I am seeing these attachments every day in my Google Mail; so far, all have been flagged as spam and often have a 'malicious content' warning.

Years ago, when folks found you could include malware in Word macros, the guidance was:

1. Do not open untrustworthy attachments.
2. There are no trustworthy attachments.

Do you understand the mechanism within the DOCX files that's delivering the payload? I wonder if opening the DOCX files in a different reader, like OpenOffice, might disarm the payload. Be careful: you're playing with fire, here.

Supposedly, you can completely disable macros with:
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12

NB: For a long time now, there's been no practical difference between documents and executables. Documents (docx, xls, pdf) can contain code and that code can run without user actions. Acrobat and Office are just runtimes, running without a sandbox. Mail filters that block EXEs but let through docs are just performing security theater, and giving users a false sense of security.

On Wed, Feb 10, 2016 at 6:40 AM, Peter Cushing <[email protected]> wrote:
> Hi,
>
> We got hit with a cryptolocker/bitlocker attack last week. Fortunately we
> have good backups so were able to restore, although 3gb of data took some
> time to do.
> What I want to do is go over what happened and see what approaches other
> people have for these threats.
>
> First thing we noticed was on Friday morning when somebody pointed out that
> their files had been mashed.
> Here's a few examples of what the files got
> changed to:
> /data/admin/misc files/FACTORY INFORMATION/fnwih0ocf.hoo7
> /data/admin/misc files/FACTORY INFORMATION/g99q1kfz5.p9k0
> /data/admin/misc files/FACTORY INFORMATION/og0u9pb.0gd
> /data/admin/misc files/FACTORY INFORMATION/tb4qz.775x0
> /data/admin/misc files/FACTORY INFORMATION/znxis7hgu.k7h
> /data/admin/misc files/fi19fgq2r.69t
> /data/admin/misc files/fjs6r76n.8gup
> /data/admin/misc files/h2c0ew6pr.1gpd
> /data/admin/misc files/h8jgb.c4v9
> /data/admin/misc files/Halls Fashion/535p0e.ugc5a
> /data/admin/misc files/Halls Fashion/halorr3vet.s9
> /data/admin/misc files/Halls Fashion/nbhqgk5.a8ihp
> /data/admin/misc files/hs93hlb9.9p
> /data/admin/misc files/hxplu62l.mc9
> /data/admin/misc files/i4jden.y7kx7
> /data/admin/misc files/jaiytu55s.w2
> /data/admin/misc files/kmp49j76.4b
>
> Looking at the logs we soon found which machine it was, although that person
> had gone home on the Thursday and was not due back until the Tuesday.
> Restored data, and when the user got back we booted the machine up (not
> connected to network!) and have since done a scan using AVG, SUPERAntiSpyware,
> Avira, Spybot Search and Destroy, Kaspersky and Malwarebytes and still
> found nothing. We don't know if the virus was just memory resident or how
> it worked but obviously want to find out. Scanned all his emails and
> nothing (his files stored in IMAP folders). Nothing obvious in internet
> logs. Checked all processes running, startup programs, network setup etc.
> etc. We'll probably just wipe the machine and start again but it would be nice
> to know what happened.
>
> Lately we have been getting more and more phishing emails from random users
> (pretending to be say DHL or some other company) with say an attachment
> invoicexxx.doc or perhaps .docx, .xls etc. (where xxx is a random number)
> which will turn out to be infected but not at the time the email was
> received. I.e. the virus is too new to be detected.
> We have run lots of
> these through our own virus scanner (AVG) and say
> https://www.virustotal.com/
> and they have come up with nothing until hours later (which could be too
> late). Some show infected a couple of hours later and some maybe next day.
> This latest development is very difficult to defend against if you cannot
> scan the file and confirm it is infected. Our mail server has AV software
> which scans files but didn't pick these up, and even if users are really
> conscientious and scan before opening, it does not show up as infected.
> We have now started implementing a white list of people who can send in
> invoicexxx.doc files. For anyone not on the list, the attachment is removed
> and a message put in to inform the user.
>
> We are now reviewing procedures to defend against a machine with admin
> rights being infected.
>
> What is important is to be able to detect ASAP when files are starting to
> get renamed. I have just developed a standalone APP that will scan network
> drives and look at file names. I got a list of known extensions off the
> internet and put them in a table. The app compares the file extension with
> the list and emails you anything different. If these files are safe you can
> load them into an exclusion table. If you run this regularly it should pick
> up these names very quickly.
>
> What other security approaches are you using?
>
> TIA
>
> --
> Peter Cushing
> IT Department
> WHISPERING SMITH
This message: http://leafe.com/archives/byMID/profox/cacw6n4vbpeqky-jm7xhcpxg0asq5bcamck7o7fsf7utyve5...@mail.gmail.com
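As an added example (not code from this thread and not Peter Cushing's app), the following Python sketch shows the two defensive checks the thread talks about: the share scan from the quoted post, which flags files whose extension is not on a known list and lets confirmed-safe entries go into an exclusion table, and a check of whether an OOXML attachment carries a vbaProject.bin part, the part in which Office stores an embedded VBA macro project. The extension allowlist, the sample share layout, the `invoice123.docm`/`invoice124.docx` attachment names and all file contents are constructed for the example; the renamed-file names used in the sample tree are the ones quoted in the post.

```python
"""Added example (not the thread's or the poster's own code): two small
defensive checks for an office file share and inbound Office attachments."""
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed allowlist of extensions normally present on a file share.
# The post keeps its list in a table; a real deployment would load a far
# longer list from one.
KNOWN_EXTENSIONS = frozenset({
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".txt", ".csv", ".jpg", ".png", ".zip", ".dbf", ".prg",
})


def scan_for_unknown_extensions(root, known=KNOWN_EXTENSIONS, exclusions=frozenset()):
    """Walk `root` and return sorted relative POSIX paths whose extension is
    neither in `known` nor covered by `exclusions` (the post's exclusion
    table: entries are either a relative path or an extension like '.bak').
    Files with no extension are reported too; exclude '' to silence them."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            rel = (Path(dirpath) / fname).relative_to(root).as_posix()
            ext = Path(fname).suffix.lower()
            if rel in exclusions or ext in exclusions or ext in known:
                continue
            findings.append(rel)
    return sorted(findings)


def format_report(findings, root):
    """Plain-text body for the alert mail the post describes; handing it to
    smtplib is left to the caller so the example runs offline."""
    if not findings:
        return f"No files with unknown extensions under {root}"
    lines = [f"{len(findings)} file(s) with unknown extensions under {root}:"]
    lines.extend(f"  {p}" for p in findings)
    return "\n".join(lines)


def has_vba_project(path):
    """True when an OOXML document (.docx/.docm/.xlsx/.xlsm ...) contains a
    vbaProject.bin part, i.e. an embedded VBA macro project. False only means
    no VBA project is stored this way; embedded OLE objects and exploits of
    the document parser itself are separate concerns."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(name.endswith("vbaProject.bin") for name in zf.namelist())


def make_sample_tree():
    """Constructed sample share: ordinary documents, a legacy backup file and
    three of the renamed-file names quoted in the post. Returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    files = {
        "admin/misc files/FACTORY INFORMATION/prices.xlsx": b"ok",
        "admin/misc files/Halls Fashion/order.docx": b"ok",
        "admin/misc files/notes.txt": b"ok",
        "admin/misc files/legacy.bak": b"old",
        "admin/misc files/FACTORY INFORMATION/fnwih0ocf.hoo7": b"\x00",
        "admin/misc files/Halls Fashion/535p0e.ugc5a": b"\x00",
        "admin/misc files/kmp49j76.4b": b"\x00",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def make_sample_attachments():
    """Constructed stand-ins for two inbound attachments: a minimal zip
    container carrying a word/vbaProject.bin part and one without it.
    Returns (path_with_vba, path_without_vba)."""
    folder = Path(tempfile.mkdtemp(prefix="mail_"))
    with_vba = folder / "invoice123.docm"
    without = folder / "invoice124.docx"
    with zipfile.ZipFile(with_vba, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x01\x02")
    with zipfile.ZipFile(without, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return with_vba, without


if __name__ == "__main__":
    share = make_sample_tree()
    print(format_report(scan_for_unknown_extensions(share, exclusions={".bak"}), share))
    for doc in make_sample_attachments():
        print(doc.name, "embedded VBA project:", has_vba_project(doc))
```

Run the scan from a scheduled task against the real share root; the first pass will be noisy until the extensions and paths that are legitimately odd (here `.bak`) have been added to the exclusion set, after which a burst of never-seen extensions in one directory tree is exactly the signal the post is after.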

