New Exploit Uses Disk Images to Deliver Malware

There is a new email attachment exploit making the rounds that uses a file type called a disk image.  The file extension for this kind of file is ISO.  ISO files are not inherently dangerous, and in this exploit they work much the same way that a ZIP attachment does: a container holding anything the creator wants to include.  Because the file type is generally seen as benign, it can sneak past email security filters.

If you have ever installed Linux on a computer, then you are familiar with the ISO packages that can be downloaded to install the Linux operating system.  But ISO files do not have to contain an operating system.  You could create an ISO of a CD or DVD in order to create a copy of a music album or a movie.  Clever cyber-criminals are putting executable malware files in these ISO attachments.

The way this works is diagrammed above.  A phishing email with an ISO attachment shows up in your inbox.  Whether or not you are familiar with the ISO file type, if you decide to open the file, the Windows operating system will treat the ISO as if it were an optical drive or USB drive and mount it.  Windows will even give it a drive letter and an icon in Windows Explorer.  Then Windows will “play” the content.  If the content is an executable file, your computer will install the malware program.

Many of these attacks also use a double file extension, something like fakedocument.pdf.exe.  The final .exe means the file is executable.  Because Windows hides common file extensions by default, you may only see fakedocument.pdf.  Looks like a PDF file, should be safe, right?  In this case, not so much.
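As an added example (not code from the original post), here is a small Python script that inspects an ISO attachment the way a mail gateway might, before anyone mounts it: it parses the ISO 9660 volume descriptors and root directory, prefers the Joliet names (the long file names Windows displays), and flags executables and double extensions such as fakedocument.pdf.exe, alongside what each name looks like when extensions are hidden.  The sample image, its file names and the list of executable extensions are constructed assumptions for the demo.

```python
"""Inspect an ISO 9660 e-mail attachment without mounting it.
Added example, not code from the original post: walks the image's root directory
(preferring the Joliet names Windows displays) and flags executables and double
extensions such as fakedocument.pdf.exe. Sample image and names are constructed."""
import struct

SECTOR = 2048
# Assumed gateway block list of extensions Windows runs directly (not exhaustive)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "wsf", "msi", "hta", "lnk"}
_le32 = lambda b, off: struct.unpack_from("<I", b, off)[0]

def parse_dir_records(img, lba, size, joliet):
    """Yield (name, is_dir, extent_lba, length) for each record in a directory extent."""
    data, pos = img[lba * SECTOR:lba * SECTOR + size], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                       # records never straddle a sector: skip padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        pos += rec_len
        ident = rec[33:33 + rec[32]]           # file identifier, e.g. b"README.TXT;1"
        if ident in (b"\x00", b"\x01"):        # "." and ".." entries
            continue
        name = ident.decode("utf-16-be" if joliet else "ascii").split(";")[0]
        yield name, bool(rec[25] & 2), _le32(rec, 2), _le32(rec, 10)

def list_iso(img):
    """Return root-directory entries; a Joliet (type 2, UCS-2) descriptor wins over the PVD."""
    pvd = svd = None
    for sector in range(16, len(img) // SECTOR):   # descriptor set starts at sector 16
        vd = img[sector * SECTOR:(sector + 1) * SECTOR]
        if vd[1:6] != b"CD001" or vd[0] == 255:    # not a descriptor / set terminator
            break
        if vd[0] == 1:
            pvd = vd
        elif vd[0] == 2 and vd[88:91] in (b"%/@", b"%/C", b"%/E"):  # Joliet escape sequences
            svd = vd
    if pvd is None:
        raise ValueError("not an ISO 9660 image")
    root = (svd or pvd)[156:190]               # root directory record embedded in the descriptor
    return list(parse_dir_records(img, _le32(root, 2), _le32(root, 10), svd is not None))

def assess_name(name):
    """Gateway view of a file name, plus what Explorer shows with extensions hidden
    (it hides only the last, known extension, so x.pdf.exe is shown as x.pdf)."""
    exts = name.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    return {"name": name,
            "executable": final in EXECUTABLE_EXTS,
            "double_extension": len(exts) >= 2 and final in EXECUTABLE_EXTS,
            "displayed_as": name.rsplit(".", 1)[0] if exts else name}

def scan_iso(img):
    """Assess every file in the root directory of the image."""
    return [assess_name(n) for n, is_dir, _, _ in list_iso(img) if not is_dir]

# ---- constructed sample image; the builder exists only so the demo runs offline ----
_both = lambda lo, hi, v: struct.pack(lo, v) + struct.pack(hi, v)   # ISO "both-endian" fields

def _dir_record(ident, lba, size, is_dir):
    rec = bytearray(33) + ident
    rec[2:10], rec[10:18] = _both("<I", ">I", lba), _both("<I", ">I", size)
    rec[25], rec[28:32], rec[32] = (2 if is_dir else 0), _both("<H", ">H", 1), len(ident)
    if len(rec) % 2:
        rec.append(0)                          # records are padded to an even length
    rec[0] = len(rec)
    return bytes(rec)

def _descriptor(vtype, root_lba, escape=b""):
    vd = bytearray(SECTOR)
    vd[0], vd[1:6], vd[6] = vtype, b"CD001", 1
    vd[88:88 + len(escape)] = escape
    if vtype != 255:                           # 255 is the set terminator, no root record
        vd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
    return bytes(vd)

def build_sample_iso(files, joliet=True):
    """files: [(long_name, short_8_3_name)]. Layout: 16 system sectors, PVD, SVD,
    terminator, PVD root dir (sector 19), Joliet root dir (20), zero-filled file data."""
    def directory(lba, names, enc):
        body = _dir_record(b"\x00", lba, SECTOR, True) + _dir_record(b"\x01", lba, SECTOR, True)
        for i, n in enumerate(names):
            body += _dir_record(enc(n + ";1"), 21 + i, 16, False)
        return body.ljust(SECTOR, b"\x00")
    img = bytearray(SECTOR * 16)
    img += _descriptor(1, 19) + _descriptor(2, 20, b"%/E" if joliet else b"") + _descriptor(255, 0)
    img += directory(19, [s for _, s in files], lambda n: n.encode("ascii"))
    img += directory(20, [l for l, _ in files], lambda n: n.encode("utf-16-be"))
    return bytes(img + bytes(SECTOR * len(files)))

if __name__ == "__main__":
    sample = build_sample_iso([("fakedocument.pdf.exe", "FAKEDOCU.EXE"), ("readme.txt", "README.TXT")])
    for finding in scan_iso(sample):
        print(finding)
```

Running it prints one finding per file in the image.  The Joliet check matters: the plain ISO 9660 directory only carries 8.3 upper-case names, so fakedocument.pdf.exe appears there as FAKEDOCU.EXE and the double-extension clue is lost; a gateway that reads only the primary volume descriptor still sees the .EXE, but not the disguise the user would see.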

Lately this exploit has been coupled with a BitCoin-related hook, with the ISO file going out as an attachment to an email advising you of a large deposit of BitCoin in your BitCoin wallet.  You are asked to open the ISO file for details about the transaction and instructions on how to collect your crypto-currency.

Ways to protect yourself from this type of attack include:

  • Watch for spelling and grammar mistakes.  These guys are seldom native English speakers, so wacky syntax can be a clue.
  • ISOs aren’t a common file attachment type.  This should just be added to your list of attachment file extensions to avoid.
  • Reveal your file extensions.  Microsoft decided we don’t need to see file extensions any more, because people didn’t understand what they are for.  I disagree.  Open Windows Explorer, click on the View tab, and turn on File name extensions.
  • Don’t trust links or attachments.  Find your own way to the web site, through typing the address or using a saved favorite or bookmark.

Additionally, if you never set up a BitCoin wallet, then you DON’T HAVE a BitCoin wallet.  And strangers are not going to send you a pile of money, regardless of the currency type.  Don’t be tricked just because it is new, exotic and kind of exciting.  “Ooh!  Someone sent me BitCoin!”  Probably a Nigerian Prince, no doubt.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
