What sort of exploit is using .msg (outlook) attachment format?

I got an email about 2 hours ago from:

----------
Return-Path: hubble3 @ rowland88.com
Received: from 173.23.199.77.rev.sfr.net (77.199.23.173)
From: "NatWest" secure.message @ natwest.com
Subject: You have a new Secure Message
-----------

So I will be adding 77.199.0.0/16 to my SMTP server's blocking list.

This was the message body:

------------
You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client (
Microsoft Outlook, Mozilla Thunderbird, Lotus )

If you have concerns about the validity of this message, please contact
the sender directly. For questions please contact the NatWest Bank
Secure Email Help Desk at 0131 556 2264.
-------------

An attachment, showing up in the lower pane as an Outlook icon, had the
name "SecureMessage.msg" with a size of 28 kb.

I run Outlook 2000 SR1 premium on this Win-98 system, and in 14 years of
using Outlook I can't recall ever receiving an msg attachment before.  I
looked at the file in notepad and it wasn't an exe file - or any other
file that I would recognize from the first hundred or so characters in
the file.

I submitted the file to VT, and VT says it had scanned this exact file
just 9 minutes prior to my submission.  Here is the link:

https://www.virustotal.com/en/file/a7cfbf7daf41f43c35c504b88173dbaa5e778260c0d3d2cbd0efecdf6326f06e/analysis/

The detection rate was 7 / 51:

Ad-Aware          Gen:Variant.Kazy.357716
BitDefender       Gen:Variant.Kazy.357716
Commtouch         W32/Trojan.GQKA-2651
F-Prot            W32/Trojan3.HWT
K7AntiVirus       Trojan ( 7000000c1 )
MicroWorld-eScan  Gen:Variant.Kazy.357716
Sophos            Mal/DrodZp-A


Is anyone here familiar enough with the outlook .msg attachment
container format to know if this file is trying to exploit some known
code-execution vulnerability in that attachment type?

Re: What sort of exploit is using .msg (outlook) attachment format?



Please upload the .MSG file to UploadMalware.Com

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: What sort of exploit is using .msg (outlook) attachment format?

It happens that Virus Guy formulated :


It exploits the user.



Re: What sort of exploit is using .msg (outlook) attachment format?



Pretty much that's it.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: What sort of exploit is using .msg (outlook) attachment format?

On 2014-03-27 8:40 AM, Virus Guy wrote:
[...]
[Quoting from an email:]
[...]

Oh yeah? NatWest sends this kind of message? Really?

Obvious scam at least, and evilware at worst. From: is usually the  
"display address", not an email address. Besides, the supposed email  
address in the From: line is incorrectly formatted.

And the header confirms it:

[snip more...]


I don't think one needs expertise in *.msg attachments to conclude that  
this attachment is bad stuff. ;-) The bits I quoted are evidence enough.  
I'd filter out all email from NatWest if I were you.

FWIW, I've filtered out all e-mail that's addressed "From: [my ISP]". I  
know perfectly well that my ISP sends me advertising-flyer mail from  
time to time, but I don't care. 75% or so of supposed ISP mail is  
phishing or worse.

The percentage of bad mail from banks is even worse. If my bank wants to  
reach me, they can use snail-mail. It's more than fast enough. If  
NatWest sends you legit e-mail, I'd phone the local branch and tell them  
politely that it would be Junked unopened. Disclosure: I have an account  
with NatWest too, useful for trips to the UK.

HTH

--  
Best,
Wolf K
kirkwood0.blogspot.ca

Re: What sort of exploit is using .msg (outlook) attachment format?

Wolf K wrote:
  

Your comments are not helpful to this thread.  And neither is Rafters.

Are there any known exploits to the outlook container format .msg that
would trigger or execute upon opening or rendering the attachment within
outlook?

Or is the worst that can happen that a link to a garbage pharmacy
site will be presented?

In other words, is this just another way to convey a text message
containing a URL that is evading conventional message-body heuristic
analysis?


My smtp server will be refusing connections from the ip netblock
77.199.0.0/16 in response to receiving this spam.  Your suggestion to
block envelope-from "@natwest.com" would be completely useless.

It seems like a moot point anyways; double-clicking the attachment and
outlook responds with "Unable to read the item".

Looking more closely at the attachment using notepad, I extract the
following:

=========
R e a d   y o u r   s e c u r e   m e s s a g e   b y   d o w n l o a d
i n g   t h e   a t t a c h m e n t  
  
 ( S e c u r e M e s s a g e . z i p ) .   Y o u   w i l l   b e   p r o
m p t e d   t o   o p e n   ( v i e w )   t h e   f i l e   o r  
  
 s a v e   ( d o w n l o a d )   i t   t o   y o u r   c o m p u t e r
.   F o r   b e s t   r e s u l t s ,   p l e a s e   s a v e   t h e  
  
 a t t a c h m e n t   o n   y o u r   c o m p u t e r ,   e x t r a c
t   a l l   a n d   o p e n   S e c u r e M e s s a g e .  
  
  
  
    
  
  
  
 I f   y o u   h a v e   c o n c e r n s   a b o u t   t h e   v a l i d
i t y   o f   t h i s   m e s s a g e ,   p l e a s e   c o n t a c t  
  
 t h e   s e n d e r   d i r e c t l y .   F o r   q u e s t i o n s   p
l e a s e   c o n t a c t   t h e   N a t W e s t   B a n k  
  
 S e c u r e   E m a i l   H e l p   D e s k   a t   0 1 3 1   5 5 6   1
2 2 1  
  
  
  
    
  
  
  
 F i r s t   t i m e   u s e r s   -   w i l l   n e e d   t o   r e g i
s t e r   a f t e r   o p e n i n g   t h e   a t t a c h m e n t .
=========

The file SecureMessage.zip seems to be embedded in this attachment, and
I'd probably have to use a hex editor to extract it.  I can see the "PK"
file identifier, so I know roughly where it starts, and I can see
"SecureMessage.scr" a few dozen bytes beyond "PK".

This .msg attachment must not be compatible with outlook 2000.  What's
still not clear is how or if other versions of outlook would render or
decode/execute this package or the .scr file (which could be a real .scr
or more probably is an executable).
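Scripting the Notepad inspection described in the post above (the UTF-16 lure text, the "PK" signature, the .scr name a few dozen bytes beyond it) gives an offline triage check that never opens the attachment in a mail client. This is an added example, not code from the thread; the sample bytes are constructed (OLE magic plus filler, not a valid compound file, with a harmless text stub standing in for the .scr), and the RISKY extension list is an assumption.

```python
import io
import re
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File header: the .msg container
ZIP_LOCAL = b"PK\x03\x04"                          # ZIP local file header signature
# Assumed list of extensions Windows runs as programs; .scr is the one seen in this thread.
RISKY = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def carve_zip_members(blob):
    """Return (offset, member name) for every ZIP local file header found in blob."""
    hits = []
    pos = blob.find(ZIP_LOCAL)
    while pos != -1:
        if pos + 30 <= len(blob):
            # Fixed 30-byte header; name length and extra length sit at offsets 26 and 28.
            nlen, _xlen = struct.unpack_from("<HH", blob, pos + 26)
            name = blob[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
            hits.append((pos, name))
        pos = blob.find(ZIP_LOCAL, pos + 4)
    return hits


def utf16_strings(blob, min_len=8):
    """Recover printable UTF-16LE runs, i.e. the 'R e a d   y o u r' text seen in Notepad."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def triage(blob):
    """Summarise what an attachment contains without opening it in a mail client."""
    members = carve_zip_members(blob)
    return {
        "is_ole": blob.startswith(OLE_MAGIC),
        "zip_members": members,
        "risky": [n for _, n in members if any(n.lower().endswith(e) for e in RISKY)],
        "lure_text": utf16_strings(blob),
    }


def build_sample():
    """Constructed stand-in for the attachment: OLE magic, UTF-16 lure text, embedded ZIP.
    It is not a valid compound file; the .scr member is harmless filler text."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("SecureMessage.scr", b"constructed filler, not a program")
    lure = "Read your secure message by downloading the attachment (SecureMessage.zip)."
    return OLE_MAGIC + b"\x00" * 32 + lure.encode("utf-16-le") + b"\x00" * 16 + zbuf.getvalue()
```

On a real file, pass `open(path, "rb").read()` to `triage()`; a non-empty `risky` list is the cue to submit the sample for analysis rather than extract it.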

Re: What sort of exploit is using .msg (outlook) attachment format?

Virus Guy explained :
You asked what exploit it used. I answered you.

[...]



Re: What sort of exploit is using .msg (outlook) attachment format?

Virus Guy pretended :


The .scr file *is* an executable *and* a real .scr file.



Re: What sort of exploit is using .msg (outlook) attachment format?

On 2014-03-27 11:01 AM, Virus Guy wrote:


Well, that's one way to shut down the conversation. But I'm in a good  
mood, so I'll comment anyway. I hope you will find these comments more  
helpful.


Personally, I don't know. I've never used Outlook. Why not? Because of  
its vulnerabilities. I'll repeat that: Because of its vulnerabilities.

[snip]

Why? You just won't see any email from them is all. As I said, if  
NatWest wants to get in touch with you, they can use the Royal Mail.  
Much safer. The worst case is that you waste a few seconds opening the  
envelope and then dumping it in the wastebasket.

[snip the extracted message]

The message content looks like phishing to me. Really. I certainly  
wouldn't extract the zip file. If you think this is really a message  
from NatWest, and you in fact bank with them, call your local branch.  
They will know of any really important stuff NatWest wants you to know.


*.scr are screen-savers, which are known conveyors of evilware.


A *.scr _is_ an executable. That's why it's very dangerous to open one  
if you have even a smidgen of doubt about its origin.

HTH

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: What sort of exploit is using .msg (outlook) attachment format?

On Thu, 27 Mar 2014 11:49:49 -0400, Wolf K wrote:

Wolf, you're being generous in your response. VG has a history of being  
(let's say) uncooperative. Don't take it personally. Filtering works  
really well. To quote others, "He's all whine, with no cheese or  
crackers."

Thane

Re: What sort of exploit is using .msg (outlook) attachment format?



It is nothing but an email message with a ZIP attachment.  I see no  
exploitation code.

Body:
----------
"Read your secure message by downloading the attachment (SecureMessage.zip).  
You will be prompted to open (view) the file or save (download) it to your  
computer. For best results, please save the attachment on your computer,  
extract all and open SecureMessage.

If you have concerns about the validity of this message, please contact the  
sender directly. For questions please contact the NatWest Bank Secure Email  
Help Desk at 0131 556 1221

First time users - will need to register after opening the attachment.

About Email Encryption -  
supportcentre.natwest.com/app/answers/detail/a_id/1671/kw/secure%20message "

EoM

Attachment: SecureMessage.zip ==> SecureMessage.scr
https://www.virustotal.com/en/file/e7117359aca8db292b813092a2f4f6cf1a14a2967c8bcc5a5523cbe3ec0312a4/analysis/

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

