not a day passes by that spammers/crackers/evil money-addicted people try to infect your system with a word.doc attached to some mail from „police“ „government“ „paypal“ „facebook“ „google“ „apple“ or whatever.

here is the latest scam: a password-encrypted word.doc to bypass virus scanners.

as soon as you open the document with MS Office and enter the password, i bet (did not test) you will get a ransomware infection (all your files will be encrypted and you will have to pay bitcoins to the cracker’s address to get the key and possibly some of your files back (maybe not all)).

… another reason to use linux and open office… (although this is also not 100% protection).

for researchers:

the attached files:

uscourtgov.com_scan_admin.doc.tar.gz

sha512sum: 59e0bc3309831ae9f4a15ad01e45217c2c8cb5d5458dfd10acf6d3582fbd42e5a6c09205d6cbb330d863ebc6c83279663b97a61c8bb2318625e6769f0042becc uscourtgov.com_scan_admin.doc

mail header:

Return-path: <Dominick.Jones@uscourtsgov.com>
Envelope-to: mymail@mydomain.com
Delivery-date: Wed, 09 May 2018 13:27:17 +0200
Received: from mail19.uscourtsgov.com ([46.161.42.57])
	by dwaves.de with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <Dominick.Jones@uscourtsgov.com>)
	id 1fGNFd-0007Bm-DT
	for mymail@mydomain.com; Wed, 09 May 2018 13:27:17 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=uscourtsgov.com;
 h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To;
 i=Dominick.Jones@uscourtsgov.com;
 bh=t9DquuuXMx9swZjILrqjiEIdulI=;
 b=J9oMnAifNXacR8NLIuGDJGFzlZup+dsw3K/xGythY4gqev+DreKsHeMmeAPtXk/GeJrqDdAoNEnC
   Wf3NMxFBnKXbVGocHaoD255NzsphwsXZ2kwn1w/CBZWfYQMTBzX1XSuEH+289by6iCjsFxauEK9K
   mU9NNHo/FPgjllLjqt0=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=uscourtsgov.com;
 b=DMgL1q5bb7jGWBCGMnCr7g8z40+WBtAM2fmKliQKMsJlG6SNfaUA0LOb/nmWVhB8qJGu2MNqLzbg
   pRdu+VMbzO4+NiYZb6iRJwy6uhfsTMRhDSKt65vrSjK7WpcrL5jQn4XBa7ZS5AvJlZ5YE4G5MhDC
   /ZInsqy+FRCHlUmOfx0=;
Content-Type: multipart/mixed;
 boundary="Apple-Mail=_7A94787E87-891E-D23B-FE9B-E0AF862ED6E"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Subject: Case 137-28-ZGC
From: "Dominick Jones" <Dominick.Jones@uscourtsgov.com>
Date: Tue, 8 May 2018 13:29:03 -0700
Message-Id: <086B03B8-1ABA-4893-B5F9-5CEE4A4E6E52@uscourtsgov.com>
To: mymail@mydomain.com
X-redirected: yes

This is a multi-part message in MIME format

--Apple-Mail=_7A94787E87-891E-D23B-FE9B-E0AF862ED6E
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

DS WUU (Rev YZ/ZA)
Civil Action No. 3KC-UI-BXM

You're commanded to show up at the time, particular date, and place to actually admit at a deposition to be taken in this specific civil procedure.

Pass word to access the doc is 615145

Best regards,
Jerry Mcfadden
United States District Court

--Apple-Mail=_7A94787E87-891E-D23B-FE9B-E0AF862ED6E
Content-Type: application/msword;
        name="scan_admin.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="scan_admin.doc"
0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAIQADAP7/CQAGAAAAAAAAAAAAAAABAAAAMAAAAAAAAAAA
...

--Apple-Mail=_7A94787E87-891E-D23B-FE9B-E0AF862ED6E--


summary: how to get more security?

virus scanners and other firewall scanning appliances can be as sophisticated as they want – they all rely on known virus patterns.

for 10 years now it has been possible to pack / create „individual“ viruses that bypass any virus detection system.
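as an added example (my code, not from the post or the mail sample above): the checks a mail gateway could run on the message quoted above without any virus pattern. it parses a constructed, cut-down copy of that mail, decodes the attachment and looks for the OLE container header every legacy .doc has, looks for the password handed out in the mail text, and measures how far the Date header lies from the delivery time. PASSWORD_RE and the final "suspicious" rule are my own assumptions.

```python
import base64
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample, cut down from the mail quoted above; the attachment
# keeps only the first base64 line the post shows, enough for the magic check.
RAW_MAIL = """\
Delivery-date: Wed, 09 May 2018 13:27:17 +0200
Content-Type: multipart/mixed; boundary="B1"
Subject: Case 137-28-ZGC
From: "Dominick Jones" <Dominick.Jones@uscourtsgov.com>
Date: Tue, 8 May 2018 13:29:03 -0700
To: mymail@mydomain.com

--B1
Content-Type: text/plain; charset=UTF-8

Pass word to access the doc is 615145

--B1
Content-Type: application/msword; name="scan_admin.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="scan_admin.doc"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAIQADAP7/CQAGAAAAAAAAAAAAAAABAAAAMAAAAAAAAAAA
--B1--
"""

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # start of every legacy .doc/.xls container
PASSWORD_RE = re.compile(r"pass\s?word[^\n]{0,40}?\bis\s+([^\s.]+)", re.I)  # assumed pattern

def triage(raw: str) -> dict:
    """Structural signals a mail gateway can check with no signature database."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {"office_attachments": [], "password_in_body": None, "date_skew_hours": None}
    for part in msg.walk():
        if part.get_filename():  # any attachment: decode it and look at the bytes, not the name
            if part.get_payload(decode=True).startswith(OLE_MAGIC):
                out["office_attachments"].append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            m = PASSWORD_RE.search(part.get_content())
            out["password_in_body"] = m.group(1) if m else out["password_in_body"]
    if msg["Date"] and msg["Delivery-date"]:  # authoring time vs. arrival time
        delta = parsedate_to_datetime(str(msg["Delivery-date"])) - parsedate_to_datetime(str(msg["Date"]))
        out["date_skew_hours"] = delta.total_seconds() / 3600
    # the combination the post describes: an Office container plus its password in the mail text
    out["suspicious"] = bool(out["office_attachments"]) and out["password_in_body"] is not None
    return out
```

call triage(RAW_MAIL) to get the findings as a dict; on a real gateway feed it the raw message instead of the constructed sample.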

yes, the world just got more complex – more work for admins = good or bad?

countermeasure 1: easy

update your system / browser and UNINSTALL MICROSOFT OFFICE AND INSTALL LibreOffice / OpenOffice NOW!

countermeasure 2: advanced

all computers that NEED access to mail and the dangerous, javascript-virus-ridden www need to run outside your corporate LAN and should only be accessible from the corporate LAN in ways that do not allow file access, e.g. remote desktop.

countermeasure 3: extreme

after all the meltdown and spectre meltdowns – what could lead to a more resilient it landscape is (just as in nature, by the way): biodiversity.

in computer terms: different kinds of processors / different kinds of operating systems doing the important task. (e.g. intel and AMD CPUs of the last 20 years are known to be susceptible to meltdown and spectre, but RISC CPUs are not, like Freescale PowerPC RISC CPUs)

so if you want resilience in your it landscape: i guess you will have to run at least two servers doing the same task with completely different hardware and software – and the task ought to be completed by two completely different programs with different concepts, written in different languages.

sounds like a headache?

it surely is.

this is probably the most extreme kind of „error correction mechanism“ you can imagine.

but i bet it works.

admin