Increase in Office Documents Using DDE to Distribute Malware

Thursday, October 26th, 2017 | Mark Bedford

I note from our monitoring that we have seen an uptick in tainted Office attachments or inline RTF documents that use DDE to launch malware or a downloader. The edge email gateway is now detecting the current batch of these as “Troj/DocDl-xxx” and Sophos endpoint is detecting these as “Troj/DocXX-xxx”.

Most people are “macro” savvy, but DDE (which has been around for a long time) is a new method of propagating malware.

So if you receive an Office attachment via email and, when you view or open it, you get a warning such as:

Clicking No will prevent the DDE attack from launching.

If you click “Yes” at the first dialog, you will get another dialog warning that a command is about to be started, similar to:

The “No” option is the way to prevent the attack.

If you do receive documents that contain these, validate the sender’s email address and use an alternative method (not email) of contacting the sender to confirm their intent in sending the DDE documents.
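For those handling the attachments rather than just opening them, a DDE field is visible in the document’s XML before Word ever shows the first dialog. The following is an added example (not code from this post or from Sophos) that unpacks a .docx and reports any DDE or DDEAUTO field instructions; the two sample documents are constructed in memory, and the executable path inside the first one is a placeholder, not a real payload.

```python
"""Scan a .docx for DDE / DDEAUTO field codes (the mechanism described above).

Added example, not code from the original post. The sample documents are
constructed inline so the check runs offline; the field target in the first
one is a hypothetical placeholder, not a real command.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Word field keywords are case-insensitive; DDE and DDEAUTO are the two that
# make Word start an external program when the document is opened.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _field_instructions(xml_bytes):
    """Yield every field instruction string found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    # Simple fields keep the whole instruction in one attribute.
    for fld in root.iter(f"{{{W_NS}}}fldSimple"):
        yield fld.get(f"{{{W_NS}}}instr", "")
    # Complex fields split the instruction over several w:instrText runs inside
    # one paragraph, so join them per paragraph before matching.
    for para in root.iter(f"{{{W_NS}}}p"):
        parts = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if parts:
            yield "".join(parts)


def find_dde_fields(docx_bytes):
    """Return the DDE/DDEAUTO field instructions in a .docx (empty list if none).

    Every WordprocessingML part is scanned, not just document.xml, because a
    field placed in a header, footer or footnote fires just the same.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                try:
                    instructions = list(_field_instructions(zf.read(name)))
                except ET.ParseError:
                    continue
                hits.extend(i.strip() for i in instructions if DDE_RE.search(i))
    return hits


def _make_docx(body_xml):
    """Build a minimal .docx in memory (constructed sample input, not a real file)."""
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample 1: a complex field whose instruction is split over two
# runs, the way Word writes it. The target is a placeholder, not a real command.
DDE_DOC = _make_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\placeholder\\app.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"constructed sample" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)
# Constructed sample 2: an ordinary DATE field, which must not be flagged.
CLEAN_DOC = _make_docx(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>26 October 2017</w:t></w:r></w:fldSimple></w:p>'
)

if __name__ == "__main__":
    for label, data in (("dde", DDE_DOC), ("clean", CLEAN_DOC)):
        print(label, find_dde_fields(data))
```

Inline RTF, which the post also mentions, is a different container and is not covered by this zip-based check; for RTF the same keywords appear in the `\fldinst` group and need a separate parser. Note also that the regex is deliberately loose: a field that merely contains the word DDE is worth a human look, so a few false positives are preferable to missing a split or padded instruction.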

Sophos Security Facebook video (no authentication required to view) https://www.facebook.com/SophosSecurity/videos/10155119823700017/

Naked Security article on the DDE attack https://nakedsecurity.sophos.com/2017/10/22/office-dde-attack-works-in-outlook-too-heres-what-to-do/

This Microsoft article explains how to view all email messages as plain text: https://support.microsoft.com/en-ca/help/831607/how-to-view-all-e-mail-messages-in-plain-text-format


Email “Virus” Outage Incident Report

Tuesday, March 7th, 2017 | Jim Cheetham

Summary

On Thursday 2 March 2017, email to and from the Internet between approximately midnight and 7am was being incorrectly classified as containing a virus, and this caused some messages to be permanently lost. Inbound email was described as having been quarantined, but this was not correct; the original messages had not been preserved.

Between 7am and midday on the 2nd, the email service was effectively shut down for investigation and repair. By midday, all services had been restored. All email sent from 7am onwards would eventually be delivered normally.

Although not yet officially confirmed by the vendor, the cause of the problem was a corrupt or absent antivirus update to the edge email servers.

Timeline

Thursday 2 March 2017

  • Midnight to 1am : Inbound email is increasingly being marked as [PMX:VIRUS] and notification versions of the originals are being delivered to end-users.
  • 2:30am : outbound email is now being marked as infected, and is rejected (i.e. the senders are being notified that their messages are not being sent out).
  • 6:30am : The Information Security Office becomes aware of the issue, and halts all of the inbound and outbound email services in order to investigate.
  • 7:15am : Vendor documentation describes the error that is being seen, but the recommended fix does not work.
  • 8:10am : Our external support partner pro-actively contacts ISO to inform them that there is a current issue affecting multiple customers globally.
  • 8:30am : First ITS Service Notice published – updated with current information at 10:30, 11:30, 12:30 and 3:30
  • 10:00am : Announcement “Email delivery issues” emailed to all-depts@ and CITSP@
  • 10:20am : Outbound email services are restored, but only by disabling the normal antivirus checks. This is not a suitable choice for inbound email, however; this remains shut down.
  • 11:50am : Vendor supplies a working update to the antivirus; testing confirms that this fixes the problem properly.
  • 12:15pm : Inbound email services restored. All email sent to us since 6:30am will eventually be delivered normally.
  • 3:20pm : efforts to restore original copies of the incorrectly-marked inbound email are unsuccessful, and are halted. A further announcement “Re: Email delivery issues” is sent to all-depts@

Remediation

We will review the vendor’s incident report when this is published in order to identify any improvements we need in our configuration.

We will investigate the failed quarantine action that caused the mis-categorised email to have been lost.

We will discuss this incident within the context of Disaster Recovery and Business Continuity Plans, to see if any improvements need to be made to these.

What is Ransomware?

Monday, March 7th, 2016 | Mark Borrie

In recent years another new term has emerged to describe yet more malicious software that attacks users. This one is called ransomware.

So what does ransomware do?

When a computer becomes infected with this software, all the files on the computer get encrypted. The user is then notified and offered the option of paying a ransom to get the secret decryption key in order to recover the files. If the user refuses to pay up, all the encrypted files are lost.

There has been a large increase in ransomware attacks worldwide in recent months. The Information Security Office team is seeing large numbers of spam emails being intercepted here at Otago that are connected to ransomware attacks.

A recent attack

Many staff recently received an email claiming to be from a lawyer that suggested the user had breached copyright on some material. This spam was deliberately sent during the weekend so that users would not have the usual support channels available (Alarm bell #1). This email was sent to many other Universities.

An analysis of the email from another institution revealed some interesting things.

  • The email had a zip file attached (Alarm bell #2)
  • The zip file attached to the email contained a PDF that had a script in it (Alarm bell #3)
  • This script requested the user to install a special font in order to read the pdf (Alarm bell #4)
  • If the user (or their IT support person) finds the font and installs it then the ransomware is installed and immediately starts encrypting all the user’s files INCLUDING those on file shares.

Protecting yourself

Targeted spam attacks are getting more sophisticated. They use real companies’ and individuals’ names. They are sent outside normal work hours, i.e. during weekends or holidays, or overnight. They often appear to be relevant to the target people, e.g. copyright issues for academics, or account information for financial staff.

Things to do (or not do)

  • Do not respond to unexpected emails outside work hours (It really isn’t that urgent)
  • Do not respond to requests to “take an action” (It truly is not that urgent)
  • Check with IT staff or colleagues if you get an unusual email. Chances are it will be a known attack, or it will alert staff of a new one under way
  • Be prepared. Make sure all your data files are properly backed up. Some of the ransomware attacks are now targeting backups as well as file shares so backups should not be accessible to the attack

For more information or assistance, contact the ITS ServiceDesk or the Information Security Office.

Malware – more than just a virus?

Thursday, March 3rd, 2016 | Mark Bedford

It seems that the term malware is causing confusion. The term covers a wide variety of malicious activity and is a contraction of the two words “malicious software”. It is generally used in the information security area to refer to software that is malicious in intent; it does not cover unintentionally bad or faulty software.

There is a type of malware called spyware which is sometimes embedded in applications that appear useful but may have additional hidden functionality that gathers marketing information.

This month’s SANS Ouch newsletter describes it in more detail and provides some tips on ways to protect yourself.

Psychological trick used for spam

Friday, June 26th, 2015 | Taichi Nakamura

Subject Title “stop spamming me”

There was an interesting spam message caught today by the university email spam filter system.
It used a psychological trick to manipulate people’s behaviour.
The subject line and the content contained a complaint about spam being sent continuously from a certain department, and a Microsoft Word document was attached with the details of the spam the sender was supposedly receiving.

What made this spam unusual was that it avoided being deleted instantly by not using the common subject lines and opening sentences that spammers use.
It was then carefully sent to a third-party employee who would be interested in helping.
The spammer’s hope was that the employee would try to be helpful; failing that, natural human curiosity would lead the employee to click the attachment.

Of course, after that the malware hidden in the Word document would infect the PC.

More Specific

The spam looked like a genuine complaint, but the complaint was not real.
The sender’s and receiver’s email addresses were forged, but with recent standard email applications usually hiding the headers by default, it would be difficult for the receiver to spot this.

The subject line and contents did not look like common computer-generated spam, but rather like a complaint written by a native English speaker.
Nothing identified it as spam. It gave enough, but minimal, information, creating a need to investigate further to understand the full picture.
This made it more likely that the employee would read the contents rather than discarding the spam straight away, and then check the attachment.

The receiver was not associated with the department complained about in the spam’s contents, but it did look like a genuine complaint, with real department names included.
So if the employee tried to be helpful, he or she could easily have been tricked into checking the attachment and then been infected by the malware.

How to Avoid

Best practice is never to open an email attachment unless you know who it is from, are expecting it, and are absolutely sure it is legitimate.
If there is an attachment you are not expecting, it is best to be suspicious and contact the sender or the Information Security Office for clarification.

Recent Type of Spams

Spam often gives the impression that the matter is critical and must be responded to immediately, and requests that you do something.
It often contains malicious attachments or links.

Recent spam types:

  • Bank requesting change of passwords
  • Helpdesk informing you that your email account is out of quota and to click on a link to avoid getting locked out
  • Someone wealthy overseas wanting to send money or funds
  • Unknown parcels having difficulty being delivered
  • Copyright and other infringement notices that you do not recognise the reason for
  • Conference and paper submission invites
  • Sales of equipment and goods
  • Apple iTunes and other vendors’ apps and services requesting that you go to a website and authenticate

Phone-to-email Spam

Wednesday, November 26th, 2014 | Jim Cheetham

Can I send you an email?

In the last few months there has been a rise in “pretexting” phone calls from legitimate marketing organisations, probably in response to anti-spam legislation around the world.

The usual script is an unsolicited phone call from a real live human, asking for permission to use your email address in order to send you some marketing material, usually described as a “White Paper”.

The calls are often made over a low-quality connection (i.e. cheap VoIP) and come from non-native English speakers (a kind way to suggest “offshore call centres”). However, they do generally respond well to a polite “No thanks” as an answer, and to requests to not be called again in the future. If permission is given the eventual email usually represents a legitimate trading company of some sort.

All in all, no real problem.

I have a business opportunity for you!

However, we’re beginning to hear of the same approach being used by spammers, particularly of the advance-fee fraud variety. A small amount of research (i.e. get your name and job title from a website), a hacked VoIP system (which lets them call anywhere in the world for free), and a fresh email address from one of the big free webmail providers potentially gives these criminals a much more direct line to your mailbox and your attention.

This is a particular worry because it won’t be long before these techniques are used for distributing fresh malware – you receive a difficult-to-understand phone call from someone with urgent information to send to you, and a couple of minutes later in comes the email, along with a juicy PDF attachment. Would you resist the temptation to click? How can you tell the difference between an attack, and a real foreign student or academic trying to work with the University?

(Some of you reading this might suddenly realise that you already open too many attachments without stopping to check fully the source!)

What should you do?

The best defence if you are unsure would be to check with your colleagues, see what they think; to check with your IT support; or to ask the ITS Information Security Office for an opinion.

If you don’t have an opportunity to get a second opinion, you have a few technical opportunities to reduce the risk. Firstly, wait a while … come back to the message in a couple of hours’ time. If the message came out of hours, just don’t open it until you are back at work. Remember that just because it seems to be urgent to someone else, it is not necessarily urgent to the University!

Instead of just opening the attachment, ask your anti-virus software to scan it. This is best combined with the “wait a while” approach – if this is a new malware sample (there are tens of thousands per day automatically created), give your AV software time to get an update from the vendor.

Thirdly, open the attachment in an unusual program. For example, malware PDFs often only successfully attack Adobe Acrobat Reader, so if you have a different PDF reader available you could use that. Instead of opening untrusted attachments with Microsoft Word, open them with a copy of LibreOffice. If your job role means that you will be receiving unsolicited attachments regularly, get your IT support to help you install these alternatives.

Finally, if you are in any doubt, leave the file alone and refer the whole thing to the Information Security Office. We can check a lot more details to find out what is going on, and we really don’t mind being asked.

Thursday, November 21st, 2013 | Mark Bedford

Well, it is hard to believe that we are well into November, and what a month it has been. First there was the recent Adobe password debacle, in which 150 million email addresses, their password hashes and the password hints were exposed on the internet. Then there was Kiwicon, the New Zealand hacker conference in Wellington, where “AmmonRa” took us for a ride.

With the Christmas shopping season just around the corner many will be purchasing online and there are the usual reminders. Things to watch out for are nicely organised in this SANS article by Lenny Zeltser.

While you are shopping, perhaps this Microsoft blog article from Holly Stewart will encourage you to finally ditch your old XP computer. A couple of noteworthy points in the article are that XP is six times more likely to get infected than Windows 8, and that when XP Service Pack 2 went out of support its infection rate was as much as 66% higher than that of the supported XP Service Pack 3. So plan now to buy your Windows 8 replacement computer before it gets infected.


There isn’t a police investigation under way

Monday, June 25th, 2012 | Gene Teo

Update: Graham Cluley at Sophos has also blogged about this email variant, with some additional detail.

A new variant of the “Do [Something Important] by opening the attached file” scam has arrived. The goal is to trick you into running the malware that is attached. While most antivirus software will detect and prevent you from running known malware, 100% accuracy is impossible, and new malware variants may not be detected when they have just been released. Here’s what the email looks like:

Subject: The police investigation is under way now. You’ll be really sorry about what you have done.
Hello there
Do you know who posted these photos online?? This is strange cause there’s your FB acc there. Why did you do it and how did you get my photos?? This is a crime actually do you know?? I put one photo in attachment. We have to clear this thing or else I’ll have to contact my lawer!

Flashback Malware Infecting Macs

Thursday, April 12th, 2012 | Gene Teo

[Screenshot: Java for OS X Lion 2012-003 update]

Edit: 9:29am 13 Apr 2012 – Apple have just released “Java for OS X Lion 2012-003” – a security update that removes the most common variants of the Flashback malware, and also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

A new variant of Java-based malware dubbed “Flashback” has been spreading rapidly on OSX – some reports suggested over 550 thousand Macs were infected as of 4 April 2012. It gains a foothold on a vulnerable system and can be used to download more malware at a later date.

There has been lots of publicity about Flashback, mainly because Apple contributed significantly to the problem by releasing a fix 8 weeks late. Ed Bott summarizes the situation very well in a blog post at zdnet.com.

It is caused by attackers exploiting several bugs in Java to trigger a “drive-by” infection of vulnerable computers. This means viewing a malicious website is enough to infect your computer. Java is used to run various applications and comes built in to most Apple computers. The official Apple support document (HT5228) is very brief, and only notes that “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7” fixes multiple vulnerabilities in Java 1.6.0_29. While Java is made by Oracle, Apple manages Java updates to OSX independently.

Lessons:

  • Macs and OSX should not be viewed as “more secure” than Windows or other operating systems, especially since Apple has a history of being slow in releasing security fixes.
  • Antivirus software should be installed on all computers – it is cost effective protection against most threats.

What you should do:

Detection and removal (Technical users only):

  1. Check the DYLD_INSERT_LIBRARIES environment variable in web browsers, or visit flashbackcheck.com or www.drweb.com/flashback/?lng=en to detect infected computers.
  2. Rebuild infected machines from known good media. Cleanup should only be opted for where a rebuild is prohibitively costly.
  3. Manually clean up the infection, or use a removal tool: we know of tools from Apple (via Software Update), Kaspersky and F-Secure.
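Step 1 above amounts to looking for a DYLD_INSERT_LIBRARIES entry that a browser would pick up at launch, either in the application bundle’s Info.plist (under LSEnvironment) or in the per-user environment property list. The following is an added example (not from this post, Apple, or any vendor removal tool) that parses such property lists and reports the entry; the two plists are constructed inline, the library path in the first is a placeholder and not a real Flashback indicator, and the file locations in DEFAULT_PATHS are assumptions about where those files lived on OS X of that era.

```python
"""Report DYLD_INSERT_LIBRARIES entries in property lists (the check in step 1).

Added example, not from the original post or any vendor tool. A normal
browser bundle has no such key at all, so any value is worth a look.
"""
import plistlib
from pathlib import Path

KEY = "DYLD_INSERT_LIBRARIES"

# Assumed locations for the era: the browser bundles' Info.plist files and the
# per-user environment file that launchd read on OS X 10.7 (assumption).
DEFAULT_PATHS = [
    Path("/Applications/Safari.app/Contents/Info.plist"),
    Path("/Applications/Firefox.app/Contents/Info.plist"),
    Path.home() / ".MacOSX" / "environment.plist",
]


def dyld_insert_entries(plist_bytes):
    """Return every DYLD_INSERT_LIBRARIES value found in a plist.

    The key is checked both at the top level (environment.plist style) and
    inside the LSEnvironment dictionary (Info.plist style).
    """
    data = plistlib.loads(plist_bytes)  # handles XML and binary plists
    found = []
    if isinstance(data, dict) and KEY in data:
        found.append(str(data[KEY]))
    env = data.get("LSEnvironment") if isinstance(data, dict) else None
    if isinstance(env, dict) and KEY in env:
        found.append(str(env[KEY]))
    return found


def scan_paths(paths=DEFAULT_PATHS):
    """Read each plist that exists on this host; return (path, values) for hits."""
    hits = []
    for p in paths:
        if not p.is_file():
            continue
        try:
            values = dyld_insert_entries(p.read_bytes())
        except Exception:  # malformed or unreadable plist: skip, do not crash the scan
            continue
        if values:
            hits.append((str(p), values))
    return hits


# Constructed sample: a Safari-style Info.plist with an injected library.
# The dylib path is a placeholder, not a real indicator of compromise.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.placeholder.dylib</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the same bundle with no environment overrides at all.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("constructed suspect plist:", dyld_insert_entries(SUSPECT_PLIST))
    print("constructed clean plist:  ", dyld_insert_entries(CLEAN_PLIST))
    print("this host:", scan_paths() or "nothing found at the assumed paths")
```

A hit tells you only that a library is being injected into the browser; it does not say which one, so treat it as a trigger for the rebuild decision in step 2 rather than as proof of any particular variant.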


Sophos report

Thursday, August 4th, 2011 | Mark Bedford

The folks over at Sophos have released their mid year report on security threats: Sophos Mid-Year 2011 Security Threat Report [PDF] (free registration required to view).

Some highlights include:

  • 60% increase in malware over 2010, with Sophos seeing more than 150,000 new malware samples daily
  • 19,000 malicious webpages identified daily, with 80% being pages on legitimate websites that have been hacked or compromised
  • 81% of people surveyed by Sophos said Facebook posed the biggest social networking risk with increased amounts of scams, click-jacking, survey spam, and identity theft
  • 30% of all malware detected by Sophos served via black hat SEO poisoning

For those in a hurry, Naked Security have a short summary available.