User Guide to Spotting Email Viruses


The never-ending attack on computers by viruses continues. Viruses have many ways to infect your computer, but the most common delivery vector is email, and that is where their makers are concentrating their efforts.

A successful organizational anti-virus effort involves a multi-layered approach, starting at the firewall, through to the end user desktop, and combines protection and user education.


Our latest addition is MacroKiller, which stops 100% of the CryptoLocker-style ransomware that arrives as macros in Word and Excel documents. (Yes, you read that right, 100%, as in ALL of them: the macro is removed before the user can open the document, so there is nothing left to run.)


Here is the Spotting Email Viruses guide. Feel free to share it with your coworkers (PDF below).

Download: Spotting Email Viruses.002.pdf


Who wants to try a Domino server addin that stops Locky viruses?

Lots of electrons have been wasted on non-solutions or partial solutions to this problem. I won't waste more electrons, but user training is almost worthless and is not the answer. Why, you ask? Because users will open anything, even if it says "please don't ever open me!" Add to the user problem the fact that these viruses mutate frequently to avoid detection, and you had better get your wallet out, a Bitcoin wallet I mean, so you can pay to unlock your files.

The ransomware makers and the distributors who send their wares by email to your users are significantly cranking up the volume. We have seen waves of viruses sent by email at 100 times the normal daily volume.

So what is our approach and why is it better? Instead of "good" or "adequate", we prefer to think "best", as in "Best Practices": we convert 100% of incoming Word .doc files to the .docx format, which by design cannot carry a VBA macro (the macro-enabled variant of the format is .docm).

So the user who was sent Invoice.doc receives the same file name, now just Invoice.docx. It opens fine in Word. If it is legitimate, they process it as usual. If a macro virus was present, it is gone; all that remains is the decoy text the macro was hiding behind, typically some nonsense like "please enable macroses" (sic). They might ask the help desk about it, but THEY CANNOT INFECT THEMSELVES with a Word macro virus, because the macro is no longer in the document. It is really that simple.

What if the Word doc has a macro and it is needed? The original document is zipped with a password. The user can forward it to the help desk, who will return it unzipped. Most likely it will still be a virus, and the help desk will roll their eyes and scold them, but a ransomware infection will have been avoided. Or you can just add the sender to the whitelist and their documents will be passed through unprocessed.

So try to solve this with user training (the hard way), or call us and we will add an Exchange Mail Flow Connector or a Domino Server Addin and stop all Word doc ransomware with our MacroKiller.

Email me directly at frank@maysoft.com and I will set up a 10-day trial of the software and send you an EICAR-style test file, "WordEicarMacro". This document is a safe demonstration file that shows how a macro-enabled Word document is turned into a harmless one by converting it to .DOCX.


WordDOC Macro Killer

As everyone in IT knows, there is an ongoing malware problem involving malicious Microsoft Word documents that carry virus macros. When such a document is opened in Word and the macro is allowed to run, the user's system is silently infected with ransomware (normally a CryptoLocker variant) that encrypts documents, spreadsheets, images and so on, and then demands payment for their recovery. At that point your only hope is a good backup or owning some Bitcoin (to pay the ransom).

Anti-virus software catches a lot of these, but the macros are obfuscated and a significant percentage of them slip past detection.

Current "Best Practices" recommend the following:

1. Don't open attachments from unknown senders
2. Disable auto-loading of Macros in Word (and Office in general)
3. Keep anti-virus software up to date

My problem with recommending this to users is that I KNOW for sure they will still get infected while following these "Best Practices". They are not very good at all, and certainly not "Best", which should mean "no infections"; they do not deliver that, as any IT person can tell you.

The ability of these macros to evade detection even by multi-layered virus strategies at the email server and the client desktop made us look for new and better ways to prevent them. In the end, after a lot of false starts, we decided to remove the macros from Word documents, except for whitelisted senders. Hence the name "Word Macro Killer". We have found this approach to be 100% effective against this email threat, with the obvious qualification that it addresses the macro vector only: an executable inside a ZIP, or a link in the message body, is a different threat that the other layers still have to catch.

Here is how we handle a Word document that contains a macro when no virus is found in it:

  • Create and attach a harmless PDF or DOCX file that the user can view to ascertain whether the original file is genuine. In most cases they can do their work with the DOCX and never need to open the original DOC.

  • Protect the original document with a password, so that the user cannot easily open it. The password is included in the SpamSentinel Report.txt file that is attached to the message.

  • Whitelists can be applied to senders and domains that regularly send documents containing macros.

These Word macro virus documents are currently very effective at evading filters and human detection alike, and, if you check the Bitcoin blockchain, a LOT of money is being paid in ransom to recover encrypted files. We recommend that everyone running email start stripping the macros from incoming Word documents to prevent further infections from email messages carrying Word macro viruses.
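The macro-stripping step described in this post and in the Domino add-in post above, as an added example written for this page rather than SpamSentinel's own code. It works on the OOXML container that Word and Excel use for .docm and .xlsm files: the macro lives in a vbaProject.bin part, the main document part is wired to it through a relationship of type vbaProject, and [Content_Types].xml marks the main part as macroEnabled. Remove all three and what is left is a plain .docx that Word opens with no macro to run, which is exactly why the converted Invoice.docx is harmless. The sample package and its vbaProject.bin placeholder are constructed for the demo; the Excel content type is included because the same package layout applies there, and converting a binary .doc (the OLE2 format) into OOXML is a separate step this code does not perform.

```python
"""Detect and strip the VBA project from an OOXML Office package (.docm, .xlsm).
Added example, not SpamSentinel/Maysoft code. The sample package and its
vbaProject.bin placeholder are constructed; binary OLE2 .doc is out of scope."""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
CT_VBA = "application/vnd.ms-office.vbaProject"
WORD_MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
WORD_PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
PLAIN_MAIN_FOR = {  # macro-enabled main-part type -> plain type it becomes after stripping
    WORD_MACRO_MAIN: WORD_PLAIN_MAIN,
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}
SAFE_EXTENSION = {"docm": "docx", "xlsm": "xlsx"}

def build_sample_package(with_macro=True):
    """Constructed minimal .docm-shaped zip with just the parts that matter here."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    defaults = ('<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                '<Default Extension="xml" ContentType="application/xml"/>')
    doc_rels = ""
    if with_macro:
        defaults += f'<Default Extension="bin" ContentType="{CT_VBA}"/>'
        doc_rels += f'<Relationship Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/>'
    main_ct = WORD_MACRO_MAIN if with_macro else WORD_PLAIN_MAIN
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">{defaults}'
                               f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="{OD_REL}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">{doc_rels}</Relationships>',
    }
    if with_macro:  # placeholder bytes standing in for a compiled VBA project
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 placeholder, not real VBA"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

def part_names(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()

def macro_indicators(data):
    """Structural reasons a package is macro-enabled; an empty set means none found."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                found.add("vbaProject.bin part")
            elif name.lower().endswith(".rels") and any(
                    r.get("Type") == VBA_REL for r in ET.fromstring(z.read(name))):
                found.add("vbaProject relationship")
        for el in ET.fromstring(z.read("[Content_Types].xml")):
            ct = el.get("ContentType", "")
            if ct == CT_VBA or "macroEnabled" in ct:
                found.add("macroEnabled content type")
    return found

def _clean_xml(xml_bytes, default_ns):
    """Drop VBA content-type and relationship entries; retype the main part as plain."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        ct = el.get("ContentType", "")
        if el.get("Type") == VBA_REL or ct == CT_VBA or ct.endswith("vbaData+xml"):
            root.remove(el)  # refers to a part that will no longer exist
        elif ct in PLAIN_MAIN_FOR:
            el.set("ContentType", PLAIN_MAIN_FOR[ct])  # .docm main part -> .docx main part
    ET.register_namespace("", default_ns)  # keep the file's default-namespace style
    body = ET.tostring(root, encoding="unicode")
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body).encode()

def strip_vba(data):
    """Copy the package minus the VBA project, its .rels, vbaData and every reference to them."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            low = name.lower()
            if "vbaproject" in low or "vbadata" in low:
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = _clean_xml(body, CT_NS)
            elif low.endswith(".rels"):
                body = _clean_xml(body, REL_NS)
            dst.writestr(name, body)
    return out.getvalue()

def safe_filename(name):
    """Invoice.docm -> Invoice.docx: the familiar name, with the non-macro extension."""
    stem, dot, ext = name.rpartition(".")
    return f"{stem}.{SAFE_EXTENSION.get(ext.lower(), ext)}" if dot else name
```

Call `macro_indicators(build_sample_package())` to see the three indicators, `strip_vba()` on the same bytes to get a package that reports none, and `safe_filename("Invoice.docm")` for the renamed attachment. The check is deliberately structural (part names, relationship types, content types) rather than signature-based, so the obfuscation inside the macro that the post describes does not affect it; if you want to read the VBA source itself, olevba from the oletools project does that and is not used here.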

Short lesson in the anatomy of a Word Macro Virus

Here is a "typical" email carrying a Word macro virus. These are almost always generic, as in "Greetings".

1. Our converted Word document, the harmless DOCX (which cannot contain a macro of any sort).

2. The ZIP file containing the original .DOC with the macro.

3. The file containing the ZIP password, if you are brave enough (or foolish enough) to open the original.

A picture named M2

Opening the safe DOCX file shows the embedded image that is common to these macro documents. I have looked at hundreds of these, and they all use the exact same image with the misspelling "Macroses". I guess sharing is encouraged in the virus-making community?

A picture named M3

Here is the password-protected ZIP file, which requires the password before the original file can be extracted.

A picture named M4

Here is a sample of the macro code. Notice how it is obfuscated, making it unreadable to humans and helping it evade anti-virus programs.

A picture named M5


Have you been targeted by Fraud emails?

Lately we have seen an uptick in fraudulent emails. They are sent to only one or two people in highly targeted attacks. First the attackers find the names of senior executives; then "spoofed" messages are sent, allegedly from those executives, to people empowered to disburse money. The hope is that the recipient will act quickly to please the executive and send the money before realizing the message is spoofed.

Many of the messages "pretend" to be internal but really come from external sources: they use the display name of a senior executive, or they carry a Reply-To pointing at an outside domain.

For example, one attack could have this sender:

"Bill Gates" <bill.gates@micros0ft.com>

In most mail clients the display name is all you see, so a reply can leave the organization without anyone noticing that the address behind the name is external (and, in this example, a look-alike of the real domain with a zero in place of the "o").
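Here is the header check those paragraphs describe, as an added example written for this post (it is not SpamSentinel code). It assumes the protected organization is example.com and that "Jane Doe" is an executive whose name attackers would borrow; the three sample messages are constructed. It flags an executive's display name on an external address, a look-alike domain that collapses to the real one once common substitutions such as 0 for o and 1 for l are undone (the micros0ft.com trick above), and a Reply-To that diverts replies to a domain other than the sender's.

```python
"""Executive-impersonation checks on message headers.
Added example, not SpamSentinel code. Assumptions: PROTECTED_DOMAIN is our own
domain, EXECUTIVES lists the display names worth protecting, and the SAMPLE_*
messages are constructed for this demo."""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"              # assumption: our own domain
EXECUTIVES = {frozenset({"jane", "doe"})}    # assumption: protected name tokens

# Undo the substitutions attackers use when registering look-alike domains.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def _name_key(display_name):
    """'Doe, Jane' and 'Jane DOE' compare equal: the set of alphabetic tokens."""
    return frozenset(re.findall(r"[a-z]+", display_name.lower()))

def _domain(address):
    return address.rpartition("@")[2].lower().rstrip(".")

def skeleton(domain):
    """Collapse look-alike spellings: skeleton('micros0ft.com') == 'microsoft.com'."""
    return domain.lower().translate(_CONFUSABLE).replace("rn", "m").replace("vv", "w")

def analyze(raw_message):
    """Return the set of impersonation indicators found in the headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    flags = set()
    if _name_key(name) in EXECUTIVES and from_domain != PROTECTED_DOMAIN:
        flags.add("exec-name-external-address")   # the Bill Gates case above
    if from_domain != PROTECTED_DOMAIN and skeleton(from_domain) == skeleton(PROTECTED_DOMAIN):
        flags.add("lookalike-domain")              # micros0ft.com vs microsoft.com
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) not in (from_domain, PROTECTED_DOMAIN):
        flags.add("reply-to-diverts-external")     # the reply goes somewhere else
    return flags

# Constructed samples: a look-alike domain, a diverted Reply-To, and a clean vendor mail.
SAMPLE_LOOKALIKE = """From: "Jane Doe" <jane.doe@examp1e.com>
To: payroll@example.com
Subject: Urgent wire

Are you at your desk? I need a transfer done before noon.
"""
SAMPLE_REPLYTO = """From: "Doe, Jane" <jane.doe@example.com>
Reply-To: <ceo.janedoe@gmail.com>
To: ap@example.com
Subject: Invoice

Please process the attached invoice today.
"""
SAMPLE_LEGIT = """From: "Pat Vendor" <pat@vendor.example.net>
To: ap@example.com
Subject: Invoice 4411

Attached.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLYTO), ("legit", SAMPLE_LEGIT)]:
        print(f"{label:9} -> {sorted(analyze(raw)) or 'no indicators'}")
```

The skeleton comparison is intentionally crude (digits and the rn/vv pairs only); a production filter would also normalize Unicode homoglyphs and compare against every domain you own, not just one. None of these flags proves fraud on its own, which is why they are indicators to hold or tag a message for a second look rather than reasons to reject it outright.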

Have any of you been attacked like this? Or in other ways?

I would love to see some samples of the variations on this attack. Post them below, or send them to my email address, frank_paolino@maysoft.com.


Poodle + Domino SSL = Mail Problems

If you use Domino today, you effectively cannot use SSL for email (SMTP) until the promised IBM fix is available. Here is why: the patches vendors applied for the POODLE vulnerability disable SSL 3.0, the protocol version POODLE attacks, and that is the only version Domino's SSL stack can offer before the fix. A patched server will start a secure (SSL) SMTP session with Domino but will not fall back to plain text when the handshake fails. The result is messages stuck in mail.box waiting to go out, and mail queued at the sender that never reaches you.

The best non-technical explanation I can give is this: after the STARTTLS command, the two SMTP servers try to negotiate a secure connection, cannot agree on a protocol version, and the negotiation fails, so the message transfer fails with it. You can watch this happen yourself with `openssl s_client -connect yourmailhost:25 -starttls smtp`, which reports a handshake error instead of showing the server certificate.

Vendors like Proofpoint (pphosted.com) would not fall back to plain text no matter what my Domino settings were, and I tried 10 different combinations. Once a session has started with STARTTLS, Domino (before the promised fix) has no acceptable protocol version to offer, so the session ends without a successful mail transfer.

The only option that works before the IBM fix is released is to disable SSL for inbound and outbound SMTP.

In summary, message transfers that start out as plain text will complete. Transfers that start out as secure will not.

This is suboptimal (like having a leg cut off is suboptimal) but messages will flow.

Tip: we like to use this service, http://www.kloth.net/services/dig.php, to check MX records for problems with message transfer (it checks DNS only; the STARTTLS failure above has to be tested against the mail host itself):

A picture named M2


IBM and Apple focus on the Enterprise

Apple is working with IBM to push into the enterprise space. Apple has mainly focused on the consumer market, but products like IBM Traveler have made BYOD a reality.

Now, with IBM, Apple is going to focus on large enterprises.

Tim Cook gets a corporate partner with a great enterprise player to promote Apple as enterprise ready.

Ginni Rometty mentioned security, which is an overwhelming concern with BYOD. If Apple and IBM make new offerings that satisfy IT departments, this should make Android very nervous, and of course make Blackberry start looking at its exit options.

All in all, a very interesting partnership.


CryptorBit Virus

There is a new and improved version of CryptoLocker. Version 1.0 made the makers of this ransomware a lot of money, and this version 2.0 is, I predict, just the first of many "feature enhanced" releases. Judging by the Bitcoin activity, there are a lot of "willing" victims out there paying to get their files back.

BleepingComputer is doing a great job documenting this, so I will point you there for good advice and a possible free fix by Nathan Scott called DecrypterFixer, which repairs the 512-byte file headers this malware scrambles. If you like his work, or it saves your files, he has a PayPal link for donations. If he saved my bacon, $20 is the amount I would "tip" him.


Required reminder: back up your files, use good anti-virus software, don't open attachments that contain exe files, and don't launch exe files from zip archives.


Time-lapse of Product Showcase Taken from my GoPro Camera

I wanted to have a little fun at #IBMConnect, so I put a GoPro camera over our booth on the Product Showcase and snapped pictures of all of our visitors over 4 days.

The Product Showcase was certainly "energized", so I chose suitable music: the "William Tell Overture".


Refrigerators Now Send Spam as Well as Keeping it Cold

Refrigerators now do more than keep Spam, that tasty treat, cold; they also send spam, the electronic email version.

That is the story of a compromised refrigerator that sends cold "spam" to unsuspecting users via its Internet connection.

Virus makers will try to add anything to their botnets, and the latest attack on "refrigerators" does not surprise me at all. The target was a refrigerator model running a flavor of Linux that had not been hardened or protected against malware, and it was allegedly sending out lots of spam.

A picture named M2

There was no proof in Proofpoint's article of the actual source refrigerator, which led some at Ars Technica to question the veracity of the story. Either way, it is only a question of time before these Internet-connected devices start doing more than laundry. IPv6 has 3.4 x 10^38 addresses (that is 340 trillion trillion trillion), which means any item can have an IP address. If there are soon 10 billion people in the world, we could give each of them more than 100 trillion trillion items, each with its own IPv6 address, so these won't run out unless we want to start tagging stars in the sky.

Make no mistake about it: The virus makers are targeting any Target (pun intended) that they can, in an attempt to:
  • Steal money
  • Steal your identity
  • Steal your wallet (bitcoin users know this problem very well)
  • Steal your data (credit card numbers, for example)
  • Hold you for Ransom

If these don't work, they will infect your device and use it to send more spam or malware.

The moral of the story is that in an always-connected world every device is constantly being probed for weaknesses that could serve as an entry point for an attack.


Increase in Virus Activity

The increase in recent virus activity has been noticeable, and the sophisticated techniques virus makers use to evade detection make stopping them that much more challenging. Many times a new message appears and I ask, "Is this some new attempt to get me to infect my machine?" Many of my customers ask me the same question, so I put a live stream of recently caught virus subject lines and attachment names on our website. (Obviously I did not put up the viruses themselves, just their names.) Clicking on the wordle I created out of the names brings you to a list of recent viruses blocked.

A picture named M2

Here is a sampling of the viruses recently caught by SpamSentinel Anti-Virus.





Frank Paolino