Poisoned Emails
-
Unfortunately, C, I can't give you timing data, because I've never been daft enough to get infected in the first place! [Ambles away, whistling the theme to Goldfinger)
I wanna be a eunuchs developer! Pass me a bread knife!
-
That's a good point. 64GB or higher flash drives are relatively inexpensive and you can plug them into one of the mobo's usb ports. I could easily fit local files onto one. I don't think ransomeware encrypts executable files or libraries yet so no need to back those up. Heck, I could just write a program myself to perform the backup.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
-
Quote:
I've never been daft enough
Mark, Innocent websites that you trust may become infected through hacking. If you browse to such a trusted website, are your prepared for the consequences?
Get me coffee and no one gets hurt!
You'd probably be surprised at how few sites I visit (on my own machines -- on work machines, who gives a banana?. I mean, the Interwebs are only useful for knowledge that you don't already have, and that's mostly a curiosity thing (and curiosity kills computers) The people who get hit by these viri are mostly facebookers and twatters. The rest of us aren't so dumb, so the scare stories don't apply to us.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Quote:
Are you backing up to a NAS?
Nooooo! A Ransom virus will encrypt all files on the network, especially files in servers or a NAS! Look what happened to the hospital in LA, who was forced to pay $17,000 to have files on their network unencrypted. You need to back up to an "air gap" device, that is only briefly connected to the network while the backup is being saved. That applies to backing up data files, as well as system drive images that are vital in case of an attack.
Get me coffee and no one gets hurt!
Air gap backups seem like a lot of trouble for my home since there really isn't much there that I couldn't go without and now they have malware designed to target 'air gapped' computers (Microtrend article). I guess the only way to prevent such attacks is not to become a target.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
-
Re-imaging your systems drive may take 10 minutes and will completely get rid of the virus if done right. How does that compare with the time to re-install an entire operating system and all apps?
Get me coffee and no one gets hurt!
True, but re-imaging requires constant updates that consume actual resources every day (and quite a lot of them), for the few files that you actually need to be backed up. Its only advantage is that it backs up the OS. Not giving a damn about the OS allows you to back-up a comparatively tiny amount of files, which consumes only petty system resources.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Air gap backups seem like a lot of trouble for my home since there really isn't much there that I couldn't go without and now they have malware designed to target 'air gapped' computers (Microtrend article). I guess the only way to prevent such attacks is not to become a target.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
-
True, but re-imaging requires constant updates that consume actual resources every day (and quite a lot of them), for the few files that you actually need to be backed up. Its only advantage is that it backs up the OS. Not giving a damn about the OS allows you to back-up a comparatively tiny amount of files, which consumes only petty system resources.
I wanna be a eunuchs developer! Pass me a bread knife!
For me, re-imaging is the way to go. However, I can do it in my sleep, so I don't see it as much of an obstacle. If you ever have a few spare moments, download and try imaging software like Macrium's Reflect or AOEMI Backupper Standard (all free). And see what it's all about. Good Luck! :-D
Get me coffee and no one gets hurt!
-
Um, clicking a button on a web-site that purports to tell you if a file is OK might not be a wise thing to do.
I wanna be a eunuchs developer! Pass me a bread knife!
From the about page:
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
Nothing will ever detect 100% of the maliciousness out there but at least you can throw about 54 antivirus scanners (at the time of this writing) at a suspicious file.
-
I and family members have seen a nasty increase in malware emails that most likely will plant a Ransom Virus if the attachment is acted upon. We now get several every week and sometimes several in one day. One of the most insidious is an email where the sender is spoofed to be Amazon. The "Amazon" message will seem to announce a shipment having been sent. However, there are two tell tale warning signs: 1) It is sent to an email address that only my friends and family know. I use a different email address for Amazon. 2) The message is empty, except for an attached Word document. Amazon never attaches Word documents to their emails. Like I'm going to open such a Word document and run the risk of a malicious macro getting run on my machine. :| The other type will be an empty email from myself to myself. It has an attached zip file that contains a Javascript file. If you look into the message header it is full of Arabic characters and is sent from a domain in Iran. Of course I am in the habit of running Javascripts from unknown sources on my machine. :| Now here's the bummer: If I scan these obviously malicious messages with Defender and Malwarebytes, they come up clean! I was wondering if anyone else has had similar experiences?
