Malware analysis of email attachments and body

Detect viruses, worms, Trojans and trapdoors using a malware API

Malware scanning of attachments

What is malware?

Malicious software is what is called malware. It is software that in some way harms you, and most malware is spread by email, either as an attachment or through a URL the recipient is tricked into clicking. This page talks about how SpamCheetah stops malware carried in the payload or attachments of an email.

Though many types of malicious software exist, from the roughly 100,000 variants of DOS boot sector virus onward, malware can only do its job if it runs, and to run it needs the right environment. It is a known fact, or an open secret, that right from the beginning of the Internet and easy access to remote machines and connected devices the most effective way to deliver malware has been email. That has not changed in all these years.

To counter this attack vector (not to be confused with an IOC, an indicator of compromise, which is evidence that an attack has already got through) we must build a layered defense. Hence SpamCheetah has malware URL scanning as well as attachment scanning, both using an API, plus ClamAV virus scanning in which the entire MIME envelope is fed raw to look for known bad content.

Malware in an attachment can be written in any programming language, and it is important that the detection system checks against the latest database of known malware samples. There is always some lag between a new sample being discovered and a signature for it being published, so SpamCheetah relies on a live lookup via an API to ensure that each attachment that sails through it is clean of known malware.

Malware is characterized by property labels, taking at least one of

The above is a comprehensive list of malware categories. Most malware families are dangerous and cause serious harm; some are only a minor annoyance. SpamCheetah attempts to stop all of them from reaching you.

Malware very often propagates by email, and a network level spam filter is best placed to arrest its spread, because once it infects one host it propagates rapidly.

How malware brings down your network, or in many cases does nothing visible but silently spies and passes information to an adversary, varies from case to case. The point is that the presence or absence of malware often cannot even be proven in today's world, where software is ubiquitous and every device is connected to every other.

How can you detect it?

Malware is basically software that executes in a given environment. It could be an MS Word macro, a Windows EXE or a Linux ELF file. Without being able to run, malware cannot do anything.

Tools like YARA help you detect the modified variants that attackers often produce to evade detection by spam filters.

But YARA is just a rules engine, a kind of pattern matcher, and it cannot predict the dynamic behavior of a malware family. For that you need a sandbox environment like Joe Sandbox or Cuckoo Sandbox.

YARA rules are very powerful for detecting malware, but SpamCheetah does not use them, at least not yet. Should a future need or customer request mandate it we can begin using them. For now we make do with signature matches. YARA rules are better at detecting the content modifications attackers make to defeat spam filters.

Tools like DCC (Distributed Checksum Clearinghouse) and the Team Cymru Malware Hash Registry only look for exact fingerprints, which an attacker can trivially defeat by changing a single byte of the file. In such cases a well written YARA rule, which matches on structure or strings that survive the change, can help.

Malware is often hard to detect, particularly when it is brand new and not yet well understood. Still, by using the API based query SpamCheetah is able to stop most malware attachments from slipping through.

Role of emails in malware spreading

Malware is very often spread by email, since this has been the traditional way of carrying malware to the host environment in which it runs and replicates.

A worm, Trojan, backdoor or whatever else must be transported into a network before it can run there. Before computers were interconnected, the spread of malware could be contained; on today's Internet that is no longer an option.

Stopping malware is not only a matter of scanning attachments but also of scanning URLs, as SpamCheetah does in URL scanning. Even with both enabled, in exceptional situations malware could still slip through, and then you must quickly take corrective action.

Can SpamCheetah stop all malware?

Malware analysis of attachments is an essential component of SpamCheetah; with it you can detect dangerous payloads and drop emails before they hit the mail server.

The malware check happens at two levels in SpamCheetah. One is an API service queried after unpacking the MIME envelope.

The other is the ClamAV antivirus server, which can look into the MIME envelope and detect malware.

What is the backend used here?

SpamCheetah relies on for its malware analysis. Basically, it works by computing the SHA-256 checksum of each attachment and querying the API endpoint with it.

To compute that checksum we must first deconstruct the MIME envelope, parse each attachment, load it into memory and build the checksum, and all of that is done at wire speed while mail flows.
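The following is an added example, not SpamCheetah's own code, of the attachment path described here: unpack the MIME envelope, decode each attachment, hash it with SHA-256 and look the hash up. Since this page does not name the lookup service, a constructed in-memory blocklist stands in for the API call. The example also shows the two points made earlier on this page: it labels an attachment by its leading bytes (PE, ELF, OLE2, zip with a vbaProject.bin member) rather than by file name, because only something that can run is a threat, and it shows that appending a single byte defeats the hash lookup while the structural check still flags the file. The magic-byte table and the sample messages are constructed for illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Illustrative magic-byte prefixes (assumption: not a complete list) used to
# decide whether an attachment is something that can execute at the recipient.
MAGIC_PREFIXES = {
    b"MZ": "windows-pe",                 # DOS/Windows executable header
    b"\x7fELF": "linux-elf",
    b"\xd0\xcf\x11\xe0": "ole2-office",  # legacy .doc/.xls, may carry VBA macros
    b"PK\x03\x04": "zip-container",      # docx/xlsx/jar or a plain zip
}
# OLE2 is treated conservatively as executable because macros cannot be ruled out cheaply.
EXECUTABLE_KINDS = {"windows-pe", "linux-elf", "ole2-office", "office-macro"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Label an attachment by its leading bytes, not by its file name."""
    for prefix, kind in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            # A zip's central directory stores member names uncompressed, so an
            # OOXML document carrying a macro project reveals itself by substring.
            if kind == "zip-container" and b"vbaProject.bin" in data:
                return "office-macro"
            return kind
    return "other"


def scan_message(raw: bytes, bad_hashes: set) -> list:
    """Unpack the MIME envelope and check every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if data is None:
            continue
        kind = classify(data)
        digest = sha256_hex(data)
        findings.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "kind": kind,
            "hash_hit": digest in bad_hashes,      # stands in for the API lookup
            "executable": kind in EXECUTABLE_KINDS,
        })
    return findings


def build_sample(attachments) -> bytes:
    """Construct a multipart/mixed message from (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: a PE-looking header (not a real binary) and a harmless PDF stub.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
FAKE_PDF = b"%PDF-1.4\n%constructed harmless sample\n"
# Constructed blocklist standing in for the live hash lookup service.
BLOCKLIST = {sha256_hex(FAKE_PE)}


def demo():
    original = scan_message(build_sample([("invoice.exe", FAKE_PE),
                                          ("report.pdf", FAKE_PDF)]), BLOCKLIST)
    # One appended byte changes the hash but not what the file is.
    tweaked = scan_message(build_sample([("invoice.exe", FAKE_PE + b"\x00")]),
                           BLOCKLIST)
    return original, tweaked


if __name__ == "__main__":
    for f in sum(demo(), []):
        print(f"{f['filename']:12} {f['kind']:12} "
              f"hash_hit={f['hash_hit']} executable={f['executable']}")
```

Run as a script it lists each attachment with its kind, whether the hash matched and whether the content is executable; the tweaked invoice misses the blocklist yet is still reported as a Windows executable, which is exactly the gap a structural rule closes and a pure hash registry leaves open.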

Malware is caught by ClamAV as well, but you can disable virus scanning in the web interface; in that case the malware API check will still catch it. In today's world malware is a big threat to safety and there are plenty of threats to your clients, and as an MSP it is your foremost responsibility to ensure your clients are protected from such traps.

In incidents like Sunburst you might not even know you have been attacked, since the malware does no ostensible damage.

Malware is spread for many goals, not least espionage, but also stealing data or money, or blackmail. Since email is usually the starting point of it all, SpamCheetah with its malware API has you largely covered.

How can you fight spam without focusing on malware? Spam is just an annoyance; malware is more than that. It endeavors to hurt you and abuse your resources. Any content in mail that does not have benign intent is bad, but curating all of that is no easy task, and we do our best in the given circumstances. There are PUA/PUP, spyware and adware, stuff that you cannot prove was installed without user consent, and email has always been subject to this user consent issue.

If you read the fine print you may have agreed to install some additional tools that may be slowing down your machine or phone, but then you cannot call it malware since, technically, you agreed to it.

Whatever it is, just as spam is subjective, malware can also be subject to user judgement in some cases. In very sophisticated attacks, where an entire country's government is behind the infiltration of some powerful adversary, things get a whole lot murkier and more insidious, and also harder to detect and address.

Finding an enemy hiding behind several layers of obscurity is easier said than done. In most cases you cannot even tell that the enemy has infiltrated, since with modern computing speeds everything keeps working even if extra software components consume some processing power or memory, and disk space is abundant as well.

In today's world, with plenty of file sharing services and Dropbox-like cloud providers, malware need not be part of the mail body or attachments at all. SpamCheetah deals with that using the SURBL scanner.