Saturday, May 21, 2016

Thunderbird

I have heard that Mozilla is deciding to scrap Thunderbird.  I hope this is not true because I have standardized on it.  Why?  Because once you pick a POP / IMAP email client you don't want to change It.  Here is why.  I have mine configured for multiple email accounts which are separate from each other.  When I encounter messages I want to save I move them into the Local Folders area.  Ergo, if Thunderbird vanishes there went my history and it is back to thrashing around finding and taming a new email program that will inevitably be worse than Thunderbird.  Why did I select Thunderbird besides these book-keeping and history reasons?

I want a POP / email client program that won't render HTML  Remember that I am coming at this from a security standpoint. Rendering HTML is a great way to open yourself up as more vulnerable to phish.  So I don't want HTML rendering except maybe on a toggle on temporarily basis.  There are times that I am sick or distracted and everybody makes mistakes.  So if the Thunderbird team changes this aspect of rendering HTML, at least make it configurable via some easily found method to turn it on or off via about:config.  I can understand a turn on temporarily for a particular message but in general it is nice to see white space.  Somehow for the vast majority of my all email messages all white means there is nothing for me to click on and invariably it is something bad.

I can already hear somebody saying to me, "Thunderbird has about:config?  Where do you type it?  Well you don't.  For me on Linux you go to Edit (Preferences may be some place else on Windows or Macintosh), then select Preferences.  Set that window's tab to General.  Then click on the Config Editor button.  Here is picture of what that will look like:





I just got a tip from my colleague in France that I know by the nom-de-plume of Airelle that this is good thing to use for taming the Locky or Ransomware I get so much of in my email box.  Locky and Ransomware is a zipped Javascript attachment in email right now and for the foreseeable future.  They normally use zip but some times they use rar and I even have one where they used gzip to zip the file.  Anyway, once you have clicked on Config Editor you will have to click affirmatively on the "I'll be careful, I promise" query.  It is always there for me because I don't go in there all that much and want to be warned I am inside where I can maybe harm myself.  Okay, so far we are okay.  Now start typing "javascript" in the Search box.  Find this item:

javascript.enabled

position the pointer over the Value which is probably set to true and right click on it and select Toggle.  That should change it to false.  Does it help?  I hope so, but I still some times see a scripting message when saving Locky zip files.  So it may not help but it doesn't hurt.  If somebody wants to tell us how to do this with other email client programs I would be grateful. This is especially true if you give it for Outlook.  It is probably the number one email client program used for POP and IMAP email.

I have also used about:config to also change these two settings for Thundebird because I am always typing "attach", "attached" and other words derived from "attach" with no intentions of using an attachment:

mail.compose.attach_reminder
mail.compose.attach_reminder_agressive

I changed both of them via Toggle from true to false.  Now, if somebody could tell me that there is some way I could use about:config to make it show me the full From address I would appreciate it.  That is about the only thing I would change on Thunderbird.  I would change it to show the full email address.  I did see that they had this one:

mail.phishing.detection.ipaddresses

I don't know what it does, but all of my Locky malware is sent from special pupose send-only SMTP servers dropped onto hacked Windows machines.  I can tell because of the X-Originating-IP line in the header that qmail thoughtfully provides.  The IP address given there never matches the A record for the MX hosts for the purported sending domain.  But what I am trying to prevent there is somebody or some bot sending you email that says just "YourBuddy" where your buddy is at "YourBuddy@TheRealDeal.org" and the message you have is supposedly from "YourBuddy@FlyByNight.org" but actually comes from a hacked machine place else.

I guess it could be worse.  At least one Microsoft Exchange SMTP server ignored the originating IP address and instead looked up the MX record for the purported sending domain (mine doesn't use my domain name in the MX record that handles it email) which was mine, and then looked up the IP address and substituted it.  How do I know?  There is no such user as dfad452xz  at my domain and thus no way of sending email from them.  But email is configured to accept email to any valid sounding user name so I have a dandy mini honey-net whether I want it or not due to how my IMSP / IWSP configured it.  After taking almost two years to educate email admins not to bounce Locky type messages to the purported from domain.  I wonder what Microsoft Exchange will do on those domains I encountered that didn't even have MX records because they were parked?

