Messaging Gateway

Filtering .pif (Program Information Files) to protect against Zberp Trojan

    Posted Jul 16, 2014 11:48 AM

    I was passed the following email today regarding an evolved version of the Zberp Trojan

    "An evolved version of the Zberp Trojan has recently been used to target businesses' financial data through low-volume email campaigns. It disguises a Windows 'PIF' (Program Information File) file extension as a PDF. Once the link to the file is clicked, the PIF can access information including names, IP, data in HTTP form, and FTP/POP accounts."

    Now I know I could simply use Symantec Messaging Gateway's Content Filtering to remove .pif extensions in the same way that I currently remove executable file extensions; however, the email indicates that the attachments are disguised as .pdf files. I can see no legitimate reason for sending or receiving .pif files, but I do need to allow .pdf files in and out of the business.

    As such, my question is: does anyone know if it's possible to configure a Content Filtering Policy that looks deeper than the file extension for detecting .pif files, allowing me to detect and remove them at the gateway? Alternatively, does anyone know whether SMG with the latest virus definitions is picking up all variants of Zberp (especially considering Symantec tweeted about Zberp back on May 29th 2014 - https://twitter.com/symantec/status/471957884772044800)?

    Any help would be much appreciated

    Regards

    John
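The check John is asking for, looking past the file extension at the attachment's actual bytes, as an added example that is not part of the original post and not a Symantec Messaging Gateway feature (whether SMG's Content Filtering can do true-file-type detection is not established on this page; this is a stand-alone Python script of the kind you could run as a milter or over a quarantined mbox). It relies on two facts: Windows executes a .pif attachment, and the .pif files used in these campaigns are ordinary PE executables, so they carry the MZ header and a "PE\0\0" signature at the offset stored at 0x3C, while a real PDF begins with "%PDF-". The executable-extension list, the verdict names and the sample message are constructed for illustration. Legacy DOS-era PIF files are not PE images and would not be caught by the content check, only by the extension check.

```python
"""Screen e-mail attachments by content, not just by extension.

Added example: not Symantec Messaging Gateway code. Flags attachments that
(a) carry an executable extension anywhere in the name (invoice.pdf.pif),
(b) contain a PE executable under a harmless-looking name (Invoice.pdf), or
(c) are named .pdf but do not contain a PDF header.
"""
import email
import email.policy
import struct
from email.message import EmailMessage

# Extensions Windows will run directly; .pif behaves exactly like .exe.
# Assumed list for illustration, not SMG's own executable-extension set.
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "cpl", "bat", "cmd", "vbs", "js"}


def is_pe(data: bytes) -> bool:
    """True if data is a PE image: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_pdf(data: bytes) -> bool:
    """PDF readers tolerate junk before the header, so search the first 1 KiB."""
    return b"%PDF-" in data[:1024]


def extensions_of(filename: str) -> list:
    """Every dotted suffix, lowercased: 'Invoice.pdf.pif' -> ['pdf', 'pif']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def screen_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    exts = extensions_of(filename)
    bad = [e for e in exts if e in EXECUTABLE_EXTENSIONS]
    if bad:
        return ("block", "executable extension ." + bad[-1])
    if is_pe(data):
        return ("block", "PE executable content under a non-executable name")
    if exts and exts[-1] == "pdf" and not is_pdf(data):
        return ("quarantine", "named .pdf but content is not a PDF")
    return ("allow", "")


def screen_message(raw: bytes) -> list:
    """Screen every attachment of a raw RFC 822 message: [(name, verdict, reason), ...]."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        verdict, reason = screen_attachment(name, payload)
        results.append((name, verdict, reason))
    return results


def build_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable) for the sample."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20  # PE signature + padding


def build_sample_message() -> bytes:
    """Constructed message: one real PDF, one PE renamed .pdf, one double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "john@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(build_pe_stub(), maintype="application", subtype="pdf",
                       filename="Invoice.pdf")
    msg.add_attachment(build_pe_stub(), maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample_message()):
        print(f"{verdict:10} {name:20} {reason}")
```

The order of the checks matters: the extension test runs first so that anything Windows would execute is dropped regardless of content, and the PE test runs before the PDF test so a renamed executable is blocked rather than merely quarantined as a "not a PDF" mismatch. A sender's declared MIME type is never consulted, since the attacker controls it.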