Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 12.  Email Attacks

12.2 Email Programs

There are dozens of good email programs on the market today, including Microsoft Outlook, Microsoft Outlook Express, MSN Hotmail, Netscape Messenger, Qualcomm's Eudora, Lotus Notes, Lotus cc:Mail, Pegasus Mail, and Sun Microsystems's StarOffice. Most email attacks are written specifically for Microsoft Outlook, but they can succeed to varying degrees on most of the popular clients, depending on the type of email program and the exploit used.

12.2.1 Types of Email

Email software comes in three basic types:

  • Client/server

  • Web-based

  • Host-based

The most popular type of email today is based on the client/server model. The main email software is located on the local client PC. It contacts a mail server to deliver and pick up messages. The mail server collects all messages and distributes them either to email clients or to other email servers for further routing to their intended destination (called the store-and-forward model). Most conventional email systems use the client/server model. Microsoft Exchange, Microsoft Outlook, Netscape Messenger, and Lotus Notes are all client/server email systems.

Web-based email systems, such as Hotmail or Yahoo! Mail, allow end users to pick up their email from any computer with an Internet-connected browser. The user must log in with her email name and password. Then she can send and retrieve email much as she normally would, albeit with less overall functionality. Web-based email is composed inside an HTML web form, and many web-based email systems pass along scripts inserted into the message text by default, so the recipient's browser may run them when the message is displayed. Several email exploits have been successfully demonstrated against web-based email, and many web-based mail hosts have been cracked to reveal other users' information.

Web-based email systems offer some security advantages. Because they store messages on a remote server and the browser talks to that server through the site's own HTTP interface rather than a standard mail API, many virus attacks are less likely to gain access beyond the inbox. Most email worms are coded to use Microsoft Outlook's Messaging Application Programming Interface (MAPI), which is not available to a web-based client, so a worm that arrives by webmail has no address book to harvest and no mail session to send from unless the user saves the attachment and runs it locally.

Although not widely used today except in large companies, host-based email systems keep the client and the server software on the same computer, and users reach them through terminal sessions. Host email systems are mostly leftover relics from the days when mainframes were king. They are text-based and menu driven. The December 1987 IBM Christmas Tree worm (CHRISTMA EXEC) spread between IBM VM/CMS hosts over the BITNET and EARN academic networks, so host-based mail is not immune; today, however, these systems are considered to be at low risk from malicious mobile code, mainly because they render messages as plain text and never hand attachments to a scripting engine. While the rest of the world struggles to overcome the latest worldwide email attack, users of host-based systems sit back smiling. Of course, they don't have the myriad new features either.

12.2.1.1 MIME

Multipurpose Internet Mail Extensions (MIME) was written as a way to send different file types in or along with an email. A MIME message labels each part with a content type and a content-transfer-encoding; binary content such as graphics, audio, and program files is usually carried as base64 (or quoted-printable) text so that it survives the 7-bit ASCII transport SMTP was built on. MIME formatting allows other character sets besides ASCII, and has become the standard way of labeling nontext content on the Web and within operating systems. You'll see MIME content types in email and in HTTP responses, and Windows maps them to file extensions and handler applications in the registry.

MIME-enabled programs inspect the declared content type of incoming content and call up different applications to handle it. Thus, when you download an audio file in Microsoft Internet Explorer, the RealPlayer sound program might automatically pop up and begin to play. It is the MIME labeling within an email that allows an email client to display the attached file's icon as that of its handling program. For example, double-clicking on a Microsoft Word document icon in an email message will launch Microsoft Word. MIME objects are described with a format consisting of a type and subtype, written type/subtype (see Table 12-1). For example, a Microsoft Excel file would be labeled application/vnd.ms-excel (older software used application/x-msexcel). Keep in mind that the content type is only a label supplied by the sender: a .VBS script can be declared as application/octet-stream or even image/gif, and on Windows the receiving client usually launches the handler for the filename's extension, not the declared type, so the label cannot tell you what an attachment really is. Being familiar with the basic MIME content types may help in reviewing email headers (covered in Section 12.2.1.5) or troubleshooting file attachment problems.

Table 12-1. Common MIME content types and subtypes

Type          Subtype
text          plain
              richtext
              enriched
              tab-separated-values
multipart     mixed
              alternative
              digest
              parallel
              header-set
message       rfc822
              partial
              external-body
              news
application   octet-stream
              postscript
              vnd.ms-powerpoint
              rtf
              vnd.rn-realplayer
              news-message-id
              news-transmission
              wordperfect5.1
              pdf
              zip
              msword
image         jpeg
              gif
              tiff
audio         basic
video         mpeg
              quicktime

12.2.1.2 Encrypted email

Secure Multipurpose Internet Mail Extensions (S/MIME) and OpenPGP (carried in email as PGP/MIME) are the two most popular protocols for encrypting and signing email between source and destination. S/MIME was developed by RSA Data Security, Inc. and is now an IETF standard; OpenPGP is the IETF standardization of Phil Zimmermann's PGP. Both provide encryption and sender authentication with public-key cryptography, but they are not interoperable: S/MIME uses X.509 certificates issued by a certificate authority, while OpenPGP uses its own key format and a web of trust. Microsoft Outlook supports S/MIME natively; PGP's popular freeware adds OpenPGP support through a plug-in. Because signing a message requires the sender's private key, and that key is normally guarded by a passphrase prompt or a certificate-use confirmation, a worm that tries to send mail through a secure client usually cannot produce a validly signed message, which gives recipients who expect signed mail from that sender a way to spot the forgery. Encryption cuts the other way, too: an encrypted attachment passes through a gateway virus scanner unread, so the scanning must happen on the desktop after decryption.

12.2.1.3 Newsgroups

Network News Transfer Protocol (NNTP) allows software clients called newsgroup readers to participate in the Internet's thousands of Usenet newsgroups. As newsgroup readers are used today, they look a lot like email clients. Most Windows browsers include newsgroup readers or helper programs.

Newsgroups can be contrasted with list servers, which use normal email clients for shared email distribution. Both newsgroups and list servers have been used to spread email attacks and exploits. If active scripting is allowed, malicious content can be launched simply by a reader opening a message. As discussed in the last chapter, these types of exploits are of great concern to the Internet's governing security bodies.

12.2.1.4 Preview pane

Many email programs allow users to preview the contents of an email without explicitly opening it. If previewing is turned on in Microsoft Outlook, the message is displayed in the Preview pane. Depending on the email client, previewing an email can be the same as opening and viewing it. This behavior led many early email virus alerts to claim, falsely, that a particular virus didn't need the email opened in order to spread; what they were seeing was the preview doing the opening. If previewing does render the message and allow its embedded content to launch, then malicious embedded scripts can run without any action from the user beyond selecting the message.

Because email clients that launch embedded scripts and commands during Preview mode were seen as vulnerable, some email clients restrict what active content can do in a Preview window. Outlook was one of many to change its preview behavior. Table 12-2 summarizes the different effects of the Preview pane on emails in different versions of Outlook.

Table 12-2. Effect of preview pane on emails in different versions of Outlook

Outlook version    Is embedded content executed in preview pane?
Outlook Express    Depends on security zone; previewing has the same effect as opening the email.
Outlook 98         Depends on security zone; previewing has the same effect as opening the email.
Outlook 2000       Depends on security zone, but the preview pane also disables ActiveX controls, Java applets, plug-ins, and scripting.

12.2.1.5 Hiding behind email

Talk to anyone who has received an angry email flame and they will tell you that the anonymity email provides is viciously empowering to certain mindsets. An email, unless authenticated, never has to be from where it says it's from. Rogue hackers routinely set up dozens of web-based email accounts on Hotmail and Yahoo! and hack away. Very few email systems verify the identity of the person behind an account before allowing it to be used. Hundreds of email viruses and Trojans contain code to report back to their creator through such anonymous accounts. So, even if you trace a hacker to a particular email address, he can be hard to catch: when the heat is on, he simply stops using the account. Unless you have the vast resources of the FBI, it is difficult to attribute a particular email address to a particular person.

All Internet emails have header information that, among other things, describes the originating email address, what MIME version the message uses, the date and time sent, and the path the email took to get from source to destination. In Microsoft Outlook 2000, you can choose View → Options → Internet Headers to see the header information, as shown in Example 12-1.

Example 12-1. Email header

Received: from exchange1.CHKD.COM (mail.chkd.com [157.21.35.251])
    by mail.phrinc.com with SMTP
    (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
    id V8XS2X2V; Thu, 2 Nov 2000 14:32:21 -0500
Received: by chkd.evms.edu with Internet Mail Service (5.5.2650.21)
    id <W1112KL6>; Thu, 2 Nov 2000 14:21:54 -0500
Message-ID: <04C708E60B4CD31198440008C7A447ED03481B43@chkd.evms.edu>
From: "Grimes, Patricia L" <GrimesPatricia@CHKD.COM>
To: 'Roger' <rogergrimes@rogergrimes.com>
Subject: A new virus...???
Date: Thu, 2 Nov 2000 14:21:53 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_000_01C04502.284982B2"

------_=_NextPart_000_01C04502.284982B2
Content-Type: text/plain; charset="iso-8859-1"

------_=_NextPart_000_01C04502.284982B2
Content-Type: application/octet-stream;
    name="TUVEYEU.GIF.vbs"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
    filename="TUVEYEU.GIF.vbs"

------_=_NextPart_000_01C04502.284982B2--

If you read the header from the bottom up, you can follow the message's path through the Internet from source to destination: each mail server that handles the message adds its own Received: line at the top, so the topmost line was written by the last hop (your own server) and the lowest by the first. Can you use this information to track a hacker? Sometimes you can, but usually not back to a competent one. Only the Received: lines added by servers you trust are reliable; everything below them, including the From: address and any earlier Received: lines, was supplied by the sender and can be forged outright. Malicious hackers use email clients that intentionally falsify the header, or they talk SMTP directly to any of the thousands of trusting open relays on the Internet and hand it whatever headers they like. Or they send through an anonymous remailer, which strips the identifying headers, substitutes a new originating address, and forwards the message (if tracked, the trail stops at the remailer). Anonymous email has many legitimate uses, such as cancer and AIDS peer-support discussions, and the same infrastructure gives the malicious hacker a variety of ways to hide his tracks. Once malicious email code begins automatically replicating, it can take an internationally coordinated search team with the Internet's best investigative tools to find the original launch point.
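As an added example (not code from the book), here is a short Python script that does the header review described above and in Section 12.2.1.1 mechanically: it parses the Example 12-1 message with the standard library's email package, walks the Received: chain oldest-first, lists the attachments with their declared content types, and flags filenames such as TUVEYEU.GIF.vbs whose final extension is executable no matter what type the sender declared. The message text is constructed from the header lines in Example 12-1 with empty part bodies, and the extension sets are this example's own assumptions.

```python
"""Parse the Example 12-1 message: Received: chain, attachments, risky names.

Added example, not code from the book. SAMPLE is constructed from the header
lines shown in Example 12-1 with empty part bodies; the extension sets are
this example's own assumptions.
"""
import email
from email import policy

SAMPLE = """\
Received: from exchange1.CHKD.COM (mail.chkd.com [157.21.35.251])
\tby mail.phrinc.com with SMTP
\t(Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
\tid V8XS2X2V; Thu, 2 Nov 2000 14:32:21 -0500
Received: by chkd.evms.edu with Internet Mail Service (5.5.2650.21)
\tid <W1112KL6>; Thu, 2 Nov 2000 14:21:54 -0500
Message-ID: <04C708E60B4CD31198440008C7A447ED03481B43@chkd.evms.edu>
From: "Grimes, Patricia L" <GrimesPatricia@CHKD.COM>
To: 'Roger' <rogergrimes@rogergrimes.com>
Subject: A new virus...???
Date: Thu, 2 Nov 2000 14:21:53 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed;
\tboundary="----_=_NextPart_000_01C04502.284982B2"

------_=_NextPart_000_01C04502.284982B2
Content-Type: text/plain; charset="iso-8859-1"

------_=_NextPart_000_01C04502.284982B2
Content-Type: application/octet-stream;
\tname="TUVEYEU.GIF.vbs"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
\tfilename="TUVEYEU.GIF.vbs"

------_=_NextPart_000_01C04502.284982B2--
"""

# Assumed lists: extensions Windows will execute, and extensions a worm
# likes to put in front of the real one so the name looks harmless.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr",
                     "pif", "com", "bat", "cmd", "hta"}
DISGUISE_EXTENSIONS = {"gif", "jpg", "jpeg", "bmp", "txt", "doc", "xls",
                       "pdf", "mp3"}


def parse(raw):
    """Parse an RFC 822/MIME message into an EmailMessage object."""
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg):
    """Received: lines oldest-first. Each relay prepends its own line, so
    header order is newest-first and must be reversed to follow the path."""
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def attachments(msg):
    """(filename, declared content type) for every non-body part."""
    return [(part.get_filename(), part.get_content_type())
            for part in msg.iter_attachments()]


def classify_filename(name):
    """'ok', 'script', or 'disguised-script' (e.g. PICTURE.GIF.vbs)."""
    parts = (name or "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in SCRIPT_EXTENSIONS:
        return "ok"
    if len(parts) > 2 and parts[-2] in DISGUISE_EXTENSIONS:
        return "disguised-script"
    return "script"


def suspicious_attachments(msg):
    """Attachments whose filename, not declared type, says they execute."""
    return [(name, classify_filename(name)) for name, _ in attachments(msg)
            if classify_filename(name) != "ok"]


if __name__ == "__main__":
    m = parse(SAMPLE)
    for i, hop in enumerate(received_chain(m), 1):
        print(f"hop {i}: {hop}")
    for name, ctype in attachments(m):
        print(f"attachment {name!r} declared as {ctype} -> {classify_filename(name)}")
```

Note that the attachment is declared as application/octet-stream, which tells you nothing; the filename is what Outlook will act on, and the .GIF in the middle is there only to fool the reader. Only the first hop (the topmost Received: line, written by mail.phrinc.com) is something the recipient's own server vouched for.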

12.2.2 Why Is Outlook Such a Popular Target?

Microsoft's popular Outlook and Outlook Express programs are a malicious coder's dream platform for several reasons. Both of them:

  • Are widely used on millions of PCs

  • Are available across several computing platforms including Windows, Macintosh, and Unix

  • Allow the embedding of executable content, scripting, Java and ActiveX objects

  • Have an easy-to-use programming API that allows other programs to access email addresses and send email

  • Were, until recently, very easy to exploit

  • Are complex enough so that not all the security holes will ever be gone

12.2.3 Microsoft Outlook Technology

Microsoft Outlook comes in many flavors. First, there is the difference between Microsoft Outlook and Microsoft Outlook Express. Microsoft wants the feature-rich Outlook client to be used by corporate users and Outlook Express for the home market. Both versions share core functionality. In fact, Microsoft will not support Outlook 2000 without Outlook Express installed. Both versions support HTML-enabled email, forms, folders, SMTP, POP3, IMAP4, S/MIME, NNTP, and contact information. First released as Outlook Express 4 with Internet Explorer 4, