Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, August 15, 2008

Apparent Data Types

One of the more common attacks in the email world is starting to filter over into the web world. In the email world, viruses are often distributed as the payload of an email message. Typically this payload is an executable, which means it has to carry a .com, .exe, .bat or some other executable suffix. As end-users have gotten more savvy, hackers have started trying to obscure their attachments so that the end-user is fooled into thinking the file is a data type that is not an executable.

The easiest way of doing this is to take the extension suffix on a file and change it to something that the typical end-user will want to click on, download and execute. A typical example would of course be to take an executable and disguise it as an image file or video clip.

In reality it isn't that easy to deceive an end-user into executing a virus, as simply changing the suffix on a file would leave it unable to execute. The problem arises when files are shuffled around the Internet: they are usually encoded or packed, using BASE64, zip or some other encoding mechanism. This encoding can claim to carry a jpg file (for example via the MIME Content-Type header), but the actual file, once decoded, may have a name like "image.jpg.exe". For most people this is problematic, as Windows by default hides the extension, and most end-users would think they are looking at a file called "image.jpg".

While many anti-malware programs will block known viruses and malware, a new variant could get past the malware scan. This is where a proxy with better security mechanisms could save your organization. Some proxies are capable of detecting mismatches in apparent data types in encoded files. This helps ensure that policies blocking exe files or other executables actually get enforced. Make sure your proxy is one that understands how to look for a mismatch in apparent data type.
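The check described above, as an added illustration (not code from any particular proxy product): decode a BASE64 attachment, sniff its real type from the leading bytes, and compare that against the declared MIME type and the final file extension. The signature table, the executable-extension list and the sample attachment are constructed for this example.

```python
import base64
from typing import List

# Leading-byte signatures for a few common types (constructed, not exhaustive).
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"MZ", "application/x-msdownload"),     # DOS/Windows executable (PE)
    (b"\x7fELF", "application/x-executable"),
]
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable"}
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat"}   # the suffixes named in the post


def sniff_type(data: bytes) -> str:
    """Guess the real type from the content itself, ignoring what was declared."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def final_extension(filename: str) -> str:
    """The extension the OS acts on is the last one: 'image.jpg.exe' -> 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, declared_mime: str, b64_body: str) -> List[str]:
    """Decode a MIME part and report apparent-data-type mismatches a proxy should block on."""
    data = base64.b64decode(b64_body)
    actual = sniff_type(data)
    findings = []
    if actual != declared_mime:
        findings.append(f"declared {declared_mime} but content is {actual}")
    ext = final_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        shown = filename[: -(len(ext) + 1)]  # what a user with hidden extensions sees
        findings.append(f"final extension .{ext} is executable (displayed as '{shown}')")
    if actual in EXECUTABLE_TYPES:
        findings.append(f"content is an executable ({actual}) regardless of its name")
    return findings


# Constructed samples: a stub PE header presented as a JPEG, and a real-looking JPEG header.
FAKE_EXE = b"MZ" + b"\x00" * 62
FAKE_EXE_B64 = base64.b64encode(FAKE_EXE).decode()
REAL_JPEG_B64 = base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 12).decode()

if __name__ == "__main__":
    for finding in check_attachment("image.jpg.exe", "image/jpeg", FAKE_EXE_B64):
        print("BLOCK:", finding)
```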
