Hello, welcome to the Monday, January 7th, 2019 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich and the day I'm recording from Jacksonville, Florida.

The DE came across some Windows malware that was distributed as a tar file. TAR files are very common for Unix

users, it's well the tape archive file format, but less common in Windows. And Windows itself

actually can't usually open TAR files. You need additional software but Winsip which most use install on Windows is able to open TAR files.

And as D.D.E points out, there are a couple of reasons why an attacker may select to send a TAR file.

First of all, well, like I just mentioned, it's not that uncommon that users actually have

software like WNSIP to open TAR files.

And secondly, TAR files may not be inspected by anti-malware and even if they are inspected,

that standard signatures may not necessarily

find the malware.

Didier also pointed out another trick that specifically applies to TAR files.

And that's in Windows.

If you download a file normally over the internet, Some metadata is added as an alternative data stream

that labels the file as downloaded from the internet and if you try to execute it, it will pop up

a warning if it's an executable. Well, the tar file is labeled as such, but you can open the tar

file without seeing a warning because you're not

executing anything. And then if you extract the executable inside this tar file, this metadata,

this alternate data stream is not transferred to the file. So now you can execute the file without any warning. And that may be why they're

doing this, why they're using tar files. Yes, they may lose some victims that are not able to

open the files, but on the other hand, they may gain more by actually not displaying this warning.

Patrick Waddle came out with yet another free security tool for Mac OS. Now this tool, Raykey, I think that's how you pronounce it, is able to detect some keystroke loggers.

...