Five Easy Steps To Bypass Analysis of Mails in Antivirus by Manipulating MIME
https://updatesinfosec.blogspot.com/2018/07/five-easy-steps-to-bypass-analysis-of.html
In summary:
Traditionally mails were ASCII-only and limited to 1000 characters per line. The MIME standard defines a way to have a mail structured (multiple parts, including attachments) and to transport non-ASCII data. Unfortunately, the standard is unnecessarily complex and flexible, makes contradicting definitions possible and defines no real error handling.
The result of this is that different implementations interpret edge-cases of valid MIME or purposely invalid MIME in different ways. This includes the interpretation in analysis systems like mail filters, IDS/IPS, mail gateways or antivirus, which often interpret specifically prepared mails differently from the end-user system.
This post shows how easy it is to modify a mail with a malicious attachment in a few simple steps, so that at the end no antivirus at VirusTotal will be able to properly extract the attachment from the mail and detect the malware. After all these modifications it is still possible to open the mail in Thunderbird and access the malicious payload without problems. [...]
Kindly refer to the following link as a follow-up:
https://ift.tt/2J0Vv2y
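The defensive consequence of the excerpt above is that a gateway should not try to guess which reading of an ambiguous MIME structure the end-user client will pick; it should notice that the structure was ambiguous at all and treat the mail accordingly. The following is an added example, not code from the original post or its author, of such a conservative audit using only Python's standard library: it records every defect the `email` parser silently recovered from, duplicated structural headers, and over-long lines, and lists the attachments a strict parser sees with their SHA-256. The `audit` function, header list and both sample mails are constructed here; the second sample deliberately carries a duplicated Content-Type header and a missing closing boundary to stand in for the kind of contradiction the post describes (it is not a reproduction of the post's five steps).

```python
"""Conservative MIME audit: flag mails whose structure a parser had to guess at.

Added example (constructed; not from the original post).  Standard library only.
"""
import hashlib
from email import policy
from email.parser import BytesParser

MAX_LINE = 998  # RFC 5322 limit on a line body (1000 bytes including CRLF)

# Headers that must occur at most once per MIME entity: a second copy lets two
# parsers legitimately choose different values for the same part.
UNIQUE_HEADERS = ("Content-Type", "Content-Transfer-Encoding", "Content-Disposition")


def audit(raw: bytes) -> dict:
    """Parse RAW and return the ambiguity findings plus the attachments a
    strict reader extracts (filename, sha256)."""
    findings = []

    # 1. Physical line length: over-long lines are a classic divergence point.
    for no, line in enumerate(raw.split(b"\n"), 1):
        if len(line.rstrip(b"\r")) > MAX_LINE:
            findings.append(f"line {no} exceeds {MAX_LINE} bytes")

    msg = BytesParser(policy=policy.default).parsebytes(raw)

    for part in msg.walk():
        # 2. Defects the stdlib parser recovered from (missing close boundary,
        #    multipart without a boundary parameter, ...).  By default these are
        #    recorded on the part rather than raised, so a naive caller never
        #    learns the structure was guessed.
        for defect in part.defects:
            findings.append(f"{type(defect).__name__} on part {part.get_content_type()}")
        # 3. Duplicate structural headers on any entity.
        for name in UNIQUE_HEADERS:
            if len(part.get_all(name, [])) > 1:
                findings.append(f"duplicate {name} header on part {part.get_content_type()}")

    attachments = [
        (p.get_filename(), hashlib.sha256(p.get_payload(decode=True)).hexdigest())
        for p in msg.iter_attachments()
    ]
    return {"ambiguous": bool(findings), "findings": findings, "attachments": attachments}


def _mail(lines):
    """Join constructed header/body lines with CRLF as on the wire."""
    return b"\r\n".join(lines) + b"\r\n"


# Constructed sample 1: a well-formed multipart mail with one attachment.
CLEAN_MAIL = _mail([
    b"From: sender@example.com",
    b"To: recipient@example.com",
    b"Subject: report",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"please see attached",
    b"--b1",
    b'Content-Type: application/octet-stream; name="report.bin"',
    b'Content-Disposition: attachment; filename="report.bin"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"aGVsbG8gd29ybGQ=",  # base64("hello world")
    b"--b1--",
])

# Constructed sample 2: same mail, but the attachment part has two contradicting
# Content-Type headers and the closing boundary "--b1--" is missing.
AMBIGUOUS_MAIL = _mail([
    b"From: sender@example.com",
    b"To: recipient@example.com",
    b"Subject: report",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"please see attached",
    b"--b1",
    b"Content-Type: text/plain",
    b'Content-Type: application/octet-stream; name="report.bin"',
    b'Content-Disposition: attachment; filename="report.bin"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"aGVsbG8gd29ybGQ=",
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_MAIL), ("ambiguous", AMBIGUOUS_MAIL)):
        print(label, audit(sample))
```

The policy choice is the point: a filter that hands an "ambiguous" verdict to quarantine fails closed, whereas one that picks a single interpretation and scans only that extraction is exactly the gap between analysis system and end-user client that the post describes.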