Why Friends Don’t Let Friends Run Windows: Virus Scanning

So an email made its way through all the spam filtering:

From: USPS Service <us@usps.com>
Reply-To: USPS Service <us@usps.com>
To: (me)
Subject: Failure to deliver


Your parcel can’t be delivered by courier service.
Status:The size of parcel is exceeded.

STATUS OF YOUR ITEM: not delivered
SERVICE: One-day Shipping

Label is enclosed to the letter.
Print a label and show it at your post office.

Information in brief:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $12.70 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for your attention.
USPS Customer.

It had, of course, an attachment:
Zip archive attachment (Label_Parcel_USPS_ID.45-123-14.zip)

Not having sent a package using “one-day shipping” (which the USPS would call Express Mail), this seemed odd, as did the somewhat stilted phrasing.

We all know how this is going to work out, but let’s do the exercise anyway.

Save the ZIP attachment in /tmp, then …

Apply ClamAV: run freshclam to update the virus signatures and fire clamscan at the ZIP file:

/tmp/Label_Parcel_USPS_ID.45-123-14.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 1201128
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
Data read: 0.02 MB (ratio 2.00:1)
Time: 7.549 sec (0 m 7 s)

Huh. Well, then, it must be safe, right? (The alert reader will note that my version of clamav is one click back from the latest & greatest. Maybe that would make a difference. Probably not.)

Let’s see what VirusTotal has to say:

SHA256: febe98371e5b327118f5a703215f6f55ab47760764c68b0b9a64d1e5bdb28e25
File name: Label_Parcel_USPS_ID.45-123-14.zip
Detection ratio: 3 / 42
Analysis date: 2012-04-20 11:40:44 UTC (0 minutes ago)
Antivirus             Result (blank = not detected)    Update
AhnLab-V3                                              20120420
AntiVir                                                20120420
Antiy-AVL                                              20120420
Avast                                                  20120420
AVG                                                    20120420
BitDefender                                            20120420
ByteHero                                               20120417
CAT-QuickHeal                                          20120420
ClamAV                                                 20120419
Commtouch             W32/Trojan2.NQWF                 20120420
Comodo                                                 20120420
DrWeb                                                  20120420
Emsisoft                                               20120420
eSafe                                                  20120419
eTrust-Vet                                             20120420
F-Prot                                                 20120420
F-Secure                                               20120420
Fortinet                                               20120420
GData                                                  20120420
Ikarus                                                 20120420
Jiangmin                                               20120420
K7AntiVirus                                            20120418
Kaspersky                                              20120420
McAfee                                                 20120420
McAfee-GW-Edition                                      20120420
Microsoft             TrojanDownloader:Win32/Kuluoz.A  20120420
NOD32                 a variant of Win32/Kryptik.AEKY  20120420
Norman                                                 20120420
nProtect                                               20120420
Panda                                                  20120420
PCTools                                                20120420
Rising                                                 20120420
Sophos                                                 20120420
SUPERAntiSpyware                                       20120402
Symantec                                               20120420
TheHacker                                              20120420
TrendMicro                                             20120420
TrendMicro-HouseCall                                   20120420
VBA32                                                  20120419
VIPRE                                                  20120420
ViRobot                                                20120420
VirusBuster                                            20120420

Obviously, this blob of slime arrived still warm from the oven: even though the Big Name AV checkers have up-to-date signatures, they detect nothing wrong and would happily let me run a Trojan installer. That’s what malware protection buys you these days.

To a good first approximation, whatever virus scanner you’re using won’t save your bacon, either; the advice to keep the signatures up-to-date is necessary, but not sufficient. Of course, you know enough to not autorun random files on your Windows box, but this attack works often enough to justify sending messages to everybody in the world. Repeatedly.
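Signatures are one check; a second, which needs no signature database at all, is to look at what the archive actually contains before anything is opened. The following is an added example, not code from the original post and not a real scanner: it computes the attachment's SHA-256 (the hash VirusTotal reports), lists the ZIP members in memory without extracting them, and flags anything that is a Windows executable by extension, by double extension, or by the PE "MZ" magic. The sample archive it builds is constructed and inert; the file name inside it is an assumption modelled on the attachment above.

```python
import hashlib
import io
import zipfile

# Extensions Windows executes directly when the file is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw attachment: the value VirusTotal is keyed on."""
    return hashlib.sha256(data).hexdigest()

def triage_zip(data: bytes) -> list:
    """List a ZIP attachment's members without extracting anything to disk.
    Returns one record per file; an empty 'reasons' list means nothing
    suspicious was found for that member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
                # "label.pdf.exe" relies on Explorer hiding the real extension.
                if len(parts) > 2:
                    reasons.append("double extension")
            # Check the PE magic ("MZ") regardless of what the name claims.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header (MZ)")
            findings.append({"name": info.filename, "size": info.file_size,
                             "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed stand-in for the attachment above (not the real malware):
    a PE-looking stub with a double extension plus a harmless text file."""
    stub = b"MZ" + b"\x00" * 62  # only the DOS magic; this is not a program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Label_Parcel_USPS_ID.45-123-14.pdf.exe", stub)
        zf.writestr("readme.txt", b"Print this label.")
    return buf.getvalue()

if __name__ == "__main__":
    blob = build_sample()
    print(sha256_hex(blob), triage_zip(blob))
```

On a real attachment, call `triage_zip(open(path, "rb").read())`; `build_sample()` exists only to provide an inert input that exercises every check.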

I recently had a discussion with someone who wanted a system secured against email and web malware. She also insisted that it had to run Windows and share files with other Windows machines. I declined to bid on the job…