Pages

Thursday, 26 November 2015

Trojan spreadsheet

From: Lucie Newlove <lucie@xxxxxfoods.co.uk>

Please see attached Invoice Document SI528880 from xxxxx FOOD IMPORTS LTD.

ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.

xxxxx Food Imports Ltd

REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA
Actually, it came from 191.250.48.88.dynamic.adsl.gvt.net.br, which means a broadband line in Brasil. The spoofed from-address is fake, and the people sending the email have nothing to do with the food importing company (whose name I've redacted).

And, of course, it's malware.

SHA1:ce7ec62fbc443b580c1c397af95d7a22c16dde98
SHA256: 1ecc514d0bf2b4f340d3c45b832e72d0be1cc5a86182e193221740041bb15052

Using VirusTotal, only AVware and VIPRE (out of 54 products) flagged it. Using Jotti, only Arcabit and Kaspersky (out of 21 products) flagged it. Metascan says that only Kaspersky and ThreatTrack (out of 43 products) found it.

Poor, very poor. You MUST NOT rely on your antivirus product to block malicious software in emails. The macro in the xls file does a lot of obviously bad stuff - it contacts a server, downloads something, installs something on your system.

Full report here.

And here's the problem. It's a spreadsheet. It could equally have been a doc file. It can come with a very plausible email; for example, I had one recently that said that my Fedex parcel couldn't be delivered, and I should read the doc file for details of how to proceed. As it happens, I was expecting a parcel - that must be pretty common. And I have no idea which courier the vendor would use, Fedex is plausible. So there's a good incentive to read the doc file. But if you load it into Word, your computer is no longer yours.

My advice. Change your Word and Excel settings so that they don't run macros, and resist any temptation to change them back. Also, don't click on any attachments unless you're certain that they came from a good source. And remember that your good friend Bob might not have been so careful and if his computer has been taken over, you could be getting malware that's apparently from Bob.

No comments:

Post a comment