Nettitude Blog

It's Christmas! Don’t let malware get in your way

Posted by Jules Pagna Disso and Tom Wilson on Dec 22, 2014 2:06:16 PM

Panic Saturday is now over and the Boxing Day sales are just around the corner. It's now the time to watch out for malware. The festive season is generally one where most people are less vigilant because of the festive ambiance. It is also the time when most people fail to identify malware coming their way. I am going to explain what happens when we get a malicious email, discuss the content of such emails and provide easy steps to follow to keep your shopping basket and wallet safe this festive season.

Inevitably, every single one of us would have bought or will buy something this festive season. It is not uncommon to receive an email about a receipt, a bill, a reminder about a parcel. Unfortunately, the malicious guys take advantage of the fact that we are likely to receive an email related to recent purchases. Some of the common email titles are:

  • Acceptance of order
  • Order confirmation
  • Invoice as requested
  • Track your parcel
  • BACS payment Ref:9408YC
  • Card receipt

As you can see, the titles make reference to some sort of purchase or payment. There are many more titles but those are some of the more common ones I have seen lately.

In some cases, anti-virus will detect that the emails are suspicious when they land in our inboxes, as shown in Figure 1. In this particular case, the malware was directly attached to the email. In such cases, a good anti-virus kept up-to-date will generally get rid of the malware and keep you safe.

Looking at the picture in Figure 1, the subject might be legitimate, but looking at the sender it is clear that it's not coming from a legitimate source. In this particular email, the title seems to have been poorly formatted, hence the extra backslashes. The file attached is "20140918_122519.doc" and its MD5 is "ff0694cba3b1ba6b39c997528385e649".

Once the malware is downloaded and installed, banking information of anyone using the infected PC can be seriously at risk. Likewise, any username and password used after the malware infection is at risk. If file sharing is enabled in your environment (home or office), the malware can spread to other computer systems in your network. In brief, a victim PC is owned by the attackers and can be used for whatever purpose pleases the attacker.

Figure 1: Malware disguised as a Word Document

In many other cases, malware is not always so easy to detect. It is often the case that the email sent will only contain a link. There are a few things that can happen when someone clicks on a malicious link received by email:

  • Download a compressed file – typically a zip file – containing a malicious file
  • Download a Word or Excel document containing macros that will then download and execute malicious code
  • Redirect to another website from which a malicious file will be downloaded
  • Open a page with a video that apparently requires an extra plug-in (which is in fact just an opportunity to download malware)
  • Download a file that contains hidden malware
  • Download a web page containing malware embedded in its content
  • Open a page that contains malicious JavaScript

How not to get infected

  • The golden rule: do not click on any links in emails that have come from sources that you do not trust. If malware code is embedded in the webpage that the link takes you to, it can only take that single click to download and execute malware (i.e. as you are opening the webpage)
  • If an email seems legitimate, but you have even the slightest doubt or are not expecting it, pick up your phone and ring the person or company that it appears to come from to ask if they have sent you a document or an email
  • If you are not expecting an invoice by email or any important document by email, it's likely not to be yours. Do not open it
  • Do not take unnecessary chances. Some people will download files and scan them with anti-virus software. While this may appear to be good practice, it is very common that when a virus/malware is brand new, it is not yet detected by most anti-virus products
  • Download, install and keep your anti-virus software up to date. Many organisations such as banks and Internet Service Providers (ISPs) provide anti-virus to customers free of charge. If your bank does not have that scheme, there are many free anti-virus programs that are publicly available
  • Install a firewall, as they have a very different role from anti-virus and anti-malware
  • Keep your computer up to date. Installing browser plug-ins is a great way to improve the Internet experience, but people often forget that browser plug-ins need to be kept updated
  • Do not ignore alerts sent by email scanners or by web browser security
  • Even if you are confident that an email containing an invoice or receipt is legitimate, do not open it if the attachment is a zip file (or any other compressed format). Call the company who sent you the email to verify that it is legitimate
  • Do not be complacent even if you have professional anti-virus software installed. It is not a 100% guarantee against virus or malware infection – you should always follow best practice IT security procedures such as those listed above

Here is an example of malware code hiding behind a Microsoft Word File.  As shown in Figure 2, the document is hiding a link pointing to an executable <bin.exe> which was saved on the victim’s computer as ADGYMSEKRJE.exe

Figure 2: Malware hiding in a Microsoft Word Document

How to identify rogue MS Word files

There are a few tricks that are important to know when identifying malicious word documents.

As shown in Figure 3, on a typical Windows operating system it is important to match the file's icon with the file type. In Figure 3, the first and the fifth icons look like Microsoft Word documents, and this is confirmed by their file type, i.e. Microsoft Word Document or Microsoft Word 97 - 2000 Document. The second and third files have Microsoft Word document icons, but are in fact Applications. The fourth file does not have an icon that looks like a Word document but has the extension ".doc"; however, its file type shows that it is a JavaScript file. The last file also has a Microsoft Word icon, but its file type reveals that it is a screen saver, so it is not a regular Microsoft Word document. On occasion, these non-Word files will still open Microsoft Word, but at the same time execute malware in the background.

It is very common to see icons misused to deceive Internet users. Any icon can be attached to any file, so you should not rely on icons to accurately represent a file. The file type is generally the best indication of what the file really is.

Figure 3: Identifying malicious Microsoft Word Documents
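As an added example (this is not code from the post or from Nettitude), here is a small Python check that does what Figure 3 asks the reader to do by eye: compare an attachment's claimed type (its name and extension) with what its content actually is, and look inside zip attachments for executables or macro-carrying documents, which are the cases the "How not to get infected" list warns about. The sample "attachments" are constructed byte strings built inline, not real files or real malware; the magic-number table and the extension lists are the author's own assumptions and cover only the types the post discusses.

```python
"""Check whether an e-mail attachment really is what its name (and icon) claims."""
import io
import os
import zipfile

# Leading bytes ("magic numbers") of the file types discussed in the post.
# Order matters: a genuine Word 97-2003 file is checked before anything else.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 compound file (Word 97-2003 .doc/.xls)"),
    (b"PK\x03\x04", "zip container (.zip, or OOXML .docx/.docm/.xlsx)"),
    (b"MZ", "windows executable (.exe, .scr, .dll)"),
]

# Extensions that Windows runs as code regardless of the icon the file carries.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Extensions a user expects on an invoice, receipt or order confirmation.
DOCUMENT_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".pdf", ".rtf"}


def detect_type(data: bytes) -> str:
    """Identify the real content type from magic bytes, ignoring the name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    # Scripts (JavaScript, VBScript) have no magic number: treat ASCII as text.
    try:
        data[:512].decode("ascii")
        return "plain text / script"
    except UnicodeDecodeError:
        return "unknown binary"


def suspicious_name(name: str) -> list:
    """Flag names that end in an executable type or use a double extension."""
    reasons = []
    base, ext = os.path.splitext(name.lower())
    inner = os.path.splitext(base)[1]          # e.g. ".doc" in "order.doc.exe"
    if ext in EXECUTABLE_EXT:
        reasons.append(f"extension {ext} is executable")
    if inner in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
        reasons.append("double extension: document name ending in executable type")
    return reasons


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed type (name) with the actual type (content)."""
    ext = os.path.splitext(name.lower())[1]
    actual = detect_type(data)
    reasons = suspicious_name(name)
    if ext in DOCUMENT_EXT and actual.startswith("windows executable"):
        reasons.append("named as a document but content is a Windows executable")
    if ext in DOCUMENT_EXT and actual == "plain text / script":
        reasons.append("named as a document but content is a script/text file")
    members = []
    if actual.startswith("zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        # A real OOXML document is a zip, but one that always carries
        # [Content_Types].xml; a macro project means the document can run code.
        if ext in {".docx", ".docm"} and "[Content_Types].xml" not in members:
            reasons.append("claims to be OOXML but lacks [Content_Types].xml")
        if "word/vbaProject.bin" in members:
            reasons.append("document carries VBA macros (can download and run code)")
        if ext == ".zip":
            for member in members:
                if suspicious_name(member):
                    reasons.append(f"archive contains executable member {member}")
    return {"name": name, "claimed_ext": ext, "actual_type": actual,
            "zip_members": members, "reasons": reasons,
            "verdict": "SUSPICIOUS" if reasons else "ok"}


def build_samples() -> dict:
    """Constructed attachments (headers only, not real files) for the demo."""
    samples = {
        # Genuine Word 97-2003 header: icon and file type agree.
        "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        # Executable wearing a document name (and, on Windows, a Word icon).
        "order_confirmation.doc.exe": b"MZ\x90\x00" + b"\x00" * 28,
        # Script renamed to .doc, like the fourth file in Figure 3.
        "track_parcel.doc": b"WScript.Echo('constructed sample');\r\n",
        # Screen saver (a PE file) with a receipt-like name, like the last file.
        "card_receipt.scr": b"MZ\x90\x00" + b"\x00" * 28,
    }
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:          # compressed attachment
        zf.writestr("BACS_payment.pdf.exe", b"MZ" + b"\x00" * 30)
    samples["bacs_payment.zip"] = zip_buf.getvalue()
    docm_buf = io.BytesIO()
    with zipfile.ZipFile(docm_buf, "w") as zf:         # macro-carrying document
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    samples["acceptance_of_order.docm"] = docm_buf.getvalue()
    return samples


def scan_all() -> dict:
    """Return a name -> verdict map for the constructed samples."""
    return {n: check_attachment(n, d)["verdict"] for n, d in build_samples().items()}


if __name__ == "__main__":
    for sample_name, data in build_samples().items():
        result = check_attachment(sample_name, data)
        print(f"{result['verdict']:10} {sample_name:30} {result['actual_type']}")
        for reason in result["reasons"]:
            print(f"             - {reason}")
```

Only the genuine `invoice.doc` comes back `ok`; the renamed executable, the script with a `.doc` name, the screen saver, the zip holding an `.exe` and the macro-carrying document are all flagged, each with the reason, so the output mirrors the "file type, not icon" rule from the text. A mail gateway would do the same comparison with a full file-type library rather than this short magic table.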

In conclusion:

Cyber-attacks are real, but they should not deter us from enjoying our cyber experience. We need to be vigilant.  As much as we are enjoying the festive season, let’s be reminded that the bad guys are waiting for that split second when we lower our guard to take full advantage.  If you need to raise assurance in the security provided by your own organisation or partner organisations, please contact us and we will be able to help.
