OT: Mailware

In case anyone missed it, a new mailware virus locks your files.

Back to blocking zip files...

Cheers

Reply to
Martin Riddle

Don't open unsolicited mail? Don't open attachments? (exp those known to be executables) Run mail reader in a sandbox?

I presume the aforementioned virus is a payload in a ZIP file? But, opening the file shouldn't cause execution -- unless the ZIP implementation has exploits?

Reply to
Don Y


Excuse me, but there have been self-extracting ZIP files since at least 1993! And that is all that is needed to start the ball rolling.

Reply to
Robert Baer

A friend of mine got stung by this malware. The file was an executable that had a file name that looked like a PDF (to the casual PC user). Fortunately, he did have a relatively recent backup and didn't have to pay the $300 ransom...

Bert

--
Bert Hickman 
Stoneridge Engineering 
Reply to
Bert Hickman

A self-extracting ZIP file is an executable, last time I checked! Using MS's concept of "file type" indicated by the file's extension, that means it would be .exe, .com or .bat (the latter being batch files but MS considers those executable).

You could similarly have a script file (.cmd/.vbs), Excel/Word/etc. file with a startup macro, yada yada yada.

Unless you KNOW it can't invoke code (directly or indirectly), why open it outside of a sandbox? And, if not from someone you recognize, why bother giving it a "FIRST look" at all?!

Reply to
Don Y

I can't believe the disk's *contents* get encrypted. Takes a LONG time to process many gigabytes -- and NOT stomp on anything the OS needs, etc. At best, possibly something scribbles on an allocation table or hooks a driver routine intercepting disk accesses.

Would have been nice to examine such a system afterwards to verify the data was still intact -- just obfuscated! E.g., mount the drive in another machine as a secondary disk and examine it with a "real" system.

Reply to
Don Y

Not realistic in an environment where you get enquiries with attached Excel or Word 2007/10 documents which *are* in ZIP file envelopes.

It is impossible these days to educate users to only use safe plaintext.

The trouble is by default Windoze hides the potentially lethal .exe file extension from the most vulnerable ordinary users.

Ostensibly to "help" them to avoid clutter. The OS warning "do you trust this unsigned executable program to run" probably comes up, but users are habituated to ignoring it and clicking run because so many major manufacturers fail to sign their driver update packages properly.

If we are really out of luck then the cryptographic signatures on exes has been broken and then even experts are up shit creek.

Depends just how good your sandbox is. I favour running a mail reader that isn't from Microsoft and so not quite so riddled with buffer overrun exploits and defective rendering engine, JPEG and TIFF decoders.

Arguably the first time any new unrecognised unsigned executable is run it should be stuffed inside a tough virtual machine and observed for any potential attempts to subvert the OS. It makes no sense to run anything untrusted in the main machine unless it *needs* to update the drivers or make genuine permanent alterations to installed programs or data.

It isn't like we don't have convenient virtual machine capability, and ISTR some AV products do now try to run mail clients this way (or provide an option for wizards to do so). Third party programs like Sandboxie (no idea how good it is in practice) offer this functionality.

The exploit works because the file is really something like

wreckmycomputer.zip.exe

But with a visible name like Fedex_012345_InvoiceToPay.zip (.exe hidden)

Windoze in its infinite wisdom strips the last recognised common filetype extension off the end to make things easy for dummies.

Most of these fakes come from Fedex or USPS and as such look a bit fishy in the UK although I do sometimes get Fedex deliveries I never get USPS ones for obvious reasons. Others claim to come from your bank.

If you are paranoid and use paranoid settings on your PC and examine headers there isn't that much risk but if you click on every last attachment (as monkeys in a corporate environment are inclined to do) you had better have a very recent backup and a way to detox and sterilise the PC completely. Ordinary users are sitting ducks now!

Funnily enough I spent most of yesterday afternoon rescuing a client from a similar but not quite so virulent piece of ransomware. He had about three other lesser infections - all of them had got past and then disabled his AV product without the latter even noticing :(

--
Regards, 
Martin Brown
Reply to
Martin Brown

No. It is an executable *pretending* to be a ZIP file.

A self extracting ZIP file is an EXE executable. They are potentially lethal and should be always treated like a UXB from the outset. Arguably the warning about running unsigned executables isn't strong enough or scary enough to prevent end users clicking on malware :(

The problem here is that by default Windows hides common file extensions from basic users and .EXE is one of the types it hides. The ZIP file the poor sucker users see is really called:

wreckmycomputer.zip.EXE

With the final .EXE "helpfully" hidden by the OS for "clarity".

--
Regards, 
Martin Brown
Reply to
Martin Brown
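
The double-extension trick described in the two posts above (a real name of `wreckmycomputer.zip.EXE` displayed as `wreckmycomputer.zip` once Explorer hides the last extension) can be caught at the mail gateway before a user ever sees the icon. The following is an added example, not code from anyone in this thread: it reproduces what the hidden-extension display would show, flags attachments whose real extension is one of the executable types the posts name, and runs over a constructed sample message (sender, subject and the "MZ" stub are made up for the demo).

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the thread names as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs"}
# Extensions a casual user reads as "just a document or archive".
DOCUMENT_EXTS = {".zip", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def explorer_display_name(filename):
    """Mimic Explorer with 'Hide extensions for known file types' on:
    only the final extension is dropped, so 'a.zip.exe' shows as 'a.zip'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def classify_attachment(filename):
    """Flag executables, and note when the hidden-extension display name
    would pass for a document (the double-extension trick in the thread)."""
    real_ext = os.path.splitext(filename)[1].lower()
    displayed = explorer_display_name(filename)
    displayed_ext = os.path.splitext(displayed)[1].lower()
    is_exec = real_ext in EXECUTABLE_EXTS
    return {
        "name": filename,
        "displayed_as": displayed,
        "verdict": "block" if is_exec else "allow",
        "disguised": is_exec and displayed_ext in DOCUMENT_EXTS,
    }

def scan_message(raw):
    """Classify every named attachment in an RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [classify_attachment(p.get_filename())
            for p in msg.walk() if p.get_filename()]

def build_sample():
    """Constructed lure (not a real message): a two-byte stub attached under
    the double-extension name quoted in the thread."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"      # constructed sender
    msg["Subject"] = "Invoice to pay"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="Fedex_012345_InvoiceToPay.zip.exe")
    return msg.as_string()
```

The check is deliberately name-based, which is what the user sees; a gateway would pair it with content inspection, since a renamed executable is still an executable.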

Most of the latest generation purport to come from your bank, Fedex, PayPal, eBay, USPS and contain an EXE file masquerading as a ZIP or PDF file. There are some direct exploits of .PDF too :(

The simulation of the actual layout of the main email body is *VERY* good indeed - only minor details like the form of salutation are wrong. Many links (but not usually all) actually point to the real site.

I fairly often get unsolicited mail from people I have not previously met asking for assistance that may lead to contract work. I can't afford not to open emails from people I don't immediately recognise.

These days they usually send a MS Office 2007/10 document which is actually a ZIP file encapsulation masquerading as .DOCX or .XLSX.

Hiding file extensions was always a bad idea as is letting an ordinary user run any kind of unknown unsigned executable received by email.

In a corporate setting the desk monkeys will click on any damn thing with hostile attachments that the mail filters happen to let through.

--
Regards, 
Martin Brown
Reply to
Martin Brown

Use a sandbox. It can't prevent *theft* of information (if you are online at the time) as things in a sandbox can still *read* files/registry -- but, at least it can prevent them from *writing* to your media.

If you later decide this is a "safe attachment", you can always save it to the "Desktop" (which is actually the sandboxed portion of the desktop) and then drag it back onto your *real* medium just prior to shutting down/emptying the sandbox.

Yup. Even harder to teach them about sandboxes!

Ah. Uncheck "hide file extensions". Don't know how people can work with them hidden! You end up with lots of things with the same (apparent) name!

I think there are already "threats" introduced by bogus key certificates. I.e., would you know if an executable from AutoCAD (instead of AutoDesk) was valid -- even if *signed* by said entity?

Wanna buy a Rollegs watch? :>

See above. Not a perfect solution but a big step above alternatives!

Anything suspicious I run in sandbox. Then, look to see what it has altered in the "/Sandbox" version of the filesystem. If I see *any* suspicious scribbles (why are you writing to /Sandbox/Windows/system32?) I toss it. Folks shouldn't be sending me things that do that -- even if it has ACTUALLY been sent from a friend's account (possibly because the account was compromised)

[SWMBO has received a few emails *legitimately* from friends, recently, that she was smart enough NOT to open. I.e., none of them would ever use an ambiguous subject line of "Hey there!". I register all my accounts with bogus first names so I can recognize something that has been "harvested" blindly.]

I figured that out when you alluded to "hidden file extensions". Folks also hide bogus URLs behind "innocent" or misleading text (don't click on links in email, etc.)

Avoiding online accounts goes a long way to avoid these things. :> Folks also "respond" to unsolicited calls -- from all sorts of agencies!

"Wow, police, eh? Can you give me your number and I'll call you back in 30 seconds..."

*click*

(CID can be forged relatively easily. A lot harder to have an accomplice sitting by the phone *at* the police station!)

I don't let any of my machines talk to the outside world (except "disposable" ones). Suspect something funny? Restore the original disk image and start over again (so I lose anything I may have downloaded prior to that -- but, those would be suspect, as well!)

A fair bit of discipline but seems to work well.

Reply to
Don Y
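
The post above checks what an attachment altered in the "/Sandbox" copy of the filesystem and tosses it if anything landed under Windows/system32. The following is an added example of that before/after comparison, not code from this thread: it hashes a directory tree before and after the suspect file is opened, reports what changed, and flags any change under a sensitive prefix. The sandbox tree, the file names and the "MZ" stub are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Sandbox-relative prefixes where a mere "document" has no business writing.
SENSITIVE_PREFIXES = ("Windows/system32",)

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    seen = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                seen[rel] = hashlib.sha256(fh.read()).hexdigest()
    return seen

def diff_snapshots(before, after):
    """Return added, modified and removed relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    return {"added": added, "modified": modified, "removed": removed}

def suspicious_writes(changes):
    """Paths touched under a sensitive prefix: grounds to toss the attachment."""
    touched = changes["added"] + changes["modified"] + changes["removed"]
    return [p for p in touched if p.startswith(SENSITIVE_PREFIXES)]

def demo():
    """Constructed sandbox tree: the opened 'document' drops a file in
    Windows/system32 and edits a user file. Returns (changes, flagged)."""
    with tempfile.TemporaryDirectory() as box:
        os.makedirs(os.path.join(box, "Windows", "system32"))
        os.makedirs(os.path.join(box, "Users", "me"))
        with open(os.path.join(box, "Users", "me", "notes.txt"), "w") as fh:
            fh.write("before")
        before = snapshot(box)
        # Simulated activity of the attachment (constructed, not real malware).
        with open(os.path.join(box, "Windows", "system32", "dropped.dll"), "wb") as fh:
            fh.write(b"MZ")
        with open(os.path.join(box, "Users", "me", "notes.txt"), "w") as fh:
            fh.write("after")
        after = snapshot(box)
        changes = diff_snapshots(before, after)
        return changes, suspicious_writes(changes)
```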

PDF's are really hard to "check for malware". Any readers that become popular enough will soon find their exploits targeted, "conditionally" :-/

A sandbox is your friend.

Yup. Too easy to make (wrong) assumptions!

I've colleagues who simply strip attachments from incoming mail before it is delivered to mbox. Kinda Draconian but they're also running mail servers so have more at stake.

Reply to
Don Y

Drive encryptors aren't new. Typically they work gradually from one end keeping track of where they are up to.

--
For a good time: install ntp 

Reply to
Jasen Betts

I don't know about the US phone system but in the UK the originating caller can hold the line open until they finally put the receiver down (or a very long timeout) and there is a very sophisticated scam script that relies on instructing the called party to look up the right trusted number from their bank statement and dial it.

It doesn't matter what you do. They fake the dial tone and when you dial you will be connected to your bank/CID no matter what number you actually dial. If I am in doubt I dial my own number or call from a different line or mobile. Many people have been badly stung by this one.

I have had one or two pretty silly ones with credit card companies where I had reported their unsolicited cold calls as possible fraud attempts. Banks are almost as bad. One was when they activated "Barclaycard (in)Secure" without first warning their customers of what looked like and still looks like a man in the middle attack.

--
Regards, 
Martin Brown
Reply to
Martin Brown

Excellent suggestion. Who is willing to stick out their PC (neck) and actually do this..and then report back DETAILS?

Reply to
Robert Baer

For the last ten years, I ALWAYS set up a Win OS for NO HIDE extensions, un-check ALL "hide" BS. And I have recommended the same to everyone. There is NO EXCUSE for this hidden crap.

Reply to
Robert Baer

I do not use a sandbox, and have been careful concerning attachments and unsolicited e-mails. I use FedEx and a few well-known banks, but when I GET something that LOOKS* like it is from one of those sources, I toss it IMMEDIATELY. *Looks in most cases are identical to the real thing including copyright. If so, I make a text copy, add in headers and forward to their spam department. No problems yet.

Reply to
Robert Baer

I use webmail exclusively; adds one step of protection before incoming e-mail is seen. Gmail catches almost everything, and I have yet to see a non-spam e-mail in their spam box. Your ISP can forward e-mail to Gmail and NOT keep it in their system.

Reply to
Robert Baer

I think that has been "fixed". I know ages ago I received a long distance call (when LD was expensive) and the calling party failed to return the handset completely to the cradle. Every time I picked up *my* phone (to make a call), I could hear their background conversations.

I finally called a neighbor to knock on their door and tell them to hang up the phone. I suspect it was a very expensive NON-call for them!

Now, the US system is so highly fragmented that I'm not sure you can count on any particular behavior. E.g., I suspect there may still be party lines in use, somewhere!

We don't use cell phones. And, are very keen on giving out home numbers to people. So, even if someone *does* call, the first thought we have is, "how did they get this number?". I.e., would *we* have ever given it to them? If not, we can be "cold" or outright *rude* (e.g., telemarketers, surveys, etc.).

Unlike most folks, we tend not to be "cowed" into behaving as the other party *hopes*.

E.g., unsolicited calls tend to not pause for a breath -- thinking you will be polite and NOT INTERRUPT them (until there is a pause for you to interject, "I'm sorry, we're not interested"). We neither wait for the pause nor bother to "apologize"... for *their* interruption!

The same trick is used by folks coming door to door -- just close it (no, not SLAM it) in their face. "Hey, you're the one who was rude and decided to deliberately interrupt my dinner -- cuz you knew I would be home at that time -- so why do I have to be 'polite' in how I respond to you?"

"May we please come in?" "Hell no!"

In theory (ha!) unsolicited calls are supposed to be prohibited, here. In practice, they come in spurts -- then the callers pack up and move to a new "location" and start over.

Law conveniently allows political calls. So, you learn to turn the ringer off immediately prior to elections.

Also allows "folks you have done business with" (in previous 6? months... maybe 18??) -- so, don't give any of those folks your phone number!

Paying with checks tends to want to see a phone number on the check. Of course, it doesn't have to be the *right* phone number! "We need it in case there is a problem with the check..."

(Um, if there was going to be a problem with the check, do you really think I would give you a way to hunt me down?? :> )

Cash for anything modest. Credit cards for anything sizeable (esp if I want to "protect" my purchase/rights). Problem with the transaction? Call the CC company, not me!

Apparently, the next generation is reversing the CC trend to some extent. Avoiding cases where they can get into high debt. Of course, their "solution" is to use debit cards instead -- which also have fees, etc. Don't know why folks are so averse to *cash*!

Reply to
Don Y

But they would have to do so quickly -- or, expect the user to be a complete idiot to NOT notice that something is happening!

I.e., far easier to run an allocation table through a one-way function scrambling the entire disk in a very small effort than to methodically chug through everything byte by byte.

E.g., even at 50MB/s, a 500G disk will take 10,000s (3 hours?) to encrypt!

(Obviously, they are being far more selective about *what* they encrypt -- as they still want to be able to use the computer to inform the user that he's been screwed. And, presumably, *undo* their actions once ransom has been paid (else the scam falls apart once it becomes public knowledge that you WON'T get your files back).)

Just don't expose anything to The Big Bad World unless you personally know it has been hardened against such threats. If the character string "MS" appears in the product name, the answer is "no".

You can't "back fill" security. You have to design with it in mind from the very beginning. Otherwise, someone will inevitably stumble on some scenario that you forgot about when you tried to "retrofit" the security.

Reply to
Don Y

It's not worth the "cost" of losing an email address. Get some "publication" to pony up some money for real details and I suspect folks will play with it!

Reply to
Don Y
