Stop clicking on unsolicited .DOCs! Right now. STOP!

Word
The truth is that most malware attacks are not highly sophisticated.

Although some security vendors might be keen to demonstrate how clever their analysts are, and scare the bejesus out of you with descriptions of advanced malware that exploits new zero-day vulnerabilities in order to burrow into your network and steal your data, most aren't quite like that.

Often the attackers will use the oldest trick in the book, exploiting human weaknesses to trick users into opening a file that can contain malicious code, or clicking on a link to a boobytrapped website.

It's not that clever. But it works.

And because it works, the bad guys who are trying to infect your PC (and yes, it normally is your PC - although Macs are not somehow magically immune) keep using the same tricks.

Earlier today I received an unsolicited email, with a file attached.

Now, I'm a battle-hardened skeptical security guy so I'm probably more wise to these kind of attacks than the typical internet users, but the fact is that we all need to be careful not to let down our guard.

In this particular case the email claims to contain an invoice.

Malicious email

Would you open the .DOC file?

I hope not. Hopefully you know to be wary of .DOC files (which can either contain malicious macros, or have malicious code embedded inside them).

Hopefully you also know to be wary of .EXE files, and .PDF files, and .VBS files, and .SCR files (which are just .EXE files with a different name), and indeed to be suspicious of pretty much any attachment that is sent to you unexpectedly out of the blue.

Word docBecause, if you stopped opening unsolicited attachments, you would no longer be falling into that particular trap set by the hackers.

And if you convinced your colleagues in the office, and your friends and family, to be equally wary - well, you would be doing a lot of good.

Maybe you would go one step further, and teach them that delivery companies like FedEx, UPS and DHL aren't going to email you about a failed delivery, and that if they weren't speeding in New York there's very little chance that they would have got a speeding ticket from NYC (and how would the cops have got your email address anyway?), and that sexy Russian woman with a webcam who wants to be email buddies with you didn't see your profile online, and... I could go on.

I did what I always try to do. Rather than open the Word document, I uploaded it to VirusTotal which does the grunt work of running it past scores of different anti-virus scanners and then shares the files with anti-virus labs so analysts can take a look at it.

Virustotal report

But even if it had come up with a clean bill of health (it didn't - six of 54 scanners identified it as malicious) I wouldn't have opened it.

And that's because I've never dealt with the company who was claiming to have sent me an invoice. And even if I had, I knew I wasn't expecting an invoice. The email was unsolicited.

So after uploading it to VirusTotal I deleted the email message (including the attachment) and moved on with my day.

If everyone stopped clicking on unsolicited .DOCs (and .PDFs etc etc) the internet would be a safer place.

Spread the word, not the malware.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

12 Responses

  1. drsolly

    November 17, 2015 at 12:16 am #

    I got that one too.

    A) the fact that only 6 out of 54 products flagged it as malicious, tells you something important about anti-virus products' ability to handle the threat of incoming malware via email.
    B) I agree with "don't click on attachments", but I would add "and disable Word from running macros". In LibreOffice, that's Tools … options … Security … Macro Security … Very High. Then under the tab "Trusted sources" I have nothing. I have zero trusted sources. Likewise set up your spreadsheet.

  2. coyote

    November 17, 2015 at 2:24 am #

    'and yes, it normally is your PC – although Macs are not somehow magically immune'

    For that matter, it's all operating systems. It doesn't matter what kind of 'computer' you have (it might not even be a computer in the most common sense of the word!).

    As for extensions: something that really perplexes me with Windows is it by defaults (last I knew) hides extensions (or at least the last extension). Problem with that: what if you have:

    prog.dat.exe
    readme.txt.scr

    … and the .exe and .scr are stripped off ? What then if prog.dat.exe (poor name but can't think of anything else at this time) or readme.text.scr are malicious ? For all you knew you were looking at (presumably) a data file and a text file!

    Of course, file extension alone doesn't necessarily equate to file type (file header/magic/etc.) but Microsoft makes it more risky for whatever reason I don't know (they think people don't care about extensions ? Misguided in any case; and once again you have to opt-out of this after being aware of this – but it shouldn't be an option at all; you should always have the extension visible).

  3. Phil J

    November 17, 2015 at 11:39 am #

    "If everyone stopped clicking on unsolicited .DOCs (and .PDFs etc etc) the internet would be a safer place."

    Would it? I wonder about this sometimes.

    What are the bad men going to do when we stop clicking on .DOCs, shrug their shoulders and say "well I guess I better get a job then"? Or are they going to to find some new more subtle way of getting malware on my machine. A way I'm less likely to spot.

    • coyote in reply to Phil J.

      November 17, 2015 at 7:41 pm #

      Yes it would. Malware that is ITW (in the wild) increases the vulnerability of all possible targets; and each vulnerable target (and more so those compromised) decreases the Internet security on a whole. This is obvious: it's just like the immune system in the human body; it normally has the ability to fight off diseases but if you have an auto-immune disease you have much more to worry about (like say getting illnesses that most people can easily fight off). Of course there are other reasons you might have to worry more than the people not at risk but the point is the same. Yes, that's a very, very basic simplification of what happens in the body but it is enough for the analogy.

