This morning we had a malware campaign in the form of zipped VBS files (Visual Basic Script). They were rather small files, but there was an attempt at obfuscation. Instead of a nicely laid-out script, they use some arithmetic to build the script at runtime from decimal-encoded characters.

So you get to see something like this.

Screenshot from 2015-04-01 08:31:20

Using decimal and Base64 encoding to obfuscate code is a common tactic in scripting languages such as JavaScript, and in HTML, to mask the true purpose of a page or script. In this case, fortunately, it was easy to recover the full script of what they were doing: I can pull out the string data and leave the math behind. A few additions later, and after running the result through a decimal-to-character conversion, you get a plain-text script.

Screenshot from 2015-04-01 08:34:07

So this VBS file builds a small script that downloads a file which looks like a GIF and runs it as an EXE. Fortunately, the file it tries to download is currently offline: a connection is opened, but there is no response from the server, so running the file at the moment doesn't accomplish anything. From comments I was able to find online, it was working earlier. There were two main variants of this VBS file this morning, and at the time of writing neither has any AV hits on VirusTotal. Between the two files, we had a little over 85,000 come in (and be held) in the email campaign.

Screenshot from 2015-04-01 08:27:29

Screenshot from 2015-04-01 08:26:18

Google continues to phase out Postini services in favor of the Google Apps platform.  Consequently, we continue to receive requests to migrate Postini filtering accounts to SecureTide by AppRiver.  In this post, we will discuss the process through which your Postini mailboxes and settings can be easily migrated to SecureTide.

To export all mailbox senders lists (approved and blocked), as well as the associated settings, you will need to follow some simple steps both to retrieve the data and to prepare it for our Phenomenal Care Support team, who will assist you during the migration to SecureTide.  After the data is in place, we’ll help you change your MX records to redirect your mail through our data centers.  Once the process is complete, your domains, mailboxes, approved senders and blacklists will be available through the Customer Portal and your spam and malware will be captured in our quarantine areas.

To export Postini mailboxes and settings, follow these simple steps:

1.  Export Mailboxes and Aliases

Exporting the complete set of data is a two-step process that produces two separate source files.  The first file to be exported contains mailboxes along with their aliases:

  • In the Postini interface, go to Orgs and Users > Orgs.
  • Click on the domain you wish to export. (For this example, we will use domain.com, as shown in Figure 1.)

Figure 1. Select Domain

  • In Organization Management, note the Organization ID number located in the Settings section (see Figure 2).
Figure 2. Note the Organization ID Number

  • Select the Batch link at the top of the page, enter the following command into the Manual Input field (see Figure 3), using the Organization ID number noted previously as the value for targetOrg, and complete the on-screen instructions:

listusers ALL, targetOrg=1000012345, childorgs=1, fields=PRIMARY_ADD|ADDRESS, aliases=1, sort=primary_add:nd

Figure 3. Export Aliases from Postini using the Batch Command

  • Select the batch results, copy and paste the data, and save it as a text file called domain.com_alias.txt.

2.  Export Approved/Blocked Senders Lists

Continue as follows to export all associated Approved/Blocked Senders Lists:

  • Go to Orgs and Users > Users.
  • Choose the top Account-level org from the Choose Org list.
  • Click the Download Users/Settings link as shown in Figure 4.
Figure 4. Export Approved/Blocked Senders List

  • Select the batch results, copy and paste the data from the popup window, and save it as a text file called domain.com_Users_Settings.txt.
  • The exported data contains fields such as # address, user_id, junkmail_filter (whether email filtering is active), category filtering levels, virus scanning settings, approved_senders, approved_recipients, blocked_senders, and other available inbox settings (see Figure 5).
Figure 5. Sample file with Exported Settings Shown

3.  Provide data to AppRiver for Migration

Now that you have all data exported into two separate files, send both files to support@appriver.com.  Our Sales Engineering team will import your data to our platform and provide a walkthrough on AppRiver’s SecureTide service.

For further information on your Postini migration licensing options, please contact us at sales@appriver.com.

Over the past hour we’ve begun seeing a malware campaign hitting our filters that utilizes a common, and apparently favorite, theme of the malware authors. These emails resemble notifications from the eFax service that many people rely on to simplify their faxing needs. As is the case with a lot of these, actual logos and templates from real eFax notifications are used to trick the recipient into believing that this is just another ordinary eFax email and not a malicious facsimile (see what I did there?). However, there are a couple of red flags that people should have noticed. One of the biggest is that one of the banner graphics in the email is broken: the table points to an actual eFax file location, but the file doesn’t appear to be there, possibly removed in order to be replaced by a newer advertisement. Another clue is the supposed phone number presented in these emails. These are all randomly generated to look like real phone numbers, and they also make every email just a little bit different, which makes blocking them a little more difficult. However, because they are randomly generated, some of them don’t exactly resemble phone numbers, such as the example below, where the area code as well as the telephone prefix begin with the number zero, which you will not see in the United States.

malicious efax email

Another huge clue is that the attachment arrives as a zip file, which you likely won’t see coming from eFax; inside that zip is an executable (which you really won’t see) named IMG.exe. They did try to disguise it by giving it a PDF icon, although the icon itself is oddly pixelated, which I’ve seen more than once in different malware campaigns. I can’t be sure what the point of this is, or whether it just occurred due to automation errors; that remains to be seen. It does serve as a sort of calling card, though, that more than likely links the origin of the campaigns that share this trait.

bad icon

If someone was unlucky enough to receive one of these and ran the executable, they wouldn’t notice much going on on the surface, but behind the scenes the malware begins by making copies of itself and deleting the original executable in order to hide itself on the newly infected system. The sample then makes various checks for network connectivity before proceeding to receive instructions from command and control. We have seen nearly 300,000 pieces from this run so far, and at the time of capture only 4 out of 57 AVs recognized this piece of malware according to VirusTotal, but AppRiver clients were safe, as we proactively had protection in place for your inboxes.
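The red flags described above can be checked mechanically. The following Python is an added example, not AppRiver’s filter or code from the post: it validates North American numbers (the area code and exchange must start with 2 through 9, so a generator that picks digits at random gives itself away) and looks inside zip attachments for executables. The message it parses is constructed to mirror the shape described (a fake eFax notice, a number whose area code and exchange both start with 0, a zip holding IMG.exe) and is not a captured sample; the sender address, subject, attachment names and the executable extension list are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions that should never arrive inside a "fax" notification (assumed list).
EXEC_EXT = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf'}

# North American numbers in the usual written shapes: optional leading 1,
# optional parentheses around the area code, and - . or space separators.
PHONE = re.compile(r'(?<!\d)(?:1[-. ]?)?\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})(?!\d)')


def build_sample_eml() -> bytes:
    """Constructed look-alike of the campaign's shape, not a captured message:
    a fake eFax notice quoting a number whose area code and exchange both start
    with 0, carrying a zip that holds IMG.exe (inert bytes, just the MZ header)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, 'w') as z:
        z.writestr('IMG.exe', b'MZ' + b'\x00' * 62)
    msg = EmailMessage()
    msg['From'] = 'eFax <message@inbound.efax.example>'
    msg['To'] = 'user@example.com'
    msg['Subject'] = 'eFax message from "012-034-5678" - 2 page(s), Caller-ID: 012-034-5678'
    msg.set_content('You have received a 2 page fax from 012-034-5678.\n'
                    'Your fax is attached. Questions? Call 1-800-555-0199.\n')
    msg.add_attachment(zip_buf.getvalue(), maintype='application', subtype='zip',
                       filename='FAX_20150310_1234.zip')
    return msg.as_bytes()


def invalid_nanp_numbers(text: str) -> list:
    """Numbers whose area code or exchange starts with 0 or 1: the NANP never
    assigns those, so they cannot be real US or Canadian numbers."""
    found = []
    for area, exch, sub in PHONE.findall(text):
        if area[0] in '01' or exch[0] in '01':
            found.append(f'{area}-{exch}-{sub}')
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def suspicious_attachments(msg: EmailMessage) -> list:
    """Flag bare executables and zip attachments that contain one."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        data = part.get_payload(decode=True) or b''
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    if PurePosixPath(member).suffix.lower() in EXEC_EXT:
                        findings.append(f'{name} contains executable {member}')
        elif PurePosixPath(name).suffix.lower() in EXEC_EXT:
            findings.append(f'bare executable attachment {name}')
    return findings


def triage(raw: bytes) -> dict:
    """Run both checks over a raw RFC 822 message and report what tripped."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=('plain',))
    text = (msg['Subject'] or '') + '\n' + (body.get_content() if body else '')
    return {
        'bad_phone_numbers': invalid_nanp_numbers(text),
        'attachments': suspicious_attachments(msg),
    }


if __name__ == '__main__':
    print(triage(build_sample_eml()))
```

Run as a script, it prints the flagged number and the zip member. Neither signal is conclusive on its own (legitimate senders do zip attachments, and the regex only sees written numbers), so in a mail pipeline these would contribute to a score alongside the broken banner and sender reputation rather than block outright.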

With the release of iOS 8.2, Apple fixed the “GMT bug” that caused dual time zones to display in Calendar events. It is possible to edit and fix your individual calendar events that were displaying dual time zones in your iPhone or iPad’s Calendar after receiving the iOS 8.2 software update. This is a huge improvement over the previous iOS update, but you may have hundreds of events added to your calendar before the update that are still displaying the second time zone.

There is a method to remove the existing second time zones in bulk, described by user JG in SB in the Apple Support Communities forum, which we were able to replicate and tested successfully even after the update to iOS 8.2.

Removing the second time zone from all events created prior to the update can be accomplished by performing the following steps:

1. From the Home screen tap Settings.

image1

2. In the Settings app tap Mail, Contacts, Calendars.

image2

3. Tap the Exchange email account.

image3

4. Toggle Calendars synchronization off by sliding the switch from right to left (green to white).

image4

5. Tap Delete from My iPhone to delete all existing Exchange calendar appointments. These events are still stored on the Exchange server.

image5

6. Check the Calendar app to confirm all of the old events have been deleted from the device, then turn Calendars sync back on in Settings.

image6

This should reload all of the Exchange calendar events from the server back to the iPhone, without the second time zone that was displayed in the previous version.

Click here to view the original post detailing the “GMT Bug” displaying dual time zones in Calendar events.

About the Author: Aaron Cohoon is a Mobile Solutions Administrator for AppRiver, a leading hosted Exchange e-mail security provider. Aaron has a significant Technical Support background in the telecommunications industry, accompanied with an immeasurable drive and dedication.

Apple launched iOS 8.2 Monday, March 9th, after extensive beta testing. The most recent beta version of Apple’s mobile operating system was confirmed to have corrected the time zone issue that had frustrated many hosted Exchange and other subscribed calendar users for months. The official iOS 8.2 release notes list the fix: the update “Fixes a timezone issue where Calendar events appear in GMT”.

image1

The “GMT Bug” has been prevalent when opening events within the Calendar app on iPhones, iPads, and other Apple devices running iOS 8 through iOS 8.1.3. Not all users experienced this, however, as it only occurred when those events had been created or edited using a different mobile device or calendar client application, and synchronized with a server hosted outside of the iPhone or iPad’s local time zone.

In testing, a new calendar event was created on an iPhone 5 still running iOS 8.1.3, and the same synchronized event was then opened in the Calendar app on an iPhone 6 running the newly updated iOS 8.2. The event displayed correctly, with no second time zone below the device’s local time zone.

image2

A second test event was created on the same iPhone 6 and opened on the iPhone 5 still running iOS 8.1.3. When opened within the Calendar app on the iPhone 5, the event that was created in iOS 8.2 displayed a second time zone below the device’s local time for the event. This is consistent with previous testing with the same iPhones running iOS 8 through 8.1.3.

image3

The iPhone 5 was then updated from iOS 8.1.3 to iOS 8.2, and new test events were created on both the iPhone 5 and the iPhone 6. Once the events synchronized and displayed on one iPhone after being created in the Calendar app on the other, they consistently displayed correctly, without the second time zone that showed up in events created prior to the software update. Testing confirmed the update fixes all new events.

Events Created Before the Update

Events that were created using a different mobile device or calendar application prior to the update to iOS 8.2 on the iPhone 6 still retained the second time zone. While this carries one inconvenience of the issue over into the update, there has been a significant improvement in how iOS 8.2 handles synchronization of edits to Calendar events.

Removing the second time zone from events created prior to the update can be accomplished with the following steps:

1. Open a Calendar event that is displaying the second time zone. In the Event details screen tap Edit.

image4

2. Tap on Starts to edit the start time of the event.

image5

3. The Date, Time, and Time Zone fields will appear for editing. Make sure the date and time are correct, choose your local Time Zone, and tap Done.

image6

The calendar event will now synchronize without including the “origination” server time, and display correctly when opened from another iPhone or iPad that is running iOS 8.2.

While these steps correct individual events, there are additional steps to fix all past events at once. If you are experiencing this on your iPhone or iPad, click here for more details on repairing events affected by the GMT bug.

Click here to view the original post detailing the “GMT Bug” displaying dual time zones in Calendar events.