Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 12.  Email Attacks

12.3 Email Exploits

Ever since the Melissa virus went around the world in a few days, email viruses, worms, and Trojans have been among the biggest threats to a computer. A well-crafted bug will not only blanket the world in hours by sending itself automatically to every person in every address book, but it can modify or damage every file on a computer or network in the same amount of time. By the time the local network administrator figures out that something is wrong, thousands of emails have been sent and tens of thousands of files have been damaged.

12.3.1 Email Worms

Email worms are among the most popular types of malicious code. They appear to come from your closest friends, and they automatically send themselves to everyone in your email address book. Virus coders depend on human psychology to help their viruses spread. The ILOVEYOU virus message apparently spoke to everyone. The Melissa virus was snapped up by pornography lovers. There is even an email virus named Pokemon that targets children. Here is a sampling of email viruses that have made headlines.

12.3.1.1 Bubbleboy

In the past, one of the things antivirus researchers could always reassure people with was, "You can't get a virus by simply reading an email!" The Bubbleboy VBScript virus, and its predecessors, invalidated that advice. The Bubbleboy email virus arrived in 1999 with the subject line, "Bubble-boy is back!" Exploiting an ActiveX security hole, the virus was among the first that did not need the user to open a file attachment in order to do its harm. In truth, an infected email had to at least be previewed (and previewing is the same as opening an email in most email clients). The embedded script would use WSH to do the rest. The virus would write a file called UPDATE.HTA to the Windows Startup folder. When the PC restarted, it automatically invoked the malicious HTML application, which then modified the owner and organization properties of Windows to Bubbleboy and Vandelay Industries, respectively. Then it sent a copy of itself to everyone in the user's Outlook contact list. Microsoft eventually released the Scriptlet/Eyedog security patch to close the hole, and Bubbleboy became just another historic virus in the evolution of malicious code.

The Bubbleboy virus was named after a famous Seinfeld episode in which a character, George (who often works for Vandelay Industries), ends up fighting with a Bubbleboy.

12.3.1.2 ILoveYou virus

An email virus/worm that started out in the Philippines in the early morning of May 5, 2000, had blanketed the world a few hours later. Written in VBScript by a few college students, it arrived in everyone's inbox with a subject line of ILOVEYOU. The message text said, "Kindly check the attached LOVELETTER coming from me." It included a file attachment called LOVE-LETTER-FOR-YOU.TXT.VBS. The ILOVEYOU virus would earn the title of the most widespread virus in history. Never had so much damage been done so quickly. It impacted the world and slowed production in most of the world's computerized nations.

When the file attachment in the email was clicked, WSH was called to execute the malicious commands. The user was even prompted to bypass any "unsafe code" warnings initiated by Outlook. The worm would then modify the registry, adding copies of itself as MSKERNEL32.VBS and WIN32DLL.VBS to the autorun areas. It then scanned the hard drive and overwrote files of the following types with copies of itself: .JPG, .JPEG, .MP3, .MP2, .VBS, .VBE, .JSE, .CSS, .WSH, .SCT, and .HTA, effectively destroying each file (actually, .MP3 and .MP2 files were not overwritten, just hidden, and a virus copy was left in their place). It used Outlook to send copies of itself to all email addresses in the address book. It changed the home page of Internet Explorer to point to a malicious web link, which tried to download another file. That file, WIN-BUGSFIX.EXE, attempted to steal passwords and other information. The worm even checked to see if the user's machine was connected to IRC chat channels, and if so, overwrote the SCRIPT.INI file to try to infect current channels with the DCC SEND command. All in all, it did a lot of damage and did it quickly.

This attack was significantly more serious than Melissa, and it was the first malicious mobile code attack I had seen that shut down more than just email systems. It spread so quickly that anything Internet-related or email-enabled was shut down. Paging systems, cell phone systems, the telephone company, and newspaper departments were all overwhelmed. It took the world days to clean up, and variants are still popping up all the time.

One ILOVEYOU variant, called VBS.Loveletter.bd, downloads a password-stealing program to copy online banking information off computers that connect to the United Bank of Switzerland. This is just one example where a virus can be used to compromise confidential information.

12.3.1.3 Hiding viruses

Malicious files have often tried to hide their true nature by appearing to be one type of file when they are really something else. By default, Windows hides the extensions of certain known file types. This can make a file called PICTURE.GIF.EXE appear as PICTURE.GIF. The user, thinking picture files are safe to open, could then double-click on the file attachment and end up running a malicious program instead. With the FBI Secret virus, a malicious attachment arrives as TUVEVEU.GIF.VBS. But if Windows is left at its default of hiding file extensions, the attachment will appear to be a harmless .GIF file.
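The hidden-extension trick above, and the ILOVEYOU attachment name in 12.3.1.2, can be caught at a mail gateway by judging a name on its last extension (the one Windows acts on) rather than the one the user sees. The following Python classifier is an added example, not from the book; its extension sets are illustrative assumptions, not a complete policy.

```python
import os

# Extensions Windows hands to a script host or loader; the ILOVEYOU worm
# arrived as .VBS and Bubbleboy dropped an .HTA. Illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe",
    ".js", ".jse", ".wsh", ".wsf", ".hta", ".sct",
}
# Extensions a user reads as harmless data, and therefore worth spoofing.
DATA_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".txt", ".doc", ".mp3", ".pdf"}


def extension_chain(filename):
    """Return every extension in order, e.g. 'PICTURE.GIF.EXE' -> ['.gif', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename):
    """Verdict for one attachment name, judged on what Windows would actually run.

    'block'      the real (last) extension is executable, whatever precedes it
    'suspicious' a data extension is followed by another extension (spoofing shape)
    'allow'      everything else
    """
    exts = extension_chain(filename)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        return "block"
    if len(exts) > 1 and exts[-2] in DATA_EXTENSIONS:
        return "suspicious"
    return "allow"


def triage_message(attachment_names):
    """Group a message's attachment names by verdict for gateway policy."""
    verdicts = {"block": [], "suspicious": [], "allow": []}
    for name in attachment_names:
        verdicts[classify_attachment(name)].append(name)
    return verdicts


if __name__ == "__main__":
    # Constructed sample: names from this chapter plus benign controls.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.VBS", "PICTURE.GIF.EXE", "TUVEVEU.GIF.VBS",
              "UPDATE.HTA", "holiday.jpg.zip", "report.pdf", "archive.tar.gz"]
    for verdict, names in triage_message(sample).items():
        print(f"{verdict:10s} {names}")
```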

12.3.1.4 Hybris

Hybris has been one of the most sophisticated email worms to date. Hybris contains malicious code that infects the WSOCK32.DLL on the victim's computer. From there it can send itself to the addresses it sees in incoming email. Its claim to fame is its ability to download 32 different encrypted plug-ins, which give the virus new functionality. One plug-in allows the virus to encrypt itself, and another creates random-looking email messages with different subjects, text, and filenames (in four different languages). It also looks for PCs already compromised with the SubSeven remote access Trojan. It even harasses the alt.comp.virus newsgroup by sending encoded messages. In the first few days, the newsgroup had received over 3000 messages.

12.3.2 Email Exploits

Not all malicious email code comes in the form of viruses, worms, or Trojans. Malicious code can also be embedded in the body of the email message or attached as an HTML link.

12.3.2.1 Users don't even have to open email for an exploit to execute

Microsoft found an exploit (see Microsoft Knowledge Base Article #Q267884) where a malicious HTML message could grab information from Microsoft Outlook Express's preview pane and send that content to a remote site for review. A remote hacker could send a specially crafted email and gain access to a user's email messages. Another security hole allowed a malicious HTML message with a malformed header to cause a buffer overflow in either Outlook or Outlook Express. The rogue header would cause the buffer overflow while the email was downloading, so the exploit didn't require the user to open the email, or even to be present. This type of exploit has been found before. As we already know, buffer overflows can cause anything from program lockup to complete system compromise on an exploited machine. Microsoft was able to post a patch for both vulnerabilities shortly after their announcement.

12.3.2.2 Internet cache vulnerability

There have been at least two separate exploits involving the same underlying vulnerability. CERT Advisory CA-2000-14 discusses an exploit involving the temporary cache area used by Internet Explorer and most versions of Outlook. When viewing a web page, or reading an email with embedded HTML code, file objects are temporarily downloaded to the computer's predefined Internet cache area (this happens whether or not the user later approves running them). Internet Explorer's security mechanisms handle HTML content regardless of whether it is downloaded in the browser or in Outlook. Files downloaded into the cache area are covered under the Internet security zone.

Files attached to emails are downloaded to wherever the user or program decides and are not normally placed in a random cache. These exploits are concerned with what Microsoft calls inline files, that is, files (graphics, audio, and so on) embedded in an HTML view. Inline files, treated like downloaded graphics in a browser, are temporarily stored in a cache directory.

In the first exploit, known as the Cache Bypass Vulnerability, malicious inline files can be stored outside the cache area. Inline files stored outside the cache are covered by the My Computer zone, thereby inheriting significantly fewer security restrictions. An HTML email can open a file that is not in the cache, but only if it knows the file's name and complete path. The complete path isn't so hard to guess, but downloaded inline files are often assigned a random name and GUID. In order to be retrieved or launched, a malicious exploit would have to know the random name or GUID ahead of time. In this exploit, a malicious HTML email can store rogue files outside the normal cache area and predefine their name and location. A second tandem exploit can then be used to launch the malicious code in the unprotected My Computer security zone. As with a buffer overflow, almost anything can be accomplished.
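A compact model of the zone rule this section describes, written as an added example (not the book's or Microsoft's code): a file's zone follows its resolved location, so an inline-file name that escapes the cache lands in the My Computer zone, while storing under a random name fixed inside the cache removes both the predictable path and the predictable name. The cache directory is a constructed placeholder, and `ntpath` is used so the Windows path rules apply on any host.

```python
import ntpath
import uuid

# Constructed placeholder for the browser/Outlook cache directory.
CACHE_DIR = r"C:\Windows\Temporary Internet Files"


def resolve_inline_file(supplied_name, cache_dir=CACHE_DIR):
    """Where an inline file would land if the name from the HTML were trusted as-is."""
    return ntpath.normpath(ntpath.join(cache_dir, supplied_name))


def zone_for(resolved_path, cache_dir=CACHE_DIR):
    """Model of the zone rule: inside the cache -> Internet zone, anywhere else -> My Computer."""
    cache = ntpath.normpath(cache_dir)
    try:
        inside = ntpath.commonpath([cache, resolved_path]).lower() == cache.lower()
    except ValueError:  # different drive, or absolute/relative mix: certainly not inside
        inside = False
    return "Internet" if inside else "My Computer"


def safe_cache_path(supplied_name, cache_dir=CACHE_DIR):
    """Hardened storage: discard the supplied directory part and name, keep only the
    extension, and store under a random name directly inside the cache."""
    ext = ntpath.splitext(ntpath.basename(supplied_name))[1]
    return ntpath.join(cache_dir, f"{uuid.uuid4()}{ext}")


if __name__ == "__main__":
    # Constructed names: a normal inline image and one that climbs out of the cache.
    for name in ("image.gif", r"..\..\known\location.htm"):
        trusted = resolve_inline_file(name)
        hardened = safe_cache_path(name)
        print(f"{name!r}\n  trusted name -> {trusted} [{zone_for(trusted)}]"
              f"\n  random name  -> {hardened} [{zone_for(hardened)}]")
```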

12.3.2.3 Compiled help vulnerability

Another related exploit is called the Compiled Help Vulnerability. Microsoft's HTML Help™ is a new standard help system for the Windows platform. It allows anyone to create sophisticated help files for applications, but it is also designed for use with interactive books, training guides, tutorials, and electronic newsletters. As such, it uses some of the underlying components of Internet Explorer and allows HTML, graphics, and scripting languages to be used. Furthermore, help files can be compiled (and assigned the .CHM extension) for faster execution. Whenever a compiled help file is clicked on, the HTML Help program (HH.EXE) calls the HTML Help ActiveX control (HHCTRL.OCX) and a related Internet Explorer file (SHDOCVW.DLL) to show the help file.

CERT Advisory CA-2000-12 announced that a malicious web site or email could download a harmful compiled help file to a user's temporary cache and later execute the file with Internet Explorer's ShowHelp call. Microsoft patched the first compiled help vulnerability, only to see other researchers reveal related weaknesses. CERT went further in their announcement by addressing the vulnerabilities caused by any program with a default path storage area, including email and chat programs, which place downloaded files in predictable locations.

12.3.2.4 vCard buffer overflow

Outlook and Outlook Express both support the Internet email technology of vCards as defined in RFC 2426. vCards are used in many email clients as a standard way of exchanging sender address book information as a file attachment. When a receiver gets a vCard, they simply double-click on it to add all the sender's information to their own address book. It was discovered in February 2001 that a malformed vCard sent to Outlook or Outlook Express could cause a buffer overflow on the PC. Microsoft was notified and soon had a patch out.
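Added example, not from the book: a strict RFC 2426 vCard reader that enforces the BEGIN/END envelope and a length limit on every property value, the kind of bounds check whose absence lets a malformed vCard (or the malformed header in 12.3.2.1) overrun a fixed buffer in a native client. MAX_VALUE_LEN, the property list and the sample cards are constructed assumptions.

```python
# Constructed limit standing in for the fixed-size buffer a native client might
# copy each property into; ALLOWED_PROPERTIES is likewise an illustrative subset.
MAX_VALUE_LEN = 256
ALLOWED_PROPERTIES = {"VERSION", "FN", "N", "EMAIL", "TEL", "ORG", "ADR", "NOTE", "URL"}


def unfold(text):
    """Join RFC 2426 folded lines (a CRLF followed by one space or tab) back together."""
    lines = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        elif line:
            lines.append(line)
    return lines


def parse_vcard(text):
    """Parse one vCard into {PROPERTY: value}; raise ValueError on anything out of spec
    rather than passing oversized or unexpected content on to the address book."""
    lines = unfold(text)
    if len(lines) < 3 or lines[0].upper() != "BEGIN:VCARD" or lines[-1].upper() != "END:VCARD":
        raise ValueError("missing BEGIN:VCARD / END:VCARD envelope")
    card = {}
    for line in lines[1:-1]:
        if ":" not in line:
            raise ValueError(f"no property separator in {line[:40]!r}")
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()  # drop parameters such as TYPE=WORK
        if name not in ALLOWED_PROPERTIES:
            raise ValueError(f"unexpected property {name!r}")
        if len(value) > MAX_VALUE_LEN:  # the bounds check a fixed buffer needs
            raise ValueError(f"{name} is {len(value)} chars, limit is {MAX_VALUE_LEN}")
        card[name] = value
    if card.get("VERSION") != "3.0":
        raise ValueError("only vCard 3.0 is accepted")
    return card


def accepts(text):
    try:
        parse_vcard(text)
        return True
    except ValueError:
        return False


# Constructed samples: a normal card with one folded NOTE, and one carrying an oversized FN.
GOOD_VCARD = ("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Sender\r\n"
              "NOTE:first half,\r\n  second half\r\n"
              "EMAIL;TYPE=INTERNET:sender@example.com\r\nEND:VCARD\r\n")
OVERSIZED_VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:" + "X" * 4000 + "\r\nEND:VCARD\r\n"
```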

Although the exploits listed earlier involve Outlook or Outlook Express, all Windows-based email clients are full of potential holes. Both Eudora and Pegasus have had multiple documented email exploits and viruses specifically targeted toward their programs as well.

Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176