Identifying an email as malicious, before opening any attachments, is very important. Some common techniques that attackers use include:
Identifying malicious files in email attachments has become increasing difficult. Over the last few years, malicious emails generally use file attachments from popular business applications (primarily Microsoft Office documents and PDFs). This practice makes it harder to distinguish malicious documents from legitimate ones, especially as malicious documents may use content that appears normal.
However, there are some ways of identifying suspicious attachments, including the following:
If you open a document (DOC, PPT, XLS, PDF) and it exhibits the following behavior, it is likely that your machine has been compromised:
Example of a targeted malicious email (this example is from Contagio Malware Dump) 1. Email address
The email may appear to come from someone you know within or outside of your organization. Attackers can spoof the sender email address to make it seem to originate from the real institutional address of the individual. Alternatively, they can register a fake account through a popular email service like Gmail that appears to be associated with the individual. In this example the name of the sender refers to a real person, but the Gmail account used is probably fake.2. File Attachment
The file attachment is often a PDF, Word document, or other commonly used workplace file format, and is typically used as the delivery mechanism for malware. If you open the attachment it will appear to be a normal document with relevant content. In this example the attached file is a real essay written by the actual person from whom the email appears to be sent (see figure 2). However, the file is not a normal document and will contain an exploit that can compromise a vulnerable version of the software used to read the file (e.g. Acrobat Reader, Microsoft Word, etc.) and execute malicious code on your computer. Once your computer is compromised attackers can extract documents, email, and other data, and possibly use your infected computer to exploit stored contacts or other computers on your network.3. Email Body
The body of the message may reference topics that are relevant to your organization and will typically urge you to open a file attachment or visit a website URL, which may contain malicious code.4. Email Signature
The email may end with the signature of the supposed sender that provides real contact information. In this example the signature accurately lists the name, position, and institution of the person from whom the message appears to be sent.
Example of a document used in a targeted malicious email (this example is from Contagio Malware Dump)
Analysis of the malware attached to this email revealed that it is poorly detected by antivirus software. Only 8/42 (19.05%) anti-virus products detected that the file was malicious. The malware contains malicious code that, if opened by a user, exploits programming flaws (CVE-2009-4324) in the Adobe Reader software allowing the attackers to compromise the user’s computer. The compromised computer then attempts to connect to a control server (www.whaha.Jkub.com) in order to report that it has been compromised and to receive instructions from the attackers.
Please send emails (with attachments and full headers) that you suspect to contain malicious attachments or links to the email address supplied to you by the Citizen Lab malware study coordinator.
Sending emails with header information
All emails contain headers that track each server they have passed through on the Internet. This information can be used to help determine whether an email is malicious or not. Each “Received:” header in the email corresponds to a server that the email has been through. By watching the path the email has taken, a lot of information can be determined on where it originated and how it was sent. The headers look like this:
Received: from exmf016-4.msoutlookonline.net (126.96.36.199) by EXHUB016-4.exch016.msoutlookonline.net (188.8.131.52) with Microsoft SMTP Server id 184.108.40.206; Fri, 14 Jan 2011 01:33:19 -0800 Received: from localhost (localhost.localdomain [127.0.0.1]) by exmf016-4.msoutlookonline.net (Postfix) with ESMTP id 208A114A7B; Fri, 14 Jan 2011 01:33:20 -0800 (PST) Received: from exmf016-4.msoutlookonline.net ([127.0.0.1]) by localhost (exmf016-4.msoutlookonline.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ulz2zUmNcimh; Fri, 14 Jan 2011 01:33:18 -0800 (PST) Received: from psmtp.com (exprod7mx238.postini.com [220.127.116.11]) by exmf016-4.msoutlookonline.net (Postfix) with SMTP id 27D4A14AC0; Fri, 14 Jan 2011 01:33:17 -0800 (PST) Received: from source ([18.104.22.168]) by exprod7mx238.postini.com ([22.214.171.124]) with SMTP; Fri, 14 Jan 2011 04:33:17 EST Received: by pzk28 with SMTP id 28so433969pzk.35 forWhen forwarding an email to the Citizen Lab submission address, these headers are not kept intact by default. There are two ways to preserve the headers: the first is to configure your email client to show them, then copy/paste them into the forwarded email. The other way is to include the entire email as an attachment (e.g. as an EML file attachment). Receiving emails in this format with the headers intact gives us a lot more information to work with, please do it when you can. Please see the next section for step-by-step instructions for submitting samples with full headers.
; Fri, 14 Jan 2011 01:33:16 -0800 (PST) Received: by 10.142.216.1 with SMTP id o1mr522054wfg.419.1294997585898; Fri, 14 Jan 2011 01:33:05 -0800 (PST) Received: by 10.142.242.19 with HTTP; Fri, 14 Jan 2011 01:33:05 -0800 (PST)
Submitting emails from Gmail
1. View the bad email by clicking on it. If it asks to display images, do not click on the link.
2. Click on the arrow to the right of the “Reply” button at the top of the message, then select “Show original”.
This will open a new window with a text-only version of the email:
3. Save the page. In the program menu, “File - >Save As” in IE, “File- >Save Page As” in Firefox or Chrome; or, right click and select “Save Page As” in Firefox or Chrome. Choose a descriptive filename, and have it end with an .eml extension, e.g. “bademail -fakeresume.eml”.
4. Compose a new email, and attach the saved file as a regular attachment.
Submitting emails from Thunderbird
1. Compose a new email.
2. Drag the bad email from your inbox to the attachments list of the new email. It will show up as “Attached Message” in the attachment list.
If drag and drop doesn't work do the following:
3. Compose a new email, and attach the saved file as a regular attachment.
Submitting emails from Outlook
1. Compose a new email.
2. Drag the bad email from your inbox to the new email. It will show up as an attachment with an envelope icon and the subject of the bad email.