So, Mozilla. please keep Thunderbird going.  I shudder to even think of using any other email client program for email.

Thank You!



Thursday, May 5, 2016

We need your help

Locky Malware in Email:
While processing the latest batch of what is called Locky or Nemucod malware in my mini honey-net I came across some pretty surprising stuff.  For those that don't know what Locky is, it is zipped Javascript attachments.  They can be zipped with either RAR or ZIP, which means that you need either unrar or unzip which is kindly provided in all browsers (webmail) and all POP/IMAP email clients.

Okay, the first surprise was in how I analyze (triage, not full analysis) them.  I am on a Unix-like system so I unzip them or unrar them manually which gives me one or more files with at least one of the files being a Javascript which means a file with a ".js" extension. All of the email clients will obligingly unzip the zipped files for you when you click on the attachment. So if this is far as you can read, just don't click on those attachments or links in email! So far, so good.  But next I edit the main Javascript file (some times they have multiple copies of it as well) with an editor called Vim.  Well, this time the start of the file had such a huge comment that vim could not see the whole comment or past it.  So I loaded the JavaScript files in a binary editor called hexedit.  Now I could see the obfuscated Javascript at the very end of the file.  Can your browser or POP/IMAP email reader scan past that huge long comment when the Vim editor fails?  Right off hand I don't know.  I kept giving the AV companies a heads up to stop looking at zipped JavaScript too carefully in the comments section.  But the reason for the comments was to tell them to just mark these as bad ASAP with some sort of heuristic.  How many of them are really bad?  I estimate less than 20% of them.  But even if they are bad, the detection at VirusTotal is deplorable.  usually only 4 out of 56 AV packages show it as bad in 24-48 hours.  Even after a month, I rarely get more than 32 out of 56 marking them as bad and have never got higher than 36 out of 56 of the AV at VirusTotal detecting them as bad.  So you cannot depend on your AV to protect you.  You have to depend on your own, hopefully not flawed judgement to protect yourself.

Dumb Hackers:
I unzip them with an ad-hoc shell script I key in manually. The command line on Unix is far more powerful than even PowerShell on Windows.  For one of them I got an error.  It turned out that despite the fact the file had a ".zip" extension, it was zipped not with ZIP, but GZIP.  Even doing this manually, either gunzip or "gzip -d" does not like that ".zip" extension and refuses to do anything with the file.  So I renamed the badboy.zip (not the real name) to be badboy.gz.  Now I could gunzip it.  I expected a file named InnerJavascript.js. The names vary all over the place and I used InnerJavascript as just a way to say that the Javascript base file name is NOT the same as ZIP base file name.  What came out of my badboy.gz file?  If you are thinking it would be a file named InnerJavascript.js you are wrong.  If you are thinking it would even be a file named badboy.js you would still be wrong.  What was its name?  Just badboy with no extension.  Does that pose a threat  to anybody (all of these pose no threat to me on my Unix-like systems)?  No?  Maybe, but I doubt it.  I have had these posing a threat to both Android and Windows.  But this should not pose a threat to anybody.  Do the hackers (and I have had Russian in some of the files and in URLs) know it doesn't work?  I don't know, but I can assure you a properly gzipped Locky Javascript file can be gunzipped on Windows or Android and does pose a threat to those systems.  The problem was that this one wasn't gzipped properly.  The hackers don't care because frequently they design only about 5% to 15% of their attachments to be malicious.  What they are counting on is that fools you into believing that since the last one did nothing bad, all of them are that way.  Well, you can count on at least 5% of them doing something bad, especially when they are new.  So I say again, just don't click on those attachments or links in email!

What are the hackers counting on? You being distracted by screaming children, burning breakfast, or a myriad of other things that take your attention off of being careful and one little woops and there it goes.  The reason it is called Locky or Ransomware is because they encipher your files and promise you can get the files back if you send them money.  Can you trust them?  If they will lock the files in the first place, can you really trust them?  Maybe not.  I don't trust them to do just unlock them.  Use of a one-time card is all you should use if you think that is all they will do is unlock the files.