Get me coffee and no one gets hurt!
-
I get a few dozen of these every day. "Past due bill" "Invoice Payment" "Fax sent" etc, etc...
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
I and family members have seen a nasty increase in malware emails that most likely will plant a Ransom Virus if the attachment is acted upon. We now get several every week and sometimes several in one day. One of the most insidious is an email where the sender is spoofed to be Amazon. The "Amazon" message will seem to announce a shipment having been sent. However, there are two tell tale warning signs: 1) It is sent to an email address that only my friends and family know. I use a different email address for Amazon. 2) The message is empty, except for an attached Word document. Amazon never attaches Word documents to their emails. Like I'm going to open such a Word document and run the risk of a malicious macro getting run on my machine. :| The other type will be an empty email from myself to myself. It has an attached zip file that contains a Javascript file. If you look into the message header it is full of Arabic characters and is sent from a domain in Iran. Of course I am in the habit of running Javascripts from unknown sources on my machine. :| Now here's the bummer: If I scan these obviously malicious messages with Defender and Malwarebytes, they come up clean! I was wondering if anyone else has had similar experiences?
Get me coffee and no one gets hurt!
My sister forwarded me an email with an attachment she couldn't open. Because it was from my sister, and I thought she was expecting it, of course I try to open it to see what it's about and what's wrong. :doh: Thank goodness she reads her mails on her iDevice, and I similarly tried to open it on a Mac, so no damage, but she got a hot, sharp lecture on common sense and looking at email addresses to see where it originates from :mad: :mad: The downloaded attachment was obfuscated, but some of the variable names still conveyed intent. If I had time/inclination, would've liked to try figure out what it actually does.
-
I and family members have seen a nasty increase in malware emails that most likely will plant a Ransom Virus if the attachment is acted upon. We now get several every week and sometimes several in one day. One of the most insidious is an email where the sender is spoofed to be Amazon. The "Amazon" message will seem to announce a shipment having been sent. However, there are two tell tale warning signs: 1) It is sent to an email address that only my friends and family know. I use a different email address for Amazon. 2) The message is empty, except for an attached Word document. Amazon never attaches Word documents to their emails. Like I'm going to open such a Word document and run the risk of a malicious macro getting run on my machine. :| The other type will be an empty email from myself to myself. It has an attached zip file that contains a Javascript file. If you look into the message header it is full of Arabic characters and is sent from a domain in Iran. Of course I am in the habit of running Javascripts from unknown sources on my machine. :| Now here's the bummer: If I scan these obviously malicious messages with Defender and Malwarebytes, they come up clean! I was wondering if anyone else has had similar experiences?
Get me coffee and no one gets hurt!
Cornelius Henning wrote:
If I scan these obviously malicious messages with Defender and Malwarebytes, they come up clean!
AFAIK, that's because the attachments don't contain any malware. They just contain code that downloads the malware from somewhere on the interwebz, and then launch the downloaded file. Your antivirus should pick up the downloaded file as malicious, but I wouldn't want to risk it. :~
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
And the fake tax refunds, had one that looked very much like an HMRC mail, but they don't send attachments.
HMRC definitely don't send attachments with refunds, that's for sure.
I may not last forever but the mess I leave behind certainly will.
-
Don't worry. Letting windows update own your computer and rule your life will solve all your problems. Oh, wait... No it won't. It'll just "fix" things that work. The best process security and peace of mind is, and has always been, "don't do anything stupid". If you use Outlook (the MS Office version), one trick is to drop suspect files into the "Junk E-mail" folder before opening them. That disables anything that could do a nasty. But I prefer the "If in doubt, delete" method. Failing to open a genuine e-mail will not add or remove a second to or from your lifespan.
