WHITE PAPER
Why You Need an Email Exploit Detection Engine
Networks Must Supplement Anti-Virus Protection for Maximum Security



Introduction

The number of email viruses and attacks skyrocketed in 2001, causing security experts and vendors to dub it "the year of the virus." One new factor to emerge in 2001 was that virus-writers are using increasingly complex and sophisticated techniques in their bid to circumvent anti-virus software and disseminate their viruses. A case in point was the notorious Nimda virus that used multiple methods to spread itself and was based on an exploit rather than malicious code. Email security tools must evolve in the same way if such threats are to be blocked before they can cause harm. Anti-virus software, though essential, cannot combat such threats; an email exploit detection tool is also necessary.

What is an Exploit?

An exploit uses known vulnerabilities in applications or operating systems to execute a program or circumvent security measures. It "exploits" a feature of a program or the operating system for its own use, such as to execute arbitrary machine code, read/write files on the hard disk, or gain illicit access.

What is an Email Exploit?

An email exploit is an exploit launched via email. An email exploit is essentially an exploit that can be embedded in an email, and executed on the recipient's machine once the user either opens or receives the email. This allows the hacker to bypass firewalls and anti-virus products.

Difference between Anti-Virus Software & Email Exploit Detection Software

Anti-virus software is designed to detect malicious code. It does not necessarily analyze the method being used to execute the code.

Email exploit detection software analyzes emails for exploits - i.e., it scans for methods to execute a program on the user's system. An email exploit engine does not check whether the program is malicious or not. It simply assumes there is a security risk if an email is using an exploit in order to run a program.

In this manner, an email exploit engine works like an intrusion detection system (IDS) for email. The email exploit engine might cause more false positives, but it adds a new layer of security that is not available in a normal anti-virus package, simply because it uses a totally different way of securing email.

Anti-virus engines do protect against an exploit if it is frequently used to distribute worms or viruses, but they do not check for other exploits or attacks. An exploit detection engine checks for all known exploits.

Because the email exploit engine is optimized for finding exploits in email, it can therefore be more effective at this job than a general purpose anti-virus engine.

Faster Updates for Greater Protection

Since new email threats and exploits emerge regularly, an email exploit detection system must be kept up to date. The email exploit engine definition files must be updated whenever a new exploit or variant is made public or the in-house research team discovers potential exploits in well-known software.

Although keeping exploit and anti-virus engines up to date involve very similar operations, the results are different. Once an exploit is identified and incorporated in an exploit engine, that engine can protect against any new virus that is based on a known exploit. That means the exploit engine will catch the virus even before the anti-virus vendor is aware of its emergence, and certainly before the anti-virus definition files have been updated to counter the attack. This is a critical advantage, as shown by the following examples that occurred in 2001.

The Lessons of Nimda and BadTrans.B

Nimda and BadTrans.B are two viruses that became widely known worldwide in 2001 because they infected a colossal number of Windows computers with Internet access. Nimda alone is estimated to have affected about 8.3 million computer networks around the world, according to US research firm Computer Economics (November 2001).

Nimda is a worm that uses multiple methods to automatically infect other computers. It can replicate through email using an exploit that was made public months before Nimda hit, the MIME Header exploit. BadTrans.B is a mass-mailing worm that distributes itself using the MIME Header exploit. BadTrans.B first appeared after the Nimda outbreak.

With their highly rapid infection rate, both Nimda and BadTrans.B took anti-virus vendors by surprise. Though the vendors tried to issue definition file updates as soon as they learned about each virus, the virus had already succeeded in infecting a large number of PCs by the time the anti-virus updates were released.

Though both viruses used the same exploit, anti-virus vendors had to issue a separate definition file update for each. In contrast, an email exploit detection engine would have recognized the exploit used and identified the attempt to automatically launch an executable file using the MIME header exploit. As a result, it would have blocked both worms automatically, preventing infection.

Testing for Exploit Vulnerability

You can easily test whether your email system is vulnerable to the exploit described above and similar email exploits and threats. GFI has set up a testing zone that enables you to determine the susceptibility of your email system to email exploits such as malformed MIME headers, ActiveX exploits, CLSID file names, and more. The tests available on this zone are safe and do not do anything dangerous. They simply detect whether your email system is safeguarded against a number of email-borne threats.

Try the tests at: http://www.gfi.com/emailsecuritytest/

GFI MailSecurity

The first email security product to protect against email exploits is GFI MailSecurity for Exchange/SMTP, a package that includes an email exploit detection engine as one of four key components designed to provide comprehensive protection against email threats. Drawing on GFI's leading research on email exploits, this industry-first engine detects signatures of currently known email exploits and blocks any messages containing those signatures. The majority of the hazards identified by MailSecurity's exploit engine are not detected by any other program on the market today.

Coupled with this innovative feature, GFI MailSecurity for Exchange/SMTP also includes Multiple virus engines, for better protection; Email content and attachment checking - to quarantine dangerous emails; and an Email threats engine - to analyze and defuse HTML scripts, .exe files and more. This combination of features is unique in the industry, providing maximum protection against email-related network assaults. Other features of GFI MailSecurity for Exchange/SMTP include:

  • Automatic removal of HTML scripts
  • Automatic quarantining of Microsoft Word documents with macros
  • Detects attachment extension hiding
  • Rules-based configuration
  • Apply rules to AD users or groups
  • Approve/reject quarantined mail using the moderator client/email client/public folders
  • Lexical analysis
  • Seamless integration with Exchange Server 2000 through VS API
  • Excellent value

GFI MailSecurity for Exchange/SMTP can be deployed at the gateway level, or at the information store level (based on the Exchange 2000 VS API). An evaluation version can be downloaded from: http://www.gfi.com/mailsecurity

About GFI

GFI has six offices in the US, UK, Germany, France, Australia and Malta, and has a worldwide network of distributors. GFI is the developer of FAXmaker, Mail essentials, MailSecurity and LANguard, and has supplied applications to clients such as Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year award.


© 2002 GFI Software Ltd. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. FAXmaker, Mail essentials, MailSecurity and LANguard and the FAXmaker, Mail essentials, MailSecurity and LANguard logos and the GFI logo are either registered trademarks or trademarks of GFI Software Ltd. in the United States and/or other countries. Microsoft, Exchange Server, VS API, Word, and Windows NT/2000/XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product or company names mentioned herein may be the trademarks of their respective owners. GFI. http://www.gfi.com info@gfi.com 1-888-2GFIFAX / +44-(0)20-8546 0640

back to top