NOD32 Misses 'Critical Update for Microsoft Outlook and Outlook Express'

Discussion in 'ESET NOD32 Antivirus' started by rnfolsom, Jun 26, 2009.

Thread Status:
Not open for further replies.
  1. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    The following probably should go somewhere on the Eset website, but I can't find where it should go. I didn't find a place on the ThreatSense page, and on the Support page I didn't find a way to send attachments (although it may be there and I simply missed it).

    I don't know if a NOD32 4.0.437 POP3 email scan should be expected to catch a pair of phishing emails such as an alleged "Critical Update for Microsoft Outlook and Outlook Express," but in case it should, I have attached a graphic of the emails' main content, and the extended headers of each email that NOD32 did not catch.

    My reasons for thinking these messages are some sort of phishing malware (if I'm using the word "phishing" correctly) are:
    1) After receiving these messages, I ran Windows Update (which, since about two months ago, now updates MS Office products as well as Windows 2000 Sp4 itself), and it made no mention of this update.
    2) I haven't seen mention of this alleged update in the Windows Secrets newsletter.
    3) I've never before received a Microsoft email about an update.
    4) Although both emails have the same primary content, their apparently true "from" addresses are different (although I'm not skilled in reading extended headers), and they have almost the same time stamps.
    4) The messages cite MS kb910721, but a Google search for kb910721 dates its first hit as 18 Dec 2005. That's confirmed in the Microsoft document itself (although buried way down in small print), at http://support.microsoft.com/kb/910721
    That document includes the following description of the situation to which the real kb910721 applies: "Consider the following scenario. You use the Pine program as an Internet Message Access Protocol 4 (IMAP4) e-mail client to download e-mail messages. These e-mail messages are located on a server that is running Microsoft Exchange Server 2003." None of those have ever been on my computers.

    Before NOD32 had a chance to scan these two messages, they got to me through my ISP's Spam Assassin and TMDA (Tagged Message Delivery Agent) anti-spam utilities (and of course I have notified my ISP about that).

    My two attachments are:

    a) "Primary Message Content, Common to Both Messages.jpg" done as a graphic because Wilders does not accept html files. I am hoping that this attachment shows the messages' high quality.

    b) "Both Message Headers.txt." I am hoping that these headers will give Eset a "handle" for catching such messages.

    Roger Folsom
     

    Attached Files:

  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Are you positive the link doesn't point to malware that would be detected and blocked upon download? If it's just a scam email, it should be handled by the spam filter present in ESS. Since you've posted to the ESET Antivirus forum, I assume you're not using ESS and the ESET antispam.
     
  3. ASpace

    ASpace Guest

    ESET NOD32 detects this malware as a variant of Win32/Kryptik.TL . You can check by clicking on the link in the scam email but I don't advise you do so.

    By the way ESET was one of the few first detecting it on a VirusTotal scan when I submitted it .
     
  4. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    I haven't, and don't intend to, experiment to see whether the link points to malware. I'm sure that it does.

    You are right that I am using NOD32 AV and not ESS.

    Thanks for clarifying what NOD32 does and does not do, compared to ESS. I've been a bit fuzzy about the boundaries.

    Roger Folsom
     
  5. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    ASpace:

    I agree 100% with that advice. It never occurred to me to click on the link.

    Thanks for that very interesting information.

    I don't recall seeing "VirusTotal" scan in the NOD32 4.0.437.0 setup. Can you tell me what it is, and where it is located? I don't see it anywhere in the Advanced Setup Tree, or in the various buttons that the Setup Tree makes available.

    I've been using In Depth Scan profile, and I think I have it set up to check every single file on the computer (I don't use the computer for other tasks when I am scanning, and no software other than NOD32 is running), but I'm not absolutely sure.

    In On-demand computer scan, ThreatSense engine parameter setup, everything is checked except for Other's Log all objects, Enable Smart Optimization (I don't need a speedy scan), Preserve last access timestamp, and Display notification about scan completion in a separate window.

    In Scan Targets, both partitions C: and D: are checked (and also the empty CD drive), and that seems to check folder and file in each of those partitions.

    Roger Folsom
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  7. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    ASpace:

    Marcos gave me the link to VirusTotal, so I see it is independent and not part of any Eset software.

    I wandered around the VirusTotal site a bit, and as nearly as I could tell, if I had submitted the "Critical Upsate for Microsoft Outlook" email VirusTotal wouldn't have seen anything wrong with the email, because the email itself apparently was clean (given that NOD32 didn't mark it as containing malware when it was downloaded). Its problem was that the email contained a link that would have downloaded, as you discovered, "a variant of Win32/Kryptik.TL."

