Wednesday, June 23, 2010

Mozilla Releases Firefox 3.6.4

It seems to be a little faster than 3.6.3 ... and it includes some better crash protection. Go get it!

Mozilla Releases Firefox 3.6.4
The Mozilla Foundation has released Firefox 3.6.4 and Firefox 3.5.10 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or conduct cross-site scripting attacks. Some of these vulnerabilities also affect Thunderbird and SeaMonkey.

US-CERT encourages users and administrators to review the Security Advisories for Firefox 3.6 and Firefox 3.5 and apply any necessary updates to help mitigate the risks.
Update Thu 24 Jun 2010 09:46: Mozilla patches 9 Firefox bugs, adds plug-in crash protection | Security Central - InfoWorld
Mozilla on Tuesday patched nine vulnerabilities, six of them critical, in Firefox 3.6 and Firefox 3.5.

But rather than highlighting the security fixes in Firefox 3.6.4, the company instead emphasized the addition of crash protection, a move meant to keep the browser alive when popular plug-ins drop dead.

Even legitimate support sites can go bad ...

Just one more reason to browse the Internet using Firefox with NoScript and as a non-administrator.  Use a limited account or use DropMyRights when you browse from machines where you must run as administrator.

Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan
The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.

According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday.

The IFrame points to an exploit kit hosted on a domain called After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player.

“These exploit codes attempt to load file hxxp:// which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from C&C server with domain,” Le Minh Hung, senior security researcher at Bkis, writes.

At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.

“Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including,” a detailed explanation of the Google warnings reads.

Even though the malicious .cn domain appears to be dead at the moment, it could return back online at any time. Therefore, users are advised to stay clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.

Thursday, June 17, 2010

Apple iTunes 9.2 released

WebKit security flaws haunt Apple's iTunes | ZDNet
Apple has shipped a critical security patch for its iTunes media player to fix several gaping security holes that expose Windows users to hacker attacks.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site. The update applies to Windows 7, Windows Vista and Windows XP machines.

In all, the new iTunes 9.2 fixes 40 documented vulnerabilities, most affecting the WebKit rendering engine. The WebKit vulnerabilities are the same that affected Apple’s Safari browser.
US-CERT Current Activity: Apple Releases iTunes 9.2
added June 17, 2010 at 08:19 am
Apple has released iTunes 9.2 for Windows systems to address multiple vulnerabilities affecting the ColorSync, ImageIO, and WebKit packages. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple article HT4220 and apply any necessary updates to help mitigate the risks.

Wednesday, June 16, 2010

Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player

Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player - Adobe Product Security Incident Response Team (PSIRT)
Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version than available from While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player ( available for download from

To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

OS X Patch Tuesday: 28 fixes

Apple releases advisory for Mac OS X - Multiple vulnerabilities discovered
Apple released today an advisory for multiple vulnerabilities discovered in Mac OS X. Impacted programs include CUPS, Desktop Services, Folder Manager, Help Viewer, iChat, ImageIO, Kerberos, libcurl, Network Authorization, Open Directory, Printer Setup, Printing, Ruby, SMB File Server, Squirrelmail, and Wiki Server. Mac users: please download the Mac OS X Server v10.6.4 Update Mac mini (Mid 2010) at Better to patch quickly before an exploit goes outside the wild.

More information for the advisory at
Apple plugs 28 Mac OS X security holes | ZDNet
Apple has shipped another mega Mac OS X patch bundle to fix a total of 28 documented security vulnerabilities affecting the Mac ecosystem.

The update, which includes fixes for the Adobe Flash Player plugin and several open-source components, is rated highly-critical because it exposes Mac OS X users to remote code execution attacks.

In some cases, a hacker could take complete control of an affected machine if a user is lured to a malicious Web site or views a rigged movie file.

Here’s the skinny on the most serious issues fixed in this Security Update 2010-004 / Mac OS X v10.6.4 bundle:

Windows XP Help vulnerability now "in the wild"

There are multiple reports of drive-by downloads appearing. Drive-by downloads are dangerous because you can be infected without taking any action other than browsing to a webpage which carries the infection. If you are running Windows XP as an administrator, you should probably immediately apply one of the workarounds described on the Microsoft page linked below.

Microsoft confirms exploits targeting Ormandy 0-day - SC Magazine US
Five days after a Google researcher published details of a zero-day vulnerability affecting the Windows Help and Support Center, in-the-wild exploits have emerged, Microsoft said Tuesday.

The software giant said it was aware of "limited exploits" affecting XP users, according to a tweet posted by the Microsoft Security Response Center. Server 2003 also is vulnerable to the bug, but Microsoft said it has not received any attack samples targeting those customers.

As affected users await a permanent fix, they are encouraged to apply a "Fix It" workaround, as outlined in a security advisory released Thursday by Microsoft.
Windows XP zero-day under attack; Use Microsoft's "fix-it" workaround | ZDNet
Just five days after Google researcher Tavis Ormandy released details of a critical vulnerability affecting Windows XP and Windows Server 2003, malware authors have struck, exploiting the flaw to plant malware on Windows machines.

The attacks, described by Microsoft as “limited,” are being distributed on rigged Web sites (drive-by downloads).

Official Microsoft bulletin here:
Microsoft Security Advisory (2219475): Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution

Home users should immediately run the Microsoft "Fixit" from this page: Vulnerability in Help Center could allow remote code execution. They should also download the "Disable" version of the "FixIt" for use later, as Microsoft often makes the FixIt page disappear when the problem is fixed permanently, removing access to the "UnFixit" for those who haven't planned ahead.

Thursday, June 10, 2010

Adobe patches Flash, but Adobe Reader 9 remains unpatched

A nasty hole in Adobe Flash (all platforms: Windows, Mac, Linux) has been patched on the Windows version. A related hole in Adobe Reader 9 is still unpatched. I have patched my Adobe Flash players and am in the process of patching Flash on business client computers. For home users, links to the Flash patches can be found here: Adobe - Security Bulletins: APSB10-14 Security update available for Adobe Flash Player -- but network admins and those not wishing to use Adobe's magical "Download Mangler" should read to the end of this blog entry to find links to Flash patches they can distribute more easily.

To protect yourself if you run Adobe Reader 9, note that the vulnerability relates to Flash objects embedded inside PDF documents. Adobe Reader 8 (and earlier versions) can't play embedded flash objects and so is not vulnerable. To protect AR9, just rename authplay.dll, which according to Adobe: "(t)he authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat." See Security Advisory for Flash Player, Adobe Reader and Acrobat (APSA10-01) for more information.

Consumer-friendly write-ups and notifications can be found on the following pages:

Adobe Flash Update Plugs 32 Security Holes — Krebs on Security
As promised, Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.
Adobe plugs 32 security holes in 'critical' Flash Player patch | ZDNet
Adobe has shipped a “critical” Flash Player update to fix a total of 32 documented vulnerabilities in the ubiquitous software product.

The Adobe Flash Player update comes on the heels of last week’s in-the-wild attacks against a zero-day hole in Adobe’s Reader and Flash Player product. This patch fixes that vulnerability along with 31 other serious security problems.
US-CERT Current Activity: Adobe Releases Flash 10.1
added June 10, 2010 at 08:00 pm

Adobe has released a Security Bulletin to address vulnerabilities in Adobe Flash Player and earlier versions and in Adobe AIR and earlier versions. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB10-14 and to update to Adobe Flash Player 10.1 to help mitigate the risks.
Here are links to download the Flash patches directly, without going through Adobe's pages:

Once you download these Flash patches, they can be installed without any further clicking by running them with the "/install" command-line switch.

Multiple reports of 0-day exploit in Windows XP Help

Windows Vista, Windows 7, Windows Server 2008/2008 R2 all appear immune. XP and Server 2003 are vulnerable. If you run as "Administrator" and use IE, you are particularly at risk. Those of us who run as non-admin users and use Firefox or Chrome are pretty safe, as far as I can tell at this early time.

Microsoft Security Advisory 2219475
Microsoft has issued a Security Advisory for the vulnerability in the Windows Help and Support Centre function that is delivered with supported editions of Windows XP and Windows Server 2003.

[snip] Full information for the advisory can be found at:

US-CERT Current Activity: Microsoft Windows Help and Support Center Vulnerability
added June 10, 2010 at 11:01 am

US-CERT is aware of a vulnerability affecting the Microsoft Windows Help and Support Center. This vulnerability is due to improper sanitization of hcp:// URIs. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands.

US-CERT encourages users and administrators to review Vulnerability Note VU#578319 and implement the workarounds to help mitigate the risks and reduce attack vectors.

US-CERT will provide additional information as it becomes available.
Microsoft confirms Help Center vulnerability - SC Magazine US
Microsoft on Thursday confirmed the presence of a zero-day vulnerability affecting Windows XP and Server 2003.
Googler releases Windows zero-day exploit, Microsoft unimpressed | ZDNet
Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

The vulnerability, which is due to improper sanitization of hcp:// URIs, may allow a remote, unauthenticated attacker to execute arbitrary commands. Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.
Microsoft Help Centre Handling of Escape Sequences May Lead to Exploit
It appears that a problem has been discovered with Microsoft Help Centre that may lead to problems for those who are using it.

According to the information provided by Microsoft on this issue:

"We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003. We are not aware of any current exploitation of this issue and customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack."

Microsoft warns that the analysis from the original disclosure of the event is incomplete and the workaround provided by Google is incomplete. They have made recommendations for and have given the steps to unregister the hcp protocol to protect from exploitation. See the information for mitigation at:

Wall Street Journal website infected, served malware

People surfing with ad blockers and script blockers would have been less likely to have been caught by this, which is one more reason I use the Firefox Browser with the Adblock Plus and NoScript add-ons. Even ChromePlus doesn't block scripts, although you can get an ad-blocker that uses the same lists as the Firefox ad-blocker and also a Flash blocker.

Thousands Of High-Ranked Webpages Infected With Malware, Including,,
More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines.

The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft’s Internet Information Services using, said David Dede, head of malware research at Sucuri, a website monitoring firm., The Wall Street Journal’s, The Jerusalem Post, and the police department website for UK county of Strathclyde have been hacked.

Google searches on Tuesday indicated more than 100,000 pages were infected, Dede said, but that number had shrunk to about 7,750 at time of writing.

Mass Web attack hits Wall Street Journal, Jerusalem Post
Internet users have been hit by a widespread Web attack that has compromised thousands of Web sites, including Web pages belonging to the Wall Street Journal and the Jerusalem Post.

Estimates of the total number of compromised Web sites vary between 7,000 and 114,000, according to security experts. Other compromised sites include and

Tuesday, June 8, 2010

Microsoft Patch Tuesday: 10 bulletins, many critical, reboot required

Well, this month's set of Microsoft patches has been released, and it's a big set. Microsoft is urging that system admins roll out several of these ASAP, as exploit code is either "in the wild" or easy to develop.

Microsoft finally fixes Pwn2Own browser flaw | ZDNet
The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities.

Three of the bulletins are rated “critical” because of the risk of remote code execution attacks. Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).

This month’s patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.

Microsoft is urging its users to pay special attention to MS10-033 (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.

Here’s the skinny on these three bulletins:

ISC SANS has a simple table listing all the patches and how critical they are on workstations and servers:

June 2010 Microsoft Black Tuesday Summary
Overview of the June 2010 Microsoft Patches and their status.

This month's Microsoft Technet blog page on June's patch set is for once readable and enlightening:

Assessing the risk of the June Security Bulletins - Security Research & Defense - Site Home - TechNet Blogs
Today we released ten security bulletins. Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

The official Bulletin is here:
Microsoft Security Bulletin Summary for June 2010

Home users should patch as soon as possible. Business users should wait a day or two but plan to roll out the patches next week at the latest.

Apple updates Safari

Apple has released an update to Safari 4.1 (Mac) and Safari 5.0 (Windows, Mac). As usual, they're not saying exactly what the security fixes are. If you have an Apple Mac running OS X, update your Safari. Windows users who have Safari installed should either uninstall it (my recommendation) or update it.

Apple plugs 48 Safari, WebKit security holes | ZDNet
Apple has shipped new versions of its Safari browser with patches for at least 48 security vulnerabilities.

The Safari 4.1 and 5.0 updates, considered “highly critical,” are available for both Windows and Mac OS X. Exploitation of some of these vulnerabilities could lead to drive-by download (remote code execution) attacks.
The majority of the documented vulnerabilities affected WebKit, the open-source Web browser engine that powers Safari.

Here’s the skinny on some of the more critical issues:

Official Apple security bulletin here: Safari 5.0 and Safari 4.1

Saturday, June 5, 2010

A busy week: Mac spyware, Banking trojans, Adobe Flash+Reader warning, Open Office patched, more.

I've seen multiple reports of spyware in Mac software:

Security firm discovers spyware in Mac software
Intego, makers of security and privacy apps for the Mac, warned on Tuesday that some Mac software includes a new piece of invasive spyware. Macworld has obtained a preliminary list of the applications with the spyware.

In a press release, Intego states that a number of apps and screen savers distributed through sites like MacUpdate, VersionTracker, and Softpedia are installing a little more software than users bargain for; Apple's Mac OS X Downloads site also contained entries for some of the apps, though the download links appear to now be inactive. The spyware in question is called OSX/OpinionSpy and it's a variant of Windows spyware that has existed since 2008.

As to the spyware's invasive actions, it allegedly dupes users into handing over their admin passwords with a dialog claiming that "market research" software will be installed to collect browsing and purchasing history. OSX/OpinionSpy then installs a process called "PremierOpinion" that runs as root. Intego says the spyware then opens an HTTP backdoor on port 8254, scans all accessible local and networked volumes, and injects code into Safari, Firefox, and iChat in memory (meaning it doesn't alter the applications themselves). It also regularly transmits encrypted data to a variety of servers, which contains e-mail addresses, iChat message headers, and URLs--as well as potentially personal data like usernames, passwords, credit card numbers, bookmarks, and browsing history.

OSX/OpinionSpy can also upgrade itself automatically with no user intervention and relaunch itself via Mac OS X's launchd, the system-wide process that manages a number of automated systems, background daemons, and launch processes. Furthermore, upon uninstalling the original program, OSX/OpinionSpy remains installed on your Mac.
Read more at the link above, including some nasty "Terms of Service" or EULA conditions of the spyware. Additional reports are here:

Using Windows for a Day Cost Mac User $100,000 — Krebs on Security
David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.


Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.
I don't do online banking for my business. Period.

Sunbelt Blog: Infected rogue spam uses Adobe update lure
Alert reader David McSpadden notified Sunbelt of the following spear-phishing attempt that was sent to users, appearing to come from their system administrator. [The PDF contains a link to the executable for the user to download.]

“If you already received this information before and action has been taken, then please ignore.

“This important information about a security vulnerability requires your immediate attention!

“All systems detected using Adobe products have been sent out this e-mail and are all requested to update their systems urgently.

“Kindly follow the instructions in the e-mail as forwarded below.

“Failure to comply will result in all financial and non financial loss to be a liability of the receiver.

“Please treat this e-mail as a matter of urgency. No further follow up warning will be sent.

“**This e-mail is a computer generated e-mail from and does not require a reply**

“--- On Fri, 5/28/10, Rxxxxxx Bxxxxxx <> wrote: ---
From: Rxxxxxx Bxxxxxx <>
To: Administrator <>
Subject: Adobe Security Update
Date: Friday, May 28, 2010, 11:24 AM

Sophisticated phishing ("social engineering") attacks like this are why you want a professional to take care of updating your company computers instead of relying on your users to do it.

Attackers exploiting new Flash bug, Adobe warns
A new, critical bug in Adobe's Flash Player is giving some attackers a back door into victims' computers, Adobe warned late Friday.

The bug affects Adobe Flash Player version and earlier on all operating systems, including Windows, Macintosh and Linux. It is also found in the latest versions of the widely used Reader and Acrobat software, Adobe said. "There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat," Adobe said in its security advisory.

When exploited, the flaw can cause Adobe's software to crash, but it can also give attackers control of the computer, Adobe said.
Official Adobe Bulletin: Adobe - Security Advisories: Security Advisory for Flash Player, Adobe Reader and Acrobat
A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.
Affected software versions

Adobe Flash Player, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

The Flash Player 10.1 Release Candidate available at does not appear to be vulnerable.
Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

Adobe Flash Player
The Flash Player 10.1 Release Candidate available at does not appear to be vulnerable.

Adobe Reader and Acrobat
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
Other stories reporting on this:

3.2.1 Fixes Bugs and Vulnerabilities
OpenOffice's latest version is available for Windows, Mac OS, Linux and Solaris systems. This release fixes 5 potential vulnerabilities, adds more stability and speed but no new features. The security bulletin is posted here.

Microsoft issued an advance notice for a mega-Patch Tuesday on June 8

Microsoft Releases Advance Notification for June Security Bulletin
added June 4, 2010 at 08:16 am

Microsoft has issued a Security Bulletin Advance Notification, indicating that its June release will contain ten bulletins. Three of these bulletins will have the severity rating of critical and will be for Microsoft Windows and Internet Explorer. The remaining bulletins will have the severity rating of important and will be for Microsoft Windows, Microsoft Office, and Microsoft Sharepoint Services. Release of these bulletins is scheduled for Tuesday, June 8, 2010.

US-CERT will provide additional information as it becomes available.

Today's links:

Wednesday, June 2, 2010

How I deal with suspicious email attachments

We have all received emails which (a) have attachments and (b) might be legitimate. An engineer at one of my clients recently came to me with just such an email-with-attachment that might have been from a possible client, asking me if it was safe to open the attached Word .DOC file. I told him "no", and explained how I test any email attachments, especially ones which I am not expecting.

First, I *-=NEVER=-* double-click on unexpected attachments or open them from my email program.  I always save them to disk.  The act of saving them to disk gives my local anti-malware program (VIPRE, Norton, McAfee, AVG, whatever) a first chance to scan them, and it prevents Windows from deciding which program to use to open them.

Once I have the attachment(s) saved to disk, I open the folder where I saved them.  I then right-click the suspicious file(s), choose "Send To" then "VirusTotal":
Send to VirusTotal image
If you don't have "VirusTotal" on your "Send To" menu, you can install it from the VirusTotal downloadable installer, which you get here:

For the truly careful, the file's MD5 hash is listed on the VT download page:

After you choose "Send To" -> "VirusTotal", a small window will open:
Send to VirusTotal image
After it has completed sending either the file's MD5 hash (if someone else has submitted a file with the same hash) or the file itself (if this is the first time this MD5 has been submitted), the uploader will launch your Internet browser at the VT page for that hash.  If the file is clean, you will see something like this:
Send to VirusTotal image
If you are unlucky and the file is malicious, you will see something like this:
Send to VirusTotal image
This last screen is from a file that VIPRE found on one of my clients' computers last week, and which I originally thought might be a "False Positive". I submitted it to Sunbelt Software for further analysis, and after a week they told me that it looks like real malware to them.

If the file has ANY malicious detections on VirusTotal, and I still think it might be a legitimate attachment, I'll look at the file with a binary viewer like Lister from the publisher of my favorite file browser, Total Commander.

In addition to using the above technique to test attachments, if I have any suspicions about the actual source of the email, looking at the message's headers tells me a lot about where the message came from. For example, if the email address of the sender shows "" but the originating computer is " []" instead of a server on the .mil network, that's a good clue that something is wrong.

Also, if you forward a suspicious email to me for diagnosis, I really need the full email headers to be able to study it properly. Since each email program displays email headers in a different way, telling you how to find them is too much for this email. Let me know if you need help with this, and let me know what email program you're using, and I'll let you know how to send me the email with headers.
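The triage steps in this post (save the attachment, hash it for a VirusTotal lookup, look at its bytes, and compare the sender's domain with the originating host in the headers) as an added Python example; it is not the author's tooling. The message, hostnames, addresses and the OLE2 stub attachment are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message (not a real e-mail; RFC 5737 addresses, .test
# hosts). The From: header claims a .mil sender, but the earliest Received:
# hop shows the message entering the mail path from an unrelated ISP host.
SAMPLE_RAW = (
    b"Received: from mail.example-corp.test (mail.example-corp.test [192.0.2.10])\r\n"
    b"\tby mx.example-corp.test with ESMTP id q4s1; Fri, 28 May 2010 11:24:02 -0500\r\n"
    b"Received: from dsl-pool-7.example-isp.test (dsl-pool-7.example-isp.test [198.51.100.7])\r\n"
    b"\tby mail.example-corp.test with SMTP; Fri, 28 May 2010 11:24:00 -0500\r\n"
    b'From: "J. Doe" <jdoe@mail.example.mil>\r\n'
    b"Subject: Project proposal\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached proposal.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/msword; name="proposal.doc"\r\n'
    b'Content-Disposition: attachment; filename="proposal.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAA\r\n"
    b"--XYZ--\r\n"
)

# Leading-byte signatures: enough to tell whether the bytes match what the
# attachment's name claims (a ".doc" that starts with "MZ" is an executable).
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (legacy .doc/.xls/.ppt)",
    b"PK\x03\x04": "ZIP container (also Office 2007+ .docx/.xlsx)",
    b"%PDF": "PDF document",
    b"MZ": "Windows executable (PE)",
}


def file_hashes(data: bytes) -> dict:
    """MD5 (what the 2010 VirusTotal uploader sent) and SHA-256 of the bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def identify_magic(data: bytes) -> str:
    """Name the file type from its first bytes, as a hex viewer would show them."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def registrable_part(host: str) -> str:
    """Crude organisation key: last two DNS labels (ignores co.uk-style suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def same_organisation(sender_domain: str, origin_host: str) -> bool:
    return registrable_part(sender_domain) == registrable_part(origin_host)


def origin_hop(received_headers: list) -> tuple:
    """Host and IP named in the earliest (bottom-most) Received: header."""
    if not received_headers:
        return ("", "")
    earliest = " ".join(str(received_headers[-1]).split())  # unfold whitespace
    host = re.match(r"from\s+(\S+)", earliest)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest)
    return (host.group(1) if host else "", ip.group(1) if ip else "")


def analyze_message(raw: bytes) -> dict:
    """Triage report: From:/first-hop consistency plus hash and type of each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    host, ip = origin_hop(msg.get_all("Received") or [])
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(),
                            "claimed_type": part.get_content_type(),
                            "detected_type": identify_magic(data),
                            **file_hashes(data)})
    # Flag when From: and the first hop belong to different organisations.
    mismatch = bool(sender_domain and host) and not same_organisation(sender_domain, host)
    return {"sender_domain": sender_domain, "origin_host": host, "origin_ip": ip,
            "origin_mismatch": mismatch, "attachments": attachments}
```

Calling `analyze_message(SAMPLE_RAW)` reports `origin_mismatch` as true for the constructed message (a .mil sender whose first hop is an ISP host) while the attachment's bytes do match its claimed .doc type; the hashes are what you would paste into VirusTotal instead of uploading the file.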