MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 28 February 2008

Out of Office Notifications Are...

An accident waiting to happen!

In fact a number of these accidents have already happened. But I'm getting ahead of myself. So, why do I think that they are inherently bad?

Personally, I hate out of office notifications, not because it means that I can't get a reply from the person I sent an e-mail to in the first place, but because they can be misused, not just by the person who is 'Out of the Office' but also by the 'Bad Guys and Girls'. Let me explain in more detail what I mean...

1. Too Much Information
Often when people enable 'Out of Office' they offer too much information; such as when they are going and coming back, and where they are going to. They also often include a second person's details to contact in their absence; including their full e-mail address. This is then often enabled for all incoming e-mail to their e-mail address, which means that not only internal [company/organisation] colleagues are informed, but also, in many cases anyone on the internet that sends them e-mail. The next two points explain in more details why this is a 'bad' thing.

2. Confirmation that your e-mail address exists
As mentioned above, if you enable your 'Out of Office' notification to send an automatic response to all e-mail that is received, you are assisting spammers, scammers and malware authors by confirming that the e-mail address is in use [which makes it worth more to them]. If you also include another person's details to contact while you are away, then the 'Bad Guys and Girls' can harvest that address too, to sell on for profit, to misuse themselves, or often both. The end result is more spam, scams and malware arriving in your inbox and in the inbox of anyone else you kindly supplied in your 'Out of Office' notification; I'm sure that they will be quick to thank you for all the extra 'crud' they are now receiving ;-)

3. Physical and Cyber attacks while you are 'away'.
If you are unwise enough to indicate you are on holiday or just out of the country where you normally reside, then the 'Bad Guys and Girls' can do a number of things whilst you are not at home. If they have enough data on you, then you could come back to find your house burgled, full of squatters, vandalised or even worse.

If they don't have access to that level of information then they can hack into your personal webspace, social networking and other web sites you may use. They could also perform a 'Joe Job' [spam sent in your name, so that the complaints and bounces land on you] or a 'DDoS' to discredit you or damage your business or reputation. While you are away they may use your stolen identity to take out loans, credit cards and even mortgages in your name. If they already have some of your financial data, such as bank account or credit card details, you could suddenly find your bank account empty or unauthorised charges [and ATM withdrawals] on your debit or credit cards.

In all these cases listed above, this is only likely to happen if you have come to their attention; such as being a thorn in their side, or making life difficult for them, or someone else is willing to pay for the information and/or attacks to take place.

If you don't believe that these things happen, then I can assure you that many of the cyber attacks happen to many of us who work in computer security, especially those that are widely published or who work for anti-malware companies or in law-enforcement.


Figure 1: Too Much Information is an Invitation for Trouble!

4. Bounced Spam
This is the latest way that 'Out of Office' notifications can be mis-used and it affects all of us who are already on spammers/scammers and malware authors lists (or soon will be).

Here is the scenario:
The Bad Guys or Girls sign up for a free webmail account, at say, Google, Yahoo, Live, etc. and then enable the 'Out of Office' feature. They then place the spam message they want to distribute in the 'Out of Office' e-mail body.

Next, the spammer sends lots of e-mails to this new webmail account, using spoofed 'From:' addresses, so that the 'Out of Office' reply is sent to the intended victim [the spoofed From: address].

Why do this? Because the auto-reply is genuinely sent by the webmail provider's own servers, from a real account at that provider, it carries the provider's DKIM or DomainKeys signature and passes SPF and Sender ID checks for the provider's domain. The mail server that handles the intended victim's e-mail is therefore more likely to let the spam through, as it appears to have come from a trusted, properly authenticated source; the spammer has effectively borrowed the webmail provider's reputation, and the spam never has to pass through the spammer's own machines.

This is now easier for the spammers to do, as the CAPTCHA systems used by Yahoo and Googlemail have been cracked, so they can now automate the creation of these 'trusted' 'Out of Office' spam relays.


Figure 2: Out of Office Spam Setup
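
The scenario above has a defensive side: an 'Out of Office' reply that answers a message you never sent is backscatter, whatever its SPF or DKIM result says. The following is an added example (not code from the original post) of a check a receiving mail server could run. It assumes the site keeps a record of the Message-IDs of its own outbound mail (here a constructed set, SENT_MESSAGE_IDS) and that auto-replies are marked with the RFC 3834 'Auto-Submitted' header or one of the older vendor-specific markers; the sample messages are constructed.

```python
"""Flag 'Out of Office' auto-replies that answer mail we never sent.

Added example, not from the original post. Assumes the receiving site logs the
Message-IDs of its own outbound mail (constructed here as SENT_MESSAGE_IDS).
"""
import email

# Constructed stand-in for the outbound mail log; a real deployment would look
# Message-IDs up in the MTA's sent-mail log or a database.
SENT_MESSAGE_IDS = {"<20080228091500.abc123@example.org>"}

AUTO_REPLY_SUBJECTS = ("out of office", "automatic reply", "autoreply", "auto-reply", "auto:")


def is_auto_reply(msg):
    """True when the message declares itself to be automatically generated."""
    auto_submitted = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto_submitted and auto_submitted != "no":      # RFC 3834 marker
        return True
    if (msg.get("Precedence") or "").strip().lower() == "auto_reply":
        return True
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):  # older vendor markers
        return True
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    return subject.startswith(AUTO_REPLY_SUBJECTS)


def referenced_message_ids(msg):
    """Message-IDs the reply claims to answer (In-Reply-To and References)."""
    ids = set()
    for header in ("In-Reply-To", "References"):
        for token in (msg.get(header) or "").split():
            if token.startswith("<") and token.endswith(">"):
                ids.add(token)
    return ids


def classify(raw, sent_ids=SENT_MESSAGE_IDS):
    """Return 'not-auto-reply', 'legitimate' or 'backscatter'.

    An auto-reply that passes SPF/DKIM for the webmail provider is still
    backscatter if it answers a Message-ID we never issued: somebody else put
    our address in the From: of mail sent to that mailbox.
    """
    msg = email.message_from_string(raw)
    if not is_auto_reply(msg):
        return "not-auto-reply"
    if referenced_message_ids(msg) & sent_ids:
        return "legitimate"
    return "backscatter"


# Constructed samples. The first one passes DKIM and SPF for the provider's
# domain, exactly as in the scenario, yet answers a forged Message-ID.
BACKSCATTER = """\
Return-Path: <holiday.spammer@webmail.example>
Authentication-Results: mx.example.org; dkim=pass header.d=webmail.example; spf=pass
From: Holiday Spammer <holiday.spammer@webmail.example>
To: victim@example.org
Subject: Out of Office: cheap meds, click now
Auto-Submitted: auto-replied
In-Reply-To: <forged.0001@spam.example>
Message-ID: <ooo.9876@webmail.example>

I am out of the office. Meanwhile visit http://192.0.2.77/
"""

LEGITIMATE = """\
From: Colleague <colleague@example.org>
To: me@example.org
Subject: Out of Office: Re: Q1 report
Auto-Submitted: auto-replied
In-Reply-To: <20080228091500.abc123@example.org>
Message-ID: <ooo.1234@example.org>

I am away until 3 March.
"""

NORMAL = """\
From: friend@example.net
To: me@example.org
Subject: lunch?

Are you free on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER), ("legitimate", LEGITIMATE), ("normal", NORMAL)):
        print(name, "->", classify(raw))
```

Note the caveat: responders that omit In-Reply-To and References will be flagged as backscatter by this check, so in practice you would add a second test (did we send anything to that address recently?) before discarding the message.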

So, next time you go to enable your 'Out of Office' feature, think carefully about what information you provide, and if you can, do not enable the 'respond to internet addresses' option, as you may live to regret it!


Thursday, 21 February 2008

A Right Royal Grant?

Wow, according to the e-mail I received today I have been awarded a grant of half-a-million pounds [£500,000.00], not just from any old society or company, but from one calling itself 'Queen Elizabeth's Foundation'!

I'm honoured that I have personally come to the attention of our country's ruling monarch, and what's more she feels that I deserve half-a-million in cash with her head on it all...

Here's a screenshot of the e-mail, so that you can see it for yourself, and bask in my glory:



OK, yes I'm not really being serious, or getting too big for my boots, or thinking that I'm now above you all ;-) I know it is a scam and I'm just playing along.

So, let me start by checking out if the domain that the email claims to be sent from actually has a website:



Nope, no website, most odd! OK, so let me now check to see who the domain is registered with and to whom:



If I didn't already know that this was a 419 scam, then I would by now, so let me dig deeper. Next, let me check out the phone numbers: they look real, and they are, but they are not registered to any charity or person; they are so-called 'personal' numbers being offered for FREE by the following company:



So, what do we know so far? There is no such society or organisation, the telephone numbers given are real but suspect, they have no website and the domain isn't even registered [so how could they send e-mail from it?], and finally they want me to reply to a different e-mail address, and they can't make their mind up as to who I should be replying to, is it:
Rooney James or Williams Anderson?

To get to the bottom of the mystery of where the e-mail was sent from, I took a quick peek at the raw headers, and what did I find? I found that the e-mail was actually sent via the webmail service of the company shown in the final screenshot, below:



Yes, they sent the e-mail using a webmail service based in Hawaii, for the United Kingdom monarch whose name is used for an organisation that doesn't exist, doesn't have a website or own a domain at all, and they want me to reply to an e-mail account hosted on Microsoft Live, just so that they can send me half-a-million quid!
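
The 'quick peek at the raw headers' can be automated. The following is an added example (not code from the original post) that walks the Received: chain from the top, trusting only the headers written by our own servers, to find the host that actually handed the message in, and compares that with what the From: and Reply-To: headers claim. The message and the set of trusted hosts (TRUSTED_HOSTS, standing for our own MTAs) are constructed; the domain names are reserved example/.invalid names, not the ones in the screenshots.

```python
"""Trace where a message really entered our mail system and compare that with
what its headers claim. Added example, not from the original post; the sample
message and TRUSTED_HOSTS (our own MTAs) are constructed.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_HOSTS = {"mx.example.org", "inbound.example.org"}

# 'from <helo> (<reverse-dns> [<ip>]) ... by <host>' as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def originating_hop(msg, trusted=TRUSTED_HOSTS):
    """Return (helo_name, ip) of the outside host that handed the mail to us.

    Received: headers are prepended, so the newest hop comes first. Walk down
    while the 'by' host is one of ours; the 'from' side of the last such header
    is the outside submitter. Everything below it could be forged by the sender.
    """
    handoff = None
    for value in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(" ".join(value.split()))
        if not m:
            continue
        if m.group("by").lower() not in trusted:
            break
        ip_match = IP_RE.search(m.group("paren") or "")
        handoff = (m.group("helo").lower(), ip_match.group(1) if ip_match else None)
    return handoff


def domain_of(header_value):
    """Domain part of the first address in a From:/Reply-To: style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def header_indicators(raw):
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    hop = originating_hop(msg)
    return {
        "handoff": hop,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        # 419 mails typically want answers sent somewhere other than the From: address
        "reply_to_elsewhere": bool(reply_domain) and reply_domain != from_domain,
        # does the claimed sender domain appear in the name of the hand-off host?
        "from_matches_handoff": bool(hop) and hop[0].endswith(from_domain),
    }


# Constructed sample: two hops written by our servers, one by the webmail
# service that really sent it, and a forged bottom line added by the sender.
SAMPLE = """\
Received: from inbound.example.org (inbound.example.org [198.51.100.2])
    by mx.example.org (Postfix) with ESMTP id 1A2B3C; Thu, 21 Feb 2008 10:00:01 +0000
Received: from mail.webmail.example (mail.webmail.example [192.0.2.10])
    by inbound.example.org (Postfix) with ESMTP id 9Z8Y7X; Thu, 21 Feb 2008 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.webmail.example with HTTP; Thu, 21 Feb 2008 09:59:00 +0000
Received: from queen-elizabeths-foundation.invalid by fake.invalid with SMTP
From: "Queen Elizabeth's Foundation" <grants@queen-elizabeths-foundation.invalid>
Reply-To: rooney.james@live.example
To: me@example.org
Subject: Grant award notification

You have been awarded a grant. Reply with your bank details.
"""

if __name__ == "__main__":
    for key, value in header_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```

The hand-off host is an indicator, not proof: plenty of legitimate mail is sent through a provider whose host names do not contain the sender's domain. What it does tell you reliably is which server to name in an abuse report, because that hop was logged by your own MTA and cannot have been forged.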

So, do you smell a rat now, or would you send them the data they ask for?

Just to be crystal clear about this: There is no money, as usual, this is a scam which has been around in one format or another for many years, all that happens if you get caught up with these scammers is that you will lose money, not gain any.

Just because they use the name of the Queen of the United Kingdom, and names of well known real organisations such as UNICEF, doesn't mean that this is real [even if the money actually existed, which it doesn't]. This is just another twist in 'The Game' that is collectively known as 419 or Advance-Fee-Fraud.

Sorry, Your Majesty, but I'm going to have to turn down your kind offer...


Tuesday, 12 February 2008

FREE Greetings FOR YOU !!!

Looks like a busy day for me today, just what I need, not!

Here's a screenshot of another tempting* email that I've received this afternoon:



If you are foolish enough to click on the link in the e-mail, you'll end up being offered a file called 'greeting.exe'. This file appears to be hosted on the free web-hosting service called ZeroCatch. Here's a screenshot of the default page for the sub-domain hosting the file; as you can see, the malware author couldn't even be bothered to put a basic page together:



So, I hear you all ask, do you get FREE Greetings, as promised? Nope, all you'll get is an infected PC for your trouble, although it will be FREE! ;-)

At the time of posting this blog entry the detection of the offered 'greeting.exe' file was very poor, with only 6 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered appears to be a static binary, as in my testing so far all samples downloaded are the same size and produce the same MD5.

[*] Only really tempting if I had a lobotomy or suffered other severe head or brain trauma which seriously affected my common-sense.


Another Stormy Valentine's Day...

...Coming To A PC Near You, Soon!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentine's Day on Thursday?

It seems that the so-called 'Storm Worm Gang' are back playing cupid again and couldn't resist the opportunity to try and get you to infect your computer again using the guise of a valentine e-card, again. The latest wave of these started early this morning:

The subjects of the e-mails I've seen so far include:

Blind Love
Heart pump
Love Rose
Phone Love
With All My Love
Valentine Friends
Happy Valentine's day!
The love Train
You're Super Sweet
Me & You

The body of all the e-mails seen so far contains a single line of text and a URL [the usual dotted-IP sort, e.g. http://100.123.12.1]; here is just a small selection of the text I've seen used so far:

A Hearty Wish
Love You
My Heart
Rockin' Valentine
Smiley Kiss
You Stay In My Heart
Valentine Friends
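
The subjects and body texts listed above, together with the bare dotted-IP link, make a usable mail filter. The following is an added example (not code from the original post) that scores an incoming message on those indicators: a subject from the list, a body that is a single short line plus a link, a link whose host is a bare IP address, and a body text from the list. The two sample messages are constructed, using documentation addresses rather than the real links seen in the wild.

```python
"""Score mail on the Storm Valentine lure indicators described above.
Added example, not from the original post; the sample messages are constructed.
"""
import email
import re
from urllib.parse import urlparse


def norm(text):
    return " ".join(text.split()).lower().strip(" !.")


# Subject lines and one-line body texts as listed in the post
KNOWN_SUBJECTS = {norm(s) for s in (
    "Blind Love", "Heart pump", "Love Rose", "Phone Love", "With All My Love",
    "Valentine Friends", "Happy Valentine's day!", "The love Train",
    "You're Super Sweet", "Me & You",
)}
KNOWN_BODY_TEXTS = {norm(s) for s in (
    "A Hearty Wish", "Love You", "My Heart", "Rockin' Valentine", "Smiley Kiss",
    "You Stay In My Heart", "Valentine Friends",
)}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
DOTTED_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def body_text(msg):
    """Concatenate the text/plain parts (the lures seen were plain one-liners)."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if not p.is_multipart()]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def indicators(raw):
    """Return the list of lure indicators present in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    reasons = []
    if norm(msg.get("Subject") or "") in KNOWN_SUBJECTS:
        reasons.append("known lure subject")
    text = body_text(msg)
    urls = URL_RE.findall(text)
    hosts = [urlparse(u).hostname or "" for u in urls]
    if any(DOTTED_IP_RE.match(h) for h in hosts):
        reasons.append("link to bare IP address")
    # Remove the links, then see how much text is left: the lures are one short line.
    text_lines = [l.strip() for l in URL_RE.sub("", text).splitlines() if l.strip()]
    if urls and len(text_lines) == 1 and len(text_lines[0]) < 60:
        reasons.append("one-line body plus link")
        if norm(text_lines[0]) in KNOWN_BODY_TEXTS:
            reasons.append("known lure text")
    return reasons


def is_suspect(raw, threshold=2):
    """Two independent indicators are required; a bare-IP link alone is not enough."""
    return len(indicators(raw)) >= threshold


STORM_SAMPLE = """\
From: "Valentine" <cupid@example.net>
To: me@example.org
Subject: Heart pump

My Heart http://192.0.2.44/
"""

BENIGN_SAMPLE = """\
From: Alice <alice@example.net>
To: me@example.org
Subject: Lunch on Friday?

Hi,

Are you free for lunch on Friday? The new place has a menu online:
https://www.example.net/menu

Alice
"""

if __name__ == "__main__":
    print("storm:", indicators(STORM_SAMPLE))
    print("benign:", indicators(BENIGN_SAMPLE))
```

The threshold matters: a bare IP in a link is also seen in legitimate mail from badly configured internal systems, so the filter only acts when a second indicator is present.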

Here's a screenshot of one of the e-mails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like one of these [these are not all the known permutations], the graphic shown on the website is randomly chosen from a pool of at least 6:







And here is the source of the web page currently in use:



However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see any more 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered 'valentine.exe' file was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different in size, I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.
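
The question raised here (server-side polymorphism, or a pool of pre-compiled executables?) and the contrasting static 'greeting.exe' in the post above can both be examined with the same check. The following is an added example (not code from the original post): given a series of downloads of the same URL, it hashes each one, looks for repeats, and measures how much of the content the distinct files share. A finite pool betrays itself as soon as a hash repeats (the number of distinct hashes seen is then a lower bound on the pool size); if no hash ever repeats the file is either generated per request or drawn from a pool larger than the number of fetches. The sample blobs are constructed stand-ins, not real malware.

```python
"""Classify repeated downloads of one URL as static, pooled or non-repeating.
Added example, not from the original post; the sample blobs are constructed.
"""
import hashlib


def fingerprint(blob):
    """Size plus MD5 and SHA-256, the values an analyst records per sample."""
    return {
        "size": len(blob),
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def common_prefix_len(a, b):
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def classify_samples(samples, tail_ratio=0.9):
    """Summarise a list of byte blobs fetched from the same URL.

    kind is 'static' (one hash), 'pool' (repeats seen: a finite set of
    pre-built files) or 'no-repeat' (every fetch unique so far). tail_only is a
    heuristic: True when the distinct files share at least tail_ratio of their
    bytes as a common prefix, i.e. the same binary with a varying tail.
    """
    if not samples:
        raise ValueError("need at least one sample")
    distinct = {}
    for blob in samples:
        distinct.setdefault(hashlib.sha256(blob).hexdigest(), blob)
    if len(distinct) == 1:
        kind = "static"
    elif len(distinct) < len(samples):
        kind = "pool"
    else:
        kind = "no-repeat"
    blobs = list(distinct.values())
    tail_only = False
    if len(blobs) > 1:
        ratios = [
            common_prefix_len(a, b) / min(len(a), len(b))
            for i, a in enumerate(blobs) for b in blobs[i + 1:]
        ]
        tail_only = min(ratios) >= tail_ratio
    return {
        "fetched": len(samples),
        "distinct": len(distinct),
        "pool_size_lower_bound": len(distinct),
        "sizes": sorted({len(s) for s in samples}),
        "kind": kind,
        "tail_only": tail_only,
    }


# Constructed stand-ins for downloaded executables
BASE = b"MZ" + bytes(range(256)) * 2                      # 514 bytes
STATIC_FETCHES = [BASE] * 5                                # same file every time
POOL_VARIANTS = [b"MZ" + bytes([v]) * 300 for v in (0x41, 0x42, 0x43)]
POOL_FETCHES = [POOL_VARIANTS[i % 3] for i in range(7)]    # 7 fetches, 3 distinct files
POLY_FETCHES = [BASE + i.to_bytes(4, "big") for i in range(5)]  # unique tail per fetch

if __name__ == "__main__":
    for name, fetches in (("static", STATIC_FETCHES), ("pool", POOL_FETCHES), ("poly", POLY_FETCHES)):
        print(name, classify_samples(fetches))
        print("  first sample:", fingerprint(fetches[0]))
```

With real samples the prefix comparison should be done on the file's sections rather than raw bytes, since a repacked or re-encrypted body changes almost every byte while a padded one changes only the tail; the hash-repeat logic is what settles the pool-versus-generated question, and it needs more fetches than the pool is large.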

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

UPDATE: The URLs [web links] included in the e-mails may now also be domain names containing the word 'moon', which I will omit from the web links I have seen so far; see below:

  • [the-m-word]starfood.com
  • destroythe[the-m-word].com
I suspect that others will appear shortly, please do not go to those domains as they contain live malware, you have been warned!


Friday, 1 February 2008

Presenting at The University of Loughborough...

Once more I have been asked to present at a conference, this time it is one being held at the University of Loughborough in Leicestershire.

So, this is another one for me to add to my collection of Universities I've presented/lectured at. These include: The Open University and Warwick University.

This presentation is on Rootkits, and is an updated version of the one I gave at the Virus Bulletin 2006 conference in Montreal, Canada. If you are interested in finding out more about rootkits, then the paper can be found here: http://momusings.com/papers

As usual you will not only find the Rootkit paper there, but also all my published papers and magazine articles too.

I'm hoping that the weather doesn't cause any issues with the trains, and that the rails have been repaired after this morning's crash on the same line!

For those of you that are interested, here is a link to the UCISA website covering the details and agenda for the event.

The travel time from where I live is about 3.5 hours each way, so I will probably leave home about 6AM and won't get back until around 9PM, still I might get a chance to write some of my EICAR 2008 paper, or at least some abstracts for the Virus Bulletin 2008 conference.
