InfoSec, Sci-fi, and other geekery
Posts related to information security, including news, tutorials, malware analysis, and threat intelligence.
Email headers contain very useful information for tracing a message’s origin and troubleshooting its delivery. Email headers are written with the oldest headers at the bottom, and the newest headers at the top. By reading the headers in the correct order, you can see how the message was passed from one mail server to another, and the actions each mail server took along the way.
Most email clients have a function to display a message’s headers. The exact steps depends on the client.
I have written extensively about the DMARC email security standard, including publishing a comprehensive guide on how to implement it, with or without additional third-party vendors. I also do a little consulting on DMARC deployment best practices. One of those consulting clients uses Proofpoint for their email gateway. They also use Dmarcian, a reasonably priced DMARC report analytics service that also publishes a ton of public content for the good of the community. We were considering moving the client’s DMARC policy from monitor only (p=none) to an enforced state (p=reject) after many hours of steadily improving the SPF and DKIM alignment of their email sources. As I took another look at the aggregate (rua) DMARC data in Dmarcian, I noticed something odd: Dmarcian was getting aggregate reports from all of the expected third-party email recipients, like Google, Yahoo, Comcast, and the client’s industry partners, but I didn’t see any reporting from the client’s own Proofpoint Secure Email Gateway (SEG).
Emotet is a Trojan designed to steal banking information. It is frequently spread by sending phishing emails to governments, banks, healthcare organizations, and schools. The phishing emails will often claim to be an invoice, with a malicious Microsoft Word document attached. The email may often appear to be from a trusted supplier. Once the attachment or link is opened, the target is prompted to click “Enable content”, which would allow the dropper to install Emotet.
I recently encountered two Emotet dropper samples (0b9ccb04553ba5f1ce784630ef9b2c478ed13a96e89c65dcd9c94205c235ea12 and eff6619aee017ee5d04c539ff12c63a199a1e489660f7156b95e562667393d3c) that would not run correctly in my malware sandbox. I soon found the cause of the problem: the file type had been detected as a generic XML file, rather than what it really is: a Microsoft Word document.
If you ever need to inspect the certificate of a remote SMTP server, you can use the openssl CLI tool.
If you need to check STARTTLS:
openssl s_client -connect mail.example.com:25 -starttls smtp
Or, for a standard secure SMTP port:
openssl s_client -connect mail.example.com:465
To save the certificate to a file, just redirect the output:
openssl s_client -connect mail.example.com:25 -starttls smtp > mail.example.com.crt
You can also check SMTP TLS using MX Toolbox or Check TLS.
DMARC can stop spoofed spam and phishing from reaching you and your customers, protecting your information security and your brand. However, complexity and misconceptions deter many organizations from ever deploying it. Part mythbusting , part implementation guide, this post explains the shortcomings of SPF and DKIM, what DMARC is, how to deploy DMARC properly, and how to respond to DMARC reports – all without the need for an additional vendor, thanks to open source software!
SPF and DMARC are standards that describe how the origins of email messages should be verified, to prevent email spoofing. I spent some free time over the past few weeks creating checkdmarc , a Python 3 module and command-line interface that can validate and troubleshoot SPF and DMARC records across multiple domains, with the intent of building it into a web application that will process DMARC reports. The Department of Homeland Security recently launched an initiative to deploy SPF, DMARC, and other best practices on most federal agency domains by issuing BOD 18-01. This created the perfect case study of common challenges and mistakes when deploying SPF and DMARC across very large organizations, and even a few small ones.
2018-01-30 update: I have made many improvements to my script, corrected a few of my own misconceptions about DMARC I had in this post, and switched to updated results from 2018-01-28.
YARA is described as “The pattern matching Swiss knife for malware researchers (and everyone else)”. Think of it as like grep, but instead of matching based on one pattern, YARA matches based on a set of rules, with each rule capable of containing multiple patterns, and complex condition logic for further refining matches. It’s a very useful tool. Let’s go over some practical examples of how to use it.
The WannaCry ransomware worm has spread panic and destruction as it infects hundreds of thousands of systems around the world; a rate not seen since the Blaster and Sasser worms of 2003. WannaCry — also known as WannaCrypt, WannaCryptor, WanaCrypt0r, WCry, or WCrypt — leverages vulnerabilities that Microsoft patched in the March MS17-010 Security Bulletin, after taking the unprecedented step of canceling the February Patch Tuesday.
While collecting samples of WannaCry, I found a sample that predates the worm version. The sample was compiled on February 9th, and uploaded to VirusTotal on February 10th. While compile timestamps can be faked, the closeness to the upload date suggests that the compilation timestamp is legitimate.
The headline feature of the new Google Pixel phones is deep integration between the operating system and the Google Assistant AI. By default, the Google Assistant can be activated even when the phone is locked and the display is off, if the device hears the trusted voice say the hot word, “Ok Google”. This also has the effect of unlocking the device, meaning that anyone with a recording of the trusted voice saying “Ok Google” — or even someone with a similar voice — can easily unlock the device.
When Google Chrome updated to 53.0.2785.101 on my Windows systems, I encountered an onslaught of alerts from EMET, which was killing chrome.exe processes for EAF+ violations as fast as Chrome kept trying to spawn them (each tab in Chrome is a separate process). Luckily, this problem is easily fixable.