malicious email campaign ?

Off-Topic discussions about science, technology, and non Debian specific topics.
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

malicious email campaign ?

#1 Post by GarryRicketson »

It is hard to believe anybody would fall for the e-mails and actually
open the attachment.

https://www.bleepingcomputer.com/news/s ... ie-trojan/

Disclaimer: I have no idea how accurate the article is, but just thought
it might be of interest, since we do have quite a few members here that
do use github and windows.
Last edited by GarryRicketson on 2017-04-04 18:06, edited 1 time in total.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: malicious email campaign ?

#2 Post by dasein »

Even if it's entirely accurate, it's describing a self-extracting zip file that executes PowerShell commands via MS Word macros. (Specific to Windows, inert in Linux.)

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: malicious email campaign ?

#3 Post by millpond »

What I find even more amazing is that there are github developers who do not disable macros in Word, if they use Win at all.

Even more incredible is anyone opening an SFX...
(On purpose!!!!)

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: malicious email campaign ?

#4 Post by GarryRicketson »

In any event, since we do have a lot of members that still use windows, and also use github, it is something they should be aware of.
To be careful.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: malicious email campaign ?

#5 Post by debiman »

why is this even newsworthy?
fake recruitment emails with malware aren't exactly a new idea.
so some scammer thought, hmm, let's try github users, promise them a coding job, sure they will open the attachment (harharhar)! :facepalm:

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: malicious email campaign ?

#6 Post by GarryRicketson »

You're right it isn't really "news" in that sense, as for "news worthy",..I don't know,..
I suppose that depends entirely what interests one has,..I mean to some people
the only "news worthy" news is the latest sport results, others , well other events,..
I am glad you find it humorous, and get a laugh, out of it,..it is kind of funny,
I don't use windows, so it really is a non issue to me, but felt like sharing it
with others,..
Here : https://hackademix.net/2017/01/27/targe ... evelopers/
I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)
Update

As soon as I published this post I checked my inbox and there was another one...
Update 2

It looked like a VBA macro malware, indeed. Thanks Ludovic for reminding me of Virustotal.
So any way, thanks for the responses, and good to see some one is getting
a laugh out of it.

pendrachken
Posts: 1394
Joined: 2007-03-04 21:10
Location: U.S.A. - WI.

Re: malicious email campaign ?

#7 Post by pendrachken »

millpond wrote:What I find even more amazing is that there are github developers who do not disable macros in Word, if they use Win at all.

Even more incredible is anyone opening an SFX...
(On purpose!!!!)

I haven't used anything with macros in word in... forever, but I think you also have to exclusively enable them through a dialog that warns you that it is probably a really, very, totally bad idea. Oh, and that is after Word has to be exclusively taken out of read only mode for downloaded files (don't know 100% if this is needed for files that were zipped).
fortune -o
Your love life will be... interesting.
:twisted: How did it know?

The U.S. uses the metric system too, we have tenths, hundredths and thousandths of inches :-P

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: malicious email campaign ?

#8 Post by millpond »

The real threat these days is the PDF format. It too has macros, and some hacker sites have been selling scripts that claim to pwn(backdoor) systems that open them. Foxit automatically disables the macros, but it makes it inconvenient for texts where references are clickable links that expedite learning material.

The Mozilla based email clients blow chunks. There is a whole bunch of addons, and nothing that I could find to disable scripting. Adblockers galore, but nothing resembling No-Script. Plus I have sites explicitly labelled as DELETE that icedove insists on displaying. There really needs to be utilities that parse the email cache and blacklist the sender of any boogers, or warn if already in contact list. And then delete the offending messages. Havoc can still be wrought with only user level accounts, and python, perl, and java are platform agnostic.

Probably the only safe email these days is to run Forte Agent with html and attachments turned *off*. Or else run thunderbird in a VM.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: malicious email campaign ?

#9 Post by debiman »

millpond wrote:The real threat these days is the PDF format. It too has macros
i heard about these, but i thought that was a particularly gruesome detail of a past that even windows users have put behind them?
do linux pdf viewers even support macro execution? or how else could this even do any harm on a linux system?

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: malicious email campaign ?

#10 Post by millpond »

Here is how it is done with Win:
https://blog.didierstevens.com/2010/03/ ... -from-pdf/

It functions by calling cmd.

While bash scripts I believe must be set to executable 'x' to run, this is not necessarily true for script languages.

In my user account I can have 'perl ./foo.pl' execute foo.pl without execute permissions.

Now what if foo.pl contained:
system (rm -rf ~) ????

In reality it can contain a wget command, and run another perl script. (or Python, as it's the most used hacker language).

The only real advantage of a user level file access is that the damage is contained to the user account by a malicious script.

However the problem is that so many utilities and programs these days are confined to the user accounts. Which is a major problem, IMHO.

Personally I do not keep valuable data in my user account. It's expendable by design.
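The PDF "macros" debated in posts #8 to #10 are action objects (/Launch, /OpenAction, /JavaScript and friends) that a reader may execute. As an added example, not code from the thread or from the linked blog, here is a small Python triage script in the spirit of raw-keyword PDF checkers: it undoes the #xx name escapes used to hide those keywords, counts them, and gives a verdict. The two PDF byte strings are constructed samples, not real files.

```python
import re

# PDF name objects that let a document run code or trigger actions on open.
RISKY_KEYWORDS = {
    b"/Launch": "launch an external program (the cmd.exe trick)",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (short form)",
    b"/OpenAction": "action that fires automatically when the file opens",
    b"/AA": "additional actions bound to page or form events",
    b"/EmbeddedFile": "embedded file attachment",
}

def _unescape_names(data: bytes) -> bytes:
    """PDF names may hide characters as #xx hex escapes (/Laun#63h), so undo them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf_bytes(data: bytes) -> dict:
    """Count risky name objects in raw PDF bytes; returns {keyword: count}.
    Caveat: names inside compressed object streams are not visible this way."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF file")
    data = _unescape_names(data)
    hits = {}
    for kw in RISKY_KEYWORDS:
        # A name ends at a delimiter, so /JS must not match a longer name.
        count = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", data))
        if count:
            hits[kw.decode()] = count
    return hits

def risk_verdict(hits: dict) -> str:
    """Triage rule: any /Launch, or script that runs on open, is high risk."""
    script = "/JavaScript" in hits or "/JS" in hits
    if "/Launch" in hits or ("/OpenAction" in hits and script):
        return "high"
    return "review" if hits else "clean"

# Constructed samples (not real files): one whose OpenAction is a Launch action
# with the name obfuscated as /Laun#63h, and one with no actions at all.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Laun#63h /F (example.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

A script like this belongs in a mail filter or a download hook, which is the kind of attachment pre-check the thread wishes email clients had; it is a raw-text heuristic, so compressed object streams still need a full parser.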
