Cyber Security Expo
Why anti-virus software is not enough by GFI Software Ltd on 09/09/02

This white paper explains why anti-virus software alone is not enough to protect your organization against the current and future onslaught of computer viruses. Examining the different kinds of email attacks that threaten todayís organizations, this paper describes the need for a solid server-based content-checking gateway to safeguard your business against email viruses and attacks.

Computer viruses will cost businesses around the globe more than $1.5 trillion in 2000, according to a PricewaterhouseCoopers study issued by Information Week Research in July 2000.

Email is the top distribution mechanism for the world"s most dangerous electronic viruses, such as deadly email viruses transported through Word macros (e.g., Melissa), infected attachments (e.g., Love Bug) and commands embedded in HTML mail. Furthermore, email is now being used to launch email attacks, targeted specifically at your organization to obtain confidential information or gain control of your servers.

Hefty damage: both widespread and targeted

"The bill to 50,000 US firms this year for viruses and computer hacking will amount to $266 billion, or 2.5 percent of USA"s GDP," reported Information Week Research in July 2000. By comparison, in 1999, computer viruses cost US business $12 billion, according to Computer Economics Inc.

Organizations are threatened both by email viruses that are released in the wild and gain notoriety in the media - like the VB-script worm Love Bug in 2000 and the macro virus Melissa and the Explore Worm in 1999 - and also by email attacks that are specifically targeted against them. Today, email has become a prime means for installing backdoors (Trojans) and other harmful programs to help potential intruders break into a corporate network. Described as "instructive viruses" or "spy viruses" by computer security experts, these may become potent tools in industrial espionage.

In February 2000, for example, Japanese police arrested a young man suspected of emailing viruses to a company to obstruct its operations and cause its computer system to shut down. Another case in point is the email attack on Microsoft"s network in October 2000, which a Microsoft Corp. spokesman described as "an act of industrial espionage pure and simple". According to reports, Microsoft"s network was hacked by means of a backdoor Trojan virus maliciously emailed to a network user.

Types of email attacks

To get to grips with the kind of email threats present today, it is best to take a quick look at the current main forms of email attack. These include:

Email Trojans
Trojans can be emailed to the victim and used to breach security (e.g., to steal information), or to cause damage (e.g., activate a distributed attack). As a Trojan attack usually requires the recipient to activate the program received, the sender often disguises the Trojan program as an attractive attachment, such as a joke, to convince the recipient to run the program.

Buffer overflows
Buffer overflows can be set up in such a way as to supply program instructions for the victim"s computer to execute. By exploiting a bug in the program under attack, the attacker emails the recipient a program for execution by his/her computer. They can also be used as Denial-of-Service attacks, causing the program to crash.

HTML viruses - that do not require user intervention
Also known as active content attacks or browser attacks, HTML attacks are aimed at those who use web browsers or HTML-enabled email clients to read their mail. Such attacks tend to use the scripting features of HTML or of the email client to illicitly execute code on the PC or to acquire private information from the recipient"s computer. Sometimes, these are used to make the victimís computer display some specific content or perform a Denial-of-Service attack.

While devastating viruses like the Melissa macro virus require the victim to execute them by opening the infected email attachment, this frightening new breed of HTML virus does not require user intervention in order to be activated. Alarming as this is, it is actually extremely easy for virus writers to make a virus that is executed simply by opening oneís email client.

The shocking ease of creating a virus today

Anyone with a little knowledge of Visual Basic can unleash chaos by exploiting well-known vulnerabilities in various commonly used email clients and products. A visit to the SecurityFocus site, for instance, will reveal various exploits that are available for Outlook, currently the most popular email client. A malicious script kiddie with the intent of producing a virus can easily study these exploits, perform experiments or just modify the exploit code - which is publicly available! - to execute a new code of his/her own.

