Poodle + Domino SSL = Mail Problems

If you use Domino today, you effectively cannot use SSL for email (SMTP) until the promised IBM fix is available. Here is why: the fix vendors applied to patch the POODLE vulnerability broke communications with Domino servers that use SSL. These patched servers will start a secure (SSL) SMTP session but will not fall back to plain text. The result is that outbound messages queue up in mail.box waiting to be sent, or inbound mail queues up at the sender and is never received by you.

The best non-technical explanation I can give is that when the two SMTP servers use the STARTTLS command to negotiate a secure connection, they cannot agree on a protocol, the negotiation fails, and so the message transfer fails.

Vendors like Proofpoint (pphosted.com) would not fall back to plain text no matter what my Domino settings were, and I tried 10 different combinations. Once a session started with SSL, Domino (before the promised fix) offers no acceptable fallback path, so the session ends without a successful mail transfer.

The only option that works before the IBM fix is released is to disable SSL for Inbound and Outbound messages.

In summary, message transfers that start out as plain text will complete. Message transfers that start out as secure will not.

This is suboptimal (like having a leg cut off is suboptimal) but messages will flow.
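To make the failure mode concrete, here is an added example (not code from the original post, and not IBM or Proofpoint code) that models the STARTTLS exchange described above and shows why a POODLE-patched peer that no longer speaks SSLv3 leaves mail in the queue instead of falling back to plain text. The EHLO replies and the protocol version sets are constructed for illustration: the pre-fix Domino server is assumed to offer only SSLv3, and the patched sender is assumed to have dropped SSLv3. The last function is a live check against an MX host of your choosing and needs network access.

```python
"""Model of the STARTTLS negotiation failure, plus a live STARTTLS probe."""
import smtplib
import ssl

# Protocol version labels used by the simulation, in client preference order
# (constructed labels, not ssl module constants).
SSLV3, TLS10, TLS11, TLS12 = "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"
PREFERENCE = (TLS12, TLS11, TLS10, SSLV3)

# Constructed EHLO replies: one server that advertises STARTTLS, one with it disabled.
EHLO_WITH_STARTTLS = "250-domino.example.test Hello\r\n250-SIZE 20971520\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_STARTTLS = "250-domino.example.test Hello\r\n250-SIZE 20971520\r\n250 8BITMIME"

# Assumed capability sets for the two sides of the exchange (constructed).
PATCHED_SENDER = {TLS10, TLS11, TLS12}   # POODLE fix removed SSLv3
UNPATCHED_DOMINO = {SSLV3}               # pre-fix server assumed to offer SSLv3 only
FIXED_DOMINO = {TLS10, TLS12}            # after the promised fix (assumed)


def parse_ehlo(reply: str) -> set:
    """Return the extension keywords from a multi-line EHLO reply.

    The first 250 line is the greeting (server name), not an extension, so it is skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


def simulate_session(server_ehlo: str, client_versions: set, server_versions: set,
                     plaintext_fallback: bool) -> tuple:
    """Outcome of one outbound SMTP session.

    Returns ("delivered-tls", version), ("delivered-plaintext", None) or ("queued", None).
    """
    if "STARTTLS" not in parse_ehlo(server_ehlo):
        # Server never offers TLS: the session simply proceeds in the clear.
        return ("delivered-plaintext", None)
    common = [v for v in PREFERENCE if v in client_versions and v in server_versions]
    if common:
        return ("delivered-tls", common[0])
    # Handshake failed after STARTTLS. A peer that refuses to retry in the clear
    # leaves the message sitting in its queue; that is the symptom the post describes.
    return ("delivered-plaintext", None) if plaintext_fallback else ("queued", None)


def probe_starttls(host: str, port: int = 25, min_version=ssl.TLSVersion.TLSv1_2,
                   timeout: float = 10.0) -> tuple:
    """Live check (needs network): does the MX at `host` advertise STARTTLS and
    complete a handshake at `min_version` or newer? Returns (advertised, detail).

    A certificate that fails validation also surfaces as "handshake failed",
    which is itself worth knowing about for an MX host.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return (False, "no STARTTLS offered; session would stay plain text")
        try:
            smtp.starttls(context=ctx)
            return (True, smtp.sock.version())
        except (ssl.SSLError, smtplib.SMTPException) as exc:
            return (True, f"handshake failed: {exc}")


if __name__ == "__main__":
    print("patched sender -> unpatched Domino:",
          simulate_session(EHLO_WITH_STARTTLS, PATCHED_SENDER, UNPATCHED_DOMINO, False))
    print("same, with STARTTLS disabled on Domino:",
          simulate_session(EHLO_NO_STARTTLS, PATCHED_SENDER, UNPATCHED_DOMINO, False))
    print("patched sender -> fixed Domino:",
          simulate_session(EHLO_WITH_STARTTLS, PATCHED_SENDER, FIXED_DOMINO, False))
```

The first two simulated runs reproduce the post's two states: with STARTTLS advertised and no common protocol the message is queued, and with STARTTLS disabled it is delivered in the clear. Run `probe_starttls("mx.example.test")` with your own MX host name to see which TLS version your server actually negotiates today.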

Tip: We like to use the service at http://www.kloth.net/services/dig.php to check MX records for problems with message transfer.



IBM and Apple focus on the Enterprise

Apple is working with IBM to push into the enterprise space. Apple has really focused mainly on the consumer market, but products like IBM Traveler have made BYOD a reality.

Now, with IBM, Apple is going to focus on large enterprises.

Tim Cook gets a corporate partner with a great enterprise player to promote Apple as enterprise ready.

Ginni Rometty mentioned security, which is an overwhelming concern with BYOD. If Apple and IBM make new offerings that satisfy IT departments, this should make Android very nervous, and of course make Blackberry start looking at its exit options.

All in all, a very interesting partnership.


CryptorBit Virus

There is a new and improved version of CryptoLocker. Version 1.0 made the makers of this ransomware a lot of money, and this version 2.0 is, I predict, just one of many new "feature enhanced" releases. Judging by the Bitcoin activity, there are a lot of "willing" victims out there paying to get their files back.  

BleepingComputer is doing a great job documenting this, so I will point you there for good advice and a possible free fix made by Nathan Scott called the DecrypterFixer that unscrambles the 512 byte headers of these files. If you like his work, or it saves your files, he has a PayPal link for donations. If he saved my bacon, $20 would be an amount I would "tip" him.


Required reminder: Back up your files, use good anti-virus software, don't open attachments that contain exe files, and don't launch exe files from zip archives.


Time-lapse of Product Showcase Taken from my GoPro Camera

I wanted to have a little fun at #IBMConnect so I put a GoPro camera over our booth on the Product Showcase and snapped pictures of all of our visitors over 4 days.

The Product Showcase was certainly "energized", so I chose suitable music: the "William Tell Overture".


Refrigerators Now Send Spam as Well as Keeping it Cold

Refrigerators now do more than keep Spam, that tasty treat, cold: they also send spam, the electronic email version.

That is the story of a compromised refrigerator that sends cold "spam" to unsuspecting users via its internet connection.

Virus makers will try to add anything to their botnets, and the latest attack on "refrigerators" does not surprise me at all. The target of this attack was a refrigerator model running a flavor of Linux that had not been hardened or protected against malware, and it was allegedly sending out lots of spam.


There was no proof from Proofpoint of the actual source refrigerator in the article, making some at Ars Technica question the veracity of the story. Either way, it is only a question of time before these Internet-connected devices start doing more than laundry. IPv6 has 3.4 × 10^38 addresses (that is 3,400 trillion trillion trillion addresses), which means any item can have an IP address. If there are soon 10 billion people in the world, we could tag more than 100 trillion trillion items each with an IPv6 address, so these won't run out unless we want to start tagging stars in the sky.

Make no mistake about it: The virus makers are targeting any Target (pun intended) that they can, in an attempt to:
  • Steal money
  • Steal your identity
  • Steal your wallet (bitcoin users know this problem very well)
  • Steal your data (credit card numbers, for example)
  • Hold you for Ransom

If these don't work, they will infect your device and use it to send more spam or malware.

The moral of the story is that in an always-connected world every device is constantly being probed for weaknesses to find an entry point to launch an attack.


Increase in Virus Activity

The increase in recent virus activity has been noticeable, and the sophisticated techniques the virus makers use to evade detection make the job of stopping them that much more challenging. Many times a new message appears and I ask, "Is this some new attempt to get me to infect my machine?" Many of my customers ask me the same question, so I put a live stream of recently caught virus subjects and attachment names on our website. (Obviously, I did not put up the viruses, just their names.) Clicking on the wordle that I created out of the names will bring you to a list of recent viruses blocked.


Here is a sampling of the viruses recently caught by SpamSentinel Anti-Virus.


Virus Names translated from Chinese

I was interested in what the .XLS attachments in the SpamSentinel quarantine were, so I made a view, extracted the contents (minus the XLS extension) and let Google Translate show me what these attachments REALLY say. Like some spam subjects, many of these sound like zen-inspired quotes. Here are a few of my favorites:

To manage or to leadership
Become Devil coach
Management does not manage tired

Here are the results of my search for virus attachment wisdom:


To read the list, you must go to my blogspot blog; the Chinese characters were causing problems with my blog template.


Notice to Appear in Court

Yes, the title of this post looks scary, and that is exactly what the senders of the email want: to scare you into opening the message, reading the body, and then launching the phony "notice".

Here is a sample of a phony notice that appears to come from JonesDay.


Here are the law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the recipient to open them, and have no relationship to the actual law firms. The virus senders rotate through a list of reputable law firms in the hope of getting past the virus filters and tempting their target into opening the message.

Spoofed Law firm name: Baker Botts
"Notice to Appear" <manager@bakerbotts.com>
"Notice to Appear" <appear_support.5@bakerbotts.com>
"Notice to Appear" <service.753@bakerbotts.com>
"Notice to Appear" <ticket469@bakerbotts.com>
"Notice to Appear" <no_reply@bakerbotts.com>
"Notice to Appear" <appear_support.7@bakerbotts.com>
"Notice to Appear" <information@bakerbotts.com>
"Notice to Appear" <appear_528@bakerbotts.com>
"Notice to Appear" <manager@bakerbotts.com>

Spoofed Law firm name: Covington and Burling
"Court Notice WA" <support405@cov.com>
"Court Notice WA" <your_notice@cov.com>
"Court Notice WA" <notice_support.7@cov.com>
"Court Notice WA" <support382@cov.com>
"Court Notice WA" <aa.support369@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <service.734@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <manager@cov.com>
"Court Notice WA" <your_notice@cov.com>

Spoofed Law firm name: Jones Day
"Notice to Appear" <ticket_support.7@jonesday.com>
"Notice to Appear" <personal.information@jonesday.com>
"Notice to Appear" <service.615@jonesday.com>
"Notice to Appear" <service.723@jonesday.com>
"Notice to Appear" <ticket_248@jonesday.com>
"Notice to Appear" <help420@jonesday.com>
"Notice to Appear" <ticket_service@jonesday.com>
"Notice to Appear" <your_ticket@jonesday.com>
"Notice to Appear" <service.301@jonesday.com>
"Notice to Appear" <ticket_609@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <support.8@jonesday.com>
"Notice to Appear" <ticket020@jonesday.com>
"Notice to Appear" <order.723@jonesday.com>
"Notice to Appear" <ticket_162@jonesday.com>

Spoofed Law firm name: Latham and Watkins
"Notice to Appear" <ticket_support.3@lw.com>
"Notice to Appear" <support838@lw.com>
"Notice to Appear" <service.252@lw.com>
"Notice to Appear" <ticket340@lw.com>
"Notice to Appear" <help432@lw.com>
"Notice to Appear" <ticket_support.4@lw.com>
"Notice to Appear" <ticket_support.7@lw.com>
"Notice to Appear" <service@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <support.5@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <information@lw.com>
"Notice to Appear" <no_reply@lw.com>
"Notice to Appear" <support.9@lw.com>
"Notice to Appear" <ticket_support.5@lw.com>

Spoofed Law firm name: McDermott Will & Emery
"Notice to Appear" <manager@mwe.com>
"Notice to Appear" <ticket_support.5@mwe.com>
"Notice to Appear" <ticket_service@mwe.com>
"Notice to Appear" <ticket_support.6@mwe.com>
"Notice to Appear" <support.6@mwe.com>
"Notice to Appear" <service@mwe.com>
"Notice to Appear" <support.2@mwe.com>
"Notice to Appear" <ticket_support.2@mwe.com>
"Notice to Appear" <support.6@mwe.com>

Spoofed Law firm name: Orrick
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <service_notice@orrick.com>
"Court Notice Orrick" <service.959@orrick.com>
"Court Notice Orrick" <support.6@orrick.com>
"Court Notice Orrick" <support.7@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <notice_service@orrick.com>
"Court Notice Orrick" <order.510@orrick.com>
"Court Notice Orrick" <notice_support.5@orrick.com>
"Court Notice Orrick" <information@orrick.com>
"Court Notice Orrick" <notice706@orrick.com>
"Court Notice Orrick" <support.8@orrick.com>

Opening the messages. Don't try this at home (or the office)!

I took one message and loaded it on my Virus Testing Workstation, which is a virtual machine that I can infect and then delete.


Here is one of the viruses that was caught as a ZIP file.


Here is the attachment, which is disguised as a Word document, but is actually an executable file:


As there was no response when I clicked the attachment, I clicked it again, so I infected the machine twice. Notice in the Task Manager that they use the file name to avoid suspicion and to prevent some people from closing it.


When I did close it, I got this error.


I didn't try to dig into the mechanism of infection, or wait 24-48 hours to see what damage they did to my virtual machine, but that will be a subject for another post.



Blocking EXE attachments is working great!

We have advised customers of SpamSentinel for the last month to block EXE attachments, even (especially!) inside zip files.

I have been monitoring the results on one of our servers, and they are spectacular at catching new virus outbreaks before their "signatures" are recorded. These are "zero hour" viruses, fresh off the computers of the virus makers.

Here is a screenshot showing the recent patterns, piggybacking on popular email types, like airline ticket confirmations, order confirmations, purchase orders and private photos.

All of these zip files contain EXE files that want to infect your machine in your haste to open them.
Subject Dangerous Attachment
Re: Interested to purchase order details.zip
Re: Interested to purchase order details.zip
Private photo IMG6299082757-JPG.zip
Your order is ready US_Airways_E-Ticket_NO36049.zip
Fedex Team Track code 4734-02741-6535 Track_1764-78103-4529.zip
Ticket #7727  is ready AA_Airlines_E-Ticket_ID08655.zip
Your ticket AA_Airlines_E-Ticket_ID58270.zip
Ticket #8469  is ready AA_Airlines_E-Ticket_ID07194.zip
Order #3198 is processed AA_Airlines_E-Ticket_ID26928.zip
Your ticket AA_Airlines_E-Ticket_ID07268.zip
Your order #NR0106 is processed AA_Airlines_E-Ticket_ID81660.zip
Fedex Team Track code 3001-14706-5033 Track_1764-78103-4529.zip
Your order #3170 is processed AA_Airlines_E-Ticket_ID79506.zip
Thank you for your order AA_Airlines_E-Ticket_ID81254.zip
The order is ready AA_Airlines_E-Ticket_ID36241.zip
Your order # NR15-2662 has been completed US_Airways_E-Ticket_NO37925.zip
Seen this picture? IMG5810314307-JPG.zip
Kindly send us the Proforma Invoice Asap. Food items.pdf.zip
Order #NR7704 US_Airways_E-Ticket_NO26131.zip
Your order # NR15-5845 has been completed US_Airways_E-Ticket_NO08933.zip
Payment advice Payslip.zip
Our PO attached PO.zip
Enquiry REW233.zip
Fedex Team Track code 4740-07014-6833 Track_1764-78103-4529.zip
FedEx Shipment Department Track code 4436-58788-5840 Track_1764-78103-4529.zip
Thank you for your order US_Airways_E-Ticket_NO78203.zip
FedEx Shipment Department Track code 3107-43181-8785 Track_1764-78103-4529.zip
FedEx Express Track code 5624-34586-7353 Track_1764-78103-4529.zip
Download your ticket #1797 US_Airways_E-Ticket_NO36208.zip
FEDEX  EXPRESS SHIPMENTS Track code 1238-50488-7111 Track_1764-78103-4529.zip
Order #NR4312 is processed Ticket_Delta_AirLines_Print_doc_1657.zip
Download your ticket #NR9798 Ticket_Delta_AirLines_Print_doc_4026.zip
P.O. 634563 Order Order Sample 1-.zip
FedEx Shipment Department Track code 5041-68031-6666 Track_1764-78103-4529.zip
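The pattern in this table, and the attachment in the "Notice to Appear" post above that is named like a Word document but is really an executable, can be checked mechanically. The following is an added example (not SpamSentinel code and not from the original post) that inspects a ZIP attachment in memory, flags members by executable extension, by a Windows PE header regardless of name, and by a document-looking double extension, and recurses into nested ZIPs with a depth and size cap. The sample archives, the fake PE stub and the extension lists are constructed for the example.

```python
"""Flag executable content inside ZIP attachments, including nested archives."""
import io
import zipfile

# Extensions Windows will run directly (constructed list for the example).
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Document-looking extensions used as a disguise in double-extension names.
DOC_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "txt"}
PE_MAGIC = b"MZ"               # first two bytes of any Windows PE executable
MAX_DEPTH = 3                  # stop unpacking zip-in-zip-in-zip chains
MAX_MEMBER_BYTES = 25 * 1024 * 1024  # refuse to inflate anything larger than this

# Constructed stand-in for an executable: only the MZ header matters here.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"


def classify_member(name: str, data: bytes):
    """Return a reason string if the member looks executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reason = "executable extension"
        if len(parts) > 2 and parts[-2] in DOC_EXTENSIONS:
            reason += f", disguised as .{parts[-2]}"
        return reason
    if data[:2] == PE_MAGIC:
        return "PE header despite non-executable name"
    return None


def find_dangerous(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return [(member_path, reason), ...] for every suspicious member.

    Nested ZIPs are opened recursively up to MAX_DEPTH; oversized members are
    reported rather than inflated so a zip bomb cannot exhaust memory.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix.rstrip("/") or "<attachment>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "oversized member, not inspected"))
                continue
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                if depth + 1 >= MAX_DEPTH:
                    findings.append((path, "nested zip too deep"))
                else:
                    findings.extend(find_dangerous(data, depth + 1, path + "/"))
                continue
            reason = classify_member(info.filename, data)
            if reason:
                findings.append((path, reason))
    return findings


def build_sample() -> bytes:
    """Constructed sample like the table above: a fake PE named as a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AA_Airlines_E-Ticket_ID07194.doc.exe", FAKE_PE)
        zf.writestr("readme.txt", b"Your e-ticket is attached.")
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed sample: a PE with an innocent .pdf name inside a zip inside a zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Track_1764.pdf", FAKE_PE)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Track_1764-78103-4529.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for label, sample in (("flat", build_sample()), ("nested", build_nested_sample())):
        for member, reason in find_dangerous(sample):
            print(f"{label}: {member}: {reason}")
```

The header check matters because the extension rule alone is defeated by renaming the file; the nesting cap and size cap keep the inspector itself from being the thing that falls over.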


I have a view of all of these in my Quarantine.nsf. Many show "undisclosed-recipients" which means this was a BCC attack, as below:


This one contained more than 9 recipients from different organizations:


I opened a few of the messages (not the attachments!) and found typical patterns.

This one is "not personalized" which is often a clue.


This one is allegedly a FedEx track code; they even made up a fake number, but it was sent to 20 people. Did we all receive the same package?


This one breaks all the rules:
1. No SendTo
2. Contains a Zip with an EXE inside
3. Not personalized
4. Signature incomplete.


Take a look at this one. Can you now identify why this is a very suspicious email?




CryptoLocker is such an evil virus that I wanted to create this resource of useful information and links.

CryptoLocker is an extremely dangerous and virulent ransomware trojan. The virus encrypts local and network share drives, then demands a ransom of either $100 or $300 and gives the user 72 hours to pay.

If you see this on your screen, it is already too late. Your files are encrypted and unrecoverable. Your only hope is a good backup.


If you read the text, they are correct that "nobody and never will be able to restore files...". The decryption key is stored on their server, and you can only get it if you pay the ransom. The clock starts ticking after the files are encrypted. The decryption key will be provided if you pay the ransom, and it mostly works, but there are snags that can cause problems, like deleting the list of encrypted files that it uses to decrypt, or deleting their "decrypted file" list in a panic, thinking that will help; it only makes it impossible to decrypt them. I think this file is very useful for seeing the extent of the damage and for finding older versions on your backup drive.

Here is the "wonderful" screen that lets you put in Bitcoins or MoneyPak, both unusual payment methods in the U.S. but preferred by the ransomware crowd for anonymity.


Everyone says "don't pay the ransom", and they are right. (Back up your system now!) But if you are desperate, and the 72 hour time period has not passed, it does seem that the ransom sort of works. Interestingly, the virus "developers" seem to be monitoring bulletin boards and fixing ransom "restore" bugs. I had to ask myself why, and the only answer is that if everyone agrees the restore does not work then no one would pay the ransom, the software would just be more like "deleteware", and it would produce no money for the people who wrote and disseminate it.

Here is a great Sophos video of CryptoLocker in action (about 8 minutes).

Propagation: I have looked in lots of places for the means by which this is propagated. The best answer (and it may not be correct) is the loading of Zbots, or Trojan viruses like voicemail.exe files sent to users. When they are launched, they download the CryptoLocker program in the background and launch it. They target common files, like Word, Excel, Access, PowerPoint, PDF and JPG (photos, etc.). Attempting to open one will generally cause an error that the file format is not recognized. When their evil work is done, they start the 72 hour clock. The decryption key is not on your machine, and that is what you need to decrypt your own files.

Removal of the virus:
The first thing to do if you suspect a problem is to disconnect the computer from the network to prevent it from encrypting all of your shared files. I personally would pull the plug on the computer, get a malware removal tool, start the machine in safe mode and start cleaning. Reddit has a bunch of threads that cover this in painful detail, like this one: Reddit Guide to Bleeping CryptoLocker

It is important to note that removing the virus does NOT get your files back. They are still encrypted. Did I mention to backup your files?


1. Make sure your backups are current, as this is the only way to recover from this virus.

2. Tell users that this is a "code Red" threat and not to open any suspicious attachments.

3. Add a Local Security Policy to your PC.
(For domain admins, you can set this at the domain or site level using the Group Policy Object editor.)

4. Make sure your anti-virus signatures are up to date and all your Windows Updates have been applied.

More Links:
As this post is a reference guide, I am posting this table of contents for Bleeping Computer in its entirety as I found it to be an excellent resource.

Bleeping Computer discussion Table of Contents

1. The purpose of this guide
2. What is CryptoLocker
3. What should you do when you discover your computer is infected with CryptoLocker
4. Is it possible to decrypt files encrypted by CryptoLocker?
5. Will paying the ransom actually decrypt your files?
6. Known Bitcoin Payment addresses for CryptoLocker
7. CryptoLocker and Network Shares
8. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!
9. How to increase the time you have to pay the ransom
10. Is there a way to contact the virus author?
11. How to restore files encrypted by CryptoLocker using Shadow Volume Copies
12. How do you become infected with CryptoLocker
13. How to generate a list of files that have been encrypted
14. How to determine which computer is infected with CryptoLocker on a network
15. How to prevent your computer from becoming infected by CryptoLocker
16. How to allow specific applications to run when using Software Restriction Policies
17. How to be notified by email when a Software Restriction Policy is triggered


CryptoLocker Wikipedia page

Reddit Guide to Bleeping CryptoLocker

Read on only if you want to understand how to lock down your system; the following explains it in more detail. This was again based on these instructions on preventing the Zbot from loading in the first place.

Manually Locking Down your System
Given that we look at viruses all the time in our main line of work, blocking spam and viruses, I decided to manually lock down my main PC.

Below are my results.


To test this, I tried to launch Notepad.exe from a Zip file. Here is the error I expected:


The same test with WinRAR:


I ran a test by trying to run Notepad from the %appdata% folder and it was blocked:


Using the CryptoPrevent Tool to Lock Down your System

This free tool from FoolishIT makes the same policy changes as above. CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running.
Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there!

Installed and ran 'Test' first off


Then clicked 'Block'


Restarted server and tested again



This is verified on my set-up: Policies cannot be seen.


However, the keys are in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths






Frank Paolino