This white paper explains why anti-virus software alone is not enough to protect
your organization against the current and future onslaught of computer viruses.
Examining the different kinds of email attacks that threaten today’s organizations,
this paper describes the need for a solid server-based content-checking gateway
to safeguard your business against email viruses and attacks.
Computer viruses will cost businesses around the globe more than $1.5
trillion in 2000, according to a PricewaterhouseCoopers study issued by
Information Week Research in July 2000.
Email is the top distribution mechanism for the world's most dangerous
electronic viruses, such as deadly email viruses transported through Word
macros (e.g., Melissa), infected attachments (e.g., Love Bug) and commands
embedded in HTML mail. Furthermore, email is now being used to launch
email attacks, targeted specifically at your organization to obtain confidential
information or gain control of your servers.
Hefty damage: both widespread and targeted
"The bill to 50,000 US firms this year for viruses and computer
hacking will amount to $266 billion, or 2.5 percent of USA's GDP," reported
Information Week Research in July 2000. By comparison, in 1999, computer
viruses cost US business $12 billion, according to Computer Economics
Inc.
Organizations are threatened both by email viruses that are released
in the wild and gain notoriety in the media - like the VB-script worm
Love Bug in 2000 and the macro virus Melissa and the Explore Worm in 1999
- and also by email attacks that are specifically targeted against them.
Today, email has become a prime means for installing backdoors (Trojans)
and other harmful programs to help potential intruders break into a corporate
network. Described as "instructive viruses" or "spy viruses" by computer
security experts, these may become potent tools in industrial espionage.
In February 2000, for example, Japanese police arrested a young man suspected
of emailing viruses to a company to obstruct its operations and cause
its computer system to shut down. Another case in point is the email attack
on Microsoft's network in October 2000, which a Microsoft Corp. spokesman
described as "an act of industrial espionage pure and simple". According
to reports, Microsoft's network was hacked by means of a backdoor Trojan
virus maliciously emailed to a network user.
Types of email attacks
To get to grips with the kind of email threats present today, it is best
to take a quick look at the current main forms of email attack. These
include:
Email Trojans
Trojans can be emailed to the victim and used to breach security (e.g.,
to steal information), or to cause damage (e.g., activate a distributed
attack). As a Trojan attack usually requires the recipient to activate
the program received, the sender often disguises the Trojan program as
an attractive attachment, such as a joke, to convince the recipient to
run the program.
Buffer overflows
A buffer overflow can be crafted to supply program instructions that the
victim's computer then executes: by exploiting a bug in the program under
attack, the attacker emails the recipient a program that his/her computer
runs. Buffer overflows can also be used for Denial-of-Service attacks, simply
causing the program to crash.
HTML viruses - that do not require user intervention
Also known as active content attacks or browser attacks, HTML attacks are
aimed at those who use web browsers or HTML-enabled email clients to read their
mail. Such attacks tend to use the scripting features of HTML or of the email
client to illicitly execute code on the PC or to acquire private information
from the recipient's computer. Sometimes, these are used to make the victim's
computer display some specific content or perform a Denial-of-Service attack.
While devastating viruses like the Melissa macro virus require the victim
to execute them by opening the infected email attachment, this frightening
new breed of HTML virus does not require user intervention in order to
be activated. Alarming as this is, it is actually extremely easy for virus
writers to make a virus that is executed simply by opening one’s email
client.
The shocking ease of creating a virus today
Anyone with a little knowledge of Visual Basic can unleash chaos by exploiting
well-known vulnerabilities in various commonly used email clients and
products. A visit to the SecurityFocus site, for instance, will reveal
various exploits that are available for Outlook, currently the most popular
email client. A malicious script kiddie with the intent of producing a
virus can easily study these exploits, perform experiments or just modify
the exploit code - which is publicly available! - to execute new code
of his/her own.
For example, many virus writers are now making use of a specific vulnerability
called "Malformed MIME header". Hugely widespread viruses and
worms like Nimda, BadTrans.B and Klez made use of this security hole to
disseminate. In fact, a number of viruses and email worms that use this
single issue have successfully infected a vast number of hosts, even
though this vulnerability was first made public and patched on Mar 29,
2001. Besides, virus writers making use of this vulnerability can change
their old virus to add an auto-executing feature, as seen with the Yaha
worm. This worm did not originally use the Malformed MIME header vulnerability
but only did so at a later stage; this clearly increased the probability
that the virus would infect the victim.
To cite another example, an exploit for Internet Explorer and MS Access,
which could be easily applied to Outlook and Outlook Express (when MS
Access is available), is described on Guninski.com. A virus writer could
easily exploit this to run Visual Basic code as soon as the victim opens
the infected email. This would infect all HTML files and send itself to
all the contacts on the recipient’s email address book. A key feature
of this virus, however, is that it would execute simply when the user
opens the email containing malicious HTML.
Another intervention-free virus could make use of the GMT field buffer
overflow vulnerability in Outlook and Outlook Express, as described on
SecurityFocus.com. The victim would download the email sent by an infected
user, upon which the recipient's Outlook client would crash and execute
malicious code. This in turn would send the offending email to all the
contacts in the victim’s address book. Here, the virus would continue
to replicate, repeatedly causing email clients to crash, and resulting
in a total standstill in Internet traffic.
Why anti-virus software or a firewall is not enough
Some organizations lull themselves into a false sense of security upon
installing a firewall. This is a wise step to protect their intranet,
but it is not enough: Firewalls can prevent access to your network by
unauthorized users. But they do not check the content of mail being sent
and received by those authorized to use the system, for instance. This
means that email viruses can still pass through this level of security.
Nor does virus-scanning software protect against ALL email viruses and
attacks: Anti-virus vendors cannot always update their signatures in time
against the deadly viruses that are distributed worldwide via email in
a matter of hours (such as the LoveLetter virus and its variants). This
means that companies using a single virus-scanning engine alone are not
necessarily safeguarded when a new virus is released. Yet, once an email
virus has entered the system, it takes one quick click for an unwitting
user to activate it.
The solution: A proactive approach
So how does one protect against HTML mail viruses, future macro viruses,
and email attacks?
A proactive approach is needed which involves the content checking of
all inbound and outbound email at server level, before distribution to
your users. This way, all potentially harmful content is removed from
an infected or dubious email, and only then is it forwarded to the user.
By installing a comprehensive email content checking and anti-virus gateway
on their mail server, companies can protect themselves against the potential
damage and lost work time that current and future viruses may cause. This
kind of tool, such as GFI MailSecurity for Exchange/SMTP, provides
email content checking, exploit detection and anti-virus for Exchange/SMTP.
It can be deployed at the gateway level, or at information store level
(based on the Exchange 2000 VS API).
Key features include:
- Multiple virus engines - Don't depend on 1 only
- Email content & attachment checking - Quarantine dangerous emails
- Exploit shield - Email intrusion detection & defence
- Email threats engine - Analyses & defuses HTML scripts, .exe files & more
Other features include:
- Automatic removal of HTML scripts
- Automatic quarantining of Microsoft Word documents with macros
- Detects attachment extension hiding
- Rules-based configuration
- Apply rules to AD users or groups
- Approve/reject quarantined mail using the moderator client/email client/public folders
- Lexical analysis
- Seamless integration with Exchange Server 2000 through VS API
- Anti-spam (gateway version)
- Great value
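As an added illustration of the server-level content checking described above, and of the "automatic removal of HTML scripts" and "attachment extension hiding" checks in the feature list, the following Python script (not GFI's code; the extension lists, the quarantine notice and the sample message are constructed assumptions) walks the MIME parts of a message, strips script blocks from HTML parts and replaces risky attachments with a notice, returning the findings a gateway would log before forwarding the mail.

```python
import email
import re
from email import policy

# Assumed gateway policy (constructed lists, not GFI's configuration).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MACRO_DOC_EXTS = {".doc", ".dot", ".xls"}  # may carry macros: quarantine, do not strip
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)

def check_attachment(filename):
    """Return a finding for a risky attachment name, or None if it passes."""
    name = (filename or "").strip().lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS and len(parts) > 2:  # hidden extension, e.g. report.txt.exe
        return f"extension hiding: {name}"
    if ext in EXECUTABLE_EXTS:
        return f"executable attachment: {name}"
    if ext in MACRO_DOC_EXTS:
        return f"possible macro document: {name}"
    return None

def filter_message(raw):
    """Strip <script> blocks from HTML parts, replace risky attachments with a
    notice (the original would go to quarantine); return (message, findings)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # only leaf parts are modified, so the tree stays intact
        if part.is_multipart():
            continue
        finding = check_attachment(part.get_filename())
        if finding:
            findings.append(finding)
            part.set_content("[attachment removed by gateway]")
        elif part.get_content_type() == "text/html":
            cleaned, n = SCRIPT_RE.subn("", part.get_content())
            if n:
                findings.append(f"removed {n} HTML script block(s)")
                part.set_content(cleaned, subtype="html")
    return msg, findings

# Constructed sample: an HTML body with a script block plus a double-extension attachment.
SAMPLE = (
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/html\n\n"
    '<html><body><p>Hello</p><script>document.write("x")</script></body></html>\n'
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="report.txt.exe"\n\nMZ\n--b1--\n'
)
```

Running `filter_message(SAMPLE)` reports one removed script block and one hidden-extension attachment; a real gateway would store the original part for a moderator rather than discard it.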
An evaluation version can be downloaded from: http://www.gfi.com/mailsecurity
About GFI
GFI has six offices in the US, UK, Germany, France, Australia and
Malta, and has a worldwide network of distributors. GFI is the developer of
GFI FAXmaker, Mail essentials, GFI MailSecurity and GFI LANguard, and has supplied
applications to clients such as Microsoft, Telstra, Time Warner Cable, Shell
Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI is
a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM)
Packaged Application Partner of the Year award.
For more information
Please email sales@gfi.com or contact one
of the GFI offices.
© 2002 GFI Software Ltd. All rights reserved. The information contained
in this document represents the current view of GFI on the issues discussed
as of the date of publication. Because GFI must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of GFI, and GFI
cannot guarantee the accuracy of any information presented after the date of
publication. This White Paper is for informational purposes only. GFI MAKES
NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. GFI FAXmaker, GFI Mail
essentials, GFI MailSecurity and GFI LANguard and the GFI FAXmaker, GFI Mail
essentials, GFI MailSecurity, GFI DownloadSecurity and GFI LANguard logos and
the GFI logo are either registered trademarks or trademarks of GFI Software
Ltd. in the United States and/or other countries. Microsoft, Exchange Server,
VS API, Word, and Windows NT/2000/XP are either registered trademarks or trademarks
of Microsoft Corporation in the United States and/or other countries. Other
product or company names mentioned herein may be the trademarks of their respective
owners. GFI. http://www.gfi.com info@gfi.com 1-888-2GFIFAX / +44-(0)870-770-5370