For example, many virus writers are now making use of a specific vulnerability called "Malformed MIME header". Hugely widespread viruses and worms like Nimda, BadTrans.B and Klez made use of this security hole to disseminate. In fact, a number of viruses and email worms that use this single issue have successfully to infect a vast number of hosts, even though this vulnerability was first made public and patched on Mar 29, 2001. Besides, virus writers making use of this vulnerability can change their old virus to add an auto-executing feature as seen with the Yaha worm. This worm did not originally use the Malformed MIME header vulnerability but only did so at a later stage; this clearly increased the probability that the virus would infect the victim

To cite another example, an exploit for Internet Explorer and MS Access, which could be easily applied to Outlook and Outlook Express (when MS Access is available), is described on A virus writer could easily exploit this to run Visual Basic code as soon as the victim opens the infected email. This would infect all HTML files and send itself to all the contacts on the recipientís email address book. A key feature of this virus, however, is that it would execute simply when the user opens the email containing malicious HTML.

Another intervention-free virus could make use of the GMT field buffer overflow vulnerability in Outlook and Outlook Express, as described on The victim would download the email sent by an infected user upon which the recipientís Outlook client would crash and execute a malicious code. This in turn would send the offending email to all the contacts in the victimís address book. Here, the virus would continue to replicate, repeatedly causing email clients to crash, and resulting in a total standstill in Internet traffic.

Why anti-virus software or a firewall is not enough

Some organizations lull themselves into a false sense of security upon installing a firewall. This is a wise step to protect their intranet, but it is not enough: Firewalls can prevent access to your network by unauthorized users. But they do not check the content of mail being sent and received by those authorized to use the system, for instance. This means that email viruses can still pass through this level of security.

Nor does virus-scanning software protect against ALL email viruses and attacks: Anti-virus vendors cannot always update their signatures in time against the deadly viruses that are distributed worldwide via email in a matter of hours (such as the LoveLetter virus and its variants). This means that companies using a single virus-scanning engine alone are not necessarily safeguarded when a new virus is released.Yet, once an email virus has entered the system, it takes one quick click for an unwitting user to activate it.

The solution: A proactive approach

So how does one protect against HTML mail viruses, future macro viruses, and email attacks?

A proactive approach is needed which involves the content checking of all inbound and outbound email at server level, before distribution to your users. This way, all potentially harmful content is removed from an infected or dubious email, and only then is it forwarded to the user.

By installing a comprehensive email content checking and anti-virus gateway on their mail server, companies can protect themselves against the potential damage and lost work time that current and future viruses may cause. This kind of tool, such as GFI MailSecurity for Exchange/SMTP, provides email content checking, exploit detection and anti-virus for Exchange/SMTP. It can be deployed at the gateway level, or at information store level (based on the Exchange 2000 VS API).

Key features include: Multiple virus engines - Don"t depend on 1 only; Email content & attachment checking - Quarantine dangerous emails; Exploit shield - Email intrusion detection & defence; Email threats engine - Analyses & defuses HTML scripts, .exe files & more. Other features include:

  • Automatic removal of HTML scripts
  • Automatic quarantining of Microsoft Word documents with macros
  • Detects attachment extension hiding
  • Rules-based configuration
  • Apply rules to AD users or groups
  • Approve/reject quarantined mail using the moderator client/email client/public folders
  • Lexical analysis
  • Seamless integration with Exchange Server 2000 through VS API
  • Anti-spam (gateway version)
  • Great value

An evaluation version can be downloaded from:

About GFI

GFI has six offices in the US, UK, Germany, France, Australia and Malta, and has a worldwide network of distributors. GFI is the developer of GFI FAXmaker, Mail essentials, GFI MailSecurity and GFI LANguard, and has supplied applications to clients such as Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year award.

For more information
Please email or contact one of the GFI offices.

© 2002 GFI Software Ltd. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. GFI FAXmaker, GFI Mail essentials, GFI MailSecurity and GFI LANguard and the GFI FAXmaker, GFI Mail essentials, GFI MailSecurity, GFI DownloadSecurity and GFI LANguard logos and the GFI logo are either registered trademarks or trademarks of GFI Software Ltd. in the United States and/or other countries. Microsoft, Exchange Server, VS API, Word, and Windows NT/2000/XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product or company names mentioned herein may be the trademarks of their respective owners. GFI. 1-888-2GFIFAX / +44-(0)870-770-5370

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , All rights reserved. Comments are property of the respective posters.