
What sort of exploit is using .msg (outlook) attachment format?

Virus Guy
Mar 27, 2014, 8:40:51 AM

I got an email about 2 hours ago from:

----------
Return-Path: hubble3 @ rowland88.com
Received: from 173.23.199.77.rev.sfr.net (77.199.23.173)
From: "NatWest" secure.message @ natwest.com
Subject: You have a new Secure Message
-----------

So I will be adding 77.199.0.0/16 to my SMTP server's blocking list.

This was the message body:

------------
You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client (
Microsoft Outlook, Mozilla Thunderbird, Lotus )

If you have concerns about the validity of this message, please contact
the sender directly. For questions please contact the NatWest Bank
Secure Email Help Desk at 0131 556 2264.
-------------

An attachment, showing up in the lower pane as an Outlook icon, had the
name "SecureMessage.msg" with a size of 28 kb.

I run Outlook 2000 SR1 premium on this Win-98 system, and in 14 years of
using Outlook I can't recall ever receiving an msg attachment before. I
looked at the file in notepad and it wasn't an exe file - or any other
file that I would recognize from the first hundred or so characters in
the file.

I submitted the file to VT, and VT says it had scanned this exact file
just 9 minutes prior to my submission. Here is the link:

https://www.virustotal.com/en/file/a7cfbf7daf41f43c35c504b88173dbaa5e778260c0d3d2cbd0efecdf6326f06e/analysis/

The detection rate was 7 / 51:

Ad-Aware Gen:Variant.Kazy.357716
BitDefender Gen:Variant.Kazy.357716
Commtouch W32/Trojan.GQKA-2651
F-Prot W32/Trojan3.HWT
K7AntiVirus Trojan ( 7000000c1 )
MicroWorld-eScan Gen:Variant.Kazy.357716
Sophos Mal/DrodZp-A


Is anyone here familiar enough with the outlook .msg attachment
container format to know if this file is trying to exploit some known
code-execution vulnerability in that attachment type?

David H. Lipman
Mar 27, 2014, 8:45:17 AM

From: "Virus Guy" <"Virus"@Guy. com>
Please upload the .MSG file to UploadMalware.Com

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters
Mar 27, 2014, 10:17:53 AM

It happens that Virus Guy formulated :

> Is anyone here familiar enough with the outlook .msg attachment
> container format to know if this file is trying to exploit some known
> code-execution vulnerability in that attachment type?

It exploits the user.


Wolf K
Mar 27, 2014, 10:19:12 AM

On 2014-03-27 8:40 AM, Virus Guy wrote:
[...]
[Quoting from an email:]
> From: "NatWest" secure.message @ natwest.com
> Subject: You have a new Secure Message
[...]

Oh yeah? NatWest sends this kind of message? Really?

Obvious scam at least, and evilware at worst. From: is usually the
"display address", not an email address. Besides, the supposed email
address in the From: line is incorrectly formatted.

And the header confirms it:

>> Return-Path: hubble3 @ rowland88.com
>> Received: from 173.23.199.77.rev.sfr.net (77.199.23.173)
[snip more...]

> Is anyone here familiar enough with the outlook .msg attachment
> container format to know if this file is trying to exploit some known
> code-execution vulnerability in that attachment type?

I don't think one needs expertise in *.msg attachments to conclude that
this attachment is bad stuff. ;-) The bits I quoted are evidence enough.
I'd filter out all email from NatWest if I were you.

FWIW, I've filtered out all e-mail that's addressed "From: [my ISP]". I
know perfectly well that my ISP sends me advertising-flyer mail from
time to time, but I don't care. 75% or so of supposed ISP mail is
phishing or worse.

The percentage of bad mail from banks is even worse. If my bank wants to
reach me, they can use snail-mail. It's more than fast enough. If
NatWest sends you legit e-mail, I'd phone the local branch and tell them
politely that it would be Junked unopened. Disclosure: I have an account
with NatWest too, useful for trips to the UK.

HTH

--
Best,
Wolf K
kirkwood0.blogspot.ca

Virus Guy
Mar 27, 2014, 11:01:34 AM

Wolf K wrote:

> > Is anyone here familiar enough with the outlook .msg attachment
> > container format to know if this file is trying to exploit some
> > known code-execution vulnerability in that attachment type?
>
> I don't think one needs expertise in *.msg attachments to conclude
> that this attachment is bad stuff. ;-)

Your comments are not helpful to this thread. And neither is Rafters.

Are there any known exploits to the outlook container format .msg that
would trigger or execute upon opening or rendering the attachment within
outlook?

Or is the worst that can happen that a link to a garbage pharmacy
site will be presented?

In other words, is this just another way to convey a text message
containing a URL that is evading conventional message-body heuristic
analysis?

> I'd filter out all email from NatWest if I were you.

My smtp server will be refusing connections from the ip netblock
77.199.0.0/16 in response to receiving this spam. Your suggestion to
block envelope-from "@natwest.com" would be completely useless.

It seems like a moot point anyways - double-clicking the attachment and
outlook responds with "Unable to read the item".

Looking more closely at the attachment using notepad, I extract the
following:

=========
R e a d y o u r s e c u r e m e s s a g e b y d o w n l o a d
i n g t h e a t t a c h m e n t

( S e c u r e M e s s a g e . z i p ) . Y o u w i l l b e p r o
m p t e d t o o p e n ( v i e w ) t h e f i l e o r

s a v e ( d o w n l o a d ) i t t o y o u r c o m p u t e r
. F o r b e s t r e s u l t s , p l e a s e s a v e t h e

a t t a c h m e n t o n y o u r c o m p u t e r , e x t r a c
t a l l a n d o p e n S e c u r e M e s s a g e .







I f y o u h a v e c o n c e r n s a b o u t t h e v a l i d
i t y o f t h i s m e s s a g e , p l e a s e c o n t a c t

t h e s e n d e r d i r e c t l y . F o r q u e s t i o n s p
l e a s e c o n t a c t t h e N a t W e s t B a n k

S e c u r e E m a i l H e l p D e s k a t 0 1 3 1 5 5 6 1
2 2 1







F i r s t t i m e u s e r s - w i l l n e e d t o r e g i
s t e r a f t e r o p e n i n g t h e a t t a c h m e n t .
=========

The file SecureMessage.zip seems to be embedded in this attachment, and
I'd probably have to use a hex editor to extract it. I can see the "PK"
file identifier, so I know roughly where it starts, and I can see
"SecureMessage.scr" a few dozen bytes beyond "PK".

This .msg attachment must not be compatible with outlook 2000. What's
still not clear is how or if other versions of outlook would render or
decode/execute this package or the .scr file (which could be a real .scr
or more probably is an executable).

FromTheRafters
Mar 27, 2014, 11:15:56 AM

Virus Guy explained :
> Wolf K wrote:
>
>>> Is anyone here familiar enough with the outlook .msg attachment
>>> container format to know if this file is trying to exploit some
>>> known code-execution vulnerability in that attachment type?
>>
>> I don't think one needs expertise in *.msg attachments to conclude
>> that this attachment is bad stuff. ;-)
>
> Your comments are not helpful to this thread. And neither is Rafters.
>
You asked what exploit it used. I answered you.

[...]


FromTheRafters
Mar 27, 2014, 11:19:49 AM

Virus Guy pretended :

> What's
> still not clear is how or if other versions of outlook would render or
> decode/execute this package or the .scr file (which could be a real .scr
> or more probably is an executable).

The .scr file *is* an executable *and* a real .scr file.


Wolf K
Mar 27, 2014, 11:49:49 AM

On 2014-03-27 11:01 AM, Virus Guy wrote:
> Wolf K wrote:

>>> Is anyone here familiar enough with the outlook .msg attachment
>>> container format to know if this file is trying to exploit some
>>> known code-execution vulnerability in that attachment type?
>>
>> I don't think one needs expertise in *.msg attachments to conclude
>> that this attachment is bad stuff. ;-)
>
> Your comments are not helpful to this thread. And neither is Rafters.

Well, that's one way to shut down the conversation. But I'm in a good
mood, so I'll comment anyway. I hope you will find these comments more
helpful.

> Are there any known exploits to the outlook container format .msg that
> would trigger or execute upon opening or rendering the attachment within
> outlook?

Personally, I don't know. I've never used Outlook. Why not? Because of
its vulnerabilities. I'll repeat that: Because of its vulnerabilities.

[snip]
>> I'd filter out all email from NatWest if I were you.
>
> My smtp server will be refusing connections from the ip netblock
> 77.199.0.0/16 in response to receiving this spam. Your suggesting to
> block envelope-from "@natwest.com" would be completely useless.

Why? You just won't see any email from them is all. As I said, if
NatWest wants to get in touch with you, they can use the Royal Mail.
Much safer. The worst case is that you waste a few seconds opening the
envelope and then dumping it in the wastebasket.

[snip the extracted message]

The message content looks like phishing to me. Really. I certainly
wouldn't extract the zip file. If you think this is really a message
from NatWest, and you in fact bank with them, call your local branch.
They will know of any really important stuff NatWest wants you to know.

> The file SecureMessage.zip seems to be embedded in this attachment, and
> I'd probably have to use a hex editor to extract it. I can see the "PK"
> file identifier, so I know roughly where it starts, and I can see
> "SecureMessage.scr" a few dozen bytes beyond "PK".

*.scr are screen-savers, which are known conveyors of evilware.

> This .msg attachment must not be compatible with outlook 2000. What's
> still not clear is how or if other versions of outlook would render or
> decode/execute this package or the .scr file (which could be a real .scr
> or more probably is an executable).

A *.scr _is_ an executable. That's why it's very dangerous to open one
if you have even a smidgen of doubt about its origin.

HTH

--
Best,
Wolf K
kirkwood40.blogspot.ca

Thane
Mar 27, 2014, 1:53:20 PM

Wolf, you're being generous in your response. VG has a history of being
(let's say) uncooperative. Don't take it personally. Filtering works
really well. To quote others, "He's all whine, with no cheese or
crackers."

Thane

David H. Lipman
Mar 27, 2014, 2:21:57 PM

From: "Virus Guy" <"Virus"@Guy. com>

It is nothing but an email message with a ZIP attachment. I see no
exploitation code.

Body:
----------
"Read your secure message by downloading the attachment (SecureMessage.zip).
You will be prompted to open (view) the file or save (download) it to your
computer. For best results, please save the attachment on your computer,
extract all and open SecureMessage.

If you have concerns about the validity of this message, please contact the
sender directly. For questions please contact the NatWest Bank Secure Email
Help Desk at 0131 556 1221

First time users - will need to register after opening the attachment.

About Email Encryption -
supportcentre.natwest.com/app/answers/detail/a_id/1671/kw/secure%20message "

EoM

Attachment: SecureMessage.zip ==> SecureMessage.scr
https://www.virustotal.com/en/file/e7117359aca8db292b813092a2f4f6cf1a14a2967c8bcc5a5523cbe3ec0312a4/analysis/
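Both Virus Guy's notepad findings (UTF-16 lure text, a "PK" header, "SecureMessage.scr" just past it) and Dave's summary (SecureMessage.zip ==> SecureMessage.scr) can be checked mechanically. The script below is an added triage example, not code from anyone in the thread: it confirms the OLE2 magic that a .msg container carries, pulls out UTF-16LE strings, carves any embedded ZIP by its local file header and flags entries with executable extensions. The sample blob is constructed here to mimic the thread's description; it is not the real attachment.

```python
import io
import re
import zipfile

# Signatures: OLE2 compound file (the .msg container) and a ZIP local file header ("PK").
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_LOCAL = b"PK\x03\x04"
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Printable ASCII stored as UTF-16LE is what Notepad renders as "R e a d y o u r ..."
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){12,}")


def build_sample_msg() -> bytes:
    """Constructed stand-in for the attachment: OLE magic, filler, a UTF-16LE lure
    sentence, then a ZIP holding SecureMessage.scr. Not the real file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("SecureMessage.scr", b"MZ" + b"\x00" * 64)  # fake PE stub
    lure = "Read your secure message by downloading the attachment".encode("utf-16-le")
    return OLE_MAGIC + b"\x00" * 24 + lure + b"\x00" * 16 + zbuf.getvalue()


def utf16_strings(blob: bytes) -> list:
    """Decode runs of UTF-16LE printable text (the spaced-out text seen in Notepad)."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def carve_zips(blob: bytes) -> list:
    """Locate each embedded ZIP by its local header and list entries, flagging
    executable extensions (the .scr case from the thread)."""
    found = []
    pos = blob.find(ZIP_LOCAL)
    while pos != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(blob[pos:])) as zf:
                entries = [(n, n.lower().endswith(RISKY_EXT)) for n in zf.namelist()]
            found.append({"offset": pos, "entries": entries})
        except zipfile.BadZipFile:
            pass  # stray "PK" bytes that are not a parseable archive
        pos = blob.find(ZIP_LOCAL, pos + 1)
    return found


def triage(blob: bytes) -> dict:
    """Summarise container type, lure strings, embedded archives and risky entries."""
    zips = carve_zips(blob)
    risky = [n for z in zips for n, r in z["entries"] if r]
    return {"is_ole": blob.startswith(OLE_MAGIC), "strings": utf16_strings(blob),
            "zips": zips, "risky_entries": risky}


if __name__ == "__main__":
    print(triage(build_sample_msg()))
```

Run it against a saved attachment with `triage(open(path, "rb").read())`; a non-empty `risky_entries` list is the signal that the "secure message" is a wrapped executable.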

David H. Lipman
Mar 27, 2014, 2:23:34 PM

From: "FromTheRafters" <err...@nomail.afraid.org>
Pretty much that's it.