Full of I.T.

Kevin Remde's IT Pro WebLog

A clever attempt to infect…

A newer version of Microsoft Office...

Would this fool you?  Would it fool one of your parents? 

As IT Professionals we’re supporting our businesses in many areas, not the least of which being the area of cyber-security.  So we always have our eyes and ears open to things that look a little suspicious.

And also, because we’re the supposed “experts” where our families and friends are concerned, we’re looking out for them with regard to personal computing and the potential for their devices and information to be compromised.

C’mon.. I know I’m not the only one who has had to attempt to clean malware off of an old PC for a friend, neighbor, or mother-in-law.  And like many of you, I’ve heard of (and even once received**) the phone call from “Microsoft Support” instructing the poor unsuspecting computer user that their computer was infected, and “please go here to install this tool so that we can fix your computer”.  

In that light I thought I would share with you a fresh, personal experience.  This happened today in the form of an e-mail, which contained a document, which had that above sample text at the top of it. 

Clever.

The email itself was vague; just vague enough to tempt one to drill in further.  A Mr. Larry Gordon (if that was his real name) was informing me that there was an “Invoice Past Due Notice”…

Invoice Past Due Notice email

Now, I suspected that there was something “phishy” (or “malicious-y”) about this.  But I also have a couple of older children who are in that financially awkward adult-yet-need-a-co-signer stage of life, and I have had to – how do I nicely say “cover their butts” –  on more than one occasion. 

But oh look!  The e-mail has an attachment! 

An attachment!

Must be the invoice details!

In the interest of letting Windows Defender have a go at it, I decided to save it to my desktop.  It saved fine, so I open the document, and this is what I see in Microsoft Word…

Security warning!

Yeah, I expected that.  But what was scary was that the e-mail actually had text instructing the lesser-knowing victim on how they should enable macros…

Document contents

Wow. 

Like most of you, I happen to know what version of Microsoft Word I have installed.  And it’s the very newest.  But does your mother-in-law know what version she has?  How about your college-age son or daughter?  And even if they did, would they suspect that “enabling” something called “macros” might be a bad thing?  And interestingly, that text was not actually text, but was just one big image in the document.

“So… you just deleted the e-mail, right?”

Well… yes. Eventually.  But I was curious to see how Windows 10 would react to me actually following the instructions.  Would I be safe?  What errors or other warnings, if any, would be displayed?  And if not, what does this thing actually try to do?

“No! You did that on your main work computer?!”

No.. that would be silly.  I was going to let virtualization do some work for me.  I have a spare Windows 10 virtual machine running on a server here, so I installed Office 2016.  In the meantime…

Uh oh!

BOOM!  Right after I close the suspicious document, I get a pop-up on my computer about detected malware.  I open up Defender, and the above screenshot is what I see.  Thank you again, Microsoft and Windows 10, for protecting me from my own curiosity.

But I still want to see what this thing does if I actually let the code in the document do its stuff.  Back to the VM, I’ve got Office installed, opened the e-mail (this time in OWA), and attempt to download the attachment…

More uh oh!

BOOM AGAIN!  Because it’s a download when in OWA, the mighty Defender once again protects me. 

Hmm… It turns out that it’s even harder these days to intentionally infect a computer than I thought!  But not dissuaded, I try once again; this time copying the attachment from Outlook and attempting to paste it to the desktop of the VM.

NOPE!  The local computer flags that as dangerous, too.  The VM didn’t get the file because the local computer stopped it here.

Still charging ahead, I decide to configure Outlook on the Virtual Machine itself.  I do so, connect to my mailbox, and attempt to save the document to my desktop.

NO NO NO!  Defender this time blocked it outright.  That’s cool.  (I wonder why it didn’t do that on my local computer?)

Okay… I need to still see what happens if Windows 10 and Defender are not able to stop the bad stuff.  I disable Defender (in the interest of not encouraging this in the least, I won’t tell you how to do that), and then again attempt to save the document to the desktop.

FINALLY.. that works.  I open the document, enable editing, and… nothing.  At least nothing that I can see.  I have to confess ignorance on what I should see with regard to macros.. but I’m not even asked to enable them this time.  When I look at the macros in the document, I do see a suspiciously named (looks like some kind of Cyrillic script) macro, but I don’t know how to get at any code. 
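The two things that made this attachment stand out, a body that is one big image instead of text and a VBA project you are asked to enable, can be checked without ever opening the file in Word. This is an added Python example, not code from this blog: it builds a constructed stand-in for the attachment in memory (the bytes and the 50-character text threshold are my assumptions) and reports whether a Word package carries a macro project, how many images it embeds, and how much real text it contains.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc compound-file header

def build_sample_doc(with_macro=True, body_text=""):
    """Constructed stand-in for the attachment: a minimal Word (OOXML) package
    with one big image and, optionally, a VBA project. Not a real malicious file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p>"
                   "<w:p><w:r><w:drawing/></w:r></w:p></w:body></w:document>" % body_text)
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 4096)
        if with_macro:
            # Assumed placeholder bytes; a real vbaProject.bin is an OLE stream.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 512)
    return buf.getvalue()

def triage(doc_bytes):
    """Report container type, VBA presence, embedded image count and visible text length."""
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        # Legacy .doc is an OLE compound file, not a zip: hand it to an OLE parser instead.
        kind = "ole" if doc_bytes.startswith(OLE_MAGIC) else "unknown"
        return {"container": kind, "has_macro": None, "image_count": 0, "text_chars": 0}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = set(z.namelist())
        has_macro = "word/vbaProject.bin" in names          # .docm / macro-enabled package
        images = [n for n in names if n.startswith("word/media/")]
        xml = (z.read("word/document.xml").decode("utf-8", "replace")
               if "word/document.xml" in names else "")
    text = "".join(re.findall(r"<w:t[^>]*>(.*?)</w:t>", xml, re.S))  # visible text runs only
    return {"container": "ooxml", "has_macro": has_macro,
            "image_count": len(images), "text_chars": len(text.strip())}

def is_suspicious(facts, max_text_chars=50):
    """The lure pattern from the post: macros present, body is essentially an image, almost no real text."""
    return bool(facts["has_macro"] and facts["image_count"] > 0
                and facts["text_chars"] <= max_text_chars)

if __name__ == "__main__":
    for label, doc in (("lure", build_sample_doc()),
                       ("no-macro", build_sample_doc(with_macro=False)),
                       ("legacy", OLE_MAGIC + b"\0" * 64)):
        facts = triage(doc)
        print(label, facts, "SUSPICIOUS" if is_suspicious(facts) else "ok")
```

For a legacy binary .doc, or to actually read the macro source the post could not get at, a dedicated OLE/VBA parser such as olevba from the oletools project is the right tool; this script only decides whether a file deserves that closer look.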

Nevertheless, I’m already sure that it’s bad news for that VM.  Just for fun I restart it (updates needed to be installed) to see if anything malicious pops up in the meantime.  (Good thing I’m using a dummy login that I never use anywhere else.)  I restart it once more..

Then I remember that Defender is still disabled!  I wonder what I’ll see if I enable it and do a full scan of this computer?  Well.. when I launch Defender, I see that I had only shut it off that once.. but it wasn’t disabled so much that it wouldn’t re-start itself later.  So that’s good.

Then I do the full scan.  Shoot.  No virus detected.

“You’re unhappy about that?”

Yeah, I know it seems odd.  I was hoping to see some malicious activity.. but between the security in Windows 10 and Office 2016, the bad-guys were stopped.  And even when I disabled Defender, somehow it was able to keep me safe.. in spite of myself.

So.. what should you take away from this:

  • Be suspicious of these kinds of e-mails, and tell your less-computer-savvy friends and relatives about this kind of thing.  (Feel free to send them a link to this article if you like.)
  • While no anti-malware/spyware/virus software is perfect, Windows 10, straight out-of-the-box, does an amazing job of keeping you safer.

I’ll keep watching that VM for something suspicious, and report back if needed.  And I sure hope my local PC wasn’t infected, because that would aafafekja;feoiASPAEFAE;LKJVA SSS ALL YOUR BASE ARE BELONG TO US! a;sera;lk;..s………s……….

(just kidding)

**That was fun.  I had this guy on the phone for 45 minutes as I played the part of a confused computer user.  But when I suddenly informed him that Microsoft would never call someone out-of-the-blue like this, he paused.. then exclaimed, “You sunuvabitch!”, and quickly hung up.