[OT] ZIPs (was: Re: [Vol-users] IAT hook question)

Darren Spruell phatbuckett at gmail.com
Thu Jan 17 22:11:11 CST 2013


On Thu, Jan 17, 2013 at 1:49 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> MHL,
>
> I've tried sending twice, 2nd time passworded. Rejected both times. I've not
> seen anything on the Vol-list either. May be a size problem.
>
> ----
> Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
> Received-From-MTA: dns;SNT118-W46
> Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
> Final-Recipient: rfc822;michael.hale at gmail.com
> Action: failed
> Status: 5.5.0
> Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on
> your message. Please
> 552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
> 552 5.7.0 review our attachment guidelines. m1si2744262obl.114

Gmail does pretty deep inspection of attachments, in this case
noticing a .exe file in the header of the ZIP archive:

$ zipinfo Rocra_svchost-exe_464_exe-dump.zip
Archive:  Rocra_svchost-exe_464_exe-dump.zip   29582 bytes   2 files
-rwxa--     2.0 fat    60928 Bl defN 16-Jan-13 14:44 svchost_executable.464.exe
-rw-a--     2.0 fat    10543 Tl defN 16-Jan-13 14:46 130115b.w32_suspect_PID_464_volatility20_info.txt
2 files, 71471 bytes uncompressed, 29202 bytes compressed:  59.1%

I tend to strip extensions and send in encrypted zips when dealing
with Google services. Fantastic for everything except threat sharing.
:)

-- 
Darren Spruell
phatbuckett at gmail.com
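The inspection Darren describes reads the ZIP central directory, where entry names sit in cleartext regardless of whether the entry data is encrypted. The following is an added example, not code from the thread or from Google, that parses that structure directly and reports entries with a blocked extension; the BLOCKED_EXTENSIONS set and the sample archive are assumptions constructed for the demonstration.

```python
import io
import struct
import zipfile

# Extensions a mail gateway commonly refuses; Gmail's actual list is not on
# the page, so this set is an assumption made for the example.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi", ".vbs", ".js"}

EOCD_SIG = struct.pack("<I", 0x06054B50)   # end-of-central-directory record
CDIR_SIG = 0x02014B50                       # central directory file header


def central_directory_entries(data: bytes):
    """Yield (filename, general-purpose flags) for each central-directory record.

    Filenames are stored in cleartext in the central directory even when the
    entry contents are encrypted (flag bit 0), so a gateway can always read them.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD offsets: +10 total entries (H), +12 cd size (I), +16 cd offset (I)
    total, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(total):
        hdr = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)  # 46-byte fixed part
        if hdr[0] != CDIR_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        flags, name_len, extra_len, comment_len = hdr[3], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        yield name, flags
        pos += 46 + name_len + extra_len + comment_len


def flagged_entries(data: bytes):
    """Return [(name, encrypted)] for entries whose extension is on the block list."""
    hits = []
    for name, flags in central_directory_entries(data):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, bool(flags & 0x1)))
    return hits


def build_sample_zip() -> bytes:
    """Constructed in-memory archive using the entry names from the zipinfo listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("svchost_executable.464.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
        zf.writestr("130115b.w32_suspect_PID_464_volatility20_info.txt", b"volatility output\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, encrypted in flagged_entries(build_sample_zip()):
        print("blocked entry: %s (encrypted=%s)" % (name, encrypted))
```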