This white paper describes various methods used by email viruses and
worms to penetrate a protected network. Such methods include attachment
files containing harmful code, social engineering attacks, crafted MIME
headers, malicious use of HTML Script and similar technologies. A URL
is provided where you can test whether your email system is vulnerable
to threats like these. This document also examines the ways through which
email can be sanitized and filtered of malicious code using GFI’s
email content/exploit checking and anti-virus solution, GFI MailSecurity for
Email threats: a constant danger!
The widespread adoption of email through the years has been accompanied
by the development of malicious code, that is, email viruses and attacks.
Email has provided hackers and crackers with an easy way to distribute
harmful content to the internal network. Corporate LANs have been breached
by worms and viruses, as well as by crackers, through the use of email.
Hackers can easily circumvent the protection offered by a firewall by
tunneling through the email protocol. A typical firewall cannot protect
against such email attacks, because it simply does not analyse email and
Because email messages can include file attachments, hackers can send
infected files and hope that the recipient will open them, as happened
with Melissa and Manwella. This method makes use of social engineering
to urge the end user to run the file. Yet, other methods exist which allow
a skilled and possibly malevolent cracker to inject code through email
and run custom-made applications automatically while the end user reads
the email text. Such problems have been around since the use of HTML in
email and have been exploited by notorious worms such as the KaK worm,
BubbleBoy virus or the more recent Nimda.
Although anti-virus products can catch many viruses and worms, hackers
are able to dodge such protection by producing their own customized code.
This can result in dangerous threats penetrating the corporate network
through lesser known methods and through bypassing anti-virus protection
and other traditional anti-hacker protection. The threat posed by hackers
to the internal network is huge, as internal network security is low to
Methods used to attack your email
Attachments with malicious
Melissa and LoveLetter were among the first viri to illustrate the problem
with email attachments and trust. They made use of the trust that exists
between friends or colleagues. Imagine receiving an attachment from a
friend who asks you to open it. This is what happens with Melissa, AnnaKournikova,
SirCam and several other similar email worms. Upon running, such worms
usually proceed to send themselves out to email addresses from the victim"s
address book, previous emails, web pages caches to the local machine and
Virus writers place much emphasis on getting the victim to run the attachment.
Therefore they make use of different attractive attachment names, such
as SexPic.cmd and me.pif.
As administrators seek to block dangerous email attachments through the
recognition of well-known extensions, virus writers use other extensions
to circumvent such protection. Executable (.exe) files are renamed to
.bat and .cmd plus a whole list of other extensions and will still run
and successfully infect target users.
Many users try to avoid infection from email viruses by only double-clicking
on files with certain extensions, such as JPG and MPG. However, some viruses,
such as the AnnaKournikova worm, make use of multiple extensions to try
trick the user into running the file. The AnnaKournikova virus was transmitted
via an email attachment named "AnnaKournikova.jpg.vbs" which dupes recipients
into believing that that they are receiving a harmless JPG image of the
famous tennis star, rather than a Visual Basic Script containing infectious
Frequently, hackers try to penetrate networks by sending an attachment
that looks like a Flash movie, which, while displaying some cute animation,
simultaneously runs commands in the background to steal your passwords
and give the cracker access to your network.
To further entice the victim to run such an attachment, some hackers use
common vulnerabilities such as the Class ID (CLSID) extension of the application
to be run. This method allows these crackers to hide the actual extension
of the file, thereby concealing the fact that cleanfile.jpg is actually
a nasty HTA (HTML application) file. This method currently also circumvents
various email content filtering solutions which make use of simple file
checking methods, thus enabling the hacker to reach the target user easier.
Attachments in email are probably still the number one threat, and the
methods described here are well-known in the virus-writing community.
Emails with malformed MIME
The Nimda worm took the Internet by surprise, circumventing many email
security tools and breaking into servers and corporate networks as well
as infecting the home user. This worm uses a flaw within Outlook Express
and Internet Explorer to spread through email. Although this worm did
not only spread through email, this technology contributed much to its
success in infecting as many hosts as possible. Several corporate networks
had a problem with disinfecting their machines from this dangerous code.
The trick in Nimda is that it runs automatically on computers having a
vulnerable version of Internet Explorer or Outlook Express. As these are
basically installed on every Windows system, most users who received the
worm through email were infected with ease. This exploit makes use of
a malformed MIME header, which tells Outlook Express that the attached
infectious file is a WAV file. This allows the worm to be automatically
executed. This poses a large email security problem, as user intervention
to open infected files is not required.
MIME headers specify things such as the subject line, date or filename.
In the history of Outlook Express, the date and filename fields were previously
discovered to be vulnerable to buffer overflow attacks. By specifying
a long and well-crafted string, a skilled hacker could execute arbitrary
code on the target machines. Such vulnerabilities are prone to exploitation
for penetrating remote networks or for delivery of viruses and worms.
