View Full Version : How do scammers activate a payload in a *.doc file?
Billy T
07-08-2014, 11:52 AM
Hi Team

Mr Mike Kumalo has sent me an email with the rather blunt instruction to "Open this File" and the attachment has a .doc suffix.

Mike has a Venezuelan email address, but his message originated in South Africa, which might explain the lack of pleasantries such as 'please open' etc. His email didn't get past Mailwasher, but my concern is that a less transparent scam could be taken as legit, and many people wouldn't see any risk in opening a WP document file.

There was no .doc.zip jiggery-pokery or any other executable suffix anywhere in the entire email, including all the headers and routing data etc, so how does a .doc file containing no readable text, just the usual stuff found in zip files, manage to execute code? Surely it would only attempt to open in Word or in another Word-compatible WP program?

We all know that the best protection is not to open files from people you don't know, but, for example, Mrs T is a Competition Queen (she gets agitated if more than three weeks go by without a win) so she gets a lot of responses and although that message has been drummed into her and tattooed across her forehead in reversed lettering so that she gets several reminders a day, she can get pretty excited at times and could just succumb to such an approach.

Cheers

Billy 8-{) :help:

Webdevguy
07-08-2014, 12:38 PM
Normally I would imagine that it would have some sort of associated script file that would trigger some action if it was designed to deliver some form of malicious cargo, but it could also just be an innocent letter telling you that you have won an amazing lottery and please go to some scammers website and enter your bank details to receive your winnings.

Either way I'd just trash the email and move on. That way no one loses any cash.

kahawai chaser
07-08-2014, 03:09 PM
Word can run macros, i.e. trigger malicious code (http://goo.gl/njro4, an article on different methods), I think even on opening a document.

Speedy Gonzales
07-08-2014, 03:14 PM
I suppose it can also happen if whatever email client you're using isn't patched against whatever

Billy T
09-08-2014, 06:59 PM
Normally I would imagine that it would have some sort of associated script file that would trigger some action if it was designed to deliver some form of malicious cargo, but it could also just be an innocent letter telling you that you have won an amazing lottery and please go to some scammers website and enter your bank details to receive your winnings. Either way I'd just trash the email and move on. That way no one loses any cash.

I didn't download it, so there was no chance that I'd open it. I viewed the full headers and content while it was still on my ISP's server.

The .doc content was quite clearly code, but my question related to what means might be used to persuade MS Word to run executable code.

If I'd been silly enough to download it, and then to try and open it, I have no doubt that something bad would have happened, but what can you include in a Word document that would run a malicious payload?

Cheers

Billy 8-{)

Agent_24
09-08-2014, 09:50 PM
what can you include in a Word document that would run a malicious payload?

Macros usually, as far as I know.

There may also be vulnerabilities in Word itself that could be exploited with a fake document that contains code that would trigger something when Word tried to open it.
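One defensive check for the question the thread asks, as an added example that is not code from the forum posts: given an attachment's raw bytes, work out what the file really is from its leading bytes (a legacy OLE2 .doc, an OOXML zip such as .docx/.docm, or a Windows executable wearing a .doc name) and whether it carries a VBA macro project. The function names and the sample blobs are constructed for this example; the OLE2 check is a byte-pattern heuristic, not a full compound-file parse.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc: OLE2 compound file
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm: OOXML is a zip archive
PE_MAGIC = b"MZ"                                  # Windows executable, whatever its name

def detect_container(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the extension."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def ooxml_has_vba(data: bytes) -> bool:
    """Macro-enabled OOXML files store the VBA project as word/vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def ole2_has_vba(data: bytes) -> bool:
    """Heuristic: OLE directory names are UTF-16LE; VBA adds 'Macros'/'_VBA_PROJECT'."""
    return any(m.encode("utf-16-le") in data for m in ("Macros", "_VBA_PROJECT"))

def triage(filename: str, data: bytes) -> dict:
    """Report claimed extension, real container, macro presence and a verdict."""
    container = detect_container(data)
    has_vba = (ooxml_has_vba(data) if container == "ooxml"
               else ole2_has_vba(data) if container == "ole2" else False)
    return {"claimed_ext": filename.rsplit(".", 1)[-1].lower(),
            "container": container, "has_vba": has_vba,
            "suspicious": container in ("pe", "unknown") or has_vba}

def _make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML zip; with_vba adds the macro project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed samples (not real malware): clean .docx, macro-enabled OOXML renamed
# .doc, legacy .doc with a VBA project, and a PE executable named .doc.
SAMPLE_DOCX_CLEAN = _make_ooxml(with_vba=False)
SAMPLE_DOCM_AS_DOC = _make_ooxml(with_vba=True)
SAMPLE_DOC_MACRO = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le")
SAMPLE_EXE_AS_DOC = PE_MAGIC + b"\x90\x00" * 30
```

Run `triage("Open this File.doc", blob)` on each sample: the clean .docx comes back not suspicious, while the macro-bearing documents and the renamed executable are flagged regardless of what the extension claims.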

Billy T
10-08-2014, 04:45 PM
Thanks Agent

I'm unfamiliar with macros, but I understand the principle. I will be wary of any future 'invitations' using *.doc carriers.

Cheers

Billy 8-{) :thumbs:

Agent_24
10-08-2014, 05:23 PM
I would be wary of more than just .doc files. I have trashed many .zip, .doc, .pdf and .exe files that came through email and were clearly viruses from unknown senders attached to classic spam-looking emails. There are likely a few other file formats commonly used, depending on what program has a currently unpatched vulnerability at the time.

http://en.wikipedia.org/wiki/Macro_virus_%28computing%29 might be interesting if you haven't seen it already.

As a rule I treat all emails with attachments as viruses unless it's from someone I know and the file is something I have already asked for or know they were going to send me. If in doubt, ask them if they actually sent it.

Billy T
10-08-2014, 08:10 PM
All incoming ads & spam etc are identified by Mailwasher, and known sources (which is just about all of them) are automatically marked for deletion.

I only look at new or novel approaches to see where they are from and what sort of file they are using. Most are exe or zip, and I've not encountered a straight pdf, but I've seen plenty of XXX.pdf.zip and XXX.doc.zip.

Cheers

Billy 8-{)