      Recent world epidemic: Ebola strikes back. Look at the problems it causes, the quarantines required. Hint: when you cough tiny particles are released from your body. Guess what that means?

  4. drsolly

    November 17, 2015 at 1:00 pm #

    There was a time when the main threat to PCs was the boot sector virus, spread via floppy disks. There were no emailed file viruses or trojans. Today, there are no boot sector viruses (when did you last see a floppy disk?) and the main threat is emailed file trojans.

    If we all stop clicking on emailed trojans, the Bad People will have to find an alternative, but the alternative won't be as good (for them) as emailed trojans, because if it were, that's what they'd be using today.

    So yes, the internet would be a safer place.

    • coyote in reply to drsolly.

      November 17, 2015 at 9:07 pm #

      'when did you last see a floppy disk?'

      Approx one minute from when I first wrote this response (unfortunately the client check completely destroyed my post – once it checked I had a very strong fear it would happen and it did). Granted this house still has computers with floppy drives but they do indeed exist (and I know there are more around here including soft floppies). And even if MBR/BS infecting viruses are exceedingly rare, they can still exist. You know this, of course, and you would probably argue they wouldn't be effective – if they were capable of doing anything at all. I wouldn't argue that point, either.

  5. SteveP

    November 17, 2015 at 1:06 pm #

    I wonder what happens in Apple's Mail if you use the "quick look" action for an attachment?

  6. BradF

    November 17, 2015 at 2:33 pm #

    I use LibreOffice. Does this confer any immunity to these kind of attacks?

    • coyote in reply to BradF.

      November 17, 2015 at 9:10 pm #

      That depends on how far you go: would a Windows macro virus work ? If you're not under Windows and there isn't some plugin (too lazy to open libreoffice and I'd rather not bother looking for Windows macros anywhere at all) to run them then no. But anything capable of running a macro (or other executable code) has risks because code has risks itself (even if it is source code you never know that the compiler wasn't manipulated and maybe you're missing something – or the code is obfuscated enough to fool [you]).

      So yes and no.

  7. A. Lee

    November 17, 2015 at 4:15 pm #

    I've spent about 8 years developing a system to deal with the spam and viruses I get on my servers – they are all reported to Spamcop mostly automatically, with docs and pdfs etc quarantined before deciding whether to report or reinsert into the queues.

    If there are any javascript attachments, I deofuscate them, add the urls to the mail and also report to Spamcop so the owners also get a notice.
    I have reported a little over 3 million spams and viruses now to help the common good, and they are all archived in a distributed database as evidence and research.
    The spams are fed back to train spamassassin and Bayesian filters, and the source addresses are added to a relay blacklist and a dodgy netblocks list.
    So much scanning involved that I have a few servers working on them 24/7, and offer the filtering services commercially for trustworthy clients.
    The servers are protected with a distributed adaptive firewalls to respond to threats on all services and share and expire amongst servers – has to be a wider use for this!
    Maybe it is time to publicize it a bit…

    • furriephillips in reply to A. Lee.

      November 18, 2015 at 10:19 am #

      Hi A. Lee,

      Seems like that sort of learned system inteligence, shared between multiple MTAs would be quite useful – Do you have the stuff on GitHub or a wiki/website?

      @GCluley I second this person's activities & would even go so far as to say that your article isn't complete, without reporting the spam to the relevant authorities…

      SpamCop (https://www.spamcop.net/) is an excellent resource. Once dodgy files are submitted to VirusTotal and before deleting the offending email, you forward the mail as an attachment, to SpamCop and they process the headers, determine who the abuse should be reported to, then you get to press a button and let them know that they're hosting a compromised system or homing a nefarious entity. They should clean up their act and you've helped the rest of the digital society, not just kept yourself safe.

      Cheers,

      ChrisP

      • A. Lee in reply to furriephillips.

        November 18, 2015 at 5:56 pm #

        Thanks Chris, yes it works fairly elegantly using mysql replication with tables used as a multiple access FIFO to distribute updates and spam among the participating servers to unpack new arrivals, so they can learn the spam or ham, or ban or unban ip addresses.
        Servers are i7 machines on a VPN using a geoip aware transparent proxy on a hosted public ip, so I can run a cluster of dozens of machines, but only need to host one! :-)

        Usually have between 10,000 and 20,000 banned ip addresses from bad actors, http probes, wp-login attempts, other backdoor attempts, port probes, dos attacks, dns abuse etc. These are linux services that monitor various system log files and react appropriately.

        I haven't yet thought deeply about how to distribute updates to external participating servers in real time bidirectionally – that would require establishing trust relationships to avoid poisoning – the ability for one server to control access and ban half the internet to another server is not something to do lightly! Still, it should be solvable.

        Unfortunately, running such a service would open me up to attack, which is one reason I have been reluctant to advertise – I haven't put it up on github as it would still need bombproofing for others to use, but it would be good to see how it would perform in the wider world, and see some return for all the hard work!

        Graham could pass on my email address to you if you are interested in learning more.
        Cheers,
        Andy

Leave a Reply