Malicious attack types come in cycles. Two decades ago it was boot viruses. In the mid-1990s, macro viruses reigned. Malicious e-mails have been a huge problem since the Melissa virus in 1999 and the ILOVEYOU worm of 2000. These days, malicious e-mails account for the majority of the e-mail traffic headed across the Internet, whether in the form of bots, viruses, worms, spam, or phishing attacks.
Preventing malicious e-mail attacks is one of the strongest defenses any network administrator can implement. In this chapter, we discuss the various e-mail threats, introduce Windows Vista's new Windows Mail application, and discuss e-mail defenses that should be enacted to secure any environment.
E-mail threats come in the form of malicious file attachments, embedded content, embedded links, leaked passwords, and some other miscellaneous categories.
Malicious file attachments still account for a large majority of all e-mail threats, although the percentage is decreasing as attackers begin to rely on embedded content more and more. In most instances, a malicious file attachment must be manually opened or executed by the end user to launch the malicious program or instructions. There have been a few isolated cases and periods of time where file attachments have been able to automatically execute when the user retrieved the e-mail (for example, buffer overflows and MIME-type mismatches), but those types of flaws are usually patched quickly. In most cases the user is tricked into opening the file attachment, thereby firing off the exploit.
Note: As we go to print, Microsoft is releasing a new client e-mail application called Windows Live Mail. Although it is a separate download and will not be a mandatory install, Microsoft is strongly recommending that all Vista users who would otherwise use Windows Mail implement Windows Live Mail instead. We agree. Windows Live Mail includes all the security features of Windows Mail, plus additional features (for example, authenticated POP, HTTP mail support, and RSS feeds). Windows Live Mail will also be available as an optional update through the normal Windows Update patch management channels. When Windows Live Mail is installed, it takes over all the e-mail entry and exit points from Windows Mail (although it does not do this by default if you have Microsoft Outlook installed). Windows Mail is deprecated, but will still be available for use if needed. All future Windows e-mail clients will evolve from Windows Live Mail. Although a few details may differ between the two versions, all of the e-mail recommendations made in this chapter apply equally to Windows Mail, Windows Live Mail, or any other e-mail client.
The e-mail often contains a forged sender e-mail address, an enticing message with various social engineering qualities, and an attached file. There are literally over 200 file types that have been used (or can be used) to launch malware. Table 10-1 lists file formats that have been, or could be, used in malicious attacks. You'll also see that the table includes a malicious risk ranking for each file type. File types highlighted in bold type are considered high risk for every organization. This means the file type is more likely to be used maliciously by unauthorized intruders or malware than legitimately by authorized users. Other file types, such as Microsoft Word or Microsoft Excel, are also high risk, but they are still used legitimately the majority of the time. Administrators should always block the former high-risk file types from executing by default, and consider additional defense-in-depth techniques for minimizing attacks that utilize the latter file types.
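The attachment checks this chapter argues for, as an added Python example that is not from the book or from any Microsoft product: it parses a constructed e-mail with the standard library's email package, flags attachments whose final extension is one the table rates High, catches the "invoice.doc.exe" double-extension trick, and compares each attachment's leading bytes against its extension and declared MIME type (the renamed-ASF and MIME-type-mismatch cases mentioned above). The high-risk set is taken from the rows of Table 10-1 that this section rates High; the magic-number and content-type tables are a small illustrative subset, and the finding names are this example's own.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions this section's Table 10-1 rates "High" malicious risk (constructed from the table).
HIGH_RISK_EXTENSIONS = {
    ".bat", ".chm", ".cmd", ".cpl", ".dll", ".doc", ".exe", ".hta", ".htm", ".html",
    ".its", ".js", ".mov", ".ocx", ".pif", ".scr", ".shb", ".shs",
}

# Leading-byte signatures -> (format name, extensions that legitimately carry it).
# Illustrative subset only; a production scanner would use a full signature database.
ASF_HEADER_GUID = b"\x30\x26\xB2\x75\x8E\x66\xCF\x11"
MAGIC_SIGNATURES = {
    b"MZ": ("exe", {".exe", ".dll", ".scr", ".cpl", ".ocx", ".com", ".pif", ".386"}),
    ASF_HEADER_GUID: ("asf", {".asf", ".wmv", ".wma"}),
    b"PK\x03\x04": ("zip", {".zip", ".jar", ".docx", ".xlsx", ".pptx"}),
    b"%PDF": ("pdf", {".pdf"}),
}

# Declared Content-Type -> format the bytes are expected to be (illustrative subset).
CONTENT_TYPE_FORMATS = {
    "audio/mpeg": "mp3", "audio/x-wav": "wav", "video/x-ms-asf": "asf",
    "application/pdf": "pdf", "application/zip": "zip", "application/x-msdownload": "exe",
}


def split_extensions(filename):
    """All extensions of a name, lowercased: 'invoice.doc.exe' -> ['.doc', '.exe']."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def detect_format(data):
    """Identify the real format from leading bytes, or (None, set()) if unknown."""
    for magic, (name, allowed_exts) in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return name, allowed_exts
    return None, set()


def classify_attachment(filename, content_type, data):
    """Return the list of findings for one attachment (empty list means nothing suspicious)."""
    exts = split_extensions(filename)
    final_ext = exts[-1] if exts else ""
    findings = []
    if final_ext in HIGH_RISK_EXTENSIONS:
        findings.append("high_risk_extension")
    if len(exts) > 1 and final_ext in HIGH_RISK_EXTENSIONS:
        findings.append("double_extension")          # e.g. invoice.doc.exe
    fmt, allowed_exts = detect_format(data)
    if fmt and final_ext not in allowed_exts:
        findings.append(f"magic_mismatch:{fmt}")     # e.g. ASF bytes named .mp3
    expected = CONTENT_TYPE_FORMATS.get(content_type.lower())
    if fmt and expected and expected != fmt:
        findings.append("content_type_mismatch")     # declared MIME type disagrees with bytes
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        results.append({"filename": name, "content_type": ctype,
                        "findings": classify_attachment(name, ctype, data)})
    return results


def should_block(results):
    """Policy hook: block delivery if any attachment produced a finding."""
    return any(r["findings"] for r in results)


def build_sample_message():
    """Constructed sample message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    # PE header bytes hidden behind a double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.doc.exe")
    # ASF container renamed to .mp3 and declared as audio/mpeg.
    msg.add_attachment(ASF_HEADER_GUID + b"\x00" * 32, maintype="audio",
                       subtype="mpeg", filename="song.mp3")
    msg.add_attachment("Meeting notes\n", filename="notes.txt")   # benign
    return msg.as_bytes()


if __name__ == "__main__":
    for r in scan_message(build_sample_message()):
        print(f"{r['filename']:18} {r['content_type']:26} {r['findings']}")
```

The extension check alone is the "block by default" control the text recommends; the magic-number and Content-Type comparisons are the defense-in-depth layer for formats such as ASF that players open regardless of the extension they arrive under.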
FILE EXTENSION | MALICIOUS RISK | FILE TYPE | MALICIOUS USE DETAILS |
---|---|---|---|
.386 | Low | Windows virtual device driver (VxD) file | Essentially the same as an .exe file. |
.acf | Medium | Microsoft Agent file | Microsoft Agent (http://www.microsoft.com/msagent/default.asp) file, which is used by the Microsoft Agent ActiveX control. Vulnerability patched in MS06-068. |
.ade | Low | Microsoft Access Project file | Can contain auto-executing macros. Is not often used maliciously. |
.adn | Low | Microsoft Access Project Template | Can contain auto-executing macros. Is not often used maliciously. |
.adp | Low | Microsoft Access Project file | Can contain auto-executing macros. Is not often used maliciously. |
.ani | Medium | Windows Animated Cursor | Two exploits were announced by Flashsky Fangxing (flashsky@xfocus.org) on December 23, 2004. First, a Windows kernel DoS exploit: Windows XP SP2 is not vulnerable, but most other Windows versions (NT to 2003) are. Second, an integer buffer overflow: most Windows versions (NT to 2003) are vulnerable; caused by the LoadImage API in USER32.Lib. |
.arc | Low | PKArc file archive | Older, pre-Windows file archive file format. Still used occasionally by malware to bypass computer security defenses. |
.arj | Medium | File Archive file | Can be used by malware to bypass computer security defenses. Arj files can be created and unarchived using many popular programs including Winzip. More detail on .arj program can be found at http://www.filext.com/detaillist.php?extdetail=ARJ. |
.asf | Medium | Microsoft Advanced Streaming Format | Streaming audio or video files usually opened using Windows Media Player (WMP). ASF files can be exploited through buffer overflows, header malformation, or dangerous scriptable content. Can contain binary files, scripts, and HTML links, which can retrieve other content. ASF files can be renamed to other extensions (for example, MP3) and they will still be recognized as ASF files and opened in WMP. Great discussion on ASF and ASX files located at http://www.webreference.com/js/column51/asf.html. |
.asx | Medium | Windows Media Player file | ASX files are Windows Media Player textual command files that manage streaming of ASF files. They are very small in size (about 1K) because they contain no data, just instructions. Can call and invoke many other types of active content. Involved in a reported DoS vulnerability reported to NTBugtrack on November 22, 2006. Great discussion on ASF and ASX files located at http://www.webreference.com/js/column51/asf.html. |
.atf | Low | Symantec pcAnywhere autotransfer file | Can initiate a pcAnywhere file-transfer session. |
.avi | Medium | Microsoft video file format | AVI stands for Audio Video Interleave. Has been used in some exploits, such as MS-05-050, which was caused by a DirectX graphics vulnerability. A user could download the file and be exploited, including allowing remote file execution (but not privilege escalation). |
.b64 | Medium | Base 64 MIME-encoded | Can be used to send MIME file attachments. Has been used to send malware. |
.bas | Low | Visual Basic (VB) class module | Can contain malicious instructions. Association may not exist on newer PCs. |
.bat | High | DOS batch file | Can contain malicious DOS command interpreter instructions. |
.bhx | Medium | Winzip file archive | Has been used by a few worms to bypass antivirus scanners. |
.bmp | Medium | Windows Bitmap graphics file | Integer buffer overflow, announced by flashsky fangxing (flashsky@xfocus.org) on December 23, 2004; most Windows versions are vulnerable (NT to 2003), caused by the LoadImage API in USER32.Lib. Tough call, as this format is very popular for legitimate use. |
.cab | Low | Microsoft cabinet archive file | Opens in Windows Explorer and IE, and can help install malicious files. Commonly used by Microsoft to install legitimate files, but could be used by malware to bypass computer security defenses. Unexpected CAB files arriving via e-mail or from untrusted Web sites should not be executed. |
.cap | Low | Ethereal packet capture file | Contains network packets captured from a network protocol analyzer. Ethereal's dissectors (the filters that parse network packets into protocol disassemblies) are often subject to buffer overflows. But to date, no popular malware attack has used .cap files to exploit a computer. |
.cbl | Medium | Microsoft Interactive Training file | User= field allows an exploitable buffer overflow (SEH pointer). Microsoft Interactive Training (Orun32.exe) must be present, although it is often present by default in OEM versions of Windows XP. First exploit of this file type announced on June 14, 2005 by iDEFENSE labs. Patched by MS05-31. HK_CR\MITrain.Document\shell\open\command is related to the Orun32.exe program. |
.cbm | Medium | Microsoft Interactive Training file | User= field allows an exploitable buffer overflow (SEH pointer). Microsoft Interactive Training (Orun32.exe) must be present, although it is often present by default in OEM versions of Windows XP. First exploit of this file type announced on June 14, 2005 by iDEFENSE labs. Patched by MS05-31. HK_CR\MITrain.Document\shell\open\command is related to the Orun32.exe program. |
.cbo | Medium | Microsoft Interactive Training file | User= field allows an exploitable buffer overflow (SEH pointer). Microsoft Interactive Training (Orun32.exe) must be present, although it is often present by default in OEM versions of Windows XP. First exploit of this file type announced on June 14, 2005 by iDEFENSE labs. Patched by MS05-31. HK_CR\MITrain.Document\shell\open\command is related to the Orun32.exe program. |
.cer | Low | Digital certificate | Can be used to install a malicious certificate in IE to permit automatic downloading of malicious content |
.ceo, .ce0 | Low | | Used by Winevar worm. NETCOM guidance 2004-11 recommends blocking this file extension. |
.chm | High | Windows Compiled Help File | Windows Help Files (.hlp) can be compiled for better performance and feature sets. Malformed Compiled Help Files have been involved in many announced exploits over the years, including Microsoft Security Bulletin MS05-031 and exploits in 2006 (http://www.securityfocus.com/bid/17926/discuss). Can be opened in Internet Explorer automatically without user intervention using Ms-its moniker. |
.cmd | High | Command file | Contains batch file-like DOS interpreter script commands. Can contain malicious instructions. |
.cnt | Low | Microsoft Help Workshop Help Contents file | There is a stack-based memory corruption in Microsoft Help Workshop while processing .CNT Help Contents files. The tool is a standard component of Microsoft Visual Studio 6.0 and 2003 (.NET) for building and managing help projects and can also be downloaded alone from the Microsoft download center. Original announcement on January 18, 2007 (http://www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp). |
.com | Medium | Program executable | Older, legacy DOS and 16-bit Windows executables. Still work under all Windows versions, except newer 64-bit Windows. |
.cpl | High | Control Panel applet | Executable program written to run in the Control Panel context. Can be infected by viruses or used by malware programs to install themselves. An example is a Win32.Beagle variant (http://www.securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm!cpl.html). Used legitimately throughout Windows, but rarely needs to be accepted in e-mail, IM, and so on. |
.crl | Low | Certificate Revocation List | CRLs list revoked digital certificates. Could be used in an attack to maliciously invalidate otherwise valid digital certificates in a denial of service attack. |
.crt | Low | Digital Certificate | Can be used to install a malicious certificate in IE to permit automatic downloading of malicious content. |
.cs | Medium | Windows scripting file | Scripting file that can be executed by Cscript.exe, can contain malicious commands. |
.css | Medium | Cascading Style Sheet | Used by IE and other browsers. Used by web developers to easily deliver a consistent look-and-feel style to a Web site without having to recode the style for each web page. Has been exploited maliciously many times. Should not be disabled in IE in most cases, but rarely needs to be sent in e-mail, IM, and so on. |
.ctl | Low | Certificate Trust List | Could be used by remote attacker to trick victim into installing the attacker as a trusted publisher. |
.cur | Medium | Windows cursor graphic file | Integer buffer overflow, announced by flashsky fangxing (flashsky@xfocus.org) on December 23, 2004, most Windows versions are vulnerable (NT to 2003); caused by LoadImage API in USER32.Lib. |
.dbg | Low | Debug file | Can contain malicious machine language instructions that can be compiled by debug.exe into malware. |
.desklink | Low | Desktop link to program | Could be used maliciously. |
.der | Low | Digital Certificate | Can be used to install a malicious certificate in IE to permit automatic downloading of malicious content. |
.dhtml | Low | Dynamic HTML file | Has been used in malicious attacks, but is no longer a popular attack vector. |
.dif | Low | Data Interchange Format | Older common spreadsheet file format, commonly used in conversion. Has been used a few times in older malicious attacks. |
.dll | High | Dynamic Link Library | Most DLLs are legitimate program files containing pre-compiled library routines that other programs can call, or they can contain complete programs. Have been involved in many viruses and worms. Because of Windows File Protection, most Windows system DLLs cannot be overwritten or modified by malware, but rogue DLLs can be installed. |
.doc | High | Microsoft Office Word document | Can contain malicious macros, scripts, objects, links, and executables. Very difficult to block because legitimate use is very common. Many malicious objects are blocked by the default Microsoft Office security settings. Note that recently many Office document formats have been targeted for zero-day attacks. |
.dochtml | Low | Microsoft Office Word document in HTML format | Can contain malicious macros, scripts, objects, links, and executables. Very difficult to block because legitimate use is very common. Many malicious objects are blocked by the default Microsoft Office security settings. |
.docmhtml | Low | Microsoft Office Word document in MIME encapsulated format | Can contain malicious macros, scripts, objects, links, and executables. Not commonly used. Many malicious objects are blocked by the default Microsoft Office security settings. |
.docxml | Low | Microsoft Office Word Document | Can contain malicious macros, scripts, objects, links, and executables. Many malicious objects are blocked by the default Microsoft Office security settings. |
.dot | Medium | Microsoft Office Document Template | Can be manipulated by malware to contain malicious objects that are then added to every new document that relies on the related template file. Very commonly manipulated by early Microsoft Office macro files, but not as commonly modified by malware today. |
.dothtml | Low | Microsoft Office Document Template in HTML format | Can be manipulated by malware to contain malicious objects that are then added to every new document that relies on the related template file. |
.dsm | Medium | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
.dun | Low | DUN export file | Can contain malicious dial-up connection information that initiates outward calls. |
.edt | Low | Adobe Reader PDF ebook file | Involved in at least one announced exploit (http://www.idefense.com/application/poi/display?id=163) in 2004. If ebook functionality is not needed, it can be blocked without affecting overall Adobe Reader functionality. |
| Medium | Outlook Express e-mail message | Used by Nimda and many other worms. |
.emf | Medium | Enhanced Metafile file | Windows graphics file format buffer overflow, MS05-053. High criticality if not patched. In January 2007, also found to be vulnerable in OpenOffice versions prior to 2.1.0 and Star Office versions prior to 8. |
.eml | Medium | Outlook Express e-mail message | Used by Nimda and many other worms. |
.eot | Low | Embedded Open Type font | Malicious font file could be used to take complete control of an unpatched Windows computer. Patch is MS06-002. Font extension is normally .eot, but could be anything. |
.exe | High | Application file | Can be used to launch malicious executables. Cannot block on a Windows system, but should be blocked in e-mail, IM, and so on. |
.far | Medium | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
.fav | Low | IE Favorites list | Can be used to list malicious Web sites. Don't block on Windows, but block coming through e-mail, IM, and so on. |
.gadget | Medium | Vista Sidebar Gadget | Sidebar gadgets can contain nearly any type of active content and scripting. They can be sent in e-mail and downloaded from the Internet. There is a good chance that malware writers will try to take advantage of Vista's new Sidebar gadgets feature. |
.gif | Low | Graphic file format | GIF stands for Graphics Interchange Format. Although normally just a picture or image data file, it has been malformed to cause improper application handling and buffer overflows in many applications, including IE, Windows Messenger (see Microsoft Security Bulletin MS05-022), and Sun's Java (Sun Java exploit announcement at http://www.frsirt.com/english/advisories/2007/0211). |
.gzip | Low | Gzip file format | Can be used by malware to bypass computer security defenses. Very common on Unix/Linux platforms, but can also be used in Windows. See .tar also. |
.hhp | Medium | Microsoft HTML Help Workshop file | Used in buffer overflow exploit announced February 2006 (http://www.frsirt.com/english/advisories/2006/044). |
.hlp | Medium | Microsoft Help File | Used legitimately throughout Windows, but has been used in multiple exploits. Block in e-mail, IM, and so on. |
.hpj | Low | Microsoft Workshop Help File | Microsoft Help Workshop 4.03.0002 is a standard component of Microsoft Visual Studio 6/2003 (.NET). It can also be downloaded alone from the Microsoft download center. January 22, 2007 exploit located at http://www.anspi.pl/~porkythepig/visualization/hpj-x01.cpp. |
.hqx | Low | Macintosh BinHex 4 Compressed Archive | Has been used to spread malware. |
.ht | Low | Hyperterminal file | Can initiate dial-up connections to untrusted hosts. |
.hta | High | HTML application | Frequently used by worms and Trojans. |
.htm | High | HTML file | Can initiate an Internet browser session and can be used to automatically download and execute rogue files. |
.html | High | HTML file | Can initiate an Internet browser session and can be used to automatically download and execute rogue files. |
.htt | Low | Internet Explorer stylesheet | Can be used/manipulated by adware/malware to display unwanted browser Windows and popups. |
.ico | Medium | Windows Icon graphic file | Was involved in an integer buffer overflow, announced by flashsky fangxing (flashsky@xfocus.org) on December 23, 2004; most Windows versions were vulnerable (NT to 2003) before the patch was released. The vulnerability was caused by LoadImage API in USER32.Lib. |
.idc | Medium | Interactive Disassembler application file | Normally only used by IDA Pro Disassembler (http://www.datarescue.com/idabase). Can be used by viruses. Proof of Concept virus was released (http://www.sarc.com/avcenter/venc/data/w32.gatt.html). |
.inf | Low | Install configuration file/security | As a Setup Information installer template configuration file, it can be used to maliciously manipulate existing programs or to install new malicious programs. As a security template, it can be used to downgrade existing security permissions. |
.ini | Low | Application configuration settings file | Can be used to maliciously change a program's default settings. Also, Desktop.ini can be used to auto-launch malicious programs. |
.ins | Low | Internet communication settings | Can be used to initiate Internet connections to untrusted sources. |
.iso | Low | Image file for disks, CD-ROMs, DVDs, etc. | There is a worm that can arrive and spread using ISO images. Very low risk. See http://www.trendmicro.com/vinfo/images/WORM_BAHISHO_A2.gif for more details. |
.isp | Low | Internet communication settings | Can be used to initiate Internet connections to untrusted sources. |
.it | Medium | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
.its | High | Microsoft Infotech Storage Library | Has been used in buffer overflows. Not installed by Microsoft by default, can be installed by many legitimate "teaching" programs. Related to compiled help file exploit (http://www.securityfocus.com/bid/17926/discuss). |
.jar | Low | Java archive file | Can launch Java attacks. |
.jav | Low | Java applet | Can launch Java attacks. |
.java | Low | Java applet | Can launch Java attacks. |
.jfif | Low | JPEG File Interchange File Format | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028. |
.jpe | Low | JPEG graphics files | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028. |
.jpeg | Low | JPEG graphics files | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028. |
.jpg | Low | JPEG graphics file | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028. |
.js | High | JavaScript file | Can contain malicious code that can easily be decoded and read by Windows and IE. These files are executed by Wscript.exe, Cscript.exe, or JScript.dll. |
.jse | Medium | Encoded JavaScript file | Can contain malicious code. JSE files are encoded JavaScript files that can easily be decoded and read by Windows and IE. These files are executed by Wscript.exe, Cscript.exe, or JScript.dll. JSE files are as easy to create as JavaScript files, but haven't been popularly used so far. |
.key | Low | Windows Registry modification file | Could contain malicious Registry keys and values. |
.lnk | Low | Shortcut link | Can be used to automate malicious actions. |
.lsf | Low | Streaming audio or video file | Can be exploited through buffer overflows, header malformation, or dangerous scriptable content. |
.lsx | Low | Streaming audio or video file | Can be exploited through buffer overflows, header malformation, or dangerous scriptable content. |
.lzh | Medium | Archive file format | Can be used by malware to bypass computer security defenses. Is used on Windows platforms, especially by game developers or Japanese programmers, but is not common. |
.m3u | Low | XMPlay audio file | XMPlay is an audio player, supporting different audio formats and playlists. XMPlay was shown to be buffer overflow-exploitable on November 20, 2006 (http://www.milw0rm.com/exploits/2815). XMPlay can also be buffer overflowed by ASX files (http://www.milw0rm.com/exploits/2824). |
.mad | Low | Microsoft Access module shortcut | Can carry out macro manipulation that isn't controlled by Office security settings. |
.maf | Low | Microsoft Access module form | Can contain malicious behavior. |
.mag | Low | Microsoft Access module diagram | Can contain malicious behavior. |
.mam | Low | Microsoft Access module macro | Can contain malicious behavior. |
.maq | Low | Microsoft Access module query | Can contain malicious behavior. |
.mar | Low | Microsoft Access module report | Can contain malicious behavior. |
.mas | Low | Microsoft Access module stored procedure | Can contain malicious macros and procedures. |
.mat | Low | Microsoft Access module table | Can contain malicious behavior. |
.mav | Low | Microsoft Access module view | Can contain malicious behavior. |
.maw | Low | Microsoft Access module shortcut | Can contain malicious behavior. |
.mda | Low | Microsoft Access extension | Can contain malicious behavior. |
.mdb | Low | Microsoft Access application or database | Can contain malicious behavior. |
.mdbhtml | Low | Access application or database in HTML format | Can contain malicious macros. |
.mde | Low | Microsoft Access database with all modules compiled and source code removed | Can contain malicious macros. |
.mdn | Low | Microsoft Access database template | Can contain malicious behavior. |
.mdt | Low | Microsoft Access database wizard file | Can contain malicious behavior. |
.mdz | Low | Microsoft Access database wizard template file | Can contain malicious behavior. |
.mht | Medium | MIME HTML document | Can contain malicious content. |
.mhtml | Medium | MIME HTML document | Can contain harmful commands. |
.mid | Medium | | Malformed header has been used to buffer overflow Windows Media Player (http://www.frsirt.com/english/advisories/2006/5039). |
.midi | Medium | | Malformed header has been used to buffer overflow Windows Media Player (http://www.frsirt.com/english/advisories/2006/5039). |
.mim | Medium | MIME-encoded file or archive file | Is a MIME (Multipurpose Internet Mail Extensions) file. Many e-mail clients, including sometimes Outlook and OE, create a .MIM file when forwarding an e-mail with an attachment. Attachment could be anything. In malicious e-mails, the .MIM attachments are often zip or executable files. See http://www.securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html. |
.mmf | Low | Microsoft Mail or Outlook item file | Can carry malware. |
.mov | High | Quicktime movie files | Involved in multiple vulnerabilities over the years, including buffer overflows announced on 11/10/05 and 12/20/05 (http://www.frsirt.com/english/advisories/2005/3012). |
.msg | Low | Microsoft Mail or Outlook Express item | Can carry malware. |
.msh | Low | Microsoft Shell Command file | New file format in Windows Vista, used to replace previous shell language files (.bat, .cmd, and so on). Demonstration viruses have already been developed exploiting this file format (http://www.f-secure.com/v-descs/danom.shtml). |
.msi | Medium | Microsoft Installer package | Can be used to install or modify software. |
.msp | Low | Microsoft Installer package | Can be used to install malware. |
.mst | Low | Visual Basic test source file | Can be used maliciously. |
.nch | Low | Outlook Express folder | I could not find how this was used to spread malware. Many malware programs look inside legitimate NCH files to find more e-mail addresses to spread to. However, NETCOM guidance 2004-11 recommends this file extension be blocked, so I mention it here just in case. |
.nrg | Low | Nero cd-rom or dvd image file | There is a very low-risk worm that can spread using Nero image files. See http://www.trendmicro.com/vinfo/images/WORM_BAHISHO_A2.gif for more details. |
.nws | Low | Outlook Express news message | Network newsgroup protocol. Can carry viruses, worms, and other malware. |
.ocx | High | ActiveX control | Can be used to install malicious ActiveX programs. |
.oft | Low | Outlook Template file | Outlook Template file can contain malicious scripting or objects. Not commonly used by malware. e-mail worms and viruses can sometimes harvest legitimate e-mail addresses from OFT files. |
.oss | Low | Microsoft Office Saved Searches file | Can be used to exploit unpatched versions of Microsoft Windows/Outlook/Office. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0034 |
.ovl | Low | Program overlay file | Commonly used by legitimate programs. Can be used to install malware or legitimate ones can be infected by viruses. |
.pcap | Low | Ethereal packet file | Can be used to buffer overflow capture Ethereal, not popularly used to exploit. |
.pct | Low | Apple PICT graphics file | Used in QuickDraw and QuickTime applications, among other applications. Buffer overflow announced in both Windows and Unix on November 11, 2005. |
.pdc | Low | Microsoft compiled script | Can contain dangerous code. |
.pdf | Medium | Adobe Reader Portable Document Format | Involved in several exploits over the years. Difficult to block because of widespread legitimate use. |
.pi | Medium | | On some systems, PIF files come across as .pi, or so I've been told. NETCOM 2004-11 recommends that it be blocked. |
.pic | Low | Apple PICT graphics file | Used in QuickDraw and QuickTime applications, among other applications. Buffer overflow announced in both Windows and Unix on November 11, 2005. |
.pict | Low | Apple PICT graphics file | Used in QuickDraw and QuickTime applications, among other applications. Buffer overflow announced in both Windows and Unix on November 11, 2005. |
.pif | High | Program information file | Can run malicious programs. |
.pl | Medium | Perl script file | Can contain rogue code. |
.pls | Medium | Winamp Playlist | Malformed playlist file (containing overly large filenames) can cause a buffer overflow in Winamp (http://www.frsirt.com/english/advisories/2006/0361). |
.png | Medium | Portable Network Graphics file | PNG is an open source graphics format with lossy compression (http://www.libpng.org/pub/png). Has been involved in several exploits, including multi-browser buffer overflows. Last PNG IE buffer overflow resolved by MS05-025. |
.pol | Low | Windows Policy File | Can be used to lower security settings on Windows 9x and above machines. |
.pot | Low | Microsoft PowerPoint template file | Can contain scripted exploits. |
.pothtml | Low | Microsoft PowerPoint template file in HTML format | Can contain malicious content. |
.ppa | Low | Microsoft PowerPoint add-in | Can contain malicious content. |
.ppt | Low | Microsoft PowerPoint presentation | Can contain malicious content. |
.ppthtml | Low | Microsoft PowerPoint presentation in HTML format | Can contain malicious content. |
.pptmhtml | Low | Microsoft PowerPoint presentation in MIME-encoded HTML format | Can contain malicious content. |
.prf | Low | Outlook profile settings | Can override default or trusted settings. |
.pst | Low | Outlook or Exchange personal store file | Can contain malicious attachments and be imported into Outlook or Outlook Express. |
.pwl | Low | Windows 9x password file | Could be used to overwrite legitimate passwords in Windows 9x. |
.py | Low | Python script file | Can contain rogue code. |
.qtl | Medium | Quicktime Media Link | QTL files allow flexibility in the way that Quicktime files are accessed. QTL files can hold JavaScript code. QTL files can end in any extension (for example, MP3, MOV, or QT). Has been used in at least one widespread XSS attack (http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up). |
.qtif | Medium | Quicktime file | Can be used to accomplish a buffer overflow in vulnerable versions of QuickTime (http://www.frsirt.com/english/advisories/2006/0128). |
.rar | Medium | WinRAR archived files | Being used by malware to bypass detectors that normally open zip files, but don't open RAR files. Used by Bagle worm among others. http://www.geocities.com/marcoschmidt.geo/rar-archive-file-format.html |
.rat | Low | Internet Explorer content ratings file | Part of Internet Explorer's content advisor rating feature. Can be installed to allow malicious Web sites to be approved as secure. Also can be used on IIS Web sites to pre-rate content to be delivered to visitors. If installed on IIS, could be used to execute malicious program instructions. Has been involved in a malicious buffer overflow announcement in the past. |
.rc | Low | Microsoft Visual Studio file | http://www.secunia.com/advisories/23856. Affected products: Microsoft Visual Studio 6 SP6 and prior. |
.rdp | Low | Remote Desktop connection shortcut | If an end user can be tricked into running a malicious RDP file, it could execute local commands, or map a drive (should provide a warning in XP Pro and above) to a remote malicious machine and give the attacker access to local files. Currently not popularly exploited. |
.reg | Low | Registry entry file | Can create malicious registry keys or values. |
.rjs | Medium | RealPlayer skin file | Can be downloaded and applied automatically through a web browser without the user's permission. A skin file is a bundle of graphics and an .ini file, stored together in ZIP format. Fixed in RealPlayer versions above 10.5. |
.rm | Medium | RealPlayer media file | Involved in multiple vulnerabilities over the years. The latest buffer overflow was announced on November 10, 2005. |
.rpt | Low | Crystal Reports report file | RPT file has been used in multiple buffer overflow exploits. First reported in November 2006 (http://www.frsirt.com/english/advisories/2006/4691), and again in January 2007 (http://www.lssec.com/advisories/LS-20061102.pdf). RPT file extension represents many other types of "report files" and isn't used exclusively in Crystal Reports. Other .rpt file formats have not been reported as vulnerable. |
.rtf | Medium | Rich Text Format file | Can script other attacks and contain embedded malicious links. |
.scf | Medium | Windows Explorer command | Could be used maliciously in future attacks. |
.scp | Low | DUN script | Can initiate rogue outbound connections. |
.scr | High | Windows screen saver file | Usually legitimate, but can contain worms or Trojans, and has been used in many popular worm attacks in the past. Essentially, an SCR file is the same as any other EXE file, and can do anything to a system. |
.sct | Medium | Windows scriptlet file | Can contain malicious commands. |
.shb | High | Shell scrap object | Can mask rogue programs by containing links to other programs. Shell scrap file objects can have hidden extensions even when Windows is told to display hidden file extensions. |
.shs | High | Shell scrap object | Can mask rogue programs by containing links to other programs. Shell scrap file objects can have hidden extensions even when Windows is told to display hidden file extensions. |
.shtml | Low | HTML file with server-side include directives | Could contain malicious content, but not popularly used. |
.sit | Low | Mac StuffIt compression archive file | Could be used to sneak malware past antivirus scanners. |
.slk | Low | Excel SLK data-import file | Can contain hidden malicious macros. |
.smi | Medium | RealPlayer file | Real Networks RealPlayer Synchronized Multimedia Integration Language (SMIL) file parser in RealPlayer was found to have a buffer overflow in March 2005 by eEye. |
.smil | Medium | RealPlayer file | Real Networks RealPlayer Synchronized Multimedia Integration Language (SMIL) file parser in RealPlayer was found to have a buffer overflow in March 2005 by eEye. |
.spl | High | Shockwave Flash object | Flash files have been involved in multiple exploits. |
.stl | Low | Certificate Trust List (CTL) | Can induce user to trust a rogue certificate. |
.stm | Medium | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
.swf | High | Shockwave Flash object | Flash files have been involved in multiple exploits, including MS06-020 released in May 2006. |
.sys | Medium | Driver or configuration file | Used by many autorun files, including config.sys. Can be used to install malicious programs. Legitimate .sys files can be infected by viruses. |
.tar | Medium | Unix archive file format | TAR stands for Tape Archive file format. Common Linux/Unix archive file format, but is used in Windows. Can be used by malware to bypass computer security defenses. |
.taz | Medium | Unix archive file format | Can be used by malware to bypass computer security defenses. |
.tga | Medium | Quicktime file | Can be used to accomplish a buffer overflow in vulnerable versions of Quicktime (http://www.frsirt.com/english/advisories/2006/0128). |
.tgz | Medium | Unix archive file format | Can be used by malware to bypass computer security defenses. |
.tif | Low | Common graphics file format | Has been involved in exploits before. |
.tiff | Low | Common graphics file format | Has been involved in exploits before. |
.tz | Medium | Unix archive file format | Can be used to accomplish a buffer overflow in vulnerable versions of Quicktime (http://www.frsirt.com/english/advisories/2006/0128). |
.ult | Medium | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
.url | High | Internet shortcut | Can connect user to malicious Web site or launch a malicious action. |
.uu | Low | Older (UUENCODE) archive file format | The UUencode file format was used to send program files and other objects through plain-text e-mail. It used to be common across most PC platforms, but is not very common today. Can be used by malware to bypass computer security defenses. |
.uue | Low | Older (UUENCODE) archive file format | The UUencode file format was used to send program files and other objects through plain-text e-mail. It used to be common across most PC platforms, but is not very common today. Can be used by malware to bypass computer security defenses. |
.xxe | Low | XX-encoded file | See http://www.membrane.com/synapse/library/uuenc.html for more information on xx-encoding. Recommended to be blocked by NETCOM 2004-11 guidance document. |
.vb | Medium | VBScript file | Can contain malicious code that will be launched in Windows and IE and executed by Wscript.exe, Cscript.exe, or VBScript.dll. |
.vbs | High | VBScript file | Can contain malicious code that will be launched in Windows and IE and executed by Wscript.exe, Cscript.exe, or VBScript.dll. |
.vbe | Medium | Encoded VBScript file | Can contain malicious code. VBE files are encoded VBScript files that can easily be decoded and read by Windows and IE. These files are executed by Wscript.exe. |
.vcf | Medium | vCard file format | Used in many e-mail clients, including Outlook and Outlook Express to communicate recipient addressing details. Has been involved in a few exploits. |
.vxd | High | Virtual device driver | Can be used to execute malicious code. |
.wab | Medium | Outlook Express Address book | Has been used in remote buffer overflow. See http://www.microsoft.com/technet/security/Bulletin/MS06-016.mspx and MS06-076. |
.wbk | Low | Microsoft Word backup document | Can contain malicious content. |
.wiz | Low | Microsoft Word Wizard file | Used by Microsoft to launch end-user-friendly "wizards" that walk new users through common tasks. Could be used to automate future social engineering attacks, but is not a common malware vector. |
.wma | Medium | Nullsoft WinAmp media file | Has been involved in malicious exploits. |
.wmf | Medium | Windows metafile | Has been involved in multiple buffer overflow exploits, including MS05-053 and another exploit discovered on December 27, 2005. The bug is in Microsoft's Graphics Rendering Engine. WMF files can be named with other extensions and will still execute as if they are WMF files. In January 2007, it was also found to be vulnerable in OpenOffice versions prior to 2.1.0 and StarOffice versions prior to 8. |
.ws | High | WSH script file | Windows script file, executed by Wscript.exe, can execute malicious code. |
.wsc | High | Windows scriptlet file | Windows script file, executed by Wscript.exe, can execute malicious code. |
.wsf | High | WSH script file | Windows script file, executed by Wscript.exe, can execute malicious code. |
.xla | Low | Microsoft Excel add-in program | Add-ins can contain dangerous macros and code. |
.xlb | Low | Microsoft Excel file | Can contain harmful content. |
.xlc | Low | Microsoft Excel Chart | Can contain harmful content. |
.xld | Low | Microsoft Excel dialog box file | Can contain malicious content. |
.xlk | Low | Microsoft Excel Backup file | Can contain malicious content. |
.xll | Low | Microsoft Excel file | Can contain malicious content. |
.xlm | Low | Microsoft Excel macro file | Can contain malicious content. |
.xls | High | Microsoft Excel spreadsheet | Can contain dangerous macros and code. |
.xlshtml | Low | Microsoft Excel spreadsheet in HTML format | Although not popularly used, can contain malicious content. |
.xlsmhtml | Low | Microsoft Excel spreadsheet in MIME-encoded HTML format | Although not popularly used, can contain malicious content. |
.xlt | Low | Microsoft Excel spreadsheet template file | Could contain malicious content. |
.xlthtml | Low | Microsoft Excel spreadsheet template in HTML format | Could contain malicious content. |
.xlv | Low | Microsoft Excel Visual Basic module | Can contain malicious content or commands. |
.xml | Low | XML file | Likely to be the next language of choice for malicious coders. |
.xsl | Low | XML conversion/translation file | Likely to be the next language of choice for malicious coders. |
.z | Low | Gzip file format | Can be used by malware to bypass computer security defenses. Very common on Unix/Linux platforms, but can also be used in Windows. |
.zip | High | Pkzip or Winzip archive file | Can be used maliciously several ways, including: 1) To allow malware to bypass file integrity checkers and antivirus software that does not unzip zip files. 2) Can contain a zip file within a zip file (several levels of nesting possible) to bypass security programs that do not do recursive scanning. 3) Can be used to auto-launch programs when the file is unzipped. 4) Can be used to overwrite other legitimate files. 5) Can be used to create an overwhelming number of directories and subdirectories, causing quota problems, low disk space, and other operating system abnormalities. The latter problem has also been used to bypass security programs that do not handle long and "deep" directory names well. |
Table 10-1 is quite a lengthy list. Essentially, it is good evidence that nearly any file type can be maliciously manipulated to take advantage of an application's vulnerability. In addition, depending on how the file is launched, the operating system may consider a file as executable regardless of the extension. For instance, open a command prompt and run the following commands:
C:\Users\Jesper\Downloads>copy %systemroot%\notepad.exe dummy.duh
        1 file(s) copied.

C:\Users\Jesper\Downloads>dummy.duh
When you execute dummy.duh, Notepad launches. The command shell "peeks" into the file header and executes anything that looks like an executable even if the extension is something else altogether. If you double-click dummy.duh in Windows Explorer, you get an "unknown file extension" dialog box because Windows Explorer does not do the same thing. In other words, extensions are a poor way to judge whether something is executable or not. For reference, Internet Explorer also peeks into files to determine what they really are to decide how to handle them.
Security engineers should realize that every file type should be considered as a potentially malicious avenue until proven otherwise and plan their computer defense accordingly. Figure 10-1 shows a malicious screensaver executable (.scr) sent via e-mail.
Figure 10-1: Screensavers are basically executables.
Note | I had to use an old pre-Windows Mail example for Figure 10-1, as Windows Mail will not display many potentially malicious file types and cannot be used to demonstrate the vulnerability. This is discussed in more detail in the material that follows. |
Many users don't understand the malicious risk posed by file attachments, and will gladly launch any file attachment, regardless of the file type. But the years of the ongoing onslaught of spam and phishing attacks have made many users more savvy. They will avoid executing untrusted executables (.EXE, .BAT, and so on), but open picture files, data file formats, videos, and other "safe" file types. As Table 10-1 shows, data and multimedia formats are often used to spread malware. In the last 18 months, application document formats, such as Office files, have been increasingly used to spread targeted zero-day attacks. This means that many file types that were previously thought to be "safe" are no longer very safe.
Other times, malware creators attempt to masquerade their "more malicious" file type as a "safe" file type. For instance, because Windows (by default) will hide registered file extensions, executable malware named Readme.txt.exe can sometimes appear as Readme.txt when presented as a file attachment. Figure 10-2 shows another trick, where the real file extension is placed to the far right of the fake file extension in an attempt to fool the user. What might look like Message.doc is really Message.doc <lots of spaces>.exe. The e-mail creator even placed a fake antivirus message in the text of the e-mail body in order to further fool an unsuspecting reader.
Note | I had to use an old pre-Windows Mail example for Figure 10-2, as Windows Mail is not subject to the multiple file extension trick and cannot be used to demonstrate the vulnerability. |
Or another example: a file named Readme.1st could really be an MS Word document utilizing an unpatched vulnerability. As shown in Figure 10-3, Microsoft Office documents can be named with any file extension not already registered in Windows, and still open automatically in the referenced Microsoft Office application because Windows peeks into the file format, as described earlier.
Figure 10-3: File extensions are not a good way to make security decisions.
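A triage routine for the two lessons above, the dummy.duh header peeking and the Readme.txt.exe / Message.doc <spaces>.exe naming tricks, as an added example that is not the book's code: it rates each attachment by its real (last) extension against a small excerpt of Table 10-1, then peeks at the file header the way the command shell does. The MIME message is constructed, and the .exe and .doc ratings are assumed since those rows are outside the excerpt.

```python
"""Attachment triage: extension risk, double-extension tricks and header peeking.
Added example, not the book's code. EXT_RISK is a small excerpt of Table 10-1
(the .exe and .doc ratings are assumed); the sample message is constructed."""
import base64
import email
from email import policy
EXT_RISK = {".exe": "High", ".scr": "High", ".vbs": "High", ".zip": "High", ".url": "High",
            ".doc": "High", ".rar": "Medium", ".rtf": "Medium", ".py": "Low"}
# File-header magic numbers: what the bytes really are, whatever the name says.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive",
         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 Office document"}
# Extensions under which each content type is expected; anything else is a disguise.
NATIVE_EXT = {"PE executable": {".exe", ".scr", ".com", ".pif", ".dll"},
              "OLE2 Office document": {".doc", ".dot", ".xls", ".xlt", ".ppt", ".msg"}}

def split_extensions(name):
    """All dotted suffixes, lower-cased, with space padding squeezed out:
    'Message.doc        .exe' -> ['.doc', '.exe']; 'dummy.duh' -> ['.duh']."""
    return ["." + p.strip().lower() for p in name.split(".")[1:] if p.strip()]

def sniff_content(data):
    """Identify the content from its header, the way cmd.exe ran dummy.duh."""
    return next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")

def assess_attachment(filename, data):
    exts = split_extensions(filename)
    real = exts[-1] if exts else ""              # the extension Windows acts on
    findings = []
    if len(exts) > 1:                            # Readme.txt.exe, Message.doc <spaces>.exe
        findings.append(f"double extension: shown as {exts[0]}, really {real}")
    if "  " in filename:
        findings.append("space padding in filename")
    kind = sniff_content(data)
    if kind in NATIVE_EXT and real not in NATIVE_EXT[kind]:
        findings.append(f"{kind} header under extension {real or '(none)'}")
    # Executable or Office content is High whatever the name says; otherwise rate the extension.
    risk = "High" if kind in NATIVE_EXT else EXT_RISK.get(real, "Unlisted")
    return {"name": filename, "extension": real, "content": kind, "risk": risk, "findings": findings}

def triage_message(raw):
    """Assess every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [assess_attachment(p.get_filename() or "", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments()]

def build_sample_message():
    """Constructed MIME message (not a real capture) carrying the tricks from the text."""
    def part(filename, ctype, data):
        return (f"--B\r\nContent-Type: {ctype}\r\nContent-Transfer-Encoding: base64\r\n"
                f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
                + base64.b64encode(data).decode() + "\r\n")
    pe = b"MZ\x90\x00" + b"\x00" * 60                         # PE header only, not a program
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56  # OLE2 header only
    body = ("From: sender@example.com\r\nTo: user@example.com\r\nSubject: Your message\r\n"
            'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
            "--B\r\nContent-Type: text/plain\r\n\r\nAntivirus check: this message is clean.\r\n"
            + part("Message.doc" + " " * 40 + ".exe", "application/msword", pe)
            + part("dummy.duh", "application/octet-stream", pe)
            + part("Readme.1st", "application/octet-stream", ole)
            + part("notes.txt", "text/plain", b"hello") + "--B--\r\n")
    return body.encode()
```

Running `triage_message(build_sample_message())` flags the padded double extension, the PE header under .duh, and the Office header under .1st, and leaves notes.txt with no findings.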
Most e-mail clients allow sending and receiving of web-based HTML content inside of an e-mail. Malicious attackers will often craft web-based attacks and send them as an e-mail. The unsuspecting user opens the e-mail, and the e-mail client renders the embedded HTML content. Several years ago mail clients ignored basic security recommendations and automatically displayed executable HTML content when the e-mail was opened or viewed. Any executable content would automatically display and any malicious code would automatically launch. Unless the very newest mail clients, such as Outlook 2007 or 2003, are universally used, allowing incoming e-mail to contain non-text content is among the riskiest computing behaviors around.
Malicious e-mails often contain embedded URL links that, when clicked, take users to malicious Web sites, execute rogue code, or launch dangerous scripts. Figure 10-4 shows a link pointing to a malicious executable.
Figure 10-4: By hovering over a link in an e-mail, you can see where the link actually goes.
This technique is almost universally used for phishing attacks, where users are lured to submit personal information to a rogue Web site. Hovering over the link will display the link, but that in and of itself is often very difficult to parse and often the link goes somewhere illegitimate. For instance, all the popular search engines allow redirection from the search engine to other sites. A link that seems to go to http://www.google.com/ <some strange stuff here> may actually land you on a rogue Web site somewhere.
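A check for the hover-and-compare rule above, as an added example that is not part of the chapter: it pulls every link out of an HTML body and flags link text that names a different host than the href, redirector links that carry a second URL in the query string (the search-engine case), and links straight to an executable. The sample HTML and its example.* hosts are constructed.

```python
"""Flag deceptive links in an HTML e-mail body: visible text that names one host
while the href goes to another, redirector links carrying a second URL in the
query string, and links straight to executables. Added example, not the book's
code; the HTML below is constructed and its hosts are placeholders."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Host named by a URL or a bare 'www.example.com'-style string, else None."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host.lower() if "." in host and " " not in text.strip() else None

def embedded_urls(href):
    """URLs carried inside query parameters: the search-engine redirect pattern."""
    return [v for vals in parse_qs(urlparse(href).query).values() for v in vals if "://" in v]

def check_links(html):
    """Return one record per link with the reasons, if any, it looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        shown, actual, reasons = host_of(text), host_of(href), []
        if shown and actual and shown != actual:           # what you see vs. where you go
            reasons.append(f"text says {shown}, link goes to {actual}")
        for target in embedded_urls(href):
            reasons.append(f"redirects to {host_of(target)}")
        if href.lower().rsplit("?", 1)[0].endswith((".exe", ".scr", ".zip")):
            reasons.append("link points at an executable or archive")
        report.append({"href": href, "text": text, "reasons": reasons})
    return report

# Constructed sample body with placeholder hosts, not a real phishing message.
SAMPLE_HTML = """<p>Please verify your account:</p>
<a href="http://login.example.net/verify">http://www.bank.example.com/login</a><br>
<a href="http://search.example.com/url?q=http://login.example.net/">search result</a><br>
<a href="http://files.example.net/update.scr">Download the security update</a><br>
<a href="http://www.bank.example.com/">www.bank.example.com</a>"""
```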
Last, many e-mail protocols are well known for passing e-mail server logon credentials in clear text between the client and server. Malicious intruders can sniff network traffic and find the user's logon name and password, which can then be used outside of e-mail. Figure 10-5 shows a sniffed POP3 network connection revealing the user's logon name and password.
Figure 10-5: Many e-mail protocols are clear-text.
Corporate e-mail protocols are typically not clear-text protocols. For instance, an organization that uses Exchange Server typically uses native Windows authentication, which is far more secure. However, IMAPv4 and POP3, two very common protocols in academia and with Internet service providers (ISP), are both clear-text.
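A detection that models what Figure 10-5 shows, added here and not part of the chapter: it walks a captured POP3 or IMAP session and reports logon commands that went over the wire in clear text, without storing the password. The transcripts are constructed; the STLS/STARTTLS handling (RFC 2595) is an assumption that goes beyond the text, since a session that negotiated TLS before logging on is not clear-text.

```python
"""Flag logons sent in clear text on a POP3 or IMAP session, without recording
the secret itself. Added example, not the book's code; the transcripts are
constructed (C: client line, S: server line). It also handles STLS/STARTTLS
(RFC 2595), which the text does not discuss: commands after a successful STLS
travel encrypted and are not flagged."""
import re

# (label, pattern, user group, secret group) for the clear-text logon commands
LOGON_COMMANDS = [
    ("POP3 USER", re.compile(r"USER\s+(\S+)", re.I), 1, None),
    ("POP3 PASS", re.compile(r"PASS\s+(\S+)", re.I), None, 1),
    ("IMAP LOGIN", re.compile(r"\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.I), 1, 2),
]
STARTTLS = re.compile(r"(\S+\s+)?(STLS|STARTTLS)\s*$", re.I)
SERVER_OK = re.compile(r"(\+OK|\S+\s+OK)\b")

def find_cleartext_logons(session):
    """One finding per logon command that went over the wire unencrypted."""
    findings, tls_pending, tls_active = [], False, False
    for number, line in enumerate(session.splitlines(), 1):
        side, _, payload = line.partition(": ")
        if side == "S":                                   # server reply
            if tls_pending and SERVER_OK.match(payload):
                tls_active, tls_pending = True, False
            continue
        if tls_active:                                    # encrypted from here on
            break
        if STARTTLS.match(payload):
            tls_pending = True
            continue
        for label, pattern, user_group, secret_group in LOGON_COMMANDS:
            match = pattern.match(payload)
            if match:                                     # report the fact, never the secret
                findings.append({"line": number, "command": label,
                                 "user": match.group(user_group) if user_group else None,
                                 "password_in_clear": secret_group is not None})
    return findings

# Constructed transcripts; the credentials are placeholders.
POP3_SESSION = """S: +OK POP3 server ready
C: USER jesper
S: +OK
C: PASS secret-placeholder
S: +OK Logged in
C: STAT"""
POP3_STLS_SESSION = """S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: USER jesper
C: PASS secret-placeholder"""
IMAP_SESSION = """S: * OK IMAP4rev1 server ready
C: a001 LOGIN jesper secret-placeholder
S: a001 OK LOGIN completed"""
```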
Malware writers can use e-mails in many other malicious ways. Phishing attacks can induce the reader into revealing their logon name, passwords, and other financial identity information to criminals. "Nigerian" scams (http://www.en.wikipedia.org/wiki/Advance_fee_fraud) have led to innocent people losing tens of millions of dollars and even being murdered. Lest you think only idiots fall for these types of scams, Nobel prize-winners in physics and many millionaires have been taken in by e-mail scams. Being smart doesn't always override the alluring promise of get-rich-quick schemes.
E-mails have also been used to execute buffer overflows on e-mail servers and clients. During the last few years, several antivirus software programs that are supposed to protect e-mail users have been susceptible to buffer overflows from specially crafted e-mails. When the antivirus program inspected incoming e-mail attachments, a buffer overflow was used to take over the server or exploit the client. Security vulnerabilities in security software are not uncommon and reveal one of the risks of utilizing third-party defensive software.
Business users often access personal e-mail accounts using computers owned by their organizations while on the organizational network. Whether using an Internet browser or using a normal e-mail client, personal e-mail accounts present a risk to the organizational computing environment by bypassing the corporate e-mail protection mechanisms. Particularly, web-based mail access presents a very high risk. While Outlook or Windows Mail may block high-risk file attachments, a web-based e-mail account may still allow malicious file attachments or embedded content to be transferred and executed. Whether this risk is acceptable needs to be addressed in the organizational security policy. It needs to be considered in light of the hardship posed by not permitting people to access their personal e-mail at work. Blocking personal e-mail access will almost certainly result in a significant increase of organizational e-mail volume as people shift to using their work-based e-mail system for personal use.