Previewing Outlook messages can lead to an infected computer

Microsoft has announced a vulnerability in Word 2010. For those of you who aren’t intimately familiar with Microsoft Office products, Microsoft Word is the default reader for Outlook 2007, Outlook 2010 and Outlook 2013.

https://technet.microsoft.com/en-us/security/advisory/2953095

If you’re using Microsoft Outlook as your email program, this could affect you.

Why would a company dedicated to website security make you aware of this?

This particular vulnerability exposes your local computer to remote code execution exploitation. This means that if a hacker sends you a carefully crafted email message in RTF format, just previewing the message in Outlook, with Word 2010 as your default reader, would allow remote code to be executed on your computer – which means your computer could be infected.

We want to bring this to your attention so that you update all your software. If your local computer gets infected, the hackers could steal the login credentials to your hosting account or your CMS (WordPress, Joomla, etc.), log in to your account and infect your website.

We are concerned with your website security, but along with this comes being concerned about your local computer security as well.

We’ve stated this before, but it becomes clear in Microsoft’s announcement that the attacker, if successful, will have the same rights as the currently logged-in user. If you log in to your local computer as administrator, guess what? The hacker will have the same rights – administrator.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

It’s advised that you create a separate “user” account on your computer. This user does not have the ability to install programs. If you want to install a new program on your computer, you log out as this user, log in as administrator, install the software, then log out as administrator, log back in as the user and proceed with your normal activity.

Yes, this is not the most convenient way to work; however, neither is having your computer compromised.

Always keep your local computer software updated. This helps us keep your website security at the highest level.

Please post a comment if you find this helpful. Tweet this to your friends and family.

SPAM for law firms

Since we started offering our VPS and dedicated server software, we’ve been handling many SPAM issues for clients. Not only outgoing, but incoming as well.

One recent rash of SPAM seems to focus on law firms. I’m sure others are receiving these as well, but our experience has mostly seen these emails sent to law firms.

The scenario begins with an email with a subject line like:

New Fax: 2 pages

The body of the message will be something like:

Scanned from MFP61725171 by (domain of recipient).com
Date: Tue, 1 Apr 2014 20:17:54 +0800
Pages: 2
Resolution: 200×200 DPI

It appears to be an internal fax. It will usually show the sender (From:) as fax@(domain of recipient).com and the number of pages will vary.

The email contains an attachment, typically a .zip file – obviously infectious.

When we look at the headers here’s what we see:

Return-path:

Envelope-to: willie.james@(domain of recipient).com
Delivery-date: Mon, 31 Mar 2014 10:15:53 +0000
Received: from [106.79.10.18] (port=49927)
by server.(server for client).com with esmtp (Exim 4.82)
(envelope-from )
id 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:
<6BY1VKL42LR58X56ARUF4VNG59U3YS6B@316-SN2MPN2-342.397d.mgd.msft.net>
From: "FAX"
To: john.assistant@(domain of recipient).com

Subject: New Fax : 5 pages
Thread-Topic: New Fax : 5 pages
Thread-Index: 9P7N7EWX4M3T3HCICOQW==
Date: Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:

Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/mixed;
boundary="----=_Part_49160_3775187661.5707552433783"
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:

MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: 092-SN2MMR2-965.296d.mgd.msft.net
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 09
X-Originating-IP: [106.79.10.18]
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Spam-Status: No, score=3.0
X-Spam-Score: 30
X-Spam-Bar: +++
X-Ham-Report: Spam detection software, running on the system
"server.(server for client).com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: You have received a new fax (fax-954672.zip). Date/Time:
Mon,
31 Mar 2014 15:45:51 +0530. Number of pages:5 [...]

This is a case where the spammers are spoofing the from email address so it appears to be an internal fax communication.

This line tells us it did not originate internally:
Received: from [106.79.10.18] (port=49927)

According to whois.domaintools.com (an awesome service, you should subscribe!) that IP address is in India. Our client was here in the United States. Therefore we know it was fake.
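The reasoning above, that a “From:” address in the recipient’s own domain cannot be trusted when the first hop your own server recorded came from an outside address, can be automated. The script below is an added example and not part of the original post or of any product it describes: it parses a constructed message modelled on the quoted headers (the placeholder domains lawfirm.example and hostingco.example, the office network range and the MIME body are assumptions; the IP, Exim id and attachment name are the ones shown above), takes the peer IP from the topmost Received: header stamped by the trusted relay (the only hop a sender cannot forge), and flags the message when that IP is external while the From: domain claims to be internal, listing any risky attachments it carries.

```python
"""Spot an 'internal fax' lure from its headers: the From: domain matches the
recipient's own domain, but the first hop our trusted relay recorded comes
from an outside address, and a .zip rides along."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post. The domain
# names stand in for the "(domain of recipient)" / "(server for client)"
# placeholders; the IP, Exim id and attachment name are the ones the post shows.
SAMPLE_MESSAGE = """\
Envelope-to: willie.james@lawfirm.example
Received: from [106.79.10.18] (port=49927)
\tby server.hostingco.example with esmtp (Exim 4.82)
\tid 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
\t115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
\t14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
From: "FAX" <fax@lawfirm.example>
To: john.assistant@lawfirm.example
Subject: New Fax : 5 pages
X-Originating-IP: [106.79.10.18]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_49160"

------=_Part_49160
Content-Type: text/plain

You have received a new fax (fax-954672.zip). Number of pages:5
------=_Part_49160
Content-Type: application/zip; name="fax-954672.zip"
Content-Disposition: attachment; filename="fax-954672.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
------=_Part_49160--
"""

RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")
IPV4_IN_BRACKETS = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.S)


def first_trusted_hop(msg, trusted_relay):
    """Return the peer IP recorded by our own relay. Received: headers are
    prepended, so the topmost one stamped 'by <our relay>' is the only hop a
    sender could not have written themselves; everything below it is just text."""
    for received in msg.get_all("Received", []):
        by = BY_HOST.search(received)
        if by and by.group(1).lower() == trusted_relay.lower():
            ip = IPV4_IN_BRACKETS.search(received)
            return ip.group(1) if ip else None
    return None


def analyze(raw_message, our_domain, trusted_relay, internal_nets):
    """Return the verdict a mail filter or an analyst would want for one message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin_ip = first_trusted_hop(msg, trusted_relay)
    from_outside = origin_ip is not None and not any(
        ipaddress.ip_address(origin_ip) in net for net in internal_nets)
    attachments = [part.get_filename() for part in msg.walk() if part.get_filename()]
    risky = [name for name in attachments if name.lower().endswith(RISKY_EXTENSIONS)]
    return {
        "origin_ip": origin_ip,
        # Claims to come from our own domain but entered from an outside IP:
        # the sender address is spoofed.
        "spoofed_internal": from_domain == our_domain.lower() and from_outside,
        "risky_attachments": risky,
    }


if __name__ == "__main__":
    office_range = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range
    print(analyze(SAMPLE_MESSAGE, "lawfirm.example", "server.hostingco.example", office_range))
```

The trusted relay name and the list of internal networks are the two inputs you have to supply from your own setup; the post’s whois step (where the IP is registered) is the manual version of the internal_nets check.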

If you use Outlook for email, you can see how to view the full headers by Googling “outlook view full headers”. If you use Outlook 2007, Outlook 2010, etc. you can further refine your search by adding that version. For instance you can use this in Google for Outlook 2007:

outlook 2007 view full headers

If you start getting these, just mark them as SPAM and move on with life. Your server is not infected. Your local computer is not infected either.

Our automated malware removal software for VPS and dedicated servers

As some of you know, we’ve been busy adding more features to our VPS and dedicated server software.

I thought it was time to let you know what we’ve been working on.

Currently our software works amazingly well at detecting the instant any files are changed or added to a VPS or dedicated server. If infected, it quarantines the original file and cleans it. If the infected file is a backdoor, it automatically removes it.

However, that is where our software stops – until now.

Our latest upgrade now reads the log files as well. So when a file in the themes folder of a WordPress site is infected, our software reads the log files and knows that it was the result of a stolen password. We now get a notification like this:

2013/12/23:06:03PM Samplewebsite.com had /public_html/wp-content/theme/xyz/index.php, header.php, footer.php files infected with the following code:
(malicious code would be displayed here)
According to the log files, a successful login was recorded from: 123.456.789.000 (show country of origin). This indicates that a stolen password was used.

So, not only will our software be able to clean the site, but it can also determine how it happened so we know, as your website security department, what to do to protect it.
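The correlation described above, a file-change alert explained by a login recorded in the logs shortly before it, can be illustrated with a small script. This is an added example, not the company’s software: it parses constructed Apache-style access log lines (the IPs, times and the change time are made up to match the notification format shown), treats a POST to wp-login.php answered with a 302 redirect as a successful login (WordPress re-renders the form with a 200 on failure), and reports which of those logins fell inside the window before the change and whether that session then used the theme editor. The country lookup in the notification is left out.

```python
"""Correlate a file-change alert with the web server's access log: which
successful wp-login.php POST preceded the change, and did that session then
use the theme editor?"""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format lines; IPs and times are made up.
ACCESS_LOG = """\
198.51.100.7 - - [23/Dec/2013:17:58:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2013:17:58:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2013:17:58:10 -0500] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2013:18:01:44 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [23/Dec/2013:16:10:30 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [23/Dec/2013:16:12:00 -0500] "GET /wp-admin/edit.php HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
"""

# Time the file monitor saw the theme files change (matches the post's
# "2013/12/23:06:03PM" notification; constructed).
CHANGE_TIME = datetime(2013, 12, 23, 18, 3, tzinfo=timezone(timedelta(hours=-5)))

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LogEntry = namedtuple("LogEntry", "ip ts method path status")


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(LogEntry(m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return entries


def explain_change(entries, changed_at, window=timedelta(minutes=30)):
    """Map each IP with a successful login inside the window before the change
    to when it logged in and whether it then POSTed to the theme editor."""
    start = changed_at - window
    sessions = {}
    for e in entries:
        # A failed WordPress login re-renders the form (200); success redirects (302).
        if e.method == "POST" and e.path == "/wp-login.php" and e.status == 302 \
                and start <= e.ts <= changed_at:
            sessions.setdefault(e.ip, {"login_at": e.ts, "used_theme_editor": False})
    for e in entries:
        if e.ip in sessions and e.method == "POST" \
                and e.path.startswith("/wp-admin/theme-editor.php") \
                and sessions[e.ip]["login_at"] <= e.ts <= changed_at:
            sessions[e.ip]["used_theme_editor"] = True
    return sessions


def report(log_text=ACCESS_LOG, changed_at=CHANGE_TIME):
    """Convenience wrapper: parse the log and explain the change in one call."""
    return explain_change(parse_log(log_text), changed_at)


if __name__ == "__main__":
    for ip, info in report().items():
        print(f"successful login from {ip} at {info['login_at']:%H:%M:%S}; "
              f"theme editor used: {info['used_theme_editor']}")
```

A login from 192.0.2.33 is in the log too, but it happened well outside the window and so is not offered as the explanation; the failed attempt from 198.51.100.7 (status 200) is ignored as well. Only the second, successful POST from that address, followed by a theme-editor POST, is reported, which is the “stolen password” case the notification above describes.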

Currently, for VPS and dedicated servers that are using cPanel, we can also determine if the infection came in through a form on the infected website, through FTP, or through many other methods.

As part of our next development, we are working on tying into cPanel so we can change passwords on the fly as well. Imagine that your site was infected due to stolen FTP passwords. Wouldn’t it be nice to have our software change the password for you, record it and save it? That would be like self-healing.

This would prevent a reoccurrence of that infection. We get notified, you get notified. It’s a beautiful thing.

We’re also working on auto-reporting to hosting providers. In our above scenario, we see that the IP address of: 123.456.789.000 is for a certain hosting provider. Our system will send an email with sanitized log file entries to abuse@… notifying that hosting provider that they have an infected site/server that is being used to launch attacks on other websites. We do this manually now and it’s been working quite well.

The hosting providers have been very quick to take care of the situation which just removes one more infected system from the Internet.

Another development in this latest update is that all file changes are sent to us. That way we can further analyze them to determine if a new type of infection has been released. With over 500 installations of our software on clients’ VPSs and dedicated servers, we’re growing our database of infectious code, which helps us – help you.

If you have any other needs or wants, please send them to me and I’ll research the idea and it could be included in one of our upcoming releases.

Questions? Let me know…

If you’re a hosting provider and would like to offer this to your VPS and dedicated server customers, feel free to contact me.

You can always contact me at: traef@wewatchyourwebsite.com

Thank you.