HTML mail with embedded
Nowadays, all email clients can send and receive HTML mail. HTML mail
controls, which can allow programs or code to be executed on the client
Outlook and other products use Internet Explorer components to display
HTML email, meaning they inherit the security vulnerabilities found in
Internet Explorer. These vulnerabilities can be exploited by email to
hack into corporate networks, disseminate dangerous worms, and enable
the execution of system functions such as reading, writing and deleting
files. Viruses that use HTML email to circumvent security measures and
infect computers include the Kak worm, BubbleBoy and HapTime.
Viruses based on HTML scripts have the added danger of being able to run
automatically when the malicious mail is opened. They do not rely on attachments;
therefore the attachment filters found in anti-virus software are useless
in combating unknown HTML script viruses.
The BadTrans.B virus, for example, combines an email exploit with HTML
to propagate, using HTML to launch an attachment automatically once the
email is received.
Test if your email system is vulnerable
to these methods!
You can easily test whether your email system is vulnerable to any of
the threats described above: GFI has set up a testing zone that enables
you to see how well protected your email system is against emails that
contain .vbs attachments, CLSID file names, malformed MIME headers and
ActiveX exploits. The tests available on this zone are safe and do not
do anything dangerous - they simply detect whether your email system is
safeguarded against a number of email-borne threats.
Try the tests at: http://www.gfi.com/emailsecuritytest/
Be sure to visit this page regularly: GFI Security Labs is constantly
researching email threats and will add new vulnerability tests to those
Protect against these threats with
GFI MailSecurity for Exchange/SMTP protects against the methods described
above through the content filtering, attachment checking and virus scanning
of all incoming and outgoing emails at server level. GFI MailSecurity’s
key features include multiple virus engines, for better protection; email
content and attachment checking, to quarantine dangerous emails; an exploit
shield, to disable Windows/Office exploits launched via email; and an
email threats engine, to analyse & defuse HTML scripts, .exe files
While traditional virus scanners operate on the desktop machine, GFI MailSecurity
blocks viruses at server level, meaning that network users behind GFI MailSecurity
never get to see a virus. GFI MailSecurity is unique in that it allows you
to use multiple virus engines to protect your company from virus threats.
GFI MailSecurity comes bundled with the Norman Virus Control and BitDefender
anti-virus engines and supports automatic updating of signature files.
The McAfee virus engine is also available as an optional extra.
Virus scanning is a widely accepted way of catching known viruses and
worms. However, when a new virus outbreak occurs, traditional virus scanners
are usually slow to issue signatures against these new threats. But the
protection provided by GFI MailSecurity is multi-layered and is not just limited
to virus scanning.
GFI MailSecurity can also block suspicious or dubious file types that could
contain dangerous content, such as *.exe, *.vbs and other files. GFI"s
security research team keeps an updated list of executable attachment
types, which is used to capture future and unknown viruses and worms as
well as existing ones. GFI MailSecurity also performs Class ID (CLSID) extension
checking, which allows it to easily catch would-be attacks that are based
on this method. This adds an important level of security to the virus
scanning and attachment checking components in GFI MailSecurity.
HTML Active Content removal
transfer protocol), these have little use in email. GFI MailSecurity can
easily protect against these threats through its patented HTML script
defuser, which analyses HTML email for HTML scripts and Active Content.
The HTML script defuser disables any scripts it finds and forwards the
now harmless email to the recipient, including formatting and images.
For more information about GFI MailSecurity for Exchange/SMTP, please
GFI has six offices in the US, UK, Germany, France, Australia and Malta, and
has a worldwide network of distributors. GFI is the developer of GFI FAXmaker,
Mail essentials, GFI MailSecurity and GFI LANguard, and has supplied applications
to clients such as Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants,
NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI is a Microsoft Gold
Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application
Partner of the Year award.
For more information
Please email email@example.com or contact one
of the GFI offices.
© 2002 GFI Software Ltd. All rights reserved. The information contained in
this document represents the current view of GFI on the issues discussed as of
the date of publication. Because GFI must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of GFI, and GFI cannot
guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. GFI MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, IN THIS DOCUMENT. GFI FAXmaker, GFI Mail essentials, GFI MailSecurity
and GFI LANguard and the GFI FAXmaker, GFI Mail essentials, GFI MailSecurity,
GFI DownloadSecurity and GFI LANguard logos and the GFI logo are either registered
trademarks or trademarks of GFI Software Ltd. in the United States and/or other
countries. Microsoft, Exchange Server, VS API, Word, and Windows NT/2000/XP are
either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries. Other product or company names mentioned herein
may be the trademarks of their respective owners. GFI. http://www.gfi.com firstname.lastname@example.org
1-888-2GFIFAX / +44-(0)870-770-5370