
Protecting your network against email threats


Vendor White Paper
GFI Software


Introduction

This white paper describes various methods used by email viruses and worms to penetrate a protected network. Such methods include attachment files containing harmful code, social engineering attacks, crafted MIME headers, and malicious use of HTML script and similar technologies. A URL is provided where you can test whether your email system is vulnerable to threats like these. This document also examines how email can be sanitized and filtered of malicious code using Mail Security for Exchange 2000, GFI's email content/exploit checking and anti-virus solution, which is based on Microsoft's virus scanning API (VS API).


Email threats: a constant danger!


The widespread adoption of email over the years has been accompanied by the development of malicious code, that is, email viruses and attacks. SMTP has provided hackers and crackers with an easy way to deliver harmful content into the internal network. Corporate LANs have been breached by worms and viruses, as well as by crackers, through the use of email. Hackers can easily circumvent the protection offered by a firewall by tunneling through the email protocol: a typical firewall cannot protect against such email attacks because it simply does not analyse email and its contents.

Because email messages can include file attachments, hackers can send infected files and hope that the recipient will open them, as happened with Melissa and Manwella. This method relies on social engineering to urge the end user to run the file. Other methods exist, however, that allow a skilled and possibly malevolent cracker to inject code through email and run custom-made applications automatically while the end user reads the email text. Such problems have existed since HTML was introduced into email and have been exploited by notorious worms such as the KaK worm, the BubbleBoy virus and the more recent Nimda.

Although anti-virus products can catch many viruses and worms, hackers are able to dodge such protection by producing their own customized code. As a result, dangerous threats can penetrate the corporate network through lesser-known methods, bypassing anti-virus protection and other traditional anti-hacker defences. The threat that hackers pose to the internal network is huge, because internal network security is typically kept low to preserve usability.

Methods used to attack your email system


Attachments with malicious content

Melissa and LoveLetter were among the first worms to illustrate the problem with email attachments and trust. They made use of the trust that exists between friends or colleagues: imagine receiving an attachment from a friend who asks you to open it. This is what happens with Melissa, the SirCam worm and several other similar email worms. Once run, such worms usually send themselves out to email addresses harvested from the victim's address book, previous emails, web pages cached on the local machine and similar sources.

Virus writers place much emphasis on getting the victim to run the attachment. Therefore they make use of different attractive attachment names, such as SexPic.cmd and me.pif.

As administrators seek to block dangerous email attachments by recognising well-known extensions, virus writers use other extensions to circumvent such protection. Executable (.exe) files are renamed to .bat, .cmd or any of a whole list of other extensions, and will still run and successfully infect target users.

Many users try to avoid infection from email viruses by only double-clicking on files with certain extensions, such as JPG and MPG. However, some viruses, such as the AnnaKournikova worm, use multiple extensions to try to trick the user into running the file. The AnnaKournikova virus was transmitted via an email attachment named 'AnnaKournikova.jpg.vbs', which dupes recipients into believing that they are receiving a harmless JPG image of the famous tennis star rather than a Visual Basic Script containing infectious code.

Frequently, hackers try to penetrate networks by sending an attachment that looks like a Flash movie, which, while displaying some cute animation, simultaneously runs commands in the background to steal your passwords and give the cracker access to your network.

To further entice the victim to run such an attachment, some hackers abuse Windows behaviour such as CLSID extensions: a file whose name ends in the CLSID of the application that should open it is displayed without that trailing extension. This lets crackers hide the actual file type, so that what appears to be cleanfile.jpg is actually a nasty HTA (HTML application) file. This method currently also circumvents various email content filtering solutions that rely on simple file-name checking, enabling the hacker to reach the target user more easily.

Attachments in email are probably still the number one threat, and the methods described here are well-known in the virus-writing community.
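As an added example (not part of GFI's paper or product), here is a small Python attachment-name check covering the three tricks above: executable extensions, decoy double extensions such as .jpg.vbs, and a trailing CLSID that Explorer hides from the displayed name. The extension lists and the CLSID used in the test are constructed for illustration.

```python
import re

# Extensions Windows runs on double-click: the ones the paper names (.exe, .bat,
# .cmd, .pif, .vbs, .hta) plus common siblings. A gateway keeps this list current.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "hta", "wsf", "wsh", "lnk", "reg"}
# Extensions users believe are harmless to open; used to spot "decoy.jpg.vbs".
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "mpg", "mpeg", "avi",
              "txt", "doc", "xls", "pdf", "htm", "html"}
# Explorer hides a trailing ".{CLSID}" from the displayed name, so a file named
# "cleanfile.jpg.{...}" shows as "cleanfile.jpg" but opens with the CLSID's handler.
CLSID_RE = re.compile(
    r"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def check_attachment_name(filename: str) -> list:
    """Return the reasons this attachment name should be blocked; [] means it passes."""
    reasons = []
    name = filename.strip().lower()
    if CLSID_RE.search(name):
        reasons.append("clsid-extension")
        name = CLSID_RE.sub("", name)   # keep checking what the CLSID was hiding
    exts = name.split(".")[1:]          # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension:" + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons


def filter_attachments(names):
    """Split attachment names into (allowed, blocked); blocked maps name -> reasons."""
    allowed, blocked = [], {}
    for n in names:
        reasons = check_attachment_name(n)
        if reasons:
            blocked[n] = reasons
        else:
            allowed.append(n)
    return allowed, blocked
```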

Emails with malformed MIME headers
The Nimda worm took the Internet by surprise, circumventing many email security tools and breaking into servers and corporate networks as well as infecting home users. This worm uses a flaw in Outlook Express and Internet Explorer to spread through email. Although Nimda did not spread only through email, this technique contributed much to its success in infecting as many hosts as possible. Several corporate networks had trouble disinfecting their machines of this dangerous code.

The trick in Nimda is that it runs automatically on computers with a vulnerable version of Internet Explorer or Outlook Express. As these are installed on practically every Windows system, most users who received the worm through email were infected with ease. The exploit uses a malformed MIME header that tells Outlook Express the attached infectious file is a WAV file, which allows the worm to be executed automatically. This poses a large email security problem, as no user intervention is required to open the infected file.

MIME headers specify things such as the subject line, date or filename. Earlier versions of Outlook Express were found to be vulnerable to buffer overflow attacks through the date and filename fields: by specifying a long, well-crafted string, a skilled hacker could execute arbitrary code on the target machine. Such vulnerabilities are prone to exploitation for penetrating remote networks or for delivering viruses and worms.
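As an added example (not from the paper or from Mail Security), this Python snippet uses the standard email module to compare what a MIME part's Content-Type header claims with the part's filename and its leading bytes, which is how a gateway catches a Nimda-style part that is declared audio/x-wav but carries an executable. The sample message and the magic-byte table are constructed for illustration.

```python
import email
import mimetypes
from email import policy

# Leading bytes that reveal a part's real format (constructed subset for this example).
MAGIC = [(b"MZ", "application/x-msdownload"),   # Windows executable
         (b"RIFF", "audio/x-wav")]              # genuine WAV (RIFF container)
EXECUTABLE_TYPES = {"application/x-msdownload"}

def sniff_type(data: bytes) -> str:
    """Guess a part's real media type from its first bytes, ignoring what headers claim."""
    for magic, mtype in MAGIC:
        if data.startswith(magic):
            return mtype
    return "application/octet-stream"

def inspect_message(raw: bytes) -> list:
    """Return (filename, declared type, sniffed type, verdict) for every named part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        declared = part.get_content_type()
        sniffed = sniff_type(part.get_payload(decode=True) or b"")
        by_ext = mimetypes.guess_type(name)[0] or "application/octet-stream"
        if sniffed in EXECUTABLE_TYPES:
            verdict = "block: executable content"
        elif sniffed != "application/octet-stream" and sniffed != declared:
            verdict = "block: content does not match declared type"
        elif by_ext.split("/")[0] != declared.split("/")[0]:
            verdict = "block: filename does not match declared type"
        else:
            verdict = "pass"
        findings.append((name, declared, sniffed, verdict))
    return findings

# Constructed Nimda-style message: the header claims a WAV file, but the part is
# named readme.exe and its body starts with the "MZ" executable signature (a stub).
SAMPLE = b"""Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
```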

HTML mail with embedded scripts
Nowadays, all email clients can send and receive HTML mail, which can trigger the execution of HTML scripts such as JavaScript and ActiveX. Outlook and other products use Internet Explorer components to display HTML email, meaning they inherit the security problems found in Internet Explorer. These vulnerabilities can be exploited by email to hack into corporate networks, disseminate dangerous worms, and enable the execution of system functions such as reading, writing and deleting files.

The BubbleBoy and HapTime email viruses use HTML email to circumvent security measures and infect computers. These worms use HTML scripts to exploit security holes in Outlook and Internet Explorer, so that the infectious code is executed as soon as the email is opened or viewed in the preview pane (i.e., upon receiving the email).

Such worms do not make use of attachments, so email filtering solutions that rely only on file checking fail to protect against these real risks. The success and distribution of a worm that uses HTML script exploits depends on the number of vulnerable hosts rather than on a social engineering ploy. This means that, once the email has been downloaded by the email client, only the necessary precautions - that is, a patched and up-to-date email client - can prevent infection. While this is feasible in a home environment, corporate administrators find it difficult to keep up with the patches.

Test if your email system is vulnerable to these methods!


You can easily test whether your email system is vulnerable to any of the threats described above: GFI has set up a testing zone that enables you to see how well protected your email system is against emails that contain .vbs attachments, CLSID file names, malformed MIME headers and ActiveX exploits. The tests available on this zone are safe and do not do anything dangerous - they simply detect whether your email system is safeguarded against a number of email-borne threats.

Try the tests at: http://www.gfi.com/emailsecuritytest/

Be sure to visit this page regularly: GFI Security Labs is constantly researching email threats and will add new vulnerability tests to those currently available.

Protect against these threats with Mail Security


GFI's Mail Security for Exchange 2000 protects against the methods described above through the content filtering, attachment checking and virus scanning of all incoming and outgoing emails at server level.

Virus scanning
While traditional virus scanners operate on the desktop machine, Mail Security blocks viruses at server level, meaning that network users behind Mail Security never get to see a virus. Mail Security is unique in that it allows you to use multiple virus engines to protect your company from virus threats. Mail Security comes bundled with Norman Virus Control and supports automatic updating of signature files.

Virus scanning is a well-proven way of catching known viruses and worms. However, when a new virus outbreak occurs, traditional virus scanners are usually slow to issue signatures against these new threats. Yet, the protection provided by Mail Security is multi-layered and is not just limited to virus scanning.

Attachment checking
Mail Security can also block suspicious or dubious file types that could contain dangerous content, such as *.exe, *.vbs and other files. GFI's security research team maintains an updated list of executable attachment types, which is used to catch future and unknown viruses and worms as well as existing ones. Mail Security also performs Class ID (CLSID) extension checking, which allows it to easily catch would-be attacks based on this method. This adds an important level of security to the virus scanning and attachment checking components in Mail essentials.

HTML Script removal
As described above, Active Content is prone to exploitation through email. While JavaScript and similar technologies are widely used on the web over HTTP (hypertext transfer protocol), they have little use in email. Mail essentials can easily protect against these threats by filtering out the HTML tags and attributes that can be used to execute Active Content through email. This stops unknown worms and viruses that use HTML to infect the host, as well as well-known simple attacks such as email wiretapping.
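As an added example (not GFI's code), this Python filter shows the HTML script removal described here and in the HTML mail section above: it rebuilds a mail body with the html.parser module, dropping script and ActiveX/plug-in container elements together with their contents, and stripping on* event handlers and javascript:-style URLs from the remaining tags. The tag list and the sample body are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements that load or run Active Content in a mail body (constructed list); each
# is dropped together with everything inside it.
ACTIVE_TAGS = {"script", "object", "applet", "iframe"}
# URL schemes that turn an ordinary href or src attribute into script.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives unescaped
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
            self.skip += 1            # drop everything up to the matching end tag
            return
        if self.skip:
            return
        kept = []
        for key, val in attrs:
            val = val or ""
            if key.startswith("on") or val.strip().lower().startswith(SCRIPT_SCHEMES):
                self.removed.append(tag + "@" + key)   # e.g. body@onload, a@href
                continue
            kept.append(' %s="%s"' % (key, escape(val, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape text we pass on

def strip_active_content(html: str):
    """Return (sanitised HTML, list of removed tags/attributes) for one mail body."""
    p = ActiveContentStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample body mixing harmless markup with script and an ActiveX object.
SAMPLE = ('<html><body onload="run()"><p>Hello &amp; welcome</p><script>run()</script>'
          '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
          '<a href="javascript:run()">click</a><img src="cid:logo"></body></html>')
```

A gateway product would pair this with an allowlist of permitted tags and attributes rather than the denylist used here; the denylist keeps the example short.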

For more information about Mail Security for Exchange 2000, please visit http://www.gfi.com/mailsecurity/

