About that antivirus program on your computer

Here in the last week, both at work and at home, I have seen the following type of email:


This email has every indication of being malicious: an unsolicited, password protected Word document, with very few details to go on.  Let's download this puppy into our virtual machine and check it against just the generic Windows Defender built into the machine.


Nothing seems all that unusual.  But if you open the file, it really wants you to enable macros and click on them.



Look what happens when you enable the macros and click on the files.  A bunch of VB scripts.  Are those scripts dangerous?  Absolutely.


This VirusTotal scan was taken nearly one week after the file was emailed to us.  Are we brave enough to run the scripts in a controlled environment?
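As an added example (not code from the post), here is a triage check a defender can run on an attachment like this before anyone clicks "Enable Content": it looks inside an Office file for a VBA project, and separately flags the password-protected case, which Office wraps in an OLE container that this check cannot see into without the password. The sample packages are constructed, not real documents.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2) header

def classify_office_file(data: bytes) -> str:
    """Triage an Office attachment without opening it in Word.

    'macros'           OOXML package (.docm, or a renamed .docx) carrying a VBA project
    'no-macros'        OOXML package with no VBA project
    'ole-or-encrypted' legacy binary .doc, or a password-protected OOXML file:
                       Office stores encrypted packages inside an OLE container,
                       so the zip check cannot see inside without the password
    'unknown'          neither format
    """
    if data.startswith(OLE_MAGIC):
        return "ole-or-encrypted"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = package.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    # Word keeps the VBA project at word/vbaProject.bin (Excel: xl/vbaProject.bin);
    # the file extension proves nothing, so look at the package contents.
    if any(name.lower().endswith("vbaproject.bin") for name in names):
        return "macros"
    return "no-macros"

def build_sample_package(with_macros: bool) -> bytes:
    """Constructed minimal package for demonstration; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            package.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (True, False):
        print("macros" if flag else "clean", "->", classify_office_file(build_sample_package(flag)))
    print("encrypted/legacy ->", classify_office_file(OLE_MAGIC + b"\x00" * 504))
```

A result of "ole-or-encrypted" on an unsolicited mail is itself the tell: the password in the email exists to keep scanners out, not to protect the recipient.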

Anatomy of a scam? Or just a password notification?

While eating my breakfast this morning and checking up on email, I ran across 2 of the following emails:

3am email about a password reset from Facebook to an email address that is not used by the family as logins?  The Spidey Senses are tingling.  Time to look at the raw email data and see what is going on....

Delivered-To: beckerfamily@floridabeckers.us
Received: by with SMTP id h9csp502473qca;
Sat, 20 Sep 2014 00:04:35 -0700 (PDT)
X-Received: by with SMTP id ne16mr1532381wic.71.1411196675222;
Sat, 20 Sep 2014 00:04:35 -0700 (PDT)
Received: from mx-out.facebook.com (outmail016.ash2.facebook.com. [])
by mx.google.com with ESMTPS id v14si4512206wie.3.2014.
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 20 Sep 2014 00:04:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of password+h_i3dki_@facebookmail.com designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of password+h_i3dki_@facebookmail.com designates as permitted sender) smtp.mail=password+h_i3dki_@facebookmail.com;
dkim=pass header.i=@facebookmail.com;
dmarc=pass (p=REJECT dis=NONE) header.from=facebookmail.com
Received: from facebook.com (CB2uJzaEr7FAP9Z3NNj8E9uO4ydVsDyZ8ttuyabo2wEjYbPxtGSfri+xd3E5hhYV
by facebook.com with Thrift id 6079b0ec409411e494110002c9550d78-2a1eb3f0;
Sat, 20 Sep 2014 00:04:34 -0700
X-Facebook: from 2401:db00:3010:3018:face:0:4f:0 ([MTI3LjAuMC4x])
by m.facebook.com with HTTP (ZuckMail);
Date: Sat, 20 Sep 2014 00:04:34 -0700
Return-Path: password+h_i3dki_@facebookmail.com
To: Nicole Beasley-Becker
From: "Facebook"
Reply-to: noreply
Subject: Somebody requested a new password for your Facebook account
Message-ID: <7833a8c7c38f65544e5ddf3b132fa1f0@m.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
Errors-To: password+h_i3dki_@facebookmail.com
X-Facebook-Notify: password_reset; mailid=a872430G30a5e9d3G0G178G29129f32
X-Auto-Response-Suppress: All
Require-Recipient-Valid-Since: beckerfamily@floridabeckers.us; Wednesday, 4 Aug 2010 15:07:54 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2013-q3; t=1411196674;

Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Nicole,

Somebody recently asked to reset your Facebook password.

Click here to change your password.[https://www.facebook.com/recover/code?=

Alternatively, you can enter the following password reset code:


Didn’t request this change?

If you didn’t request a new password, let us know immediately.

Change Password

The Facebook Team

This message was sent to nicole@floridabeckers.us at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA =


— Raw eMail.

Hmm...it looks to be legitimate.  No links are connecting to or directing to any place other than Facebook.  Bringing up the virtual machine and opening the link shows nothing but a legitimate Facebook page....

So what is really going on?  I check on my wife's email to see if she received the same email, since it listed her name on the email.  Sure enough, identical email there too.  It looks like someone did try to reset her password and Facebook was trying to protect the account.  Sometimes link laden email is legitimate.  Time to tune those Spidey Senses again.....
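The checks walked through above, turned into a script as an added example (not code from the post): it reads the receiving server's spf/dkim/dmarc verdicts from Authentication-Results, checks the From domain, and confirms every link host really sits under Facebook's domains rather than a look-alike. The sample is a constructed, abbreviated copy of the email; BRAND_DOMAINS and the placeholder URL parameter are assumptions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse
# Constructed sample, abbreviated from the headers quoted above; URL parameter is a placeholder.
RAW_EMAIL = """\
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of password+h_i3dki_@facebookmail.com designates as permitted sender) smtp.mail=password+h_i3dki_@facebookmail.com;
 dkim=pass header.i=@facebookmail.com;
 dmarc=pass (p=REJECT dis=NONE) header.from=facebookmail.com
From: "Facebook" <password+h_i3dki_@facebookmail.com>
Subject: Somebody requested a new password for your Facebook account
Content-Type: text/plain; charset="UTF-8"

Click here to change your password: https://www.facebook.com/recover/code?u=PLACEHOLDER
If you didn't request a new password, let us know: https://www.facebook.com/login/recover/disavow_reset_email.php
"""
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")   # verdicts inside Authentication-Results
URL_RE = re.compile(r"""https?://[^\s<>"'\])]+""")  # links in the text body
BRAND_DOMAINS = ("facebook.com", "facebookmail.com")  # assumed legitimate sender/link domains

def is_under(host, domain):
    # Exact domain or a real subdomain; "facebook.com.evil.invalid" does not qualify
    return host == domain or host.endswith("." + domain)

def auth_results(msg):
    # Collect the receiving server's spf/dkim/dmarc verdicts into a dict
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for name, verdict in AUTH_RE.findall(hdr):
            results[name] = verdict.lower()
    return results

def triage(raw, brand_domains=BRAND_DOMAINS):
    """Return a list of findings; an empty list means the mail passed every check."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    results = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check}={results.get(check, 'missing')}")
    from_domain = msg["From"].addresses[0].domain.lower()
    if not any(is_under(from_domain, d) for d in brand_domains):
        findings.append(f"From domain is not a brand domain: {from_domain}")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(is_under(host, d) for d in brand_domains):
            findings.append(f"link leaves brand domains: {host}")
    return findings
```

Note that passing SPF, DKIM and DMARC only proves the mail left Facebook's own infrastructure; the link-host check is what catches a look-alike domain dressed up in the same template.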

So, about that order I "placed"...

Since we run multiple filters at work that do a good job of blocking spam and malware infested email, I am always interested in what makes it through the defenses, as opportunities for improvement.

Take, for instance, an email I received tonight about a supposed order I made.

What did I order?

Hmmmm...I ordered something today with my VISA, and the email telling me so came from a .ru email address (for those not familiar, .ru is Russia).  They are so kind to send me an invoice of my order in an attachment, which happens to be a .html file (web page code, again if you are not familiar).

Looks legit to me.  :)

Okay.  I know, suspicious file....must send it over to virustotal.com and see if it detects anything in the file.

No viruses detected???

Suspicious email, suspicious attachment, but comes up clean...what gives?

Let's open up the html code in a text editor and see what is going on....

Cyrillic plus mysterious javascript...

Fortunately, we have other tools to try to get a better handle of what is going on.  Submitting the file to malwr.com (run by the ShadowServer folks), we see there is really more than meets the eye.

Creates server and adds to startup....

There is definitely something malicious about this email.  Time to throw it into a virtual machine and try to analyze it safely.  On my Linux machine, opening the .html file opens this up....

Rut Roh.....

Double extensions....PDF to make the end user believe he is downloading a copy of the invoice to read in Adobe, but is it?  The .scr extension is used for screen savers in the Windows world (a screen saver is an ordinary executable, so Windows will run it), or as an extension for a script.

Let's pop the URL that we downloaded the file from into the URL scanners and see if protection is up to date.

Only one URL scanner showing this as malicious

Moral of the story is if it waddles like a duck and quacks like a duck, it is probably a duck, and this duck will make your system sick.  Never click on unexpected attachments or links in email without verifying from source.

If you have questions about a file, don't hesitate to use tools like VirusTotal and Malwr for them to analyze and help security companies improve their tools with malware samples.

Anonymous Attacks via #OpUSA

Looks like #OpUSA is turning into #FlopUSA.  On April 21, the "Anonymous" hacking group put out a list of around 10 government sites and 130+ financial institutions as targets in phase 1 of #OpUSA to target on May 7.  Instead, it looks like the attacks have been mostly against smaller mom-and-pop shops, many international sites, and a couple of dumps, including a credit card dump that had about 10k expired (for 5+years) cards.  I think that the groups lost all bite when  “Izz al-Din al-Qassam Cyber Fighters” decided to not participate and back their own campaigns.  The day is still young, but this looks to be more bark than bite currently.

Windows Technical Department

My wife got a call this evening on our phone from someone claiming to be from "Windows Technical Department" saying that my Windows computer had a virus.  Knowing that this was some sort of scam, Nicole says let me give you to my husband so he can work with you.  ;)  Oh, goodie.  I get to have fun with the guy.  We exchanged pleasantries over the phone, with me trying to be as pleasant and chipper as I could be.  The poor sap does not know what is about to hit him...

Me - "I will be happy to work with you to solve our virus problem."

Him - "Go ahead and turn on your computer."  Okay....my first problem.  He wants me to turn on my computer...I have 3 of them on in a 5 ft reach...all of them on.  :)

"Okay - Turned on."  I wonder if the 5 seconds it took me to "turn on my computer" was enough time.  "My Ubuntu Linux box is turned on."

"Look at your keyboard.  Do you see the 'C-T-R-L' key on the lower left of your keyboard?"

"I see the control key."

"Do you see the key that looks like the Windows logo?"

"No, I see the Option key on my Apple keyboard."

"Uh...are you in front of your Windows computer?"

At that point I had enough.  I told him to stop trying to scam me ("this is not a scam", "Let me get one of my Microsoft certified people"...give me their numbers and I will check them out).  I told them that if they Google their own company, there are many links that say they are a scam.  Protest after protest until I was done with the call.  The caller ID shows up as 987654321 (spoofed caller ID).

I really have to get up a VM quicker next time so I can try to see what they want me to do and better understand the scam.  They will call back (obviously) because they called here 2 weeks ago from 0256592258.


Microsoft has even put up their own site to avoid these kind of phone scams.  The US site on this can be found here.

Something may be amiss....Money mule scam

Just for giggles this evening, I decided to go into the spam mailbox and see what the latest scams people are trying to pull are.  Tonight, there were over 20 in this one (unpublished) box with this theme....



Hmmm...all within the last day.  I wonder if I am looking for a job?  :)

As I open one up, you get what looks like the opportunity to be a money mule....oh joy!



Obviously, the only job opportunity is for an opportunity to either work for organized crime, or get your information stolen....probably both. At least Google warns you of this.

Friends don't let friends get pwned.