12.6 Preventing Email Attacks

144 - Pager Alerts and Email Attacks</h2> <P><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr valign="top"><td align="center"><table width="95%"><tr><td align="left"><table width="100%" border="0" cellspacing="0" cellpadding="5"><tr><td valign="top" width="76" rowspan="2"><img src="/books/1/47/1/html/2/images/156592682X/malmobcode_xs.gif" width="76" height="100" border="0"></td><td valign="top">Malicious Mobile Code: Virus Protection for Windows<br>By Roger A. Grimes<br></td></tr><tr><td valign="bottom"> Chapter 12.   Email Attacks</td></tr></table><hr size ="1"><br><table width="100%" border="0" cellspacing="0" cellpadding ="0"><tr><td valign="top"> <H3 id="193448-985">12.6 Preventing Email Attacks</h3> <P>Antivirus scanners alone cannot protect you against email attacks. As the I Love You virus proved, by the time the antivirus folks have updated their signature databases to find the latest bug, it has already spread around the world. Here are some better suggestions. 
The first four are for anyone using Internet email, and the rest are for Outlook users. </p> <H4>12.6.1 Disable Scripting and HTML Content in Email</h4> <P>Most Windows-based email systems, if they are HTML-enabled, allow you to disable scripting and HTML. Let's face it. HTML-enabled email is pretty, but it can easily contain malicious code. Do yourself a favor and keep non-text email features to a minimum. </p> <H4>12.6.2 Treat Unexpected Emails with Caution</h4> <P>Most email viruses rely on end-users to run attached files or click on Internet links. Stop the habit. Do not run untrusted attachments and don't click on Internet links in emails that arrive unexpectedly in your inbox. Do read any text-based message or joke to your heart's content. Some people will go as far as to inspect the email headers of suspicious messages, looking to see if the message really came from where it claims. This doesn't help with the whole crop of email worms that send themselves from a friend's unprotected email client. </p> <H4>12.6.3 Keep Email Client Updated</h4> <P>As with any other Internet-enabled software, keeping your email client up-to-date will ensure the latest security holes are patched. And because email clients and browsers are often integrated, make sure to keep your browser current, too. On March 29, 2001, Microsoft revealed a MIME-header exploit that would allow a malicious HTML-enabled email to execute any program it wanted on an Internet Explorer/Outlook user's machine. Only by applying Internet Explorer Service Pack 2 would the email hole be closed. </p> <H4>12.6.4 Run Antivirus Software</h4> <P>If the first three steps were strictly followed, email viruses/Trojans/worms wouldn't have much of a chance to spread. However, this isn't the case, and email administrators must do their best to make sure that malicious mobile code doesn't arrive in end-users' inboxes. Use antivirus software that scans incoming messages for malicious mobile code. 
Corporate administrators should run antivirus software on their email servers so they can remove viruses before they get a chance to arrive. </p> <H4>12.6.5 Implement Outlook Security Patch</h4> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>Some of the information contained in this section was taken from O'Reilly & Associates author Tom Syroid's series, "Beware the Briar Patch." A complete transcript of his article is available at http://www.oreilly.com. </p> </td></tr></table></td></tr></table></p> <P>Microsoft was criticized for years for not doing enough to prevent malicious code from using Outlook to spread. A half-dozen or so minor patches were released to close up specific holes in Outlook and Outlook Express, but defensive techniques were intentionally limited because increasing security meant decreasing functionality and made email harder to use. However, after the ILoveYou virus, Microsoft decided to release a security patch that would significantly limit the spreading of malicious code at the expense of functionality. If applied, it is a great deterrent to malicious mobile code. However, its across-the-board changes can significantly impact the legitimate uses of Outlook. People who intend to apply the patch should read this section thoroughly and decide for themselves if it is worth the cost. 
</p> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>If you use Outlook 2000, Outlook SR-1 or SR-1a must be applied prior to the Outlook Email Security Update. This is a long process (45 minutes or more) and requires the original Outlook installation media. SR-1 contains several security updates, including patches to close exploits using Excel <I>SYLK</i> files and the ODBC vulnerability discussed in the last chapter. </p> </td></tr></table></td></tr></table></p> <P>You should understand Microsoft's <I>Outlook Email Security Update</i> for Outlook 98 and 2000 (there is no Outlook 97 version) completely before you implement it. Once installed, it can be difficult to uninstall. After it is applied, most people will come across situations where it disables legitimate uses of email. It can be frustrating, and although there are ways to circumvent the controls, the work-arounds are not elegant. </p> <P>The Microsoft Outlook Email Security Update was Microsoft's third patch to control malicious file attachments. The first, called the <I>Outlook E-Mail Attachment Security Update</i>, required that a limited number of file types be saved to disk before opening. If applied, users could no longer just double-click on an attached file to launch it. It was believed that the additional step would make email readers think more about the file attachment before they opened it. And it did, but it did little to prevent the spread of malicious code. It just slowed it down slightly. A second patch was released with the <I>Microsoft Outlook Service Release 1 (SR-1)</i> update. 
It provided the same functionality as the first patch (along with some additional fixes), but allowed users to modify a list of acceptable files that could be launched within the email system. Most security experts felt Microsoft's security attempts were halfhearted. Microsoft responded with the Outlook Email Security Update. It was designed with two goals in mind: </p> <UL><LI><P>To prevent script language attacks from using Outlook as a way to attack a user's PC </p></li><LI><P>To prevent script language attacks from spreading using Outlook</p></li></ul> <P>To that end, with the update applied, Outlook prevents the user from opening file attachment types that are known to be candidates for spreading malicious mobile code. This includes a large list of files (see Table 12-4), but does not include all types of malicious code. For example, Microsoft consciously chose to exclude the most popular MS Office document types. Thus, you can send MS Word and MS Excel files as you normally would. The thinking was that Microsoft Office's macro security (97 and above) has the ability to disable macro virus attacks, so there was no reason to prevent what is already prevented. I'm not sure I agree with that philosophy, as macro viruses still account for the majority of malicious code attacks. On that same note, Microsoft has specifically chosen to include Microsoft Access objects and databases on the list of file attachments that aren't allowed to be accessed in Outlook with the update applied. This is because Access does not have any macro virus security. </p> <P>File types with a potential malicious risk cannot be viewed or accessed in Outlook; they are called <I>Level 1 Attachments</i> and are listed in Table 12-4. Other file types, with less risk, are called <I>Level 2 Attachments</i>. 
Level 2 files can be saved to disk, but cannot be directly launched in Outlook (they can be seen with <I>Quick View</i>™, if enabled). There are no file types automatically defined as Level 2. File types (actually, file extensions) not listed as Level 1 or Level 2 can be accessed normally. The list of files considered as Level 1 or 2 files can only be changed in a Microsoft Exchange mail server environment by the Administrator. Outlook users who store their messages in <I>.PST</i> files cannot modify the list of Level 1 or 2 files prohibited by the security update. </p> <P><TABLE CELLSPACING="0" BORDER="1" RULES="all" CELLPADDING="4" WIDTH="100%"><CAPTION><h5>Table 12-4. Outlook default Level 1 file extensions</h5></caption><COLGROUP span="2"></colgroup><THEAD><TR><TH> <P>File extension</p> </th><TH> <P>Description</p> </th></tr></thead>
<TR><TD> <P>.ADE</p> </td><TD> <P>Microsoft Access Project Extension</p> </td></tr>
<TR><TD> <P>.ADP</p> </td><TD> <P>Microsoft Access Project</p> </td></tr>
<TR><TD> <P>.BAS</p> </td><TD> <P>Visual Basic Class Module</p> </td></tr>
<TR><TD> <P>.BAT</p> </td><TD> <P>Batch file</p> </td></tr>
<TR><TD> <P>.CHM</p> </td><TD> <P>Compiled HTML Help file</p> </td></tr>
<TR><TD> <P>.CMD</p> </td><TD> <P>Windows NT command script</p> </td></tr>
<TR><TD> <P>.COM</p> </td><TD> <P>Executable file</p> </td></tr>
<TR><TD> <P>.CPL</p> </td><TD> <P>Control Panel extension</p> </td></tr>
<TR><TD> <P>.CRT</p> </td><TD> <P>Security certificate</p> </td></tr>
<TR><TD> <P>.EXE</p> </td><TD> <P>Executable file</p> </td></tr>
<TR><TD> <P>.HLP</p> </td><TD> <P>Windows Help file</p> </td></tr>
<TR><TD> <P>.HTA</p> </td><TD> <P>HTML application</p> </td></tr>
<TR><TD> <P>.INF</p> </td><TD> <P>Windows Setup Information file</p> </td></tr>
<TR><TD> <P>.INS</p> </td><TD> <P>Internet Communication settings</p> </td></tr>
<TR><TD> <P>.ISN</p> </td><TD> <P>Internet link</p> </td></tr>
<TR><TD> <P>.ISP</p> </td><TD> <P>Internet Communication settings</p> </td></tr>
<TR><TD> <P>.JS</p> </td><TD> <P>JScript file</p> </td></tr>
<TR><TD> <P>.JSE</p> </td><TD> <P>JScript Encoded Script file</p> </td></tr>
<TR><TD> <P>.LNK</p> </td><TD> <P>Shortcut</p> </td></tr>
<TR><TD> <P>.MDB</p> </td><TD> <P>Microsoft Access application</p> </td></tr>
<TR><TD> <P>.MDE</p> </td><TD> <P>Microsoft Access MDE database</p> </td></tr>
<TR><TD> <P>.MSC</p> </td><TD> <P>Microsoft Common Console document</p> </td></tr>
<TR><TD> <P>.MSI</p> </td><TD> <P>Windows Installer package</p> </td></tr>
<TR><TD> <P>.MSP</p> </td><TD> <P>Windows Installer patch</p> </td></tr>
<TR><TD> <P>.MST</p> </td><TD> <P>Visual Test source file</p> </td></tr>
<TR><TD> <P>.PCD</p> </td><TD> <P>Photo CD image</p> </td></tr>
<TR><TD> <P>.PIF</p> </td><TD> <P>Program Information file</p> </td></tr>
<TR><TD> <P>.REG</p> </td><TD> <P>Registry file</p> </td></tr>
<TR><TD> <P>.SCR</p> </td><TD> <P>Screensaver</p> </td></tr>
<TR><TD> <P>.SCT</p> </td><TD> <P>Windows Script Component</p> </td></tr>
<TR><TD> <P>.SHS</p> </td><TD> <P>Shell Scrap object</p> </td></tr>
<TR><TD> <P>.SHB</p> </td><TD> <P>Shell Scrap object</p> </td></tr>
<TR><TD> <P>.URL</p> </td><TD> <P>Internet URL</p> </td></tr>
<TR><TD> <P>.VB</p> </td><TD> <P>VBScript file</p> </td></tr>
<TR><TD> <P>.VBE</p> </td><TD> <P>VBScript Encoded Script file</p> </td></tr>
<TR><TD> <P>.VBS</p> </td><TD> <P>VBScript Script file</p> </td></tr>
<TR><TD> <P>.WSC</p> </td><TD> <P>Windows Script Component</p> </td></tr>
<TR><TD> <P>.WSF</p> </td><TD> <P>Windows Script file</p> </td></tr>
<TR><TD> <P>.WSH</p> </td><TD> <P>Windows Scripting Host Settings file</p> </td></tr>
</table></p> <P>If you open an email message with a Level 1 file attachment, the file remains attached to the message but is unavailable. It cannot be viewed, saved, or printed, and sometimes cannot even be forwarded. When such a message is opened, a warning appears giving the file's name and text indicating that it is unavailable. Files not covered by the update will still be available as usual. Blocked files that were previously able to be viewed in Outlook will be unavailable after the update. Users installing this patch should quickly view their messages to see if any files need to be saved to disk prior to applying the update. Figure 12-1 shows how a user is prevented from accessing potentially dangerous file attachments after the Outlook Security Update is applied. </p> <CENTER> <H5>Figure 12-1. Users will be prevented from accessing potentially dangerous file attachments after the Outlook Security Update is applied</h5> <IMG BORDER="0" WIDTH="460" HEIGHT="334" src="/books/1/47/1/html/2/images/156592682X/figs/MMC_1201.gif" ALT="figs/MMC_1201.gif"></center> <P>The message indicating that a file was blocked is displayed in the information field at the top of the message. The information field is limited to four lines, and if enough other information is contained in the same field, the warning message may not be displayed. Furthermore, although file attachment security is equally enforced in other areas of Outlook (i.e., Tasks, Journal, Meetings, etc.), no warning message appears there. </p> <P>If you try to forward a message that contains a Level 1 file attachment to another user, the file will be stripped before sending. Among other things, this prevents users with blocked files from forwarding them to users without the update so they can be opened there. 
However, you can create and send email messages with attached Level 1 files to other recipients. Outlook assumes that since you already have access to the file, no further protection can be accomplished by blocking it. Of course, if the recipient has the Outlook Email Security Update installed, they will be unable to access the file when it arrives. When you send a message with a Level 1 file, Outlook warns you of the possible danger and asks you to reaffirm your decision. </p> <H5>12.6.5.1 Getting around blocked access to file attachments</h5> <P>There are times when you absolutely need to have legitimate access to a prohibited file attachment. There are a handful of things you can try: </p> <UL><LI><P>Have the originating user rename the attachment to a file extension that isn't blocked by the Security Update. For instance, if you are being sent <I>TEST.EXE</i>, have the sender rename it to <I>TEST.TXT</i> (prior to attachment) and send it. You can then save it back to your local hard drive as <I>TEST.EXE</i>. This is the only option available to Outlook clients who store messages in personal folder files (PST), like Internet Mail-only Outlook clients, and it's the easiest solution overall. </p></li><LI><P>Have the sender send the file to a computer workstation without the update applied. This might work well in a company where only IT has the rights to manipulate blocked files. That way they can analyze the incoming file and determine its level of risk. </p></li><LI><P>If you have a copy of Outlook Express on the same computer, you can export the message from Outlook (actually, the whole folder the message is located in) to a PST file, and then import (File→Import) it into Outlook Express. Since Outlook Express is not affected by the Outlook Email Security Update, you can access the previously prohibited message. 
</p></li><LI><P>For corporate users who have access to Exchange's <I>Outlook for Web Access</i> (OWA) client, messages accessed with it will not have blocked files. </p></li><LI><P>For messages stored in the Exchange server store databases (MDB), the Exchange Administrator can define nonstandard Level 1 and Level 2 extensions to allow common file types to be exchanged (covered later in this chapter). </p></li></ul> <H5>12.6.5.2 Preventing malicious code from using Outlook to spread</h5> <P>The Outlook Email Security Update prevents most malicious code types from entering a user's inbox. However, it doesn't prevent all incoming file attachments that could contain malicious mobile code (where there is a will there is a way). And blocking file attachments does not prevent malicious mobile code gained through other methods (i.e., Internet browser, macro viruses, etc.) from making it to a user's PC. Once on the user's PC, the malicious code might still be able to send itself out using the address book (remember, the security patch does not block creating new messages with malicious file types). Because of that, the Security Update also prevents most external programs from using Outlook and its programming interfaces, as part of its <I>Object Model Guard</i> component. </p> <P>Most of the previously automated accesses to Outlook have been prevented, including the send capabilities of Outlook, access to email address information stored in the Contacts, the Personal Address Book and the Global Address Book, as well as to address fields in Outlook forms. If an external program attempts to access Outlook to read email addresses or send an email, a warning message will appear asking the user to approve or deny access (see Figure 12-2). Unfortunately, the dialog box does not tell what program or process is trying to get prohibited access, or what it is trying to do. 
Unless you have chosen a program or feature within an application in which you are expected to use email or messaging capabilities, deny the access. </p> <CENTER> <H5>Figure 12-2. External program manipulation warning</h5> <IMG BORDER="0" WIDTH="288" HEIGHT="149" src="/books/1/47/1/html/2/images/156592682X/figs/MMC_1202.gif" ALT="figs/MMC_1202.gif"></center> <P>Answering either yes or no will result in all additional external program requests to Outlook being allowed or denied access, depending on your answer, during the timed countdown. If you choose No and then want to allow an external program access before the countdown is finished, you must exit Outlook and restart. Also, each object model (Simple MAPI, CDO, CMC) has a different timer. If one external program accesses Simple MAPI and another accesses CDO, two timer dialog boxes will be shown. </p> <P>The Security Update will automatically remove CDO from Outlook 98, but not from Outlook 2000 (only because CDO isn't installed by default in Outlook 2000). CDO and Simple MAPI are used by hundreds of legitimate programs. If the Outlook Email Security Update is applied to a machine with programs that access Outlook's mail interface as a rule, there is a good chance the programs will be interrupted or fail. Keep this in mind when installing the security update. </p> <H5>12.6.5.3 Strengthening overall Outlook security</h5> <P>You have always been able to change Outlook's security zone (the same ones used by Internet Explorer), but the installed default was the <I>Internet</i> zone. The Security Update changes Outlook's default security zone to <span>Restricted</span>. 
Although I highly recommend against it, you can change access back to <I>Internet</i> by choosing Tools→Options→Security. The Restricted zone disables scripting and the downloading of executable content on machines with IE 5.5 and higher. Machines with earlier versions of Internet Explorer still need the settings of the Restricted zone modified so that scripting is disabled. If email (or a web page) is received from a previously trusted domain or web site, as defined in the <span>Local Intranet</span> or <span>Trusted</span> zones, its contents will still be able to execute. </p> <P>Without this new setting, although an email might not be able to have a malicious attached file, it could still contain harmful embedded scripting and attempt to cause harm. It is important to note that file attachments, if not blocked, will run with Internet zone security settings. Thus, the exact same script language could be launched in the Restricted (embedded in a message) or Internet (file attachment) zone, depending on location. </p> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>Changes you make in a particular security zone setting will affect Internet Explorer, Outlook, and Outlook Express, if they also use the same zone. 
</p> </td></tr></table></td></tr></table></p> <P>The Outlook Security Update also makes sure that the macro security settings in MS Office are set to High, which automatically disables any untrusted macros stored within documents. </p> <H5>12.6.5.4 Options for Outlook 97 and Outlook Express users</h5> <P>Although the Outlook Security Update is not available for Outlook 97 or Outlook Express users, there are still some things you can do to mitigate the risk of malicious email code. First, download and install all related security patches. Some will mimic part of the behavior of the Security Update (i.e., force users to save attached files to disk), but none will deny complete access to any incoming file object. Then, change your Outlook security zone to the Restricted sites setting, and disable scripting and anything else that increases exposure to malicious mobile code. </p> <H5>12.6.5.5 Problems with Outlook Security Update</h5> <P>Besides not being able to access prohibited file types, which are often legitimate, there are some other annoyances caused by the Outlook Email Security Update: </p> <UL><LI><P>It can cause problems with information synchronization of PDAs to Outlook resources. Most PDA vendors have released software updates to address the problem. Even when the new PDA software does work, the user is prompted to accept the PDA access and is forced to limit the automated access to a maximum of 10 minutes. </p></li><LI><P>Automated document routing with Office applications can be affected.</p></li><LI><P>Mail merge operations can be affected.</p></li><LI><P>Automated fax server integration can be affected.</p></li><LI><P>It affects the operation of other legitimate programs that you want to have access to your Outlook information. </p></li><LI><P>The update is not available for Outlook Express, which is installed with almost every current Microsoft operating system. 
</p></li></ul> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>Internet Explorer 6.0 has a new Outlook Express version, 6.0. According to beta testers, Microsoft has added a few security features that mimic part of the functionality of the Outlook Security Update. Potentially malicious file attachments can be blocked and users will be warned if a program tries to send email. </p> </td></tr></table></td></tr></table></p> <H5>12.6.5.6 Uninstalling the Outlook Security Update</h5> <P>Some users are so frustrated by Outlook's blanket treatment of file attachments, and the way it inhibits their legitimate work, that they want to remove it later. If you have applied it to Outlook 98, choose Start→Settings→Control Panel→Add/Remove Programs and choose to uninstall the Outlook Email Security Update. Outlook 2000 is more difficult -- you can't uninstall the update! In order to remove the update, you must completely uninstall Outlook 2000 (of course, backing up your messages first), and reinstall. Even then, in some cases, it cannot be uninstalled, and Microsoft's Knowledge Base must be consulted. 
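As an added example, not code from the book or from Microsoft's update, the following Python models the attachment gate this section describes: the Level 1 list of Table 12-4, an optional administrator-defined Level 2 list, and the rule that only the final extension decides. That rule is why the rename workaround of Section 12.6.5.1 gets a file through, and why a blocked file carrying a second, harmless-looking extension (the kind Section 12.6.7 tells you to stop hiding) is worth flagging. Forwarding strips Level 1 files, as described above. The names classify, forward_strip and summarize, and the sample file names, are this example's own.

```python
"""Attachment gating in the style of the Outlook Email Security Update.

Added example, not code from the book or from Microsoft. Level 1 is the
list in Table 12-4; Level 2 is empty unless an administrator defines it.
"""
import ntpath
from dataclasses import dataclass

# Table 12-4, upper-cased; matching below is case-insensitive.
LEVEL1_EXTENSIONS = frozenset("""
ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISN ISP JS JSE LNK
MDB MDE MSC MSI MSP MST PCD PIF REG SCR SCT SHS SHB URL VB VBE VBS WSC WSF WSH
""".split())

DEFAULT_LEVEL2 = frozenset()   # the update defines no Level 2 types by default


@dataclass(frozen=True)
class Verdict:
    filename: str
    level: int      # 1 = blocked, 2 = save to disk only, 0 = opens normally
    reason: str


def extensions_of(filename):
    """Return (base name, every extension upper-cased): 'a.txt.vbs' -> ['TXT', 'VBS'].

    Windows ignores trailing spaces and dots when it resolves a name, so they
    are stripped first; only the last extension selects the handler."""
    name = ntpath.basename(filename.replace("/", "\\")).rstrip(" .")
    return name, [part.upper() for part in name.split(".")[1:] if part]


def classify(filename, level2=DEFAULT_LEVEL2):
    """Apply the update's rule: the final extension alone decides the level."""
    name, exts = extensions_of(filename)
    if not exts:
        return Verdict(name, 0, "no extension: opens normally")
    final = exts[-1]
    if final in LEVEL1_EXTENSIONS:
        reason = "Level 1: blocked"
        if len(exts) > 1 and exts[-2] not in LEVEL1_EXTENSIONS:
            # What a user sees with 'Hide file extensions for known file types' on.
            reason += " (displays as .%s when extensions are hidden)" % exts[-2]
        return Verdict(name, 1, reason)
    if final in level2:
        return Verdict(name, 2, "Level 2: save to disk before opening")
    return Verdict(name, 0, "not listed: opens normally")


def forward_strip(attachments, level2=DEFAULT_LEVEL2):
    """Forwarding a message drops its Level 1 attachments; the rest travel."""
    return [a for a in attachments if classify(a, level2).level != 1]


def summarize(attachments, level2=DEFAULT_LEVEL2):
    """Group attachment names by level, as a gateway log might."""
    groups = {0: [], 1: [], 2: []}
    for a in attachments:
        groups[classify(a, level2).level].append(a)
    return groups


if __name__ == "__main__":
    # Constructed sample attachments (not taken from any real message).
    sample = ["budget.xls", "TEST.EXE", "TEST.TXT", "LOVE-LETTER-FOR-YOU.TXT.vbs",
              "contacts.mdb", "archive.zip"]
    for a in sample:
        v = classify(a, level2=frozenset({"ZIP"}))
        print("%-30s level %d  %s" % (v.filename, v.level, v.reason))
    print("forwarded as:", forward_strip(sample))
```

Note that classify passes TEST.TXT precisely because the update looks no further than the extension; that is the limitation the rename workaround relies on, and the reason the book pairs the update with antivirus scanning rather than replacing it.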
</p> <P>Although Microsoft's Outlook Email Security Update is a bit heavy-handed in its approach, if installed, it will significantly decrease the chance of malicious mobile code spreading in your environment. In a well-managed environment, the update can be a tool of control. It prevents most malicious code from entering a company's networks, and forces end-users to get the information technology team involved to approve acceptable files. </p> <P>I am constantly surprised by organizations that continually depend on antivirus scanning software alone to protect their email. Each and every email attack takes them at least a day to stop and clean. It interrupts business and undermines users' confidence in computers. Instead of preventing the problem, IT downloads the most recent antivirus signature database, feeling somewhat prepared, only to let it happen again and again. Microsoft's Outlook Security Update is a good first step, and when used with the next recommendation, it will significantly decrease the risk of email attacks (until the next malicious technology breakthrough). </p> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>Microsoft Office 2000 SR-2 was released in November 2000 containing nearly a hundred bug fixes. Among the many security updates are a handful of fixes to the Outlook Email Security Update. </p> </td></tr></table></td></tr></table></p> <H4>12.6.6 Remove WSH Association</h4> <P>By default, VBScripts or JavaScripts embedded in emails or arriving as file attachments will attempt to call the Windows Scripting Host engine to do their dirty work. 
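Rather than inspect each file type by hand, the script associations this section changes and the NeverShowExt values of Section 12.6.7 can be checked from a regedit export. The following Python is an added example, not code from the book: it parses the .reg format, resolves each script extension named in this section to its Shell\Open\Command handler, flags the ones that still invoke WScript.exe or CScript.exe, and lists extensions whose ProgID carries a NeverShowExt value other than 0. The sample export embedded in it is constructed, and parse_reg, audit_script_handlers, audit_never_show_ext and audit are this example's own names.

```python
"""Audit a regedit export (.reg) of HKEY_CLASSES_ROOT for the two changes this
chapter recommends: script extensions no longer handed to the Windows Scripting
Host, and no file type hiding its extension through NeverShowExt.

Added example, not code from the book. Export the hive with
'regedit /e hkcr.reg HKEY_CLASSES_ROOT' and pass the file name on the command
line; with no argument the constructed sample below is audited.
"""
import re
import sys

# Script file types Section 12.6.6 says to reassociate with Notepad.
SCRIPT_EXTENSIONS = (".jav", ".java", ".js", ".jse", ".vbs", ".vbe",
                     ".wsh", ".wsc", ".sct")
WSH_ENGINE = re.compile(r"(?i)[wc]script\.exe")

# Constructed sample export: .vbs still runs under WScript, .js was moved to
# Notepad, two ProgIDs still carry NeverShowExt, and one has it cleared to 0.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.js]
@="JSFile"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.pif]
@="piffile"

[HKEY_CLASSES_ROOT\piffile]
"NeverShowExt"=dword:00000000
'''


def _decode(raw):
    """A quoted .reg string escapes backslash and quote with a backslash;
    dword:/hex: values are kept verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_reg(text):
    """Return {key (lower-case): {value name: value}}; '@' is the default value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None and line.startswith("@="):
            reg[current]["@"] = _decode(line[2:])
        elif current is not None and line.startswith('"') and '"=' in line:
            end = line.index('"=', 1)
            reg[current][line[1:end]] = _decode(line[end + 2:])
    return reg


def _value(values, name):
    """Registry value names are case-insensitive."""
    for n, v in values.items():
        if n.lower() == name.lower():
            return v
    return None


def open_command(reg, ext):
    """Resolve extension -> ProgID -> Shell\\Open\\Command, as a double-click does."""
    progid = _value(reg.get("hkey_classes_root\\" + ext.lower(), {}), "@")
    if not progid:
        return None, None
    key = "hkey_classes_root\\%s\\shell\\open\\command" % progid.lower()
    return progid, _value(reg.get(key, {}), "@")


def audit_script_handlers(reg, extensions=SCRIPT_EXTENSIONS):
    """Per script extension: ProgID, open command, and whether WSH would run it."""
    report = {}
    for ext in extensions:
        progid, cmd = open_command(reg, ext)
        report[ext] = {"progid": progid, "command": cmd,
                       "wsh": bool(cmd and WSH_ENGINE.search(cmd))}
    return report


def audit_never_show_ext(reg):
    """(extension, ProgID) pairs whose ProgID still hides the extension in Explorer."""
    hiding = set()
    for key, values in reg.items():
        parts = key.split("\\")
        flag = _value(values, "NeverShowExt")
        if len(parts) == 2 and flag is not None and flag not in ("0", "dword:00000000"):
            hiding.add(parts[1])
    found = []
    for key, values in reg.items():
        if key.startswith("hkey_classes_root\\."):
            progid = _value(values, "@") or ""
            if progid.lower() in hiding:
                found.append((key[len("hkey_classes_root\\"):], progid))
    return sorted(found)


def audit(text):
    """Human-readable findings for one .reg export."""
    reg = parse_reg(text)
    lines = []
    for ext, info in audit_script_handlers(reg).items():
        state = "RUNS UNDER WSH" if info["wsh"] else ("ok" if info["command"] else "no handler")
        lines.append("%-6s %-14s %s" % (ext, state, info["command"] or ""))
    for ext, progid in audit_never_show_ext(reg):
        lines.append("%-6s hides its extension (NeverShowExt on %s)" % (ext, progid))
    return lines


if __name__ == "__main__":
    # regedit 5.00 exports are UTF-16; the embedded sample is plain source text.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    print("\n".join(audit(text)))
```

The handler check matches either WScript.exe or CScript.exe, since both are the scripting host; an extension with no handler at all is reported separately, because that is the state after option 2 above (deleting the association) and is just as safe as pointing it at Notepad.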
</p> <P>You should do one of three things to prevent those script files from being able to call WSH: </p> <OL TYPE="1"><LI><P>Rename <I>WSCRIPT.EXE</i> to <I>WSCRIPT.EXX</i>. </p></li><LI><P>Delete the <I>WSCRIPT.EXE</i> file association.</p></li><LI><P>Associate VBScript and JavaScript files with Notepad.</p></li></ol> <P>Any of the above-mentioned changes will decrease the risk of malicious mobile code on your system. Don't make any of these changes if your PC or network requires the use of WSH to operate normally. The easiest change to make is to locate <I>WSCRIPT.EXE</i> and rename it to some other name, preferably without an executable extension. Then if a script file is launched in an email, an error message is displayed. </p> <P>Figure 12-3 shows the results from double-clicking on the FBI Secrets VBS virus after renaming <I>WSCRIPT.EXE</i> to another name. </p> <CENTER> <H5>Figure 12-3. Missing WSCRIPT.EXE error message</h5> <IMG BORDER="0" WIDTH="259" HEIGHT="160" src="/books/1/47/1/html/2/images/156592682X/figs/MMC_1203.gif" ALT="figs/MMC_1203.gif"></center> <P>As long as the user doesn't locate the renamed <I>WSCRIPT.EXE</i>, the virus will not be able to execute. Be aware that some utility programs, like Norton Utilities, will successfully find the renamed file and reassociate it. </p> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>Any of the changes suggested in this section can be undone by installing a new version of Outlook or Internet Explorer. 
Often the new software checks for the presence of <I>WSCRIPT.EXE</i>, and when it doesn't find it, it reinstalls it. On a Windows NT or 2000 machine, consider leaving the file alone and taking away the Execute permission instead. </p> </td></tr></table></td></tr></table></p> <P>Another option I like more is to unassociate script files from <I>WSCRIPT.EXE</i> and associate them with some harmless text-editing program, like Notepad. When the script tries to launch, it is opened in a program where it cannot do harm. You can even view the source code and look for signs of maliciousness. In order for this to work, these file types need to be reassociated: <I>Java (.JAV or .JAVA), JScript Encoded File (.JSE), JScript File (.JS), VBScript File (.VBS), VBScript Encoded File (.VBE), Windows Script File (.WSH), and Windows Script Component (.WSC and .SCT)</i>. </p> <P>To change file associations you need to get to the Folder View option. In Windows 98, choose My Computer→View→Folder Options→File Types. Select the different file types listed above one at a time. Select Edit→Open→Edit. This will reveal what program is associated with this file extension. Change it from <I>C:\WINDOWS\WScript.exe "%1"%*</i> to <I>C:\WINDOWS\NOTEPAD.EXE "%1"</i> (see Figure 12-4 and Figure 12-5). 
Then whenever a script file is launched, it will be viewed harmlessly in Notepad. </p> <CENTER> <H5>Figure 12-4. Default action for handling VBScript files</h5> <IMG BORDER="0" WIDTH="278" HEIGHT="130" src="/books/1/47/1/html/2/images/156592682X/figs/MMC_1204.gif" ALT="figs/MMC_1204.gif"></center> <CENTER> <H5>Figure 12-5. File association action after changing from Wscript.exe to Notepad.exe</h5> <IMG BORDER="0" WIDTH="278" HEIGHT="130" src="/books/1/47/1/html/2/images/156592682X/figs/MMC_1205.gif" ALT="figs/MMC_1205.gif"></center> <P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="/books/1/47/1/html/2/images/tip_yellow.gif" width="50" height="54"></td><td valign="top"> <P>Follow the instructions in Chapter 4 when modifying files protected by xFP in Windows ME or Windows 2000. </p> </td></tr></table></td></tr></table></p> <H4>12.6.7 Reveal Hidden File Extensions</h4> <P>To prevent malicious code from pretending to have a harmless file extension, disable the Hide File Extension option of Windows. In Windows 98, choose My Computer→View→Folder Options→View and make sure Hide file extensions for known file types is deselected. 
Also make <I>Scrap object</i> file extensions visible: choose My Computer → View → Folder Options → File Types, select Scrap Objects, choose Edit, and select Always show extension. Further, you may want to open the HKCR and HKLM registry hives and search for all instances of the <I>NeverShowExt</i> key. Make sure all values are set to 0. </p>
<H4>12.6.8 If You Use Web-based Email, Use Vendors Who Use Antivirus Scanners</h4>
<P>If you use a web-based email client, choose a vendor that automatically scans all incoming messages for malicious mobile code. For example, MSN Hotmail uses McAfee's antivirus software to screen all incoming email. On a related note, be aware that web-based email servers are broken into more often than they should be. Don't rely on web-based email systems for confidential information unless you are sure the vendor provides tight security and encrypts your message text. </p>
<H4>12.6.9 Modify Security on Outlook Clients</h4>
<P>The Outlook Email Security Update is applied on a client-by-client basis. It restricts which types of attached files can be received in a user's inbox. Dozens of file types are prohibited as Level 1 attachments. Files defined as Level 2 can be received, but the user must save them to disk before executing them. 
Which file types count as Level 1 or Level 2 cannot be defined on the local client, but it can be defined by the Exchange administrator with a bit of work. Using the Outlook Security Administration Kit, an administrator can define the security settings for any Corporate/Workgroup Outlook client connecting to the server. Doing so is a very involved process (see Microsoft Knowledge Base Article Q263297). Here's a summary: </p>
<OL TYPE="1">
<LI><P>Download the Outlook Security Administration Kit from Microsoft's web site and expand the files. </p></li>
<LI><P>Using an Outlook client, create a new <I>Outlook Security Settings</i> folder in the public folder area. </p></li>
<LI><P>Publish <I>OutlookSecurity.oft</i> to the new public folder. </p></li>
<LI><P>Configure the security settings in the security template (see Figure 12-6). </p></li>
<LI><P>Enable the new registry setting on all client PCs so that they look for the new Outlook security policy. </p></li>
<LI><P>When Outlook clients log on to the Exchange server, they are given the new security settings. </p></li>
</ol>
<P>The new client registry setting causes Outlook to poll the Exchange server's <I>Outlook Security Settings</i> folder and enforce the predefined settings. It is a complicated process, but it works, and it allows security settings to be applied on a per-user or per-group basis. The Office 2000 SR-2 patch must be applied for this process to work for Corporate/Workgroup clients with PST files. </p>
<CENTER> <H5>Figure 12-6. Outlook security settings template</h5> <IMG BORDER="0" WIDTH="460" HEIGHT="427" src="/books/1/47/1/html/2/images/156592682X/figs/MMC_1206.gif" ALT="figs/MMC_1206.gif"></center>
<H4>12.6.10 Set Up Message Monitoring</h4>
<P>One of the biggest signs of an email virus infection is an immediate, violent increase in the number of messages in user inboxes. Usually by the time I get to a client company under attack, the average Outlook user has 25 to 100 infected messages in their inbox, which amounts to thousands company-wide. Wouldn't it be nice if administrators could be notified when new messages started exploding in growth? There is a way. Using the NT <I>Performance Monitor</i> utility on an Exchange server, you can monitor <I>MSExchangeMTA Work Queue Length</i>. This counter displays the number of messages the <I>Exchange Message Transfer Agent</i> (MTA) is working on. Another good counter to monitor is <I>Outbound Messages/Hr</i> under <I>MSExchangeIMC</i>. If either counter hits an unacceptably high value (you need to measure a baseline to determine what counts as unusual), you can instruct Performance Monitor to send the administrator an alert or email. Several commercial tools can monitor the same counters and send alerts to a pager, cell phone, or email address. </p>
<P><TABLE CELLSPACING="0" WIDTH="90%" BORDER="1"><TR><TD> <H2>Pager Alerts and Email Attacks</h2> <P>Sending alerts to a pager assumes the paging system is not itself overwhelmed by the virus. On corporate systems where users' alphanumeric pagers have Internet email interfaces, the paging system can quickly be flooded with bogus pages and prevent the alert from reaching the administrator. </p> </td></tr></table></p>
<P>The tips recommended here are highly successful at preventing email attacks, particularly if you have an Outlook/Exchange email environment. 
If properly deployed, these steps will prevent virtually 90 percent of the malicious code attacks in today's corporate environment. I've seen many companies go from multiple infection outbreaks with weeks of downtime to zero outbreaks and no downtime. </p> </td></tr></table>
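<P>The message monitoring suggested in Section 12.6.10 can be scripted. The PowerShell below is an added example, not code from the book or from Microsoft: it samples an Exchange MTA counter to build a baseline, then alerts when a reading is well outside that baseline, logging locally before it tries to mail, for the reason the sidebar gives. It assumes a current Windows host with PowerShell 3.0 or later and the Exchange performance counters present; the counter paths are the ones the book names, and the SMTP relay, mailbox and log path are placeholders.</p>

```powershell
# Added example, not from the book: baseline an Exchange MTA performance
# counter and alert when it spikes the way an email worm outbreak does.
# Assumes PowerShell 3.0 or later on a host that has the Exchange counters.
# Relay, mailbox and log path below are placeholders.

function Get-Baseline {
    # Mean and standard deviation of readings taken while the server is healthy.
    param([double[]]$Samples)
    $mean  = ($Samples | Measure-Object -Average).Average
    $sumSq = ($Samples | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Mean   = $mean
        StdDev = [math]::Sqrt($sumSq / $Samples.Count)
        Count  = $Samples.Count
    }
}

function Get-SpikeThreshold {
    # A reading must be Sigma standard deviations above the mean AND above an
    # absolute floor, so a very quiet baseline (deviation near zero) does not
    # page the administrator over trivial noise.
    param([psobject]$Baseline, [double]$Sigma = 3, [double]$MinAbsolute = 50)
    return [math]::Max($Baseline.Mean + $Sigma * $Baseline.StdDev, $MinAbsolute)
}

function Test-Spike {
    param([double]$Value, [psobject]$Baseline)
    return ($Value -gt (Get-SpikeThreshold -Baseline $Baseline))
}

function Send-OutbreakAlert {
    param([string]$Counter, [double]$Value, [double]$Threshold)
    $msg = "$(Get-Date -Format s) $env:COMPUTERNAME $Counter = $Value (threshold $Threshold)"
    # Record locally first: if the outbreak has swamped the mail system (or the
    # pager gateway behind it), the message below may never arrive.
    Add-Content -Path "$env:ProgramData\mta-alerts.log" -Value $msg
    # Placeholder relay: ideally one that does not route through the affected Exchange org.
    try {
        Send-MailMessage -SmtpServer 'smtp-oob.example.internal' `
            -From "perfmon@$env:COMPUTERNAME" -To 'ops-pager@example.internal' `
            -Subject 'Exchange MTA queue spike' -Body $msg -ErrorAction Stop
    } catch {
        Write-Warning "Alert mail failed: $($_.Exception.Message)"
    }
}

function Watch-Counter {
    param(
        [string]$Counter = '\MSExchangeMTA\Work Queue Length',
        [int]$BaselineSamples = 30,
        [int]$IntervalSeconds = 60
    )
    # Phase 1: learn what normal looks like on this server; without a baseline
    # there is no way to say what counts as unusual.
    $readings = (Get-Counter -Counter $Counter -SampleInterval $IntervalSeconds -MaxSamples $BaselineSamples).CounterSamples.CookedValue
    $baseline = Get-Baseline -Samples $readings
    # Phase 2: compare every new reading against that baseline.
    while ($true) {
        $value = (Get-Counter -Counter $Counter).CounterSamples[0].CookedValue
        if (Test-Spike -Value $value -Baseline $baseline) {
            Send-OutbreakAlert -Counter $Counter -Value $value -Threshold (Get-SpikeThreshold -Baseline $baseline)
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Demo on constructed readings (no Exchange needed): a quiet baseline, then a
# normal reading and an outbreak-like burst.
$demo = Get-Baseline -Samples @(3, 4, 2, 5, 3, 4, 3, 6, 4, 3)
Test-Spike -Value 5   -Baseline $demo
Test-Spike -Value 180 -Baseline $demo
# Watch-Counter   # run this on the Exchange server instead of the demo lines
```

<P>Point <I>Watch-Counter</i> at the book's second counter with <I>-Counter '\MSExchangeIMC\Outbound Messages/Hr'</i> to watch outbound volume the same way. The absolute floor and the sigma multiplier are the two knobs to tune against the baseline you measure; a baseline collected during an outbreak is worthless, so gather it on a known-clean day.</p>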


Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176
