Wednesday, June 2, 2010

How I deal with suspicious email attachments

We have all received emails which (a) have attachments and (b) might be legitimate. An engineer at one of my clients recently came to me with just such an email-with-attachment that might have been from a possible client, asking me if it was safe to open the attached Word .DOC file.  I told him "no", and explained how I test any email attachment, especially ones which I am not expecting.

First, I *-=NEVER=-* double-click on unexpected attachments or open them from my email program.  I always save them to disk.  Saving a file does not execute anything in it, so the file is harmless on disk.  The act of saving it gives my local anti-malware program (VIPRE, Norton, McAfee, AVG, whatever) a first chance to scan it (an on-access scan, which only catches what the vendor already has a signature for), and it prevents Windows from deciding which program to use to open it.

Once I have the attachment(s) saved to disk, I open the folder where I saved them.  I then right-click the suspicious file(s), choose "Send To" then "VirusTotal":
[Screenshot: the "Send To" -> "VirusTotal" context-menu entry]
If you don't have "VirusTotal" on your "Send To" menu, you can install it from the VirusTotal downloadable installer, which you get here: virustotal.com/vtsetup.exe

For the truly careful, the file's MD5 hash is listed on the VT download page:
virustotal.com/metodos.html
Comparing that hash with the one you compute locally tells you the installer was not corrupted or altered in transit.  It is an integrity check, not a signature: a published hash from the same site does not prove the installer is safe, and MD5 has known collision attacks, so do not read more into a match than "I got the same bytes they posted".

After you choose "Send To" -> "VirusTotal", a small window will open:
[Screenshot: the VirusTotal uploader window]
The uploader first sends the file's MD5 hash.  If someone else has already submitted a file with the same hash, VirusTotal shows the existing report; if this is the first time this MD5 has been seen, the uploader sends the file itself and VT scans it.  Either way, the uploader then launches your Internet browser at the VT page for that hash.  Two things to keep in mind: a hash lookup only matches byte-identical files, so a sample that has been re-packed or padded by a single byte gets a fresh hash and a fresh scan; and anything you upload is shared with the anti-malware vendors that feed VirusTotal, so think twice before uploading a document that might contain a client's confidential data.  If no engine flags the file, you will see something like this:
[Screenshot: a VirusTotal report with no detections]
A result with no detections means no engine recognized the file, not that it is safe; brand-new malware routinely starts out at zero detections.  If you are unlucky and the file is malicious, you will see something like this:
[Screenshot: a VirusTotal report with multiple detections]
This last screen is from a file that VIPRE found on one of my clients' computers last week, and which I originally thought might be a "False Positive".  I submitted it to Sunbelt Software for further analysis, and after a week they told me that it looks like real malware to them.

If the file has ANY malicious detections on VirusTotal, and I still think it might be a legitimate attachment, I'll look at the file with a binary viewer like Lister from the publisher of my favorite file browser, Total Commander.  The first bytes tell you what the file really is, whatever its extension says: a legacy Word .DOC starts with the OLE2 compound-file signature D0 CF 11 E0 A1 B1 1A E1, a .DOCX starts with "PK" because it is a ZIP container, and anything that starts with "MZ" is a Windows executable no matter what it is called.  A ".doc" that begins with "MZ" is not a document.
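As an added example (not the author's code, and not the VirusTotal uploader), here is a small Python triage script that does what the binary-viewer step is looking for, plus the hashing step: it computes the MD5 that VirusTotal keys on (and SHA-256 for newer lookups), checks that the leading bytes of the file agree with what the extension claims, flags double extensions such as "order.doc.exe", and, for ZIP-based Office files, reports whether a VBA macro project is present.  The file names, the sample bytes and the minimal macro-enabled .docx are all constructed for the example.

```python
import hashlib
import io
import os
import zipfile

# Leading bytes ("magic") of common attachment containers.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                        # .docx/.xlsx/.zip/.jar
    (b"MZ", "pe"),                                 # .exe/.dll/.scr
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
]

# Which container each extension is supposed to be.
EXPECTED = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".docm": "zip", ".xlsm": "zip",
    ".pdf": "pdf", ".rtf": "rtf",
    ".exe": "pe", ".scr": "pe", ".dll": "pe",
}

# OOXML parts whose presence means the document carries VBA macros.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def file_hashes(data: bytes) -> dict:
    """MD5 (what the VT uploader looks up) plus SHA-256."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def identify(data: bytes) -> str:
    """Container type from the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def has_ooxml_macros(data: bytes) -> bool:
    """True if a ZIP-based Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def triage(filename: str, data: bytes) -> dict:
    """Run the checks a reviewer would make before opening an attachment."""
    root, ext = os.path.splitext(filename.lower())
    kind = identify(data)
    findings = []
    # "invoice.doc.exe" shows as "invoice.doc" when Windows hides known extensions.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in EXPECTED and inner_ext != ext:
        findings.append(f"double extension {inner_ext}{ext}")
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        findings.append(f"content is {kind}, not {expected} as {ext} implies")
    if kind == "pe":
        findings.append("file is a Windows executable")
    if kind == "zip" and has_ooxml_macros(data):
        findings.append("Office document contains VBA macros")
    return {"name": filename, "kind": kind, "hashes": file_hashes(data),
            "findings": findings, "suspicious": bool(findings)}


def _build_macro_docx() -> bytes:
    """Constructed sample: the skeleton of a macro-enabled Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples, not real attachments.
SAMPLES = {
    "quote.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,  # honest legacy .doc
    "invoice.doc": b"MZ\x90\x00" + b"\x00" * 60,                       # executable dressed as .doc
    "order.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,                     # double extension
    "report.docx": _build_macro_docx(),                                # macros inside a .docx
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{name:14} {r['kind']:8} md5={r['hashes']['md5']} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
        for f in r["findings"]:
            print("    -", f)
```

The script only reads the file, so it is safe to run on a sample you have saved to disk; the MD5 it prints is the value you would look up on VirusTotal.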

In addition to using the above technique to test attachments, if I have any suspicions about the actual source of the email, looking at the message's headers tells me a lot about where the message came from.  For example, if the email address of the sender shows "someone@army.mil" but the originating computer is "200-171-228-6.customer.telesp.net.br [200.171.228.6]" instead of a server on the .mil network, that's a good clue that something is wrong.  One caveat: only the "Received:" lines written by your own mail servers can be trusted.  They are added to the top of the message as it travels, and anything below them was supplied by the sender, who can forge as many plausible-looking hops as he likes.  The line your own server added records the real connecting host and IP address, and that is the one to compare against the claimed sender.
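As an added example (not the author's code), here is a Python script that automates that header check: it parses the "Received:" chain, finds the last hop written by one of the recipient's own relays, and compares the connecting host recorded there with the domain claimed in the "From:" line.  The relay names mx1.example.net and mail.example.net are an assumption for the example, and both messages are constructed, reusing the telesp.net.br host from the paragraph above.

```python
import email
import email.utils
import re

# Hostnames of the recipient's own mail servers (assumed for this example).
# Only Received: lines written by these can be trusted; everything below
# them in the header block came from the sender and may be forged.
TRUSTED_RELAYS = {"mx1.example.net", "mail.example.net"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"                    # name the client announced (HELO/EHLO)
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s*)?"           # reverse DNS of the client, if any
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\][^)]*\)"  # client IP as seen by the receiver
    r".*?\bby\s+(?P<by>\S+)",                     # server that wrote this line
    re.IGNORECASE,
)


def parse_received(value: str):
    """Client name, reverse DNS, IP and receiving server from one Received: header."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    d = m.groupdict()
    d["by"] = d["by"].rstrip(";,")
    return d


def in_domain(host, domain: str) -> bool:
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def origin_check(raw: str, trusted=TRUSTED_RELAYS) -> dict:
    """Compare the From: domain with the host our own relay actually talked to."""
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    # Headers are prepended as mail travels, so reading top to bottom the last
    # hop written by a trusted relay is where the message entered our network.
    trusted_hops = [h for h in hops if h["by"].lower() in trusted]
    entry = trusted_hops[-1] if trusted_hops else None
    result = {"from_domain": from_domain, "hops": hops, "entry": entry,
              "mismatch": False, "reason": ""}
    if entry is None:
        result["reason"] = "no Received: line from a trusted relay; cannot judge origin"
        return result
    if not in_domain(entry["rdns"], from_domain):
        shown = entry["rdns"] or "(no reverse DNS)"
        result["mismatch"] = True
        result["reason"] = (f"From: claims {from_domain} but the connecting host was "
                            f"{shown} [{entry['ip']}]")
    return result


# Constructed messages. 192.0.2.0/24 is the documentation address range.
SUSPICIOUS_MSG = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.net with ESMTP id abc123; Wed, 2 Jun 2010 09:15:01 -0500
Received: from mail.army.mil (200-171-228-6.customer.telesp.net.br [200.171.228.6])
    by mx1.example.net with SMTP; Wed, 2 Jun 2010 09:14:58 -0500
From: someone@army.mil
To: engineer@example.net
Subject: Contract documents

See attached.
"""

LEGIT_MSG = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.net with ESMTP id def456; Wed, 2 Jun 2010 10:02:11 -0500
Received: from mail.army.mil (mail.army.mil [192.0.2.77])
    by mx1.example.net with ESMTP; Wed, 2 Jun 2010 10:02:09 -0500
From: someone@army.mil
To: engineer@example.net
Subject: Contract documents

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("legit", LEGIT_MSG)):
        r = origin_check(raw)
        print(label, "MISMATCH" if r["mismatch"] else "ok", r["reason"])
```

The check is a heuristic: large senders legitimately relay through third-party hosts, so a mismatch is a reason to look harder, not proof of forgery, and a match proves nothing if the sender controls a host in the claimed domain.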

Also, if you forward a suspicious email to me for diagnosis, I really need the full email headers to be able to study it properly. Since each email program displays email headers in a different way, telling you how to find them is too much for this email.  Let me know if you need help with this, and let me know what email program you're using, and I'll let you know how to send me the email with headers.