I wanna be a eunuchs developer! Pass me a bread knife!
The old Yahoo web client used to show the contents of a link when the mouse pointer was hovered over it. Very useful for spottig fake addresses. Sadly that doesn't seem to exist anymore.
I may not last forever but the mess I leave behind certainly will.
-
Quote:
if you have a backup, you probably won't need it
Yup! And having full backups takes fear out of the equation, doesn't it? Knowing you can recover from an attack gives you peace of mind, even if it never happens. ;)
Get me coffee and no one gets hurt!
Some of the latest viruses put out by the NSA implant themselves into the firmware of hard drives or bios, so that the machine is ruined. You cannot do a restore and expect to be rid of the virus.
-
I and family members have seen a nasty increase in malware emails that most likely will plant a Ransom Virus if the attachment is acted upon. We now get several every week and sometimes several in one day. One of the most insidious is an email where the sender is spoofed to be Amazon. The "Amazon" message will seem to announce a shipment having been sent. However, there are two tell tale warning signs: 1) It is sent to an email address that only my friends and family know. I use a different email address for Amazon. 2) The message is empty, except for an attached Word document. Amazon never attaches Word documents to their emails. Like I'm going to open such a Word document and run the risk of a malicious macro getting run on my machine. :| The other type will be an empty email from myself to myself. It has an attached zip file that contains a Javascript file. If you look into the message header it is full of Arabic characters and is sent from a domain in Iran. Of course I am in the habit of running Javascripts from unknown sources on my machine. :| Now here's the bummer: If I scan these obviously malicious messages with Defender and Malwarebytes, they come up clean! I was wondering if anyone else has had similar experiences?
Get me coffee and no one gets hurt!
-
I kinda want a copy of the JS file to dissect.
i cri evry tiem
I could send you a few - well, could if I wasn't anon. Oh well. Let me tell you, from what I've dissected from every single one of them, is they go thru about 1 or 2 levels of obfuscation of the code (eval'ing one segment to run another segment that eval's a third), plus a bunch of weird function calls (like calling one function to get a bit of a string, calling another that evals it and returns the result, calling a third to get another piece and multiply it by 5, then calling yet another to take all those pieces as arguments and return a concatenated string of substrings - that kind of stuff), ultimately what resolves/results is a URL that is then queried using an XMLHttpRequest object (aka, AJAX), or something similar - that goes out to some server (ident'd by IP or some domain), grabs an EXE, saves it, and executes it. It's obvious from all the layers of obfuscation that the code is made this way - likely by some kind of "trojan generator" (which can probably be easily found on the dark web or elsewhere) - to both get by filters for trojans, as well as make it difficult for most people to decipher what is going on if they see the code. Ultimately, none of this is very interesting or unique - it's all a well known form of attack and documented. Generally, though, that IP/domain has already been disabled, or the EXE has been deleted or wiped, at least in most of the cases I have tried. Only on a very few occasions have I been able to download the executable. In those cases, I try to alert the owner of the IP or domain if I can do a whois or reverse DNS search to know what provider I am dealing with - then I'll send an email to the admin contact or wherever. I find it funny, though, when I get these emails - I always try to figure them out, hoping someday that what I'll download is a bash script or something similar; you see, my main workstation has been a linux box of one form or another since 1995 or so - and I keep hoping that these guys move on to doing things targeting Macs, Linux, or some other *nix platform, but it hasn't happened yet. Even if it did run, the worst thing that will happen is that I have to re-image from a backup of my system - big whoop. The upside will be that I will know for certain that the "year of linux on the desktop" has finally arrived, and that linux has "jumped the shark", and I need to move to another obscure platform (maybe BSD? lolz) just to stay ahead of the game. I'm not holding my breath on that, though - and for that, I am thankful!
