Possible malware email
August 26, 2016 11:46 AM

I may be paranoid, but someone sent me an email with a very suspicious attachment. How can I find out what's in it?

It was from an address I don't recognize, but not trying to advertise or sell anything and Gmail didn't classify it as spam.

The attachment has "Content-Type: image/bmp". (Can you really put malware in an image file?) Of course I didn't download or open the file, but I saw Gmail's preview (which I assume was rendered by Google on the server side, not in my browser) and it looked black and white with some text in it.

I saved the whole email in a text file, since I figured looking at base64 encoded text is OK, but I haven't tried to extract the attachment.

Ideally I want to know what's in the attachment and who sent it, but if that's not possible I at least want to know if it contains malware or not.

I'm using Mac OS and don't have any anti-virus software installed.
posted by Chicken Boolean to Computers & Internet (12 answers total) 2 users marked this as a favorite
You could try a site like VirusTotal. It's essentially an online virus scanner. It might tell you what type of malware is in the file, if there is any.
posted by LightMayo at 11:52 AM on August 26, 2016

"Can you really put malware in an image file?" Yes, but that sort of thing generally depends on a very specific bug in whatever viewer software you use. Since malware in file attachments is often targeted at big markets, you can reduce your risk by saving this file to the filesystem, and then using some tool that's somewhat niche to try to read it.

GIMP is large enough to be a target, but it looks like the only current warning out there is for XCF files, and even that's likely just a crash. So saving it as a file and opening it with GIMP should be a relatively safe operation.

If you want to be even safer, you can use a hex dump program to verify that the first two bytes of the file are "BM" (hexadecimal "66 77"), that way you know that this isn't a file trying to masquerade as something else by trying to change its extension (because some applications look at the extension to try to figure out what's in the file, and some applications look in the file itself...).
posted by straw at 12:09 PM on August 26, 2016 [1 favorite]

You can put malware in an image file, in the sense that you can construct an image file to exploit flaws in specific image decoding software in such a way as to be able to execute arbitrary instructions when (e.g.) the image is viewed using that software. This would typically be done using a buffer overrun or similar.

Note that many applications use the same libraries for image decoding; an exploitable flaw in such a library would mean all applications that use it are potentially vulnerable.

I know of no specific exploitable holes in BMP decoding in MacOS. However, my knowledge of MacOS is limited and zero-day exploits are a thing.

You can also have a file where the MIME type of the file (image/bmp, in this case) and the actual contents don't match. Software exists which will "helpfully" try to guess the actual file type from either the file name or the contents, then act accordingly.

In general, and with lots of exceptions, I would suggest that if the sender is unknown and the contents are not plain text, and the subject line doesn't indicate specific, personal applicability to you, then bit-bucket it without further thought.

This is 2016. BMP has not been an image file format of first resort for at least twenty years. Factor that into your calculation.

Hang on; I've got the Admiral on the phone...

[Yeah. Uh huh. Ok, I'll tell him. ]

It's a trap!
posted by sourcequench at 12:15 PM on August 26, 2016 [1 favorite]
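As an added example (not code posted by anyone in this thread), here is a Python script that does what the question and this answer describe: parse an e-mail saved as a text file, undo each attachment's base64 transfer encoding in memory, and compare the declared Content-Type with the file's leading bytes, without ever handing the bytes to an image decoder. The sample message, its addresses and the short magic-byte table are constructed for the example.

```python
"""Inspect attachments in a saved raw e-mail without opening them.

Added example: decodes each attachment's transfer encoding in memory and
compares the declared Content-Type with the leading (magic) bytes, so an
'image/bmp' part that is really a ZIP or an executable stands out.
"""
import base64  # used only to build the constructed sample message
import email
from email import policy

# Short magic-byte table, constructed for the example; it is meant to flag
# mismatches, not to replace the `file` utility.
MAGIC = {
    b"BM": "BMP image",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/JAR)",
    b"MZ": "Windows executable",
    b"%PDF": "PDF document",
    b"\x89PNG": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
}

# What each declared MIME type should sniff as.
EXPECTED = {
    "image/bmp": "BMP image",
    "image/png": "PNG image",
    "image/jpeg": "JPEG image",
    "image/gif": "GIF image",
    "application/pdf": "PDF document",
    "application/zip": "ZIP archive (also DOCX/XLSX/JAR)",
}


def sniff(data: bytes) -> str:
    """Guess the real content type from the first bytes."""
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    return "unknown"


def inspect_attachments(raw: bytes) -> list[dict]:
    """Describe every attachment in a raw RFC 822 message.

    The base64 (or quoted-printable) transfer encoding is undone only so the
    leading bytes can be compared with the declared type; nothing is written
    to disk or handed to a viewer.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue  # body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        guessed = sniff(payload)
        report.append({
            "filename": part.get_filename(),
            "declared": declared,
            "guessed": guessed,
            "size": len(payload),
            "head": payload[:8].hex(" "),
            # The declared type is whatever the sender typed into the header;
            # a mismatch with the bytes is the thing to flag.
            "mismatch": EXPECTED.get(declared) != guessed,
        })
    return report


def build_sample_message() -> bytes:
    """Constructed sample: two parts both declared image/bmp, one with a
    real BMP signature and one with a ZIP local-file header."""
    real_bmp = b"BM" + bytes(12)            # only the signature matters here
    fake_bmp = b"PK\x03\x04" + bytes(10)
    parts = []
    for name, blob in (("photo.bmp", real_bmp), ("scan.bmp", fake_bmp)):
        parts.append(
            "--BOUNDARY\r\n"
            "Content-Type: image/bmp\r\n"
            f'Content-Disposition: attachment; filename="{name}"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(blob).decode() + "\r\n"
        )
    raw = (
        "From: unknown@example.invalid\r\n"
        "To: me@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n\r\n'
        "--BOUNDARY\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        + "".join(parts) + "--BOUNDARY--\r\n"
    )
    return raw.encode()


if __name__ == "__main__":
    # With a real message: inspect_attachments(open("saved.eml", "rb").read())
    for item in inspect_attachments(build_sample_message()):
        print(item)
```

Run it against the saved message instead of the constructed one by reading the file in binary mode; the report shows, per attachment, the declared type, the sniffed type, the size and the first eight bytes, and `mismatch` is true when the two types disagree. Note that a matching signature only tells you the file is shaped like a BMP, not that it is safe to render.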

When I get unsolicited emails from people I don't know with suspicious-looking attachments on them, I just delete them without a second thought. The chances of it being anything remotely important or even interesting are minuscule next to the chances of it being some kind of malware. The fact that it slipped through the spam filter doesn't mean much; sometimes the algorithm just doesn't catch things.

However if I really wanted to see what was up, I'd open the file in a sandbox app. Mac OS X apparently comes standard with one, appropriately called "Sandbox." I'd fire it up and load the image in there. And I'd run a virus scanner over it first, as well. Then I might run a scan on my whole system afterward, just to make sure. I'd feel pretty safe about that.
posted by Anticipation Of A New Lover's Arrival, The at 12:25 PM on August 26, 2016 [5 favorites]

Can you get infected via a BMP, if you're not patched up to date on Apple gear-- yes: CVE-2016-4637

CoreGraphics in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted BMP image.
posted by Static Vagabond at 12:48 PM on August 26, 2016 [2 favorites]

If it were from someone you knew, you could ask if they deliberately sent you an image. But it's from a stranger, and I can't imagine the circumstance where it would be crucial.
posted by jeather at 1:10 PM on August 26, 2016 [1 favorite]

I would delete without a second thought, but if you're curious: You can save the BMP to your computer without (or with minimal) risk, then change the extension to TXT and open it in Notepad (or, preferably, Notepad++). If it truly is a BMP file, the first two characters should be BM, even if the rest of the file is gibberish. I'm betting you'll find PK, which indicates a ZIP or self-decompressing archive with a nasty payload. But that's one trick for hiding files: send it with the wrong mimetype, in hopes that your computer will be 'smarter' and open the file in the correct program that the payload was designed for.

Edit: didn't see you were on a Mac, so the programs I recommended might not behave the way I'm describing, but you can still open the file in a text editor to examine those first few characters.
posted by AzraelBrown at 1:16 PM on August 26, 2016 [2 favorites]
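straw and AzraelBrown both suggest checking that the first two bytes are "BM"; that signature is the ASCII letters B and M, which are 0x42 0x4D in hexadecimal (66 77 in decimal). Here is an added example (not code posted by either of them) that goes one step further and checks that the BMP headers agree with the bytes actually present, which is where a crafted image usually gives itself away: the declared file size, the pixel-data offset and the claimed dimensions. The sample images are constructed inside the script; `make_bmp` and `with_height` are helpers written for this example.

```python
"""Check a BMP file's headers for internal consistency without decoding it.

Added example: the 'BM' signature test from the thread, plus the checks a
viewer has to get right (file size, pixel-data offset, dimensions).
"""
import struct

# DIB header sizes that real writers emit (BITMAPCOREHEADER, BITMAPINFOHEADER
# and the V2..V5 extensions).
DIB_SIZES = {12, 40, 52, 56, 108, 124}
VALID_BPP = {1, 4, 8, 16, 24, 32}


def check_bmp(data: bytes) -> list[str]:
    """Return the inconsistencies found in the headers; an empty list means the
    headers agree with the bytes present. Pixel data is never decoded."""
    issues = []
    if len(data) < 14 or data[:2] != b"BM":
        return ["no 'BM' signature (0x42 0x4D) at offset 0"]
    declared_size, _res1, _res2, pix_off = struct.unpack_from("<IHHI", data, 2)
    if declared_size != len(data):
        issues.append(f"header says {declared_size} bytes, file has {len(data)}")
    if len(data) < 18:
        issues.append("truncated before the DIB header size")
        return issues
    dib = struct.unpack_from("<I", data, 14)[0]
    if dib not in DIB_SIZES:
        issues.append(f"unrecognised DIB header size {dib}")
        return issues
    if pix_off < 14 + dib or pix_off > len(data):
        issues.append(f"pixel data offset {pix_off} is outside the file "
                      f"(headers end at {14 + dib}, file has {len(data)} bytes)")
    if dib == 12:
        if len(data) < 26:
            issues.append("truncated BITMAPCOREHEADER")
            return issues
        width, height, planes, bpp = struct.unpack_from("<HHHH", data, 18)
        compression = 0
    else:
        if len(data) < 34:
            issues.append("truncated BITMAPINFOHEADER")
            return issues
        width, height, planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if width <= 0 or height == 0:
        issues.append(f"implausible dimensions {width}x{height}")
    if planes != 1:
        issues.append(f"planes field is {planes}, expected 1")
    if bpp not in VALID_BPP:
        issues.append(f"unsupported bits-per-pixel {bpp}")
    if compression == 0 and width > 0 and bpp in VALID_BPP:
        # Uncompressed rows are padded to 4-byte boundaries; the claimed image
        # must fit in the bytes that follow the pixel offset.
        row = ((width * bpp + 31) // 32) * 4
        need = row * abs(height)
        avail = len(data) - pix_off
        if need > avail:
            issues.append(f"claims {need} bytes of pixel data, but only {avail} "
                          f"bytes follow offset {pix_off}")
    return issues


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Constructed sample: a well-formed BITMAPINFOHEADER BMP with zeroed pixels."""
    row = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row * abs(height))
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack("<iiiHHIIiiII", 40, width, height, 1, bpp, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def with_height(data: bytes, height: int) -> bytes:
    """Constructed sample helper: overwrite biHeight (file offset 22) so the
    header claims an image the file does not actually contain."""
    return data[:22] + struct.pack("<i", height) + data[26:]


if __name__ == "__main__":
    # With a real file: check_bmp(open("attachment.bmp", "rb").read())
    good = make_bmp(2, 2)
    print("valid:", check_bmp(good))
    print("lying height:", check_bmp(with_height(good, 1_000_000)))
    print("truncated:", check_bmp(good[:40]))
    print("zip in disguise:", check_bmp(b"PK\x03\x04" + bytes(60)))
```

The script only reads the two fixed headers with `struct`, so it is safe to point at an untrusted file; a non-empty list is a reason to stop there rather than open the file in a viewer. An empty list is not a clean bill of health, since a decoder bug can be triggered by header values that are internally consistent, which is the point D.C. makes further down the thread.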

You could download it and use something like the file command in linux/unix (probably also available on Macs) to try and figure out if it looks like an image without actually loading it in an image viewer.

Boot from a live cd if you are extra cautious.
posted by Dr Dracator at 1:23 PM on August 26, 2016

Have you already tried Googling the From: address, the Subject: line, and the image file name? That's one thing to try.
posted by amtho at 1:41 PM on August 26, 2016

You are putting way too much faith in gmail's less-than-perfect spam filter. It's from a sender you don't know and it contains an unsolicited attachment, so be smarter than gmail, and call it spam. Also, how can you know the sender is "not trying to advertise or sell anything"?

If it turns out to be something important, your clueless friend/boss/relative will eventually ask you about it.
posted by sageleaf at 2:17 PM on August 26, 2016 [1 favorite]

On a Mac I use TextWrangler (the awesome free version of BBEdit) to look at files (as well as for most of my plain text editing needs). You can drag a file like this to the TextWrangler icon in the dock to easily view non-text files as text.

In this case, though, I think it's very possible that this really is a malformed BMP file made to exploit that known CoreGraphics bug. It's also very possible/probable that the headers of the files designed for this exploit look like what you'd expect from a valid BMP file, so I wouldn't open it on an unpatched system even if it "looked okay" in TextWrangler.
posted by D.C. at 9:29 PM on August 26, 2016

Is it possible you have a BMP exploit? Yes. Is it likely? Are you a journalist or dissident? Otherwise, probably not. I've not heard of this anywhere in the wild. My money is on standard image spam telling you to visit pharmacy.ru for best prices.

Open the file on a patched system, or use a different file viewer, or use a Windows system, or a phone, or upload it to one of the many BMP viewer sites. You could even just use an online converter to change it from BMP to JPG. That will show you the contents without malware risk.

Don't fully trust VirusTotal: they use signature-based scanning and so by definition can't catch new threats. Do use it; it's an important step, but only a step.
posted by anti social order at 6:09 AM on August 28, 2016
