Corporate users hit with fake Microsoft email delivering sneaky malware

Discussion in 'malware problems & news' started by ronjor, Feb 10, 2015.

  1. ronjor

    ronjor Global Moderator

    Jul 21, 2003
  2. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Very interesting report, Ron, including the link in it to the Cisco Blog:

    Fake Volume License Trojan Targets Corporate Users and Evades Sandboxes

    A few quotes:
    And a comment in the Cisco Blog:
    Actually, not. The infamous exploit from 2006, nine years ago, used a similar trick. A description of the scam:
    As with the current exploit, in that attack the real site appeared on the user's monitor while the malware downloaded in the background.

    So, nothing new here, except that while the former was a drive-by download that installed the malware executable, the current exploit requires another operation by the user -- extracting the executable from a ZIP file:
    All of this highlights basic failings in corporate security:
    • The user is still the weakest and most vulnerable link
    • Employees are permitted to install executable files
    For the first, evidently there was no attempt to question the source of the email; the opening line is:
    Wouldn't the employee question that she/he had not applied for such license, or had not been told that such license was coming? Evidently there is no company-wide security policy in place, where offers by email to install anything are reported to Administrative Security. Evidently the user did not question why the license registration required running a screen saver file from a ZIP folder.

    For the second failing, as long as employees can install anything they want, these tricks will continue to succeed. If, however, the company's computers are locked down after being configured by Administrative Support with the programs that employees need for the job, then nothing else can be installed except by Support. In such situations, updates to employee workstations are handled from an administrative console. An employee request for an additional program necessary for the job is checked out by Support, who then does the installation.

    This type of lock down is not popular, as was explained to me years ago in a discussion with Handlers at you would have a very unhappy workforce. Translation: employees like to use their work computer as their home computer and install anything they want.

    However, locking down computers works, as I have observed in a college where I worked years ago.
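    The attachment check a practitioner would want at the mail gateway for the lure discussed in this thread (a ZIP carrying a screen saver executable), written here as an added example; it is not code from the thread, from Cisco, or from any product. It assumes a constructed in-memory ZIP shaped like the lure and an assumed, non-exhaustive list of Windows-executable extensions, and it also flags PE files hiding behind a document extension, encrypted entries and nested archives:

```python
"""Mail-gateway style check for ZIP attachments that carry executables.

Added example, not code from the thread or from Cisco. It inspects an
attachment like the one described above (a ZIP holding a .scr) and flags
entries Windows would run when double-clicked, PE files hiding behind a
harmless extension, encrypted entries and nested archives. All sample ZIPs
are constructed in memory; no real malware is involved.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows treats as directly executable (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".msi", ".dll", ".cpl", ".ps1", ".lnk",
}
PE_MAGIC = b"MZ"                    # first two bytes of every Windows PE file
MAX_DEPTH = 3                       # how deep to follow ZIP-in-ZIP nesting
MAX_NESTED_BYTES = 8 * 1024 * 1024  # refuse to expand oversized inner archives


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[Dict]:
    """Return a list of {name, reasons} for every suspicious entry in the ZIP."""
    findings: List[Dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": prefix or "<attachment>", "reasons": ["not a valid ZIP"]}]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            reasons: List[str] = []
            if info.flag_bits & 0x1:
                # Encrypted entry: contents cannot be inspected, which is itself
                # a common trick for getting past gateway scanners.
                reasons.append("encrypted entry (contents not inspectable)")
                head = b""
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)  # only the magic bytes, never the whole file
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
                if lower.count(".") >= 2:
                    reasons.append("double extension (e.g. .pdf.scr)")
            elif head == PE_MAGIC:
                reasons.append("PE header (MZ) behind non-executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
            # Follow nested archives, bounded by depth and size (zip-bomb guard).
            if ext == ".zip" and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                findings.extend(inspect_zip(zf.read(info), depth + 1, name + "!"))
    return findings


def scan_attachment(data: bytes) -> Dict:
    """Policy wrapper: block the message if any entry is flagged."""
    findings = inspect_zip(data)
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample_attachment() -> bytes:
    """Constructed lure resembling the one in the thread: a 'license' ZIP with a
    .scr inside. Payloads are just the MZ magic plus padding, not real malware."""
    fake_pe = PE_MAGIC + b"\x00" * 62
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("setup.exe", fake_pe)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Volume_License_Certificate.pdf.scr", fake_pe)
        zf.writestr("readme.txt", b"Your Volume License is attached.")
        zf.writestr("invoice.pdf", fake_pe)        # PE content disguised as a PDF
        zf.writestr("extras.zip", inner.getvalue())  # nested archive
    return buf.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed benign ZIP: documents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contract.pdf", b"%PDF-1.4\n%...")
        zf.writestr("notes.txt", b"Nothing to see here.")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_attachment(build_sample_attachment()), indent=2))
```

A gateway check like this complements the workstation lockdown described in the post rather than replacing it: it catches the ZIP-with-.scr lure on the way in, while an allow-list of what may execute on the workstation still stops a payload that reaches the user by some other route.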