Showing posts with label Microsoft.

Tuesday 29 November 2016

Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from "61 2 97855412" - 2 page(s)


Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.


The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this. Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png
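A mail-gateway check for the kind of attachment described above, as an added example that is not part of the original post: it opens a ZIP, lists the Windows Script Host files inside it and reports whether they are byte-identical (as the two page1/page2 scripts were). The archive is constructed in memory with placeholder script text, not the real downloader.

```python
"""Inspect an e-mail attachment ZIP for script payloads.

Added example (not from the original post): flags ZIP attachments that
carry Windows Script Host files such as the two identical .js files in
Fax_11292016.zip, and reports whether the entries are byte-identical.
The sample archive below is constructed in memory.
"""
import hashlib
import io
import zipfile

# Extensions that WScript/CScript will execute when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def script_entries(zip_bytes: bytes) -> list:
    """Return one record per script-like entry in the archive.

    Each record has the member name, its uncompressed size and the SHA-256
    of its content, so identical droppers can be spotted across samples.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Take the last extension only: "invoice.pdf.js" is still a script.
            suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if suffix not in SCRIPT_EXTENSIONS:
                continue
            data = zf.read(info)
            records.append({
                "name": name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return records


def assess(zip_bytes: bytes) -> dict:
    """Summarise the archive: script count, names, and whether all scripts match."""
    scripts = script_entries(zip_bytes)
    digests = {r["sha256"] for r in scripts}
    return {
        "script_count": len(scripts),
        "all_identical": len(scripts) > 1 and len(digests) == 1,
        "names": [r["name"] for r in scripts],
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for Fax_11292016.zip: two identical .js members.

    The script body is harmless placeholder text, not the real downloader.
    """
    body = b"// placeholder script body (constructed sample)\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Fax_11292016_page1.js", body)
        zf.writestr("Fax_11292016_page2.js", body)
    return buf.getvalue()


if __name__ == "__main__":
    print(assess(build_sample_zip()))
```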

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:


Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com


Wednesday 16 November 2016

Phishing: "Office 365 Tax Refund Service" / updatemicrosoftonline.com

Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam..

From:    Microsoft Office 365 Team [noreply@cloud.baddogwebdesign.com]
Date:    16 November 2016 at 10:58
Subject:    Office 365 Tax Refund Service

Office 365 Microsoft

Office 365 Tax Refund Service.

CONFIGURE TODAY

Thanks for using Office 365. We are delighted to present our new service associated with HM Revenue & Customs. To continue processing your tax refund please configure your bank account.

It's easy to configure your bank account:

Sign in to your account.

Configure your bank account.

You are eligible to receive a tax refund of £537.25 GBP

Thanks for subscribing to Office 365. We hope to continue serving you.

Helpful resources

How to reactivate your Office 365 subscription
Already renewed? Verify your subscription here
What happens to my data and access when my subscription expires?
Get help and support for Office 365

This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager.

This message was sent from an unmonitored e-mail address. Please do not reply to this message.
Privacy | Legal

Microsoft Office
One Microsoft Way

The link in the email leads to updatemicrosoftonline.com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name it leads to an HMRC-themed phishing page..

This multi-phish page has twelve UK banks set up on it:

  • Barclays
  • Halifax
  • HSBC
  • Lloyds Bank
  • NatWest
  • Royal Bank of Scotland
  • Santander
  • TSB
  • Metro Bank
  • Clydesdale Bank
  • The Co-Operative Bank
  • Tesco Bank

Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft. The screenshots below are the sequence if you choose TSB bank.

Once you have entered all the information, the process appears to fail and you are directed to a genuine HMRC site instead.

A list of sites found in 89.248.168.0/24 can be found here [pastebin]. I suggest that the entire network range looks questionable and should be blocked.

Thursday 11 September 2014

"rooms reservation" spam leads to a malicious Word document

This fake hotel booking email has a malicious Word document attached:

From:     Zorita [info@convividautore.it]
Date:     11 September 2014 15:02
Subject:     rooms reservation

Dear Hotel Manager,

I would like to reserve accommodation for 5 single rooms in your hotel for 7 nights for 5 guests.

Arrival date will be on 16 September.

List any special requirements attached to letter.

Thank you for your prompt attention to the above, I look forward to receiving a letter confirming my reservation.

Kind Regards

The Word document attempts to persuade the victim to remove the security settings from the application:


The text says:

This error usually occurs because of macro security settings. To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings. If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro. In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification. Click OK in the Trust Center dialog box to apply the new setting. Click OK to close the program options dialog box. Close the file and the Microsoft Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.

The document itself has a VirusTotal detection rate of 9/54.

If you are foolish enough to do this, the document will then download an additional component from colfdoc.it/cart/update.exe (77.81.241.104) which in turn has a detection rate of 5/55. The ThreatTrack report [pdf] shows that the malware attempts to communicate with:

cityhotlove.com/datastat/datacoll.php (109.120.177.164)
cyklopesek.cz/css/r.pack (90.182.221.59)



I would recommend blocking the following:
109.120.177.164
cityhotlove.com
cyklopesek.cz
colfdoc.it

Friday 5 September 2014

Shakira death hoax email comes with a malicious Word document

This Spanish-language spam email reports the (fake) death of Shakira in a car accident. Attached is a Word document that contains a malicious macro.

From:     El Universal [eluniversal@eluniversal.org]
Date:     5 September 2014 14:50
Subject:     Shakira muere en grave accidente

Muere Shakira en grave accidente

Esta madrugada a las 1:10 A.M. en el barrio la Macarena, Colombia. La conocida cantante e intérprete Shakira Isabel Mebarak Ripoll, sufrió un grave accidente automovilístico en el cual perdio la vida. Abordo del vehículo también se encontraba su manager, que quedó con heridas graves. Testigos, dicen que el auto conducido por este último, se dirigia a exceso de velocidad..

Para ver imágenes exclusivas y detalles de la noticia adjuntamos un documento con toda la información sobre este trágico acontecimiento.

Ampliaremos.

El Universal © todos los Derechos Reservados  2014.

This approximately translates as:

Shakira dies in serious accident

This morning at 1:10 A.M. in the neighbourhood of La Macarena, Colombia, the well-known singer and performer Shakira Isabel Mebarak Ripoll suffered a serious car accident in which she lost her life. Also aboard the vehicle was her manager, who was seriously injured. Witnesses say the car, driven by the latter, was speeding.

To view exclusive images and details of the story, we have attached a document with all the information about this tragic event.

When attempting to open the Word document (IMAGENES_01.doc), the potential victim sees the following:


The rest of the document explains to the victim how to remove the security settings from Word, supposedly to enable them to view the pictures. But what will actually happen is that the malicious macro in the document will try to infect the PC.

This malicious document has a VirusTotal detection rate of just 2/54. According to an analysis of the document, it then appears to download additional components from an insecure Joomla site at [donotclick]www.papeleriaelcid.com/aurora/ajax/

This type of spam seems to commonly target Spanish-speaking South American victims (like this one).

In this case the originating IP was 207.150.195.247 (a SouthWeb Ventures IP allocated to a customer supposedly called "Microinformatica Gerencial, S.A. de C.V.").

Blocking the papeleriaelcid.com site and rejecting emails from 207.150.195.247 might be wise if you have Spanish-speaking users.




Thursday 17 July 2014

"Notificación de transferencia de fondos a su favor" spam

This Spanish-language spam has a malicious Word document as an attachment.

From:     HSBC Transferencias [Mexico_contacto@hsbc.com.mx]
Reply-To:     respuesta@hsbc.com.mx
Date:     17 July 2014 11:01

WELCOME TO HSBC!

The purpose of this e-mail is to inform you that today you received an SPEI transfer which is being held due to irregularities in your account. For more details on this situation, we attach a document in Microsoft Word format in which we explain the reason for the hold and the steps to follow.



Issuing bank: BBVA BANCOMER
Amount: $94,000.00
Date: 17/07/2014
Reference number: 89413


Status: Held
We recommend following the steps described in the document attached to this e-mail.


For any questions or clarifications we are at your service at contacto@hsbc.com.mx or, if you prefer, you can contact Internet Banking on the following telephone numbers:
     Mexico City (55) 5721 1635
     From any state in the Republic on 01800 4722 638, toll free.

We will be glad to assist you

The attachment is essentially the same as the one mentioned here which tries to lure the victim into removing their Word security settings so that a malicious macro can run.

The VirusTotal detection rate is a pretty poor 4/54. You can see some of the text strings in the Malwr report, which feature a reversed URL string of exe.ss/pw/arc/lc.paip//:ptth; read backwards, this is an attempt to download a file from http://piap.cl/cra/wp/ss.exe (currently 404ing). The VBA in the document can be found here [pastebin].
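The reversed-string trick in the Malwr string dump defeats a plain search for "http://", so here is a small scanner for it, added as an example (not from the original post or the Malwr report): it finds tokens ending in a backwards http(s):// marker, reverses them and keeps only the ones that parse as a URL. The string dump it runs over is constructed to mimic a strings listing; the downloader's other strings are placeholders.

```python
"""Recover reversed URLs from a macro string dump.

Added example (not from the original post): the document's VBA stores its
download URL backwards ("exe.ss/pw/arc/lc.paip//:ptth") so plain string
matching on "http://" fails.  This scanner looks for the reversed scheme
marker, reverses the surrounding token and validates it as a URL.  The
string dump below is constructed to mimic a strings(1) listing.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# "http://" and "https://" written backwards.
REVERSED_SCHEME = re.compile(r"//:s?ptth")

# Quote and punctuation characters that wrap a VBA string literal.
WRAPPERS = "\"'(),;"


def reversed_url_candidates(text: str) -> List[str]:
    """Return every whitespace-delimited token containing a reversed marker."""
    found = []
    for line in text.splitlines():
        for token in line.split():
            if REVERSED_SCHEME.search(token):
                found.append(token)
    return found


def decode_reversed_url(token: str) -> Optional[str]:
    """Reverse the token and return it if it parses as an http(s) URL."""
    token = token.strip(WRAPPERS)
    m = REVERSED_SCHEME.search(token)
    if m is None:
        return None
    # In the reversed string the scheme comes last; anything after it is
    # not part of the URL, so cut there before reversing.
    candidate = token[: m.end()][::-1]
    parts = urlsplit(candidate)
    if parts.scheme in ("http", "https") and parts.netloc and "." in parts.netloc:
        return candidate
    return None


def extract_urls(strings_dump: str) -> List[str]:
    """Return all forward-form URLs hidden as reversed strings, deduplicated."""
    urls = []
    for token in reversed_url_candidates(strings_dump):
        url = decode_reversed_url(token)
        if url and url not in urls:
            urls.append(url)
    return urls


# Constructed sample: a few innocuous strings plus the reversed URL quoted
# in the post, wrapped in the quotes a VBA literal would carry.
SAMPLE_DUMP = """\
Microsoft Forms 2.0 Object Library
StrReverse
"exe.ss/pw/arc/lc.paip//:ptth"
Shell
Environ$
"""

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_DUMP):
        print(url)
```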

As mentioned before, this is a long-running campaign apparently targeting users in Mexico, and as yet I have not seen this in any language except Spanish.

Thursday 10 July 2014

"Estado de Cuenta Datallado en Línea (Statement Datallado Online)" spam contains a Macro virus

This Spanish-language spam comes with a Word document containing a Macro virus.

From:     Banco Santander [altacuentas_cash@santander.com.mx]
Reply-to:     noreply@santander.com.mx
Date:     10 July 2014 09:52
Subject:     Estado de Cuenta Datallado en Línea


Estimado Cliente:

Por este medio le enviamos el estado de su cuenta del día 08/Jul/2014.
Le recomendamos descargarlo y así mantener un registro de sus activos.

El estado de cuenta se encuentra adjunto en este correo en formato Microsoft Word.

Para cualquier duda o aclaración puede comunicarse a Súper Línea Empresarial.

Atentamente,
BANCO SANTANDER.

******************PRIVACY OF THIS MESSAGE**********************
This message is addressed exclusively to the persons whose e-mail addresses are specified as recipients in its header. If you have received this message in error, you must under no circumstances disclose its contents, copy it, distribute it or use it. We ask that you please delete this message together with any attached document it may contain. The privacy and confidentiality rights over the information in this message are not lost by the fact of its having been transmitted in error or because of interference in the operation of mail systems and communication channels. Any opinion expressed in this message belongs to the sender and should not necessarily be understood as an opinion of Grupo Financiero Santander and/or of its member entities, unless the sender is authorised to give it or expressly says so in the message itself. Given that electronically sent messages can be intercepted and manipulated, Grupo Financiero Santander and its member entities are not responsible if messages arrive late, incomplete, deleted or with some malicious program known as a computer virus. This message should not be interpreted, under any circumstances, as an offer to sell or buy securities or related financial instruments. Accents in the confidentiality notice have been omitted for easier reading

The body of the message translates roughly as:
I hereby send you the status of your account on 08/Jul/2014.
We recommend you download and keep track of your assets.

The statement is attached to this email in Microsoft Word format.

For any question you can contact Super Business Line.

Best regards,
BANCO SANTANDER. 
Attached is a file ESTADOCUENTA_2457.doc which contains a Word Macro virus. Because most people's settings would stop a Macro virus from running, the document actually contains detailed instructions on how to remove those security settings.


The first page reads:

El contenido no puede ser mostrado.
Para poder ver el contenido de este documento debe habilitar los Macros de Microsoft Word, luego cerrar y abrir el documento.

Pruebe lo siguiente:
Habilite los Macros y luego vuelva a abrir el documento.
En este documento podrá encontrar una guía proporcionada por www.santander.com para poder habilitar los macros en su Microsoft Word.

Grupo Financiero Santander México - 2014

which roughly translates to:

The content cannot be shown.
To view the content of this document you must enable macros in Microsoft Word, then close and reopen the document.

Try the following:
Enable macros and then reopen the document.
In this document you will find a guide provided by www.santander.com on how to enable macros in your Microsoft Word.

Grupo Financiero Santander Mexico - 2014

There then follows several pages with screenshots on how to disable the security in Word and Excel.. doing which of course is a bad idea. Reloading the document will then execute the Macro virus. I have defanged the document and converted it to a PDF file here. A copy of the VBA code is here (thanks to @Techhelplistcom).


The VirusTotal analysis shows just 1/54 virus scanners detect it. The Malwr analysis gives some clues as to what is going on in the string dump, especially the reference to baulretro.cl/tienda/cache/wp/ss.exe (186.64.120.59 / Zam Ltda, Chile) which appears to be a malicious binary (at the moment the file is 404ing, but it was working recently).

The properties of the Word document don't give much of a clue:



Authors are "OFEyDV", last saved by "clein" which matches to a few other recent malicious Spanish-language documents [1] [2] [3] [4]. The creation date indicates that perhaps this started off life as a genuine document and has been adapted for evil purposes.

Originating IP for the spam is 124.42.127.221 (Langfang University, China) via 199.192.145.152 (web17.gohost.com).

It's a lot of hard work to get your computer infected, but it does also look quite convincing. Word Macros are very rarely used by anything and you should definitely not fiddle with them if you don't need to.

Monday 30 June 2014

Several no-ip.com domains seized by Microsoft

It appears that the nameservers for the following dynamic DNS domains belonging to no-ip.com may have been seized by Microsoft, as the nameservers are pointing to NS7.MICROSOFTINTERNETSAFETY.NET and NS8.MICROSOFTINTERNETSAFETY.NET.

3utilities.com
bounceme.net
hopto.org
myftp.biz
myftp.org
myvnc.com
no-ip.biz
no-ip.info
noip.me
no-ip.org
redirectme.net
servebeer.com
serveblog.net
servecounterstrike.com
serveftp.com
servegame.com
servehalflife.com
servehttp.com
servemp3.com
servepics.com
servequake.com
sytes.net
zapto.org

This seems to have had the effect of taking down any sites using these dynamic DNS services. This will probably impact a lot of things like webcams, home security systems, personal VPNs and anything else that uses these domains.

Usually this happens when Microsoft gets a court order prior to legal proceedings. Now, although these domains are widely abused, it is not no-ip.com themselves doing the abusing. I do recommend that businesses block access to dynamic DNS sites because of the high level of abuse, but I do feel that it is something that network administrators should choose for themselves.
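For administrators who take up the suggestion of blocking (or at least watching) these dynamic DNS zones, here is a matcher over DNS query logs, added as an example and not part of the original post: it checks each queried name against the zones listed above on label boundaries, so look-alikes such as "evilno-ip.org" or "no-ip.org.example.net" are not flagged. The BIND-style log lines and the line format it parses are constructed assumptions.

```python
"""Match DNS query logs against the dynamic-DNS zones named in the post.

Added example (not from the original post).  The matcher works on label
boundaries: "cam1.hopto.org" is a hit, "evilno-ip.org" and
"no-ip.org.example.net" are not.  The log lines and their format
('<timestamp> client <ip>#<port>: query: <qname> IN <type>') are
constructed for the example.
"""
from typing import Iterable, List, Optional, Tuple

# The no-ip.com zones listed in the post.
DYNAMIC_DNS_ZONES = {
    "3utilities.com", "bounceme.net", "hopto.org", "myftp.biz", "myftp.org",
    "myvnc.com", "no-ip.biz", "no-ip.info", "noip.me", "no-ip.org",
    "redirectme.net", "servebeer.com", "serveblog.net",
    "servecounterstrike.com", "serveftp.com", "servegame.com",
    "servehalflife.com", "servehttp.com", "servemp3.com", "servepics.com",
    "servequake.com", "sytes.net", "zapto.org",
}


def normalise(name: str) -> str:
    """Lower-case a hostname and drop any trailing dot."""
    return name.rstrip(".").lower()


def matching_zone(qname: str, zones: Iterable[str] = DYNAMIC_DNS_ZONES) -> Optional[str]:
    """Return the zone that qname equals or is a subdomain of, else None."""
    host = normalise(qname)
    for zone in zones:
        zone = normalise(zone)
        # Exact match, or a subdomain separated by a real label boundary.
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def flag_queries(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan query log lines; return (client_ip, qname, zone) for each hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if "query:" not in fields or "client" not in fields:
            continue  # not a query line in the assumed format
        qname = fields[fields.index("query:") + 1]
        client = fields[fields.index("client") + 1].split("#")[0]
        zone = matching_zone(qname)
        if zone:
            hits.append((client, normalise(qname), zone))
    return hits


# Constructed sample log: two real hits, two look-alikes, one unrelated name.
SAMPLE_LOG = [
    "30-Jun-2014 09:12:01.123 client 10.0.0.5#51234: query: cam1.hopto.org IN A",
    "30-Jun-2014 09:12:02.456 client 10.0.0.7#51235: query: www.example.com IN A",
    "30-Jun-2014 09:12:03.789 client 10.0.0.9#51236: query: evilno-ip.org IN A",
    "30-Jun-2014 09:12:04.012 client 10.0.0.9#51237: query: no-ip.org.example.net. IN A",
    "30-Jun-2014 09:12:05.345 client 10.0.0.11#51238: query: VPN.MYFTP.BIZ. IN AAAA",
]

if __name__ == "__main__":
    for client, qname, zone in flag_queries(SAMPLE_LOG):
        print(f"{client} -> {qname} (dynamic DNS zone {zone})")
```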

UPDATE 1:  Microsoft's statement on the takedowns is here, along with details of an accompanying lawsuit targeting Mohamed Benabdellah, Naser Al Mutairi and Vitalwerks Internet Solutions LLC (who operate no-ip.com).

UPDATE 2:  The Nevada lawsuit mentioned above also includes some domains that I have added in italics. Also, the domain noip.me has been seized even though it is specifically excluded from the Nevada lawsuit, which indicates that legal action has also been taken in Montenegro and shows just how pissed-off Microsoft are.

Thursday 2 January 2014

Windows.old, and the Windows XP to Windows 8.1 gotcha

So I finally got around to the long overdue task of migrating my main system off Windows XP 32-bit (because it is going out of support soon) to Windows 8.1 64-bit because.. well, it's cheaper to go the Windows 8.x route than Windows 7, and 8 does have some interesting features.

You can't really upgrade Windows XP to Windows 8.1 in the traditional sense, it is basically a completely new installation but it does retain your original Windows XP data so you can get to it later. But there's a gotcha here.

Windows 8.1 is a free upgrade to Windows 8, and I already had a Windows 8 upgrade disk that I bought a few months back. Upgrading from Windows XP to Windows 8 does create a set of backup files in a folder called windows.old so you can recover your data, including what was in the C:\Documents and Settings folder. So, in theory you just copy the old data from that folder into your new Documents folder.

Here's the gotcha. If you're like me, you've probably been putting off the Windows 8 upgrade until you can have Windows 8.1 which brings back the Start button. So the obvious next step is to do that (although you need to install KB2871389 to show Windows 8.1 in the app store). You can then do the 3GB+ download to install Windows 8.1 over Windows 8 which runs pretty smoothly. But before you do that.. remember to take your data out of the windows.old folder!

The trap here is that when you upgrade from Windows 8 to Windows 8.1, the contents of the windows.old folder are deleted and overwritten again, destroying the backup data from Windows XP. 

Uh-oh. It's a good job that I'm paranoid about backups, so nothing was lost. But it's easy to see that people could lose data if they don't recover it from windows.old before doing the Windows 8.1 upgrade.

It really, really is worth investing in some offline storage or other backup medium before you do this. I took the opportunity to clone Windows XP to a new SSD drive before doing the upgrade and I disconnected the original hard disk, and I also made an offline backup to be on the safe side. But if I had just ploughed on and done the deed then I would have lost irreplaceable data. 

Windows 8.1 is.. well, weird. But it does run very quickly on my four-year-old Dell Precision workstation with the SSD drive and a memory upgrade. Apart from the vanishing data it all went remarkably smoothly (if you are knowledgeable about Windows systems) and it didn't require any unpleasantness such as driver disks. The application troubleshooting is pretty awesome for apps that don't run properly under the new OS, and there are only a few really ancient 16-bit apps that I can't get to work that need recoding. Ah well, it should keep the computer up-to-date with security updates until 2023 which should easily be longer than the expected lifespan of the machine..


Wednesday 6 November 2013

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:

From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Victoria Commercial Ltd
The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:

Friday 18 October 2013

"Microsoft Windows Update" phish

A random and untargeted attempt at phishing with a Windows Update twist.

From:     Microsoft Office [accounts-updates@microsoft.com]
Date:     17 October 2013 02:54
Subject:     Microsoft Windows Update

Dear Customer,

Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.

Thank you,

Copyright © 2013 Microsoft Inc. All rights reserved.
The email originates from 66.160.250.236 [mail.andrustrucking.com] which is a trucking company called Doug Andrus Distributing.. so perhaps Microsoft are farming out the updates to a random Idaho company. Or perhaps they have had their email system compromised (maybe by someone using the same phishing technique).

Anyway, the link in the email goes to a legitimate but hacked site and then lands on a phishing page hosted on [donotclick]www.cycook.com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.


Entering your credentials simply takes you to a genuine Microsoft page:

Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution.

Tuesday 16 July 2013

Half your video missing in Windows Movie Maker? MS13-057 to blame.

I couldn't quite figure out why Windows Movie Maker was suddenly chopping off the top half of a video I was making..


I didn't investigate the problem very closely because I finished the project using Sony Vegas instead. However, it turns out that I am not alone.. an InfoWorld post also indicates that there are problems with Adobe Premiere Pro, Techsmith Camtasia Studio, Serif MoviePlus X6 plus some games due to the MS13-057 update pushed out a week ago.

If you are experiencing critical problems with missing video, then the only thing to do seems to be to uninstall the Windows Media Player patch listed as KB2803821 or KB2834904. If this isn't causing a problem then you may as well keep the patch in place to protect your system. I would expect another patch to be re-issued soon.

Thursday 16 May 2013

HMRC spam / VAT Returns Repot 517794350.doc

This fake HMRC (UK tax authority) spam contains a malicious attachment:

From: noreply@hmrc.gov.uk [mailto:noreply@hmrc.gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350


Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:

Tuesday 14 May 2013

Bank of America spam / RECEIPT428-586.doc

This fake Bank of America message has a malicious Word document attached:

Date:      Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject:      Your transaction is completed

Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved 

The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack. VirusTotal detections stand at just 11/46.

Thursday 9 May 2013

Citibank spam / Statement ID 64775-4985.doc

This fake Citibank spam contains a malicious Word document that leads to malware.

Date:      Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From:      CITIBANK [noreply@citybank.com]
Subject:      Merchant Statement

Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 
The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46. It appears to exploit a flaw in the RTF converter. I'm not altogether sure which flaw it is, but making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat.

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158 aka MS12-027.


Friday 12 April 2013

MS13-036 buggy, withdrawn

Uh-oh.. looks like the reports of problems with MS13-036 were correct.



********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: April 11, 2013
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS13-036 - Important
  * MS13-apr


Bulletin Information:
=====================

* MS13-036 - Important

 - Reason for Revision: V2.0 (April 11, 2013): Added links to
   Microsoft Knowledge Base Article 2823324 and Microsoft Knowledge
   Base Article 2839011 under Known Issues. Removed Download Center
   links for Microsoft security update 2823324. Microsoft recommends
   that customers uninstall this update. See the Update FAQ for
   details.
 - Originally posted: April 9, 2013
 - Updated: April 11, 2013
 - Bulletin Severity Rating: Important
 - Version: 2.0

* MS13-apr

 - Reason for Revision: V2.0 (April 11, 2013): For MS13-036,
   removed the links to security update 2823324 due to a known
   installation issue. See bulletin for details.
 - Originally posted: April 9, 2013
 - Updated: April 11, 2013
 - Version: 2.0


Other Information
=================

Follow us on Twitter for the latest information and updates:

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, it is not required to read security notifications, security bulletins, security advisories, or install security updates. You can obtain the MSRC public PGP key at https://technet.microsoft.com/security/bulletin/pgp.

To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on http://technet.microsoft.com/security/dd252948.


********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

To manage or cancel your subscription to this newsletter, visit the Microsoft.com Profile Center at <http://go.microsoft.com/fwlink/?LinkId=245953> and then click Manage Communications under My Subscriptions in the Quicklinks section.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

Tuesday 13 March 2012

MS12-020: this is not good

MS12-020.. what can I say except that this is NOT GOOD. The flaw it fixes (CVE-2012-0002) sits in the RDP service itself and is reachable before any authentication takes place, so if you're running RDP on your clients or servers then this is something you need to patch RIGHT NOW..

Update: the folks at the ISC think so too. This is wormable and apparently not difficult to exploit, assuming it is switched on. So, you either need to patch or disable it.. or a combination of both.

Update 2: a visitor left a note to say they were working on a vulnerability scanner at rdpcheck.com . It's not ready yet, but there's a signup form on the page for more information.

Update 3: Allegedly, there is PoC code available for this on Pastebin, although this has not been independently confirmed.

Update 4: The ISC have changed the INFOCON status to yellow because of the perceived high risk.

Update 5: There is now an nmap script available to scan for vulnerable machines here.
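
Before the nmap script, the question most people need answered is simply which hosts are listening for RDP and which of those will talk to an unauthenticated client at all. The MS12-020 bulletin listed enabling Network Level Authentication as a workaround, because with NLA the client has to authenticate over CredSSP before the rest of the connection sequence is processed. The probe below is an added example written for this page (not from the original post, from Microsoft or from the nmap script): it sends the X.224 Connection Request every RDP client starts with, asking for standard RDP security only, and classifies the server's Connection Confirm as MS-RDPBCGR defines it. A server that answers HYBRID_REQUIRED_BY_SERVER enforces NLA; one that accepts standard RDP security does not. The three server answers at the bottom are constructed for the demo, not captures, and the host and port for the live probe are whatever you point it at.

```python
"""Probe an RDP listener and report whether it enforces NLA.

Added example. Frames and constants follow MS-RDPBCGR 2.2.1.1/2.2.1.2
(X.224 Connection Request/Confirm carrying RDP_NEG_REQ/RSP/FAILURE).
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000      # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ (19 bytes on the wire)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: length indicator, CR code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length including this 4-byte header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm; raise on anything else."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match data")
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == 11:
        # Pre-Vista servers send no rdpNegRsp: standard RDP security is implied.
        return {"negotiation": "none", "selected_protocol": PROTOCOL_RDP}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad negotiation block length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"negotiation": "response", "selected_protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": "failure",
                "failure_code": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def classify(confirm: dict) -> str:
    """Verdict for a request that offered standard RDP security only."""
    if confirm["negotiation"] == "failure":
        code = confirm["failure_code"]
        if code == "HYBRID_REQUIRED_BY_SERVER":
            return "nla-required"
        if code == "SSL_REQUIRED_BY_SERVER":
            return "tls-required-no-nla"
        return "refused:" + code
    if confirm["negotiation"] == "none":
        return "legacy-no-negotiation"        # XP/2003 era: no TLS, no NLA
    if confirm["selected_protocol"] == PROTOCOL_RDP:
        return "standard-rdp-accepted"       # talks to anyone, no NLA
    return "unexpected-protocol-%d" % confirm["selected_protocol"]


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live check against a host you are allowed to scan (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(64)                  # the Confirm is 11 or 19 bytes
    return classify(parse_connection_confirm(data))


# Constructed server answers (not captures) for the three cases above.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_RDP_ACCEPTED = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")
```

Run probe("host") against your own boxes: "nla-required" is the state the bulletin's workaround puts you in; "standard-rdp-accepted" and "legacy-no-negotiation" are hosts where anyone on the network gets to the unauthenticated part of the RDP connection sequence, so those go to the top of the patch list. This only tells you about exposure, not whether the patch is installed; the nmap script mentioned above is still the check for that.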

Tuesday 28 September 2010

MS10-070 - don't panic.. on second thoughts.. PANIC

Those of you who know Microsoft patch levels probably already treat "Important" patches with a shrug, because the really important ones are always "Critical". So when Microsoft does an out-of-band patch only rated as "Important" then there's something not right going on.

Well, MS10-070 is one such patch, and to be brutally brief it means that ASP.NET applications, which is to say most IIS servers, are vulnerable to an information disclosure attack: a padding oracle that lets an attacker decrypt data the application encrypted (view state, for instance) and, in the worst case, pull files such as web.config off the server. Very bad news if you are running IIS.

The ISC have more here, but be sure to read the comments.. because this one is looking like a complete fragging disaster zone..
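
To make "information disclosure" concrete, here is an added example of the attack class MS10-070 closed, written for this page and not taken from Microsoft or the original post. ASP.NET's mistake was that its error behaviour told the client whether the padding of a decrypted blob was valid; that one bit per request is enough to decrypt the blob without ever learning the key. The block cipher below is a toy four-round Feistel network on HMAC-SHA256, an assumption made so the example runs on the standard library alone; the attack relies only on CBC mode plus PKCS#7 padding, so it works unchanged against any block cipher. padding_oracle() stands in for the server, and the key and the view-state-like message in demo() are constructed for the demo.

```python
"""CBC padding-oracle attack: the flaw class MS10-070 fixed in ASP.NET.
Added example; toy Feistel cipher is an assumption, the attack is generic."""
import hashlib
import hmac
import secrets

BLOCK = 16
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return IV || C1 || C2 ... over the PKCS#7-padded plaintext."""
    prev = secrets.token_bytes(BLOCK)
    out, padded = [prev], pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, data: bytes) -> bytes:
    """CBC-decrypt IV || ciphertext, leaving the padding in place."""
    return b"".join(_xor(block_decrypt(key, data[i:i + BLOCK]), data[i - BLOCK:i])
                    for i in range(BLOCK, len(data), BLOCK))

def padding_oracle(key: bytes, data: bytes) -> bool:
    """The leaky server: answers only whether the padding was valid."""
    try:
        pkcs7_unpad(cbc_decrypt_raw(key, data))
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, data: bytes) -> bytes:
    """Recover the plaintext of IV || ciphertext from oracle(bytes) -> bool alone."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)          # block_decrypt(target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)     # a fake IV the attacker controls completely
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad    # known tail now decrypts to `pad`
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # 0x02 0x02 (or longer) would also pass; confirm it is really 0x01
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle never accepted a guess")
        recovered += _xor(bytes(inter), prev)   # plaintext = D(C) xor previous block
    return pkcs7_unpad(recovered)

def demo(message: bytes = b"__VIEWSTATE: user=alice; role=admin") -> bytes:
    """Encrypt under a key the attacker never sees, then recover it via the oracle."""
    key = secrets.token_bytes(32)
    return padding_oracle_attack(lambda c: padding_oracle(key, c), cbc_encrypt(key, message))
```

demo() returns the original message using at most 256 oracle queries per byte and no knowledge of the key, which is why the fix for this class of bug is to authenticate the ciphertext (a MAC checked before decryption) and to return one uniform error for every decryption failure, rather than to hide the padding error message alone.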

Tuesday 28 July 2009

MS09-034 is coming..

Just a reminder that Microsoft are releasing out-of-band patches today for a critical Internet Explorer flaw (MS09-034) and the related Visual Studio Active Template Library bug (MS09-035). If you manually authorise updates to client PCs via WSUS, then you will need to break the usual schedule and deploy these as soon as you can.

More info here and here.

Friday 19 June 2009

FAIL: "Microsoft has released an update for Microsoft Outlook"

This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:

From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


Although the link text looks like the Microsoft web site, the hidden URL underneath is quite different: each hostname starts with the real update.microsoft.com but then carries on into a domain the attacker controls, so the request never goes anywhere near Microsoft. From samples I have plus some scraped from teh interwebs, I came up with the following:

hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]

The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.

Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for any hostname that begins update.microsoft.com. but carries on past it (update.microsoft.com.i covers this batch) may well be useful.
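
A grep for update.microsoft.com.i catches this batch; the more general check is to flag any request whose hostname carries a trusted hostname as its leading labels but does not actually end with it, which is what every one of the URLs above does. The following is an added example written for this page, not the original post's code: the log format (timestamp, client, method, URL), the log lines and the watched names are all constructed for the demo, so adapt the regex to your proxy, and it also accepts the hxxp:|| defanged form used above so pasted IOCs parse as URLs.

```python
"""Flag proxy-log requests to lookalike hosts that carry a trusted hostname
as their leading labels, e.g. update.microsoft.com.ijlijji.com.

Added example; log format, log lines and watched names are constructed.
"""
import re
from urllib.parse import urlsplit

# Full hostnames the lures impersonate. Keep these as full hosts: watching a
# bare registrable domain such as microsoft.com would also flag legitimate
# ccTLD forms like microsoft.com.au unless you allowlist them.
WATCHED = ("update.microsoft.com", "download.microsoft.com")

# Constructed format: timestamp, client IP, method, URL (adapt to your proxy)
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def refang(url: str) -> str:
    """Undo hxxp:// and hxxp:|| defanging so shared IOCs parse as URLs."""
    if url.startswith(("hxxp://", "hxxps://", "hxxp:||", "hxxps:||")):
        url = "http" + url[4:]
    return url.replace(":||", "://", 1)


def hostname_of(url: str) -> str:
    url = refang(url)
    if "://" not in url:
        url = "//" + url                  # CONNECT lines carry host:port only
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def spoofed_brand(host: str, watched=WATCHED):
    """Return the watched hostname that `host` embeds as a leading run of
    labels without being under it, or None for legitimate/unrelated hosts."""
    labels = host.split(".")
    for name in watched:
        if host == name or host.endswith("." + name):
            return None                   # genuinely under the trusted name
        want = name.split(".")
        # the run must stop short of the last label, or host would end with name
        for i in range(len(labels) - len(want)):
            if labels[i:i + len(want)] == want:
                return name
    return None


def scan_proxy_log(lines):
    """Return (client, host, impersonated_name) for every lookalike request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = hostname_of(m["url"])
        name = spoofed_brand(host)
        if name:
            hits.append((m["client"], host, name))
    return hits


# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2009-06-19T09:12:01Z 10.20.30.41 GET http://update.microsoft.com/microsoftupdate/v6/default.aspx
2009-06-19T09:13:07Z 10.20.30.52 GET http://update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=REDACTED
2009-06-19T09:13:09Z 10.20.30.52 CONNECT update.microsoft.com.il1if1.com.mx:80
2009-06-19T09:15:44Z 10.20.30.63 GET http://cdn.update.microsoft.com/some/file
2009-06-19T09:16:02Z 10.20.30.74 GET hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx
""".splitlines()
```

scan_proxy_log(SAMPLE_LOG) flags the three lookalike hosts and leaves the genuine update.microsoft.com and cdn.update.microsoft.com requests alone. Because the unregistered domains never resolve, the interesting client in a real log is the one whose lookalike request actually got a 200 or a CONNECT through, which is the machine whose user clicked.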