[OT} ZIPs (was: Re: [Vol-users] IAT hook question)

Mike Lambert dragonforen at hotmail.com
Fri Jan 18 11:00:51 CST 2013


Hi Darren!
 
I think I'll have to start doing that.
 
Thanks,
Mike
 

> Date: Thu, 17 Jan 2013 21:11:11 -0700
> Subject: [OT} ZIPs (was: Re: [Vol-users] IAT hook question)
> From: phatbuckett at gmail.com
> To: dragonforen at hotmail.com
> CC: vol-users at volatilityfoundation.org; michael.hale at gmail.com
> 
> On Thu, Jan 17, 2013 at 1:49 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> > MHL,
> >
> > I've tried sending twice, 2nd time passworded. Rejected both times. I've not
> > seen anything on the Vol-list either. May be a size problem.
> >
> > ----
> > Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
> > Received-From-MTA: dns;SNT118-W46
> > Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
> > Final-Recipient: rfc822;michael.hale at gmail.com
> > Action: failed
> > Status: 5.5.0
> > Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on
> > your message. Please
> > 552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
> > 552 5.7.0 review our attachment guidelines. m1si2744262obl.114
> 
> Gmail does pretty deep inspection of attachments, in this case
> noticing a .exe file in the header of the ZIP archive:
> 
> $ zipinfo Rocra_svchost-exe_464_exe-dump.zip
> Archive: Rocra_svchost-exe_464_exe-dump.zip 29582 bytes 2 files
> -rwxa-- 2.0 fat 60928 Bl defN 16-Jan-13 14:44 svchost_executable.464.exe
> -rw-a-- 2.0 fat 10543 Tl defN 16-Jan-13 14:46 130115b.w32_suspect_PID_464_volatility20_info.txt
> 2 files, 71471 bytes uncompressed, 29202 bytes compressed: 59.1%
> 
> I tend to strip extensions and send in encrypted zips when dealing
> with Google services. Fantastic for everything except threat sharing.
> :)
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com
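As an added example, not part of this thread, here is a minimal version of the header inspection Darren describes: it walks a ZIP's central directory with `struct`, the way a gateway scanner does, and flags entries by extension. The block list and the in-memory sample archive are constructed for the demo; since ZIP encryption protects contents but leaves filenames in the headers in clear, only stripping the extension changes the verdict.

```python
import io
import os
import struct
import zipfile

# Constructed block list: extensions a mail gateway typically refuses inside archives.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs"}

CENTRAL_DIR_SIG = b"PK\x01\x02"  # central directory file header signature
EOCD_SIG = b"PK\x05\x06"         # end of central directory record signature


def list_central_directory(data: bytes) -> list:
    """Return the filenames recorded in the ZIP central directory, parsed
    straight from the headers rather than via zipfile, as a scanner would."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD layout: sig, disk, cd_disk, n_on_disk, n_total, cd_size, cd_offset, comment_len
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    names, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        # fixed header is 46 bytes; name/extra/comment lengths sit at offsets 28, 30, 32
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("cp437"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def flagged_entries(data: bytes) -> list:
    """Entries whose extension is on the block list. Encryption does not matter:
    the filename bytes read above are never encrypted in a ZIP."""
    return [n for n in list_central_directory(data)
            if os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS]


def build_zip(entries: dict) -> bytes:
    """Constructed sample archive built in memory; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    dump = b"MZ" + b"\x00" * 64  # placeholder, not a real PE image
    sample = build_zip({"svchost_executable.464.exe": dump, "pid_464_info.txt": b"notes\n"})
    print("flagged:", flagged_entries(sample))                      # ['svchost_executable.464.exe']
    print("after stripping extension:", flagged_entries(build_zip({"svchost_executable.464": dump})))
```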