We need help from Email Reader Creators:
Okay, so you got an email message from your good pal Joey.  You can trust his links (but maybe not attachments), right?  Wrong!  I received two email messages supposedly from a friend just like this.  Was it really from them?  I read my POP email from that Unix-like system in Thunderbird.  Thunderbird won't render any all HTML messages.  Unlike the phish URLs I see stripped of everything so us reviewers at Phishtank can see if they still pose a threat, there are various ways hackers can hide the true URL inside email readers from you and substitute a fake URL that you see.  That doesn't work on me because all I will see is white space.  But these email messages were insistent that they came from my friend.  Why?  Because they showed only the visible first name rather than the the entire email address.  All email readers do this!  They should not do it!  But even Thunderbird shows only the name and omits showing the purported sending email address.  So I saved the email messages to files and looked at them in the vim  editor. I could see that the email messages MAYBE came from another email address.  Even that is dubious since you can fake the sending email address and have email sent from special purpose send-only SMTP email servers on both Android and Windows.  You should be able to count on a SMTP receiving server to at least faithfully record the sending IP address.  So what does a receiving Microsoft Exchange SMTP server do?  It strips that IP address off (that IP address is given to you by the routers and just cannot be substituted out by the sending SMTP server), does a look up of the DNS MX (Mail eXchange) records for the purported sending email address domain, does a lookup of the DNS A records of the MX host(s), and then puts those into the headers.  It is enough to drive you nuts.  Why doesn't Microsoft Exchange just faithfully give you the REAL sending IP address?  I can assure you that there really is only ONE user at my domains.  With the qmail SMTP server I KNOW that what I am getting is the REAL sending IP address.  qmail is what powers my mini honey-net. I got the mini honey-net whether I wanted it or not, no thanks to the IMSP.  How good were these hackers with these emails faked to look like they came from my friend?  So good that they had fake domains and MX records that looked like the real thing.  I could even send replies to the phishy looking email messages addresses.  But after a few days, everything fell out of DNS and my reply email messages would then boomerang.  I did look at the URLs in the message (remember, even downloaded Linux binaries won't run on a Linux system because the file permissions don't set the execute bit on download).  Spam.  All that effort for spam?  I expected at least a phish!

So emai reader developers, either make your email readers capable of showing the entire email address or just display the whole email address in the email reader.  With this real (er, purported) email address people can at least see whether the email  address is from YourFriend@gmail.com instead of a pretender at YourFriend@bogus.org.  Hackers can count on this behavior mostly for phish.  Just because you have a Macintosh you are not immune.  My friend uses a Macintosh.  They clicked on a link in an email.  The hackers were able to read the contents of their email address book in a webmail account!  Get the idea?  All platforms are vulnerable to phish.  Only email readers like Thunderbird give you a leg-up for phish that are all HTML messages.  For those, Thunderbird just gives you a nice white blank message and there is nothing to click on.

If all else fails and your email message really does look like it came from your friend, call your friend on the phone and ask them if they sent you an email message with a URL in it.  Ask them what was in the email message.  Usually you can use your common sense to say "they would never send me something like THAT."  So this advice is only for those email messages you believe REALLY came from them.  That means this particular email  message looks valid.  If it is a targeted attack and the hackers have the time to see what your friend is really like then they can make an email message really look like it came from your friend, right down to even faking the sending email address.  Thus my warning about using your phone.  Don't assume anything, including that you are so unimportant that you won't have a hacker pretending to be somebody you know.  Well, I guess I am that unimportant.  But I use Linux which shrugs off almost everything but phish.  Ubuntu-Mate and Xubuntu are recommended.  They are even more secure than Micintosh as long as you don't offer services. I don't provide services and hide behind two hardware firewalls as well.  Am I paranoid?  Yes!  Am I paranoid enough?  Maybe.