    So did you use the email's download link despite the risks to download the malware file and then send it to VirusTotal, or did you obtain the malware file some other way, or am I wrong that VirusTotal wouldn't have discovered anything wrong with the email itself, so all you had to do was submit the email itself to VirusTotal?

    Roger Folsom
     
  8. GettinSadda

    GettinSadda Registered Member

    Joined:
    May 14, 2007
    Posts:
    9
    I would have hoped that your e-mail program would warn you about this.

    The trick used in this sort of scam e-mail is to include a link to http://badsite.com with display text for the link as http://goodsite.com

    It should be trivial for every e-mail program to parse the displayed text for a link to see if it looks like a URL (i.e. http://blah or www.blah as opposed to "Click Here") and throw up a warning message if you click on a link that looks like a different URL to the actual URL pointed to.

    I would also have hoped that browsers would do the same test, but I don't think they do

    Edit: See, it can't be that hard to tell what "looks like a link" as the forum code did it to my post automatically
     
  9. ASpace

    ASpace Guest

    You are correct.


    Yes . There is nothing wrong with the email itself . The wrong is in the link which leads to server containing the malicious software.


    Submitting the whole email to ESET is not necessary because as you noticed the wrong/malicious stuff is in the link . I myself got the Kryptik malware not by clicking on that email link because I don't remember receiving it . I use GoogleMail and its filter is marvellous so such emails never come to my Inbox.

    Clicking on malicious links is dangerous for people who don't know how to protect them and how to act if they happen to "meet" an infected file. It is not dangerous for IT people who know what and how they are doing (it)
     
  10. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    GettinSadda:

    My email is the email component of Mozilla's SeaMonkey suite (browser and email, descendant of Netscape Communicator and maybe of the original Netscape), and SeaMonkey did flag it as a possible "Scam." I will use your very clearly worded message to ask (in the SeaMonkey forum at MozillaZine) if SeaMonkey flagged that as the result of noticing a difference between a displayed and a real link. If SeaMonkey isn't making that comparison, I'll post it as a desired feature.

    My ISP has two layers of additional spam protection that take effect before anything is downloaded and gets to SeaMonkey: Spam Assassin takes out the most obvious stuff, and then the rest goes to TMDA, or Tagged Message Delivery Agent.

    Both have whitelists that I have gradually created over time, and TMDA has a confirmed "real person" list, to which additions occur when a non-whitelisted person answers a response sent by TMDA. There's no CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart, i.e. no requirement to read squiggly letters and numbers), however.

    Last night I edited the TMDA white- and confirmed lists, and removed some ancient items that no longer need to be listed, and removed also microsoft.com, which was the alleged sender of the spam until one looked at the expanded headers. I don't know how microsoft.com got listed, but its being listed apparently is how the message got through Spam Assassin and TMDA.

    I think I'll blacklist it.

    Roger Folsom
     
    Last edited: Jun 29, 2009
  11. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    ASpace:

    Do I infer correctly that GoogleMail did get the "Critical Update for Microsoft Outlook and Outlook Express" email and you noticed it in your GoogleMail spam folder (or whatever it is called) and got the link from there? Otherwise, if you'd never seen the email, I can't figure out how you knew its link was to Kryptik and not to some entirely different malware, especially given that to my initial email in this thread I could attach only an image of the main part of the email and not its html version. (Incidentally, I do understand that Wilders doesn't want html attachments --- or html posts --- for security reasons.)

    On the other hand, if you don't want to disclose how you figured that out, that's fine too.

    In any case, thanks very much for the information you have provided.

    Roger Folsom
     
  12. ASpace

    ASpace Guest

    @rnfolsom

    I never fully read the emails that come to my GMail SPAM folder . I just have a quick look at their subjects and press a single button to empty the SPAM folder. I don't remember if this has come to my Junk folder.

    Anyway , I know because a person I am in touch provided me with a copy of the file and showed me a screeshot of the email he has received . This email was the same as the one you show in this thread and I am 99.999% sure we are talking about the same virus - Kryptik.

    I am an IT guy , I clean clients' computers infected by malware on regular bases and ~playing with malware is my hobby when time provides :)

    Greetings!
     
  13. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    ASpace:

    Thanks for clearing up the mystery!

    Roger Folsom
     
  14. ASpace

    ASpace Guest

    You are most welcome , Roger ! :thumb:
     
  15. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    GettinSadda:

    FYI, it turns out that Mozilla SeaMonkey (and also Mozilla Thunderbird) do mark messages as a possible Scam (vice spam) if their display link differs from the actual link.

    In thread http://forums.mozillazine.org/viewtopic.php?f=40&t=1324405, see message 8 at
    http://forums.mozillazine.org/viewtopic.php?f=40&t=1324405&p=6865705#p6865705

    Thanks for providing the information that got me going on this issue.

    Roger Folsom
     
Thread Status:
Not open for further replies.