Recently I saw this thread on the TMG Forum and found it very interesting, as it was quite easy to repro. Yesterday Microsoft released a signature update that addresses this issue. The problem that TMG administrators were facing is documented here:
Make sure to go to TMG Update Center and force an update (in case the Malware Inspection definition version is not showing as 1.119.1988.0). If it is higher than that, you should be fine, as shown below:
Hello folks, a quick post here just to let you know that my friend Tom Shinder and I will be presenting at TechEd US (in Orlando) and TechEd Europe (in Amsterdam). We will deliver the same session at both events, which is Understanding and Deploying Hosted Cloud: Concepts and Implementation. We will also use this opportunity to network with the IT PRO / SEC community and record an episode of our Security Talk Show (From End to Edge and Beyond) with your participation, so I really hope to see you there!
Here is why you can't miss TechEd 2012.
Today I received an email from a friend with the subject: Remove my photo from FACEBOOK. The body of the email says:
“Hey, who gave you permission to post my photo at Facebook??? Be aware that I didn’t like that and I would like you to remove ASAP. Are you playing around with me?”
Under this paragraph was a link pretending to point to the Facebook picture. Here is the original email (in Portuguese):
Well, when I saw that I knew it was a fake e-mail (a typical social engineering e-mail), and I also knew that if I waited a little bit, Hotmail would probably redirect this to my Junk Mail. But I was curious to understand what this was about, so I copied the URL to a lab environment that I have (isolated from my production network).
I configured my TMG's live logging to watch the particular client where I was doing the test, and here is what I saw:
1. A redirect from the short URL:
2. Another redirect from the target (notice that my friend's email address is on the GET request):
3. Right after that this is what I see on my client workstation:
4. Immediately FEP 2010 opened the window below on the client workstation:
5. When I clicked show details this is what I got:
A severe threat (Trojan) was trying to land on my system. I was lucky to have FEP 2010 fully updated and ready to mitigate such a risk; however, some users might not have that.
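The redirect chain seen in the live log above (short URL, second redirect carrying the recipient's address, then the executable landing on the client) is the kind of pattern a defender can pick out of proxy logs automatically. The following is an added example, not code from the original post or from TMG: it reconstructs per-client redirect chains from constructed, tab-separated sample log lines (the field layout is an assumption, not TMG's native log format) and flags chains that start at an assumed URL-shortener host and end in an executable download. Host names, IPs and the shortener list are constructed for the example.

```python
"""
Reconstruct HTTP redirect chains for one client from proxy log lines and flag
chains that start at a URL shortener and end in an executable download.

The log lines below are CONSTRUCTED for this example; the tab-separated field
layout is an assumption and is not TMG's native log format.
"""
from urllib.parse import urlparse

# Constructed sample: time, client IP, method, URL, HTTP status, Location header, Content-Type.
# "-" means the field was absent. The first client follows a shortener through two
# redirects to an .exe; the second client follows a shortener to an ordinary page.
SAMPLE_LOG = """\
10:01:02\t192.168.10.25\tGET\thttp://short.example/abc123\t302\thttp://landing.example/?u=friend%40example.com\t-
10:01:03\t192.168.10.25\tGET\thttp://landing.example/?u=friend%40example.com\t302\thttp://payload.example/photo.exe\t-
10:01:04\t192.168.10.25\tGET\thttp://payload.example/photo.exe\t200\t-\tapplication/x-msdownload
10:01:05\t192.168.10.25\tGET\thttp://news.example/index.html\t200\t-\ttext/html
10:01:06\t192.168.10.77\tGET\thttp://short.example/xyz\t302\thttp://blog.example/post\t-
10:01:07\t192.168.10.77\tGET\thttp://blog.example/post\t200\t-\ttext/html
"""

# Assumed list of shortener hosts; in practice this would be a maintained allow/deny list.
SHORTENER_HOSTS = {"short.example"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def parse_log(text):
    """Turn the tab-separated sample into a list of dicts, one per request."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, client, method, url, status, location, ctype = line.split("\t")
        entries.append({
            "time": time, "client": client, "method": method, "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
            "ctype": None if ctype == "-" else ctype,
        })
    return entries


def build_chains(entries, client_ip):
    """Group one client's requests into redirect chains.

    A request whose URL equals the Location of an earlier 3xx response from the
    same client continues that chain; anything else starts a new one. A chain
    ends at the first non-3xx response (or stays open if never followed).
    """
    chains = []
    pending = {}  # expected next URL -> chain waiting for it (last writer wins on collisions)
    for e in entries:
        if e["client"] != client_ip:
            continue
        chain = pending.pop(e["url"], None)
        if chain is None:
            chain = [e]
        else:
            chain.append(e)
        if 300 <= e["status"] < 400 and e["location"]:
            pending[e["location"]] = chain
        else:
            chains.append(chain)
    chains.extend(pending.values())  # redirects that were never followed
    return chains


def is_suspicious(chain):
    """Shortener at the start, a successful executable download at the end."""
    first, last = chain[0], chain[-1]
    starts_at_shortener = urlparse(first["url"]).hostname in SHORTENER_HOSTS
    ends_in_executable = (
        last["ctype"] in EXECUTABLE_TYPES
        or urlparse(last["url"]).path.lower().endswith(EXECUTABLE_EXTS)
    )
    return len(chain) > 1 and starts_at_shortener and ends_in_executable and last["status"] == 200


def suspicious_chains(text, client_ip):
    """Return the URL sequence of every flagged chain for the given client."""
    return [[e["url"] for e in c]
            for c in build_chains(parse_log(text), client_ip) if is_suspicious(c)]


if __name__ == "__main__":
    for ip in ("192.168.10.25", "192.168.10.77"):
        for chain in suspicious_chains(SAMPLE_LOG, ip):
            print(f"{ip}: shortener -> executable chain: {' -> '.join(chain)}")
```

The chain reconstruction keys on the Location header rather than on timing, so an unrelated request in between (the news page above) does not break the match; the flag fires only when the download actually succeeded (status 200), which is exactly the case where endpoint protection such as FEP is the last line of defence.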
What about your friend?
The best thing you can do if you believe your friend is sending compromised content (probably because their account was compromised) is to inform Hotmail that this happened. From the Hotmail web interface you can flag that message, saying that your friend was hacked:
…or you can also send the message to the Junk folder and flag that your friend was hacked:
Keep yourself and your friends safe!