ZIPX files that aren't: Keep a weather eye out for disguised malware in email attachments

Malware-peddling spammers are using a curious variation on the old custom file-extension dodge to evade scanning tools, according to Trustwave.


By using the .zipx extension to obfuscate EXE payloads, crooks might be hoping to sneak the elderly NanoCore remote-access trojan through users' email and endpoint-scanning software.

Trustwave highlighted this unusual move in research published today, noting that the technique relies on the "zipx" file delivered by the spammers not actually conforming to the zipx spec.


Instead, said the email security firm, these malicious attachments "are actually image (Icon) binary files, with attached extra data, which happens to be RAR". Within the RAR (WinRAR compressed archive; like .zip but different) is a malicious EXE file containing the payload.
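As an added illustration of the mismatch described above (this is not Trustwave's code or anything from the report), the triage helper below checks whether a file carrying the .zipx extension really starts with a ZIP signature, or instead looks like an ICO header with a RAR signature buried further in; the sample bytes are constructed, not a real attachment.

```python
import struct

# Well-known format signatures used to classify the attachment bytes.
ZIP_MAGIC = b"PK\x03\x04"             # local file header of a real ZIP/ZIPX
ICO_MAGIC = b"\x00\x00\x01\x00"       # Windows ICO header: reserved=0, type=1
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature


def classify_zipx(data: bytes) -> dict:
    """Describe what a '.zipx' attachment really is, judging by its bytes.

    A genuine ZIPX starts with the ZIP signature. The disguised samples
    start with an ICO header and carry a RAR signature after the icon data.
    """
    result = {
        "genuine_zip": data.startswith(ZIP_MAGIC),
        "looks_like_ico": data.startswith(ICO_MAGIC),
        "rar_offset": -1,          # byte offset of the first RAR signature, if any
    }
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        off = data.find(magic)
        if off != -1:
            result["rar_offset"] = off
            break
    # Suspicious: not a ZIP at all, yet a RAR archive is appended past offset 0.
    result["suspicious"] = (not result["genuine_zip"]) and result["rar_offset"] > 0
    return result


def build_sample() -> bytes:
    """Constructed sample: a minimal ICO header with RAR bytes appended.

    ICO header = reserved(2) + type(2) + count(2), then one 16-byte
    directory entry (zeroed here). The RAR part is only a signature stub.
    """
    ico = ICO_MAGIC + struct.pack("<H", 1) + b"\x00" * 16
    return ico + RAR4_MAGIC + b"\x00" * 8


if __name__ == "__main__":
    print(classify_zipx(build_sample()))
```

Run against real mail-gateway quarantine with the data read in binary mode; a `suspicious` result is a reason to detonate or block, not proof of a specific family.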

Trustwave's Karl Sigler, senior security research manager of its SpiderLabs research division, said in a statement: "The recent malspams have the same goal ..
