Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Targeting OWA users - A report from the Mailbag

Published: 2010-01-08
Last Updated: 2010-01-08 21:57:40 UTC
by Patrick Nolan (Version: 3)
1 comment(s)

We received a report from Ted of an email campaign targeting OWA users that leads to malware infections, thanks Ted!

UPDATE:  Additional information has been provided, there are changing "Subject;" lines and changing obfuscated links for users.

UPDATE 2; ISC contributor Martin Ireland reports message mispelling - "If the OWA message received by server or a user is html text, the word "autentication" can be detected and user alerted, or message be deleted by server etc". Thanks Martin!

UPDATE 3; We've received a few more ISC contributor reports from targeted organizations, and contributor Andrew Yourtchenko had a comment for blacklist mainters and a pointer to a related post last year at Gary Warner's site. His comment was since the ISC "is probably frequented by those who handle these kinds of blacklists, may be useful to draw their explicit attention that there might be users reporting "goodsite.com" - and they should verify before blocking".

Ted's contribution;

"The Help Desk forwarded me a new version of a SPAM / Spyware  e-mail. It makes it look like the recipient is getting an auto response from our e-mail system and wants them to click on a link.  Once you go to the website it asked you to download and install an exe that will fix your issue.  Of course this is nothing but a Trojan that will only help out the bad guys!  Below I have included a sample of the e-mail and the site it goes to. 
 
When you review the SPAM, notice the link that is displayed shows it is from our.org but the actual hyper link is to our.org.molendf.co.kr.  I have traced the IP and am blocking it so if others get through the SPAM filter our users will not be able to get to the site.  The Hyperlink is disabled in the copy below.

I submitted the file to VirusTotal to see what they found and it is very new.  They first received it yesterday.  McAfee’s latest DAT file does not see it but the Artemis part will detect it.  I have included that data and links to VirusTotal if you want to check it out".
 
From: notifications@our.org [mailto:notifications@our.org]
Sent: Friday, January 08, 2010 09:06 AM
To: Targeted User (at our.org)
Subject: For the owner of the targeteduser@our.org mailbox
 
Dear user of the our.org mailing service!
 
We are informing you that because of the security upgrade of the mailing service your mailbox (targeted.user@our.org) settings were changed. In order to apply the new set of settings click on the following link:
 
httx://our.org/owa/service_directory/settings.php?email=targeted.user@our.org&from=our.org&fromname=targeted.user
 
Best regards, Our.org Technical Support.
 
Letter ID#DRYCFEDYU4NUKP7MFGG
 
VirusTotal’s Scan of the file I uploaded today:
File settings-file.exe received on 2010.01.08 15:13:58 (UTC)
Current status: Loading ...
queuedwaitingscanningfinishedNOT FOUNDSTOPPED
Result: 17/41 (41.47%)

McAfee
5854
2010.01.07
-
McAfee+Artemis
5854
2010.01.07
Artemis!3025B97428A1
McAfee-GW-Edition
6.8.5
2010.01.08
Heuristic.BehavesLike.Win32.Trojan.H

VirusTotal’s archived scan when the first received the file:
 
 
File settings-file.exe received on 2010.01.08 12:24:53 (UTC)
Current status:
finished
Result: 16/41 (39.02%)
 
ThreatExpert Report

 

Keywords:
1 comment(s)

Microsoft OfficeOnline, Searching for Trust and Malware

Published: 2010-01-08
Last Updated: 2010-01-08 19:26:49 UTC
by Rob VandenBrink (Version: 1)
1 comment(s)

Several readers have commented on today's Websense alert, found here ==> http://securitylabs.websense.com/content/Alerts/3519.aspx?cmpid=slalert

Websense discusses how, if you are on http://office.microsoft.com and use the search functions, you may receive links to sites that are not on Microsoft's domain.
This in itself is not too troubling, but the real issue is that these links are all referral links, which start with http://office.microsoft.com - so they look like they're Microsoft links (if you don't look too closely).   Clicking on links within these referred pages may then navigate away from the office.Microsoft lead url.

What Websense reports is that they've found malware, specifically "Fake Antivirus" malware  within some  of these referral links.

What makes this an issue is that, on the face of it, you might expect a web filtering application to allow these links, as they start with "office.microsoft.com".  The Websense apps figure this situation out correctly, but it is an easy thing to miss for the user driving the keyboard and mouse, and I suspect might be an easy thing to miss if you are coding a content control application.

What this highlights is that on the internet, "trust" is often misplaced.  When you search on Google, Yahoo or some other large search engine, you do not expect that all the results that you get on a search will be "safe".  But in this case of Microsoft's "captive" search function on this page, you can see how people might trust the results based on the url, especially as the search function is worded as "Search Office Online", not "Search the Internet" or "Search for the Answer"

So I guess the message of the day is, be careful who you put your "trust" in !

Surf Safe all !

 

1 comment(s)
Please participate in our reader survey: http://www.surveymonkey.com/s/2MH25ZC
Diary Archives