Protecting your network against email
threats: How to block email attacks & viruses
This white paper describes various methods used by email viruses and
worms to penetrate a protected network. Such methods include attachment
files containing harmful code, social engineering attacks, crafted MIME
headers, malicious use of HTML Script and similar technologies. A URL is
provided where you can test whether your email system is vulnerable to
threats like these. This document also examines the ways through which
email can be sanitized and filtered of malicious code using GFI’s email
content/exploit checking and anti-virus solution, GFI MailSecurity for
Exchange/SMTP.
Email threats: a constant danger!
The widespread adoption of email through the years has been accompanied
by the development of malicious code, that is, email viruses and attacks.
Email has provided hackers and crackers with an easy way to distribute
harmful content to the internal network. Corporate LANs have been breached
by worms and viruses, as well as by crackers, through the use of email.
Hackers can easily circumvent the protection offered by a firewall by
tunneling through the email protocol. A typical firewall cannot protect
against such email attacks: it has to let SMTP traffic through, and it
does not analyse the messages or their contents.
Because email messages can include file attachments,
hackers can send infected files and hope that the recipient will open
them, as happened with Melissa and Manwella. This method relies on
social engineering to urge the end user to run the file. Other
methods exist which allow a skilled and possibly malevolent cracker to
inject code through email and run custom-made applications automatically
while the end user reads the email text. Such problems have existed
since HTML support was added to email clients, and have been exploited by
notorious worms such as the KaK worm, the BubbleBoy virus and the more
recent Nimda.
Although anti-virus products can catch many viruses and
worms, hackers are able to dodge such protection by producing their own
customized code. This can result in dangerous threats penetrating the
corporate network through lesser known methods, bypassing anti-virus
protection and other traditional anti-hacker protection. The threat
posed to the internal network is considerable, because internal network
security is usually kept low for the sake of usability.
Methods used to attack your email system
Attachments with malicious content
Melissa and LoveLetter were among the first viruses to illustrate the
problem with email attachments and trust. They made use of the trust that
exists between friends or colleagues. Imagine receiving an attachment from
a friend who asks you to open it. This is what happens with Melissa,
AnnaKournikova, SirCam and several other similar email worms. Upon
running, such worms usually proceed to send themselves out to email
addresses harvested from the victim's address book, previous emails, web
pages cached on the local machine and similar sources.
Virus writers
place much emphasis on getting the victim to run the attachment. Therefore
they make use of different attractive attachment names, such as SexPic.cmd
and me.pif.
As administrators seek to block dangerous email
attachments by recognising well-known extensions, virus writers use other
extensions to circumvent such protection. Executable payloads are
delivered with extensions such as .pif, .scr and .com, which Windows
executes exactly like .exe, or as .bat, .cmd, .vbs and .js scripts, plus a
whole list of other extensions, and they still run and successfully
infect target users.
Many users try to avoid infection from email viruses by only
double-clicking on files with certain extensions, such as JPG and MPG.
However, some viruses, such as the AnnaKournikova worm, use multiple
extensions to try to trick the user into running the file. The
AnnaKournikova virus was transmitted via an email attachment named
'AnnaKournikova.jpg.vbs', which dupes recipients into believing that they
are receiving a harmless JPG image of the famous tennis star rather than a
Visual Basic Script containing infectious code. Windows makes the trick
more effective by hiding known extensions by default, so the file is
displayed simply as 'AnnaKournikova.jpg'.
Frequently,
hackers try to penetrate networks by sending an attachment that looks like
a Flash movie, which, while displaying some cute animation, simultaneously
runs commands in the background to steal your passwords and give the
cracker access to your network.
To further entice the victim to run
such an attachment, some hackers abuse the way Windows handles Class ID
(CLSID) extensions. A file named cleanfile.jpg.{CLSID}, where the CLSID
identifies an application such as the HTA (HTML application) host, is
shown by Windows Explorer as cleanfile.jpg, because the CLSID suffix is
hidden, yet it is opened by the application the CLSID names. This method
conceals the fact that cleanfile.jpg is actually a nasty HTA file, and it
currently also circumvents various email content filtering solutions that
rely on simple file extension checks, making it easier for the hacker to
reach the target user.
Attachments in email are probably still the number one
threat, and the methods described here are well-known in the virus-writing
community.
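The checks below are an added example, not GFI MailSecurity's own code, of how a server-side filter can apply the rules discussed in this section to attachment filenames: an executable extension, a decoy extension in front of the real one (AnnaKournikova.jpg.vbs), the CLSID suffix that Explorer hides, and, going beyond the text, whitespace padding that pushes the real extension out of view. The extension lists and the padding rule are assumptions of the example; the GUID used in the sample is the class ID Windows registers for HTML Applications.

```python
"""Attachment filename checks for a server-side email filter.

Added example, not GFI MailSecurity's code. The extension lists and the
whitespace-padding rule are assumptions of this example.
"""
import re

# Extensions Windows runs, or hands to a script host, on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg", "shs", "shb", "chm", "msi",
}
# Extensions a user reads as harmless media or documents: the decoy half of
# names such as AnnaKournikova.jpg.vbs (assumed list).
DECOY_EXTENSIONS = {
    "jpg", "jpeg", "gif", "png", "bmp", "mpg", "mpeg", "avi", "wav",
    "txt", "doc", "xls", "pdf", "htm", "html",
}
# A trailing ".{GUID}" is a CLSID extension: Explorer hides it, but the file
# is opened by whatever class the GUID names.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\s*$"
)


def classify_attachment(filename):
    """Return ("block" | "allow", reasons) for one attachment filename."""
    reasons = []
    name = filename
    match = CLSID_SUFFIX.search(name)
    if match:
        reasons.append("clsid suffix hides the real file type: " + match.group(0).strip())
        name = name[:match.start()]          # examine the name the user would see
    # Everything after the first dot, trimmed so "a.jpg   .exe" reads as jpg, exe.
    exts = [e.strip().lower() for e in name.split(".")[1:]]
    if exts:
        last = exts[-1]
        if last in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension ." + last)
            # Double extension: the decoy is what Explorer shows when it hides
            # known extensions; the last extension is what actually runs.
            if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
                reasons.append("decoy extension ." + exts[-2] + " in front of ." + last)
    # Padding (not in the text above): runs of spaces push the real extension
    # out of a narrow filename column.
    if re.search(r"\s{2,}\.", filename):
        reasons.append("whitespace padding before the extension")
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    for sample in (
        "AnnaKournikova.jpg.vbs",
        "SexPic.cmd",
        # The GUID is the class ID Windows registers for HTML Applications (HTA).
        "cleanfile.jpg.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
        "holiday.jpg",
        "report.tar.gz",
    ):
        print(sample, classify_attachment(sample))
```

The CLSID check runs before the extension check on purpose: once the suffix is stripped, the remaining name is exactly what the user sees, so a decoy such as cleanfile.jpg is blocked on the suffix alone rather than being waved through as an image.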
Emails with malformed MIME headers
The Nimda worm took the Internet by surprise, circumventing
many email security tools and breaking into servers and corporate networks
as well as infecting the home user. This worm uses a flaw in Outlook
Express and Internet Explorer to spread through email. Although email was
not its only propagation vector, this technique contributed much to its
success in infecting as many hosts as possible. Several corporate networks
had a hard time disinfecting their machines of this dangerous
code.
The trick in Nimda is that it runs automatically on computers
with a vulnerable version of Internet Explorer or Outlook Express. As
these are installed on practically every Windows system, most users who
received the worm through email were infected with ease. The exploit
uses a malformed MIME header that declares the attached executable as an
audio (WAV) file; a vulnerable client treats it as a harmless media part
and runs it while rendering the message. This poses a large email security
problem, as no user intervention is required to open the infected file.
Message and MIME headers
specify things such as the subject line, date, content type and attachment
filename. In Outlook Express, the parsing of the date and filename fields
was previously found to be vulnerable to buffer overflow attacks: by
supplying a long and well-crafted value, a skilled hacker could execute
arbitrary code on the target machine. Such vulnerabilities are prone to
exploitation for penetrating remote networks or for the delivery of viruses
and worms.
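An added example, not GFI MailSecurity's code, of the server-side check this section calls for: parse a message's MIME parts and flag any part whose declared content type contradicts the attachment it carries. The message is constructed for this example; it has the shape of the Nimda-style trick (an executable attached under an audio/x-wav content type) but the body bytes are harmless. The extension list and the passive-type list are assumptions of the example.

```python
"""Audit MIME parts for a declared content type that contradicts the attachment.

Added example, not GFI MailSecurity's code. The message below is constructed
for this example: it has the shape of the Nimda-style trick (an executable
attached under an audio/x-wav content type) but the body bytes are harmless.
"""
import base64
import email
from email import policy

# Extensions that execute on the desktop (assumed list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta", "wsf"}
# Types a client treats as passive media and may render or play without asking.
PASSIVE_TYPES = ("audio/", "image/", "video/", "text/")


def audit_message(raw_bytes):
    """Return one finding string per suspicious leaf MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() reads Content-Disposition filename=, falling back to
        # the Content-Type name= parameter, which is where the trick puts it.
        fname = part.get_filename() or ""
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in EXECUTABLE_EXTENSIONS:
            if ctype.startswith(PASSIVE_TYPES):
                findings.append(f"{fname}: executable name but declared {ctype}")
            else:
                findings.append(f"{fname}: executable attachment ({ctype})")
        # Independent of any header: a DOS/PE executable starts with "MZ".
        body = part.get_payload(decode=True) or b""
        if body[:2] == b"MZ" and not ctype.startswith("application/"):
            findings.append(
                f"{fname or '(unnamed)'}: body has an MZ executable header but is declared {ctype}"
            )
    return findings


# Constructed sample: harmless bytes given an MZ prefix so the body check fires.
FAKE_EXE = b"MZ" + b"\x00" * 14 + b"constructed sample bytes, not a program"
SAMPLE_MESSAGE = (
    b"From: friend@example.com\r\n"
    b"To: victim@example.com\r\n"
    b"Subject: fun\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="bnd"\r\n'
    b"\r\n"
    b"--bnd\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body>Look at this</body></html>\r\n"
    b"--bnd\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(FAKE_EXE)
    + b"--bnd--\r\n"
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_MESSAGE):
        print(finding)
```

The second check (the MZ header) is the one worth keeping even when a filter already has a good extension list: it looks at the decoded bytes rather than at anything the sender wrote in the headers, so a part that carries no filename at all is still caught.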
HTML mail with embedded scripts
Nowadays, practically all email clients can send and receive HTML mail.
This can trigger the running of HTML scripts and Active Content, such as
JavaScript and ActiveX. Outlook and other products use Internet Explorer
components to display HTML email, meaning they inherit the security
problems found in Internet Explorer. These vulnerabilities can be exploited
by email to hack into corporate networks, disseminate dangerous worms, and
enable the execution of system functions such as reading, writing and
deleting files.
The BubbleBoy and HapTime email viruses use HTML email to
circumvent security measures and infect computers. These worms use HTML
scripts to exploit security holes in Outlook and Internet Explorer so that
the infectious code is executed as soon as the email is opened or viewed
in the preview pane, that is, effectively upon receipt of the
email.
Such worms do not make use of attachments, and many email
filtering solutions which rely only on file checking fail to protect
against these real risks. The success and distribution of a worm that
makes use of HTML Active Content exploits depends on the number of
vulnerable hosts rather than on some social engineering ploy. This means
that, once the email has been downloaded by the email client, only the
necessary precautions - that is, a patched and up to date email client -
can prevent infection. Yet, corporate administrators can find it difficult
to keep up with the patches.
Test if your email system is vulnerable to these methods!
You can easily test whether your email system is vulnerable to any of
the threats described above: GFI has set up a testing zone that enables
you to see how well protected your email system is against emails that
contain .vbs attachments, CLSID file names, malformed MIME headers and
ActiveX exploits. The tests available on this zone are safe and do not do
anything dangerous - they simply detect whether your email system is
safeguarded against a number of email-borne threats.
Try the tests at: http://www.gfi.com/emailsecuritytest/
Be sure to visit this page regularly: GFI Security Labs is constantly
researching email threats and will add new vulnerability tests to those
currently available.
Protect against these threats with GFI MailSecurity
GFI's GFI MailSecurity for Exchange/SMTP protects against the methods
described above through the content filtering, attachment checking and
virus scanning of all incoming and outgoing emails at server level. GFI
MailSecurity’s key features include multiple virus engines, for better
protection; email content and attachment checking, to quarantine dangerous
emails; an exploit shield, to disable Windows/Office exploits launched via
email; and an email threats engine, to analyse & defuse HTML scripts,
.exe files & more.
Virus scanning
While traditional virus scanners operate on the desktop
machine, GFI MailSecurity blocks viruses at server level, meaning that
network users behind GFI MailSecurity never get to see a virus. GFI
MailSecurity is unique in that it allows you to use multiple virus engines
to protect your company from virus threats. GFI MailSecurity comes bundled
with the Norman Virus Control and BitDefender anti-virus engines and
supports automatic updating of signature files. The McAfee virus engine is
also available as an optional extra.
Virus scanning is a widely
accepted way of catching known viruses and worms. However, when a new
virus outbreak occurs, traditional virus scanners are usually slow to
issue signatures against these new threats. But the protection provided by
GFI MailSecurity is multi-layered and is not just limited to virus
scanning.
Attachment checking
GFI MailSecurity can also block suspicious or dubious file types that
could contain dangerous content, such as *.exe, *.vbs and other files.
GFI's security research team keeps an updated list of executable
attachment types, which is used to capture future and unknown viruses and
worms as well as existing ones. GFI MailSecurity also performs Class ID
(CLSID) extension checking, which allows it to easily catch would-be
attacks that are based on this method. This adds an important level of
security to the virus scanning and attachment checking components in GFI
MailSecurity.
HTML Active Content removal
As described above, Active Content is prone to exploitation through
email. While JavaScript and similar technologies are much used on the web
(HTTP), they have little use in email. GFI MailSecurity can easily protect
against these threats by filtering out HTML tags and attributes which can
be used to execute Active Content through email. This stops unknown worms
and viruses which make use of HTML to infect the host, as well as
well-known simple attacks such as email wiretapping, where a script
embedded in the message reports back to the sender whenever the message
is forwarded.
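The filter below is an added example, not GFI MailSecurity's code, of the tag-and-attribute stripping described here and in the "HTML mail with embedded scripts" section above: it drops script-bearing elements together with their bodies, removes event-handler and style attributes and script: URL schemes, and reports what it removed so the action can be logged. The tag, attribute and scheme lists are the example's own (deliberately conservative) assumptions, and the sample message is constructed, not a real worm body.

```python
"""Strip active content from an HTML email body before it reaches the client.

Added example, not GFI MailSecurity's code. The lists below are assumptions:
a conservative set of elements, attributes and URL schemes that turn an HTML
message into an executable document in a browser-based mail client.
"""
import html
import re
from html.parser import HTMLParser

# Container elements dropped together with everything inside them
# (script text, object parameters, IE XML data islands, CSS).
ACTIVE_CONTAINERS = {"script", "object", "applet", "iframe", "style", "frameset", "xml"}
# Void elements that load external or active content; the tag alone is dropped.
ACTIVE_VOIDS = {"embed", "meta", "link", "base", "frame"}
# URL schemes that execute script when the href/src is followed or loaded.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "livescript:", "mocha:", "data:")


class ActiveContentStripper(HTMLParser):
    def __init__(self):
        # convert_charrefs=False keeps text entities untouched on output.
        # Attribute values are always unescaped by HTMLParser, which is what
        # we want: &#106;avascript: must be recognised as javascript:.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []
        self.skip_depth = 0

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                    # onload, onerror, onmouseover ...
                self.removed.append(f"{tag}@{lname}")
                continue
            if lname in ("style", "datasrc", "dataformatas"):  # CSS expression()/behavior:, data binding
                self.removed.append(f"{tag}@{lname}")
                continue
            if value is not None:
                # Strip whitespace/control characters so "java\tscript:" is caught too.
                probe = re.sub(r"[\x00-\x20]", "", value).lower()
                if probe.startswith(SCRIPT_SCHEMES):
                    self.removed.append(f"{tag}@{lname}")
                    continue
            kept.append((name, value))
        return kept

    def _emit_tag(self, tag, attrs, closing=""):
        parts = [tag]
        for name, value in self._clean_attrs(tag, attrs):
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}{closing}>")

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTAINERS:
            self.skip_depth += 1
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        if tag in ACTIVE_VOIDS:
            self.removed.append(tag)
            return
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in ACTIVE_CONTAINERS or tag in ACTIVE_VOIDS:
            self.removed.append(tag)
            return
        self._emit_tag(tag, attrs, " /")

    def handle_endtag(self, tag):
        if tag in ACTIVE_CONTAINERS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in ACTIVE_VOIDS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    # Comments, declarations and processing instructions are dropped outright;
    # IE conditional comments (<!--[if IE]> ... ) can hide live markup in them.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def strip_active_content(html_body):
    """Return (sanitised_html, list_of_removed_items)."""
    parser = ActiveContentStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample with the usual tricks; not a real worm body.
SAMPLE = (
    '<html><body onload="alert(1)"><p>Hello <b>world</b> &amp; friends</p>'
    '<script>alert(document.cookie)</script>'
    '<a href="&#106;avascript:evil()">link</a>'
    '<img src="cid:pic001" onerror="evil()">'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = strip_active_content(SAMPLE)
    print(clean)
    print(removed)
```

Two design points matter more than the lists themselves: elements are dropped with their whole body (so script text never reaches the output even if the client would reassemble it), and attribute values are normalised before the scheme check, because the entity-encoded and whitespace-split forms of javascript: are exactly what a simple string match misses.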
For more information about GFI MailSecurity for Exchange/SMTP, please visit http://www.gfi.com/mailsecurity/
GFI
GFI has six offices in the US, UK, Germany, France, Australia and
Malta, and has a worldwide network of distributors. GFI is the developer
of FAXmaker, Mail essentials, GFI MailSecurity and LANguard, and has
supplied applications to clients such as Microsoft, Telstra, Time Warner
Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and
the USAF. GFI is a Microsoft Gold Certified Partner and has won the
Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year
award.
For more information
Please email sales@gfi.com or contact one of the GFI offices.
© 2002 GFI Software Ltd. All rights reserved. The information
contained in this document represents the current view of GFI on the
issues discussed as of the date of publication. Because GFI must respond
to changing market conditions, it should not be interpreted to be a
commitment on the part of GFI, and GFI cannot guarantee the accuracy of
any information presented after the date of publication. This White Paper
is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS DOCUMENT. FAXmaker, Mail essentials, GFI MailSecurity and
LANguard and the FAXmaker, Mail essentials, GFI MailSecurity and LANguard
logos and the GFI logo are either registered trademarks or trademarks of
GFI Software Ltd. in the United States and/or other countries. Microsoft,
Exchange Server, VS API, Word, and Windows NT/2000/XP are either
registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries. Other product or company names mentioned
herein may be the trademarks of their respective owners. GFI.
http://www.gfi.com info@gfi.com 1-888-2GFIFAX / +44 (0) 870 770 5370