
Anatomy of a failed virus attack

It happened to me


Analysis Here follows a short story of a failed virus attack on me and my company, and why e-mail from strangers, hostile or otherwise, is not a problem for us. In this brief essay I would like to draw your attention to two major points about security and e-mail, which also apply to any other Internet protocol.

1. You need effective technology to protect you from the many unscrupulous people out there on the Internet who want to damage your systems, scam you or generally subvert your computing resources for their own ends.

2. Security via technology alone is not sufficient to combat the cyber-criminals who are out to get you, your business, and your computers. You need to be aware of what is going on around you and take control of the situation before you are compromised. Just as ignorance of the law is no excuse, ignorance of your computing environment can also land you in deep trouble.

Back to the main plot. This morning I received the following e-mail which allegedly came from the address: register@osml.co.uk

Dear user jim.kissel,

You have successfully updated the password of your Osml account.

If you did not authorize this change or if you need assistance with your account, please contact Osml customer service at: register@osml.co.uk

Thank you for using Osml! The Osml Support Team

+++ Attachment: No Virus (Clean) +++ Osml Antivirus www.osml.co.uk

The address "register@osml.co.uk" was a syntactically correct "mailto:" link, and "www.osml.co.uk" was a valid link to our web site. The time stamp on the e-mail was 06:55. For the record, "osml.co.uk" is "owned" by Open Source Migrations Ltd, and Jack Knight and I are co-directors of this company.

Now I'm suspicious, even before I open this e-mail. I am not the administrator of our core machines, but Jack, who is, keeps me well informed of developments and we certainly hadn't discussed the need for a "register" user id. Even if Jack had needed to reset any passwords, he would have warned me, so I am already fairly certain that this is some form of malicious e-mail.

We have multiple lines of defence on our systems, one of which is in itself the Thunderbird e-mail client. This is further hardened by running on a Linux operating system. (I'll come to the other lines of defence later). There are a number of things you need to configure for safer e-mail in Thunderbird and indeed any other e-mail client software you may be using, namely:

  • Turn off JavaScript in mail messages
  • Block loading of remote images in mail messages
  • Use secure connections (SSL) when retrieving and sending email
  • Set View Message Body as Plain Text

These are the minimum settings you should ensure are set in your e-mail client, and they will block the most obvious attack vectors. Unfortunately not all of them are set by default when you install Thunderbird, but with these settings in place I am fairly certain that I can safely open an e-mail without suffering any damage. However, I can also see there is an attachment, and opening the message shows that it is a zip file. This is even more suspicious given that the source of the message is in doubt. Thinking about it logically, even if the message were legitimate, why would I be sent a zipped attachment with a change-of-password notification?

So my guard is up - what next? Let's walk through the content of the message. The next giveaway is the greeting. "Dear user jim.kissel," - it looks like a robot or programmed reply. Most humans would address me as Jim Kissel, Mr. Kissel, or Jim, not "jim.kissel,". So now I know we're dealing with a spammer/scammer. The next step is to look at the e-mail headers. Easy with Thunderbird: just hit Control-U.

Analysing e-mail headers can be a serious technical task, but in this case there is a single line:

Received: from murder ([unix socket])

In any normal Internet message we would expect to see something like this line, plus at least one other line starting with "Received:", as legitimate MTAs (Message Transfer Agents) add this information as a matter of course, and failure to record the path the message took from source to destination is a violation of the SMTP protocols.

The lone "unix socket" line suggests that there is a program and not a human on the other end of the line. Now, as said, this can under certain circumstances be perfectly normal, but the fact that this "Received:" line is flying solo, with no other instances of machines which have relayed this message, is a very strong, if not irrefutable, alert that this isn't a legitimate message. Even if a message is sent point to point over a corporate intranet, we would expect more than one "Received:" record line, and we would expect to see real machine names, or at least IP addresses, in there.

Another line reveals:

Received: from osml.co.uk ([220.225.198.78])

Another giveaway. The IP address here is NOT ours, so someone is masquerading as us.
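As an added example that is not part of the original article, the following Python script applies the same sanity checks to a constructed message modelled on the two quoted "Received:" lines: it counts the hops, flags a chain in which no relaying machine's IP address appears, and flags a hop that names our domain but arrives from an address outside our own networks (the 192.0.2.0/24 range below is an assumed stand-in for the company's real addresses).

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample modelled on the two Received: lines quoted in the
# article (not the real message); a genuine message would name every relay.
SUSPECT_MESSAGE = """\
Received: from murder ([unix socket])
Received: from osml.co.uk ([220.225.198.78])
From: register@osml.co.uk
To: jim.kissel@osml.co.uk
Subject: Password updated

Dear user jim.kissel,
"""

# Matches "from <host> ([<address>])" as MTAs write it in Received: lines.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([^\]\)]+)\]?\)", re.IGNORECASE)

def received_hops(raw_message):
    """Return the Received: header values, most recent hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]

def audit_received(raw_message, our_domains, our_networks):
    """Apply the article's sanity checks to the Received: chain."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    hops = received_hops(raw_message)
    findings = []
    if len(hops) < 2:
        findings.append("fewer than two Received: hops; relay path not recorded")
    saw_real_ip = False
    for hop in hops:
        m = HOP_RE.search(hop)
        if not m:
            continue
        claimed, addr = m.group(1).lower(), m.group(2).strip()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # e.g. "unix socket": a local delivery, not a relay
        saw_real_ip = True
        is_ours = any(claimed == d or claimed.endswith("." + d) for d in our_domains)
        if is_ours and not any(ip in n for n in nets):
            findings.append(f"hop claims {claimed} but came from {ip}, which is not ours")
    if not saw_real_ip:
        findings.append("no relaying machine with an IP address in the chain")
    return findings
```

Run against the sample, `audit_received(SUSPECT_MESSAGE, ["osml.co.uk"], ["192.0.2.0/24"])` reports the spoofed osml.co.uk hop; a message carrying only the "unix socket" line trips the hop-count and missing-relay checks instead.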
