current threats.
