Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Corrupted Nyxems - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Corrupted Nyxems
The news about Nyxem (CME-24) are slowly ending, but the number of infected messages which are sent around still seems to be pretty high. Besides "normal" e-mails with Nyxem, we had couple of submissions (and noted this on couple of servers as well) about corrupted attachments.

Message bodies in these samples are completely the same as those being sent with working attachments, and the only difference seems to be in corrupted attachments.

If you remember, in some cases Nyxem will send MIME attachments; this was probably an attempt by the author to circumvent various filtering engines which may not expect an uuencoded file embedded in a base64 encoded MIME message part.

Beginning of those encoded files is almost always OK, and after couple of lines it gets corrupted.
The corrupted part will look similar to the one below (first line is from the good version, second from corrupted):

M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````!X;<,@````#V
M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````````````

The letter 'M' at the start of each line indicate the unencoded line length, which in this case should be 60 (77d - 32d = 45d = M; 45 characters were encoded to 60). You can see that the line length in the second example is less than 60, so it is clear that the encoding is damaged.

If you now try to decode this (for example, uudecode will try to decode this and will complain about an error), you'll get a corrupted executable. This file still has a valid header, so if you policy dictates blocking of executables on the e-mail gateway, this will be blocked.

Majority of AV vendors doesn't detect this. Of course, the file is harmless so theoretically there is no reason why they should detect this, but it would probably be nice to add definitions for these corrupted attachments, just so they don't confuse end users.
We've received submission from one of our readers that McAfee detects this as Generic Malware.a!zip.

Thanks to Mark Ackermans for a nice analysis of what's going on with the corrupted attachments.

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!