
eMail Virus

Look at this pernicious little nasty:
[Screenshot of the phishing email]

Got this email this morning that my ‘Amazon order’ had been processed. Well, first of all, I avoid ordering from Amazon, given their reputation. Second, when I have ordered from them it was never with this (privileged) email address. Third, the Order# is suspiciously short. Fourth, placed a month ago and only just now getting notice? I-hi don’t think so.

We are meant to wonder, “I didn’t order this,” or “What is this?”, and go looking for more information. There is no guidance on what to do except visit the help pages, and there is no link to them. Oh look, there’s an attachment, which must have more detail, that we can thoughtlessly click.

We probably all know better, except when we are tired or tipsy or both.   So what is this about then?

Replying to the email shows the destination address is “Amazon.com <delivers@goodemericaonline.com>”. Oh yes, it goes to Amazon at delivers, all good. Except no, that’s not an Amazon domain. It’s a domain that the crime gang behind this email has cracked and is using to route emails through.

Looking at the full email header (View|Message Source):

From - Mon Jun 30 08:38:22 2015
X-Account-Key: account3
X-UIDL: UID9217-1341933205
X-Mozilla-Status: 0001
X-Mozilla-Status2: 0000000
X-Mozilla-Keys:
Return-path: <support@sdgprize.com>
Envelope-to: cacook[@]quantum-sci[.]com
Delivery-date: Mon, 30 Jun 2015 09:41:24 -0400
Received: from mail.southerncottonginners.org ([173.12.252.153]:3632 helo=emericanews-time.com)
	by server14.hostwhitelabel.com with esmtp (Exim 4.82)
	(envelope-from <support@sdgprize.com>)
	id 1X1bpi-004GaF-9G
	for cacook[@]quantum-sci[.]com; Mon, 30 Jun 2015 09:41:24 -0400
Date:	Mon, 30 Jun 2015 07:34:10 -0600
From:	"Amazon.com" <delivers@goodemericaonline.com>
To: <cacook[@]quantum-sci[.]com>
Subject: Order Details
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------B51CD0D10B8ACC0"

It came to me from mail.southerncottonginners.org (173.12.252.153, Memphis, TN), which announced itself with the HELO name emericanews-time.com, a name that doesn’t match its reverse DNS. But I have a special plugin installed in my Thunderbird email client (MailHops) which shows me the hops the email went through, in a pulldown. This tells me that before southerncottonginners the email came from The Netherlands (77.247.181.165), politkovskaja.torservers.net. OK, so a Tor exit node; nobody can trace it back from there, but it likely came from Eastern Europe or Russia.
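The same header triage done in code, as an added example that is not part of the original post: it walks the Received: chain (newest hop first in the header, so the list is reversed to read oldest-first), and flags the three tells described above: a HELO name that doesn’t match the connecting host’s reverse DNS, a Return-path domain that doesn’t match the From: domain, and a brand-looking display name sitting on an unrelated domain. The header text is reconstructed from the one quoted above (angle brackets restored); the MailHops step of resolving the earlier Tor hop is not reproduced, since that information is not in the header itself.

```python
"""Triage the headers of the email quoted above: walk the Received: chain and
flag the mismatches the post points out. Added example, not code from the
original post. The header below is reconstructed from the one quoted in the
post (angle brackets restored; the defanged recipient address is kept as printed)."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

SAMPLE_HEADER = """\
Return-path: <support@sdgprize.com>
Envelope-to: cacook[@]quantum-sci[.]com
Delivery-date: Mon, 30 Jun 2015 09:41:24 -0400
Received: from mail.southerncottonginners.org ([173.12.252.153]:3632 helo=emericanews-time.com)
\tby server14.hostwhitelabel.com with esmtp (Exim 4.82)
\t(envelope-from <support@sdgprize.com>)
\tid 1X1bpi-004GaF-9G
\tfor cacook[@]quantum-sci[.]com; Mon, 30 Jun 2015 09:41:24 -0400
Date: Mon, 30 Jun 2015 07:34:10 -0600
From: "Amazon.com" <delivers@goodemericaonline.com>
To: <cacook[@]quantum-sci[.]com>
Subject: Order Details
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------B51CD0D10B8ACC0"
"""

# One Received: line as Exim writes it:
#   "from <rDNS> ([<ip>]:<port> helo=<name the client claimed>) by <host> ..."
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\](?::\d+)?(?:\s+helo=(?P<helo>\S+?))?\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def address_domain(value):
    """Domain of the first address in a header value, lower-cased (None if absent)."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def parse_hops(raw_header):
    """Return the Received: hops oldest-first. Each relay prepends its own
    Received: line, so the header order is newest-first; only the hop written
    by your own server is trustworthy, anything below it could be forged."""
    msg = HeaderParser().parsestr(raw_header)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def triage(raw_header):
    """Return (code, detail) findings for the red flags the post describes."""
    msg = HeaderParser().parsestr(raw_header)
    findings = []

    for hop in parse_hops(raw_header):
        # helo= is whatever the connecting host claimed; the rDNS name was looked
        # up by the receiving server. A mismatch means the sender is lying about
        # who it is (or is a misconfigured relay, which spam relays usually are).
        if hop["helo"] and hop["helo"].lower() != hop["rdns"].lower():
            findings.append(("helo-mismatch",
                             f"{hop['ip']} is {hop['rdns']} but said HELO {hop['helo']}"))

    from_domain = address_domain(msg.get("From"))
    bounce_domain = address_domain(msg.get("Return-path"))
    if from_domain and bounce_domain and from_domain != bounce_domain:
        findings.append(("return-path-mismatch",
                         f"From: {from_domain} but bounces go to {bounce_domain}"))

    # A display name that looks like a brand's domain but is not the sending
    # domain: "Amazon.com" <delivers@goodemericaonline.com>.
    display, _ = parseaddr(msg.get("From", ""))
    brand = display.strip('"').lower().rstrip(".")
    if ("." in brand and from_domain and from_domain != brand
            and not from_domain.endswith("." + brand)):
        findings.append(("display-name-mismatch",
                         f'display name "{display}" vs sending domain {from_domain}'))
    return findings


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADER):
        print("hop:", hop)
    for code, detail in triage(SAMPLE_HEADER):
        print(f"{code:24s} {detail}")
```

Only one Received: line survives in this header, so the chain is a single hop; on a message that crossed several relays the same loop prints each hop in delivery order, and the first hop you can actually vouch for is the one your own server wrote.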

Fine, but what is that attachment? (I have not included it here for your safety.) It’s named order_id.zip, a reasonable name for an order. Unzip it, and there’s only one file inside, order_id_7836247823678423678462387511111.exe. An executable; on the face of it that is wrong and bad for an attachment. An attachment should rarely be a zip, and never an executable. In this case the attachment is designed so that a couple of clicks open the archive and run the executable on your machine, and on a default Windows install, which hides known file extensions, the file shows up as just order_id_7836… with no .exe on the end.

But -what- is it? I scanned the .zip and .exe with Clam Antivirus, but it came up with nothing, disturbingly. So I opened the executable in a hex editor, and the first two bytes are ‘MZ’. Sure enough, a Windows executable. I’ve always run Linux so am impervious to this, but let’s look further, as there’s always text (if the executable is not obfuscated or packed).
[Screenshot: the executable open in a hex editor]

This is part of the executable that was inside the order_id.zip attachment, open in a hex editor. The raw bytes of the file are shown in hexadecimal on the left and as their ASCII rendering on the right. This portion is about 3/4 of the way down the file, where the string data usually sits.
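Doing the same inspection without a hex editor and without ever running the file, as an added example that is not part of the original post: list the zip’s members in memory, flag executable and deceptively long names, verify the PE header properly (the ‘MZ’ at offset 0 plus the ‘PE\0\0’ signature that the e_lfanew field at offset 0x3C points to), and pull out printable strings the way the screenshot above does. The order_id.zip here is constructed; its single member is an inert PE-shaped byte blob carrying a few sample strings, not the real attachment.

```python
"""Inspect a suspicious zip attachment without running anything in it: list the
members, flag executable names, verify the PE header (MZ plus the PE signature
that e_lfanew points at), and pull out printable strings the way a hex editor
or `strings` would. Added example, not code from the original post. The sample
zip is constructed here: its single member is an inert PE-shaped byte blob,
not the real attachment."""
import io
import os
import re
import struct
import zipfile

# Extensions Windows will execute on double-click (or that its script hosts run).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".cpl", ".dll"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate anything bigger (zip bombs)


def build_fake_pe(strings):
    """Inert stand-in for the attachment: an MZ header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature, followed by NUL-separated text. It has no code."""
    pe_offset = 0x80
    header = bytearray(pe_offset)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    return bytes(header) + b"PE\0\0" + b"\0" * 20 + b"\0".join(s.encode() for s in strings)


def build_sample_zip():
    """Constructed order_id.zip with the one member the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("order_id_7836247823678423678462387511111.exe",
                    build_fake_pe(["This program cannot be run in DOS mode.",
                                   "KERNEL32.dll", "CryptEncrypt", "DeleteFileW"]))
    return buf.getvalue()


def is_pe(data):
    """True only for a real PE layout: 'MZ' at 0 and 'PE\\0\\0' where e_lfanew points.
    'MZ' alone is not enough; plenty of non-executables start with those two bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len printable bytes (what `strings` prints)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_zip(zip_bytes):
    """Describe each member in memory; nothing is written to disk or executed."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = os.path.basename(info.filename)
            entry = {"name": info.filename, "size": info.file_size,
                     "flags": [], "strings": []}
            if os.path.splitext(base)[1].lower() in EXECUTABLE_EXTENSIONS:
                entry["flags"].append("executable-extension")
            if base.count(".") > 1:
                entry["flags"].append("double-extension")  # invoice.pdf.exe
            if len(base) > 40:
                entry["flags"].append("long-name")         # pushes .exe out of view
            if info.file_size > MAX_MEMBER_BYTES:
                entry["flags"].append("oversized-skipped")
                report.append(entry)
                continue
            data = zf.read(info)
            if is_pe(data):
                entry["flags"].append("pe-executable")
            entry["strings"] = printable_strings(data)
            report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        print(entry["name"], entry["size"], entry["flags"])
        for s in entry["strings"]:
            print("   ", s)
```

Run it against a real order_id.zip by replacing build_sample_zip() with the file’s bytes; the report never executes or extracts anything to disk, and the string list is the same material a hex editor shows in its ASCII column, just without the scrolling.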

Without going into more detail than I already have, it’s CRYPTOLOCKER! Ransomware which silently encrypts all your docs, photos, and other data specific to you, and then pops up to inform you that you must pay ($400 or $535 in Bitcoin) within 72 hours to get the key, or else lose everything. So it’s late in the evening, you’re tired, you click on the attachment, and you’re pwned.

Susceptibility to this is why you must always and regularly back up your data to offline storage, like DVD or Blu-ray. Myself, I have a computer on the far side of the attic (in case of fire or theft) which is dedicated to taking backups (and handling security cameras), and when it’s not doing backups the storage array is unmounted. But few do this, so the next best thing is to store on offline optical media. I back up weekly (automatically, Sunday morning), but monthly is better than nothing.

Gain this discipline. Or risk losing it all, including cloud storage if you have it mounted. (Looking at you, Rickey.)

~~   Update – 6 August, 2015   08:04   ~~

Thankfully the CryptoLocker gang has been defeated. Better still, all 500,000 victims can now recover files encrypted by the malware without paying a ransom. The security researchers who busted the gang have created an online portal where you can submit an encrypted file; they determine which key was used and give it to you for free.

When authorities moved to take over the worldwide botnet which was spreading CryptoLocker, the gang moved to hide their database of victims. But security researchers at FireEye and Fox-IT managed to intercept the victim database as it was being transferred, because parts of the botnet had already been seized.

The ringleader of the gang is (surprise!) a Russian man, Evgeniy Bogachev, aka “lucky12345” and “slavik”. The gang also ran Gameover Zeus, an online banking trojan which steals credentials.

Analysis of the victim database shows that only 1.3% of the victims actually paid up; some had backups of their data which they could restore, but many lost everything. Even with this low response rate, the gang netted ~$3,000,000. None of the gang members have been arrested, nor has the money been recovered.
