Thursday, May 5, 2016

We need your help

Locky Malware in Email:
While processing the latest batch of what is called Locky or Nemucod malware in my mini honey-net I came across some pretty surprising stuff.  For those that don't know what Locky is, it is zipped JavaScript attachments.  They can be zipped with either RAR or ZIP, which means that you need either unrar or unzip, which is kindly provided in all browsers (webmail) and all POP/IMAP email clients.

Okay, the first surprise was in how I analyze (triage, not full analysis) them.  I am on a Unix-like system so I unzip them or unrar them manually, which gives me one or more files with at least one of the files being a JavaScript, which means a file with a ".js" extension. All of the email clients will obligingly unzip the zipped files for you when you click on the attachment. So if this is as far as you can read, just don't click on those attachments or links in email! So far, so good.  But next I edit the main JavaScript file (sometimes they have multiple copies of it as well) with an editor called Vim.  Well, this time the start of the file had such a huge comment that Vim could not see the whole comment or past it.  So I loaded the JavaScript files in a binary editor called hexedit.  Now I could see the obfuscated JavaScript at the very end of the file.  Can your browser or POP/IMAP email reader scan past that huge long comment when the Vim editor fails?  Right off hand I don't know.  I kept giving the AV companies a heads up to stop looking at zipped JavaScript too carefully in the comments section.  But the reason for the comments was to tell them to just mark these as bad ASAP with some sort of heuristic.  How many of them are really bad?  I estimate less than 20% of them.  But even if they are bad, the detection at VirusTotal is deplorable.  Usually only 4 out of 56 AV packages show it as bad in 24-48 hours.  Even after a month, I rarely get more than 32 out of 56 marking them as bad, and have never got higher than 36 out of 56 of the AV at VirusTotal detecting them as bad.  So you cannot depend on your AV to protect you.  You have to depend on your own, hopefully not flawed, judgement to protect yourself.

Dumb Hackers:
I unzip them with an ad-hoc shell script I key in manually. The command line on Unix is far more powerful than even PowerShell on Windows.  For one of them I got an error.  It turned out that despite the fact the file had a ".zip" extension, it was zipped not with ZIP, but GZIP.  Even doing this manually, either gunzip or "gzip -d" does not like that ".zip" extension and refuses to do anything with the file.  So I renamed the badboy.zip (not the real name) to be badboy.gz.  Now I could gunzip it.  I expected a file named InnerJavascript.js. The names vary all over the place and I used InnerJavascript as just a way to say that the JavaScript base file name is NOT the same as the ZIP base file name.  What came out of my badboy.gz file?  If you are thinking it would be a file named InnerJavascript.js you are wrong.  If you are thinking it would even be a file named badboy.js you would still be wrong.  What was its name?  Just badboy with no extension.  Does that pose a threat to anybody (all of these pose no threat to me on my Unix-like systems)?  No?  Maybe, but I doubt it.  I have had these posing a threat to both Android and Windows.  But this should not pose a threat to anybody.  Do the hackers (and I have had Russian in some of the files and in URLs) know it doesn't work?  I don't know, but I can assure you a properly gzipped Locky JavaScript file can be gunzipped on Windows or Android and does pose a threat to those systems.  The problem was that this one wasn't gzipped properly.  The hackers don't care because frequently they design only about 5% to 15% of their attachments to be malicious.  What they are counting on is that this fools you into believing that since the last one did nothing bad, all of them are that way.  Well, you can count on at least 5% of them doing something bad, especially when they are new.  So I say again, just don't click on those attachments or links in email!
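Both surprises above (a huge leading comment that hides the real script at the end of the file, and a ".zip" that is really a gzip stream) come down to not trusting what the file claims to be. The triage helper below is an added example, not the post's own script: it identifies the container by its magic bytes instead of its extension, unpacks the gzip case, and reports the byte offset where the script body actually begins after any leading comments. The sample attachment is constructed inline.

```python
import gzip

# Leading bytes of the three containers the post mentions; the file name is not trusted.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"\x1f\x8b": "gzip"}
EXT_KIND = {"zip": "zip", "rar": "rar", "gz": "gzip"}


def sniff_container(data: bytes) -> str:
    """Identify the container from its magic bytes rather than its extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def script_start(js: bytes) -> int:
    """Offset of the first byte that is not leading whitespace or a comment."""
    pos, n = 0, len(js)
    while pos < n:
        if js.startswith(b"/*", pos):                    # block comment
            end = js.find(b"*/", pos + 2)
            if end == -1:
                return n                                 # unterminated: no code at all
            pos = end + 2
        elif js.startswith(b"//", pos):                  # line comment
            end = js.find(b"\n", pos)
            pos = n if end == -1 else end + 1
        elif js[pos:pos + 1].isspace():
            pos += 1
        else:
            break
    return pos


def triage(name: str, data: bytes) -> dict:
    """Report claimed vs. real container and where the script body actually begins."""
    claimed = EXT_KIND.get(name.rsplit(".", 1)[-1].lower(), "unknown")
    actual = sniff_container(data)
    # gzip wraps a single blob with no member list, which is why "badboy.zip"
    # unpacks to a bare "badboy"; zip/rar would need their own extractors.
    payload = gzip.decompress(data) if actual == "gzip" else data
    start = script_start(payload)
    return {"claimed": claimed, "actual": actual, "mismatch": claimed != actual,
            "code_offset": start, "code_preview": payload[start:start + 40]}


# Constructed sample: a ".zip" that is really gzip, wrapping a script whose first
# 200 KB is one block comment with the real (obfuscated-looking) code at the very end.
SAMPLE_JS = b"/*" + b"A" * 200_000 + b"*/\n" + b"var s=unescape('%41%42');"
SAMPLE_ATTACHMENT = gzip.compress(SAMPLE_JS)

if __name__ == "__main__":
    print(triage("badboy.zip", SAMPLE_ATTACHMENT))
```

The offset tells you how far past the comment a reader has to look before it reaches anything executable, which is the question asked above about browsers and mail clients.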

What are the hackers counting on? You being distracted by screaming children, burning breakfast, or a myriad of other things that take your attention off of being careful, and one little whoops and there it goes.  The reason it is called Locky or Ransomware is because they encipher your files and promise you can get the files back if you send them money.  Can you trust them?  If they will lock the files in the first place, can you really trust them?  Maybe not.  I don't trust them to just unlock them.  A one-time card is all you should use if you think that all they will do is unlock the files.

We need help from Email Reader Creators:
Okay, so you got an email message from your good pal Joey.  You can trust his links (but maybe not attachments), right?  Wrong!  I received two email messages supposedly from a friend just like this.  Was it really from them?  I read my POP email from that Unix-like system in Thunderbird.  Thunderbird won't render any all-HTML messages.  Unlike the phish URLs I see stripped of everything so us reviewers at Phishtank can see if they still pose a threat, there are various ways hackers can hide the true URL inside email readers from you and substitute a fake URL that you see.  That doesn't work on me because all I will see is white space.  But these email messages were insistent that they came from my friend.  Why?  Because they showed only the visible first name rather than the entire email address.  All email readers do this!  They should not do it!  But even Thunderbird shows only the name and omits showing the purported sending email address.  So I saved the email messages to files and looked at them in the Vim editor. I could see that the email messages MAYBE came from another email address.  Even that is dubious since you can fake the sending email address and have email sent from special-purpose send-only SMTP email servers on both Android and Windows.  You should be able to count on an SMTP receiving server to at least faithfully record the sending IP address.  So what does a receiving Microsoft Exchange SMTP server do?  It strips that IP address off (that IP address is given to you by the routers and just cannot be substituted out by the sending SMTP server), does a lookup of the DNS MX (Mail eXchange) records for the purported sending email address domain, does a lookup of the DNS A records of the MX host(s), and then puts those into the headers.  It is enough to drive you nuts.  Why doesn't Microsoft Exchange just faithfully give you the REAL sending IP address?  I can assure you that there really is only ONE user at my domains.
With the qmail SMTP server I KNOW that what I am getting is the REAL sending IP address.  qmail is what powers my mini honey-net. I got the mini honey-net whether I wanted it or not, no thanks to the IMSP.  How good were these hackers with these emails faked to look like they came from my friend?  So good that they had fake domains and MX records that looked like the real thing.  I could even send replies to the phishy-looking email addresses.  But after a few days, everything fell out of DNS and my reply email messages would then boomerang.  I did look at the URLs in the message (remember, even downloaded Linux binaries won't run on a Linux system because the file permissions don't set the execute bit on download).  Spam.  All that effort for spam?  I expected at least a phish!

So email reader developers, either make your email readers capable of showing the entire email address or just display the whole email address in the email reader.  With this real (er, purported) email address people can at least see whether the email address is from YourFriend@gmail.com instead of a pretender at YourFriend@bogus.org.  Hackers can count on this behavior mostly for phish.  Just because you have a Macintosh you are not immune.  My friend uses a Macintosh.  They clicked on a link in an email.  The hackers were able to read the contents of their email address book in a webmail account!  Get the idea?  All platforms are vulnerable to phish.  Only email readers like Thunderbird give you a leg-up for phish that are all-HTML messages.  For those, Thunderbird just gives you a nice white blank message and there is nothing to click on.
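What a reader hides behind the display name, and which Received header you can actually rely on, is easy to show from the raw message. The check below is an added example (not the post's own tooling, and nothing any mail client does today): it parses a constructed message, compares the full From address against a placeholder address book entry for the display name, flags a Reply-To that points elsewhere, and takes the connecting IP only from the Received line written by our own MX, since every hop below that was added by the sender's side. MY_MX, ADDRESS_BOOK and all addresses are constructed placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

MY_MX = "mx.example.net"                       # the receiving server we run (constructed)
ADDRESS_BOOK = {"joey": "joey@gmail.example"}  # constructed placeholder entry
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the display name says "Joey" but the address does not match
# the address book, Reply-To points elsewhere, and the topmost Received header is
# the one our own MX wrote when it accepted the connection.
SAMPLE = b"""Received: from mail.bogus.example (mail.bogus.example [198.51.100.7])
\tby mx.example.net with ESMTP id abc123; Thu, 5 May 2016 09:00:00 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby mail.bogus.example with SMTP; Thu, 5 May 2016 08:59:58 +0000
From: Joey <joey.r@bogus.example>
Reply-To: Joey <reply@elsewhere.example>
To: you@example.net
Subject: check this out

http://bogus.example/link
"""


def check_sender(raw: bytes) -> dict:
    """Show what the reader hides: full address, book match, and the IP our MX saw."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg["From"]))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    # Only the Received line added by our own server is trustworthy; every hop
    # below it was written by the sender's side and can say anything.
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    ours = [h for h in hops if f"by {MY_MX}" in h]
    ip = BRACKETED_IP.search(ours[0]) if ours else None
    return {
        "display_name": name,
        "address": addr.lower(),
        "name_in_book": ADDRESS_BOOK.get(name.lower()) == addr.lower(),
        "reply_to_differs": bool(reply) and reply.lower() != addr.lower(),
        "connecting_ip": ip.group(1) if ip else None,
    }


if __name__ == "__main__":
    for k, v in check_sender(SAMPLE).items():
        print(f"{k}: {v}")
```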

If all else fails and your email message really does look like it came from your friend, call your friend on the phone and ask them if they sent you an email message with a URL in it.  Ask them what was in the email message.  Usually you can use your common sense to say "they would never send me something like THAT."  So this advice is only for those email messages you believe REALLY came from them.  That means this particular email message looks valid.  If it is a targeted attack and the hackers have the time to see what your friend is really like, then they can make an email message really look like it came from your friend, right down to even faking the sending email address.  Thus my warning about using your phone.  Don't assume anything, including that you are so unimportant that you won't have a hacker pretending to be somebody you know.  Well, I guess I am that unimportant.  But I use Linux, which shrugs off almost everything but phish.  Ubuntu-Mate and Xubuntu are recommended.  They are even more secure than Macintosh as long as you don't offer services. I don't provide services and hide behind two hardware firewalls as well.  Am I paranoid?  Yes!  Am I paranoid enough?  Maybe.
