{"id":232,"date":"2013-09-04T09:57:02","date_gmt":"2013-09-04T16:57:02","guid":{"rendered":"http:\/\/andrew.the-espositos.net\/blog\/?p=232"},"modified":"2013-09-04T09:57:02","modified_gmt":"2013-09-04T16:57:02","slug":"creativity-and-cracking","status":"publish","type":"post","link":"https:\/\/andrew.the-espositos.net\/blog\/2013\/09\/creativity-and-cracking\/","title":{"rendered":"Creativity and Cracking"},"content":{"rendered":"<p>I got an interesting email today. Its contents are below (links weren&#8217;t suspicious, but were removed):<\/p>\n<blockquote><p><span style=\"color: #0000ff;\">Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.<\/span><\/p>\n<p><span style=\"color: #0000ff;\">Sent by: <span style=\"text-decoration: underline;\"><span style=\"color: #0000ff; text-decoration: underline;\">the-espositos.net<\/span><\/span><\/span><br \/>\n<span style=\"color: #0000ff;\">Number of Images: 1<\/span><br \/>\n<span style=\"color: #0000ff;\">Attachment File Type: ZIP [PDF]<\/span><\/p>\n<p><span style=\"color: #0000ff;\">WorkCentre Pro Location: Machine location not set<\/span><br \/>\n<span style=\"color: #0000ff;\">Device Name: B5SQ1CXA7J<\/span><\/p>\n<p><span style=\"color: #0000ff;\">Attached file is scanned image in PDF format.<\/span><br \/>\n<span style=\"color: #0000ff;\">Adobe(R)Reader(R) can be downloaded from the following URL: <span style=\"color: #0000ff;\"><span style=\"text-decoration: underline;\">http:\/\/www.adobe.com\/<\/span><\/span><\/span><\/p><\/blockquote>\n<p>It had a ZIP file attached. Looks pretty legit, right? Except, I don&#8217;t own a Xerox anything. Now the company I work for may, but anyone sending me documents from work wouldn&#8217;t appear to be coming from my personal domain. But being who I am, I had to open it to see what was inside.<\/p>\n<p>Taking precautions, I saved the attachment and scanned it. No viruses. Disappointing. 
Maybe it&#8217;s sophisticated enough that there isn&#8217;t a signature for it yet? So, I used a &#8220;non-standard&#8221; method of unzipping it, which would not execute any binary code within. I was really expecting a sophisticated attack vector. I thought I&#8217;d actually get a PDF file that I&#8217;d be tricked into opening with the latest version of Adobe that I was just instructed to download. So, I&#8217;d open the PDF, with new software I trusted, downloaded from a verified source, and still be subject to an exploited flaw that would compromise my system. What a zero-day attack that would have been!<\/p>\n<p>I was planning how to identify the flaw and counter its effects (I will admit I was pretty clueless here, getting ready to allow my VM to succumb to the attack while another VM snooped and recorded all the outbound Ethernet traffic), when I looked and saw a lone .exe file sitting all alone and vulnerable in the directory. Scanning it also produced nothing. So it was just a lame Windows Trojan exe.<\/p>\n<p>I was hoping, given the creative nature of the introduction to this threat, that we&#8217;d have something exciting and potentially dangerous. But sadly it was just a new dress on an old pig.<\/p>\n<p>Remember, don&#8217;t open attachments in email if you don&#8217;t know what they are. If it was something important, someone you know would say, &#8220;Did you get the images I sent you the other day?&#8221; To which you can reply, &#8220;No, send them again. Um, were they safe for work?&#8221;<\/p>\n<p>Virtual machines deleted. A lot of work for nothing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I got an interesting email today. Its contents are below (links weren&#8217;t suspicious, but were removed): Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro. 
Sent by: the-espositos.net Number of Images: 1 Attachment File Type: ZIP [PDF] WorkCentre Pro Location: Machine location not set Device Name: &#8230; <span class=\"more\"><a class=\"more-link\" href=\"https:\/\/andrew.the-espositos.net\/blog\/2013\/09\/creativity-and-cracking\/\">[Read more&#8230;]<\/a><\/span><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-siteuser","4":"post-232","6":"format-standard","7":"category-technical"},"_links":{"self":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/posts\/232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/comments?post=232"}],"version-history":[{"count":0,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/posts\/232\/revisions"}],"wp:attachment":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/media?parent=232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/categories?post=232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/tags?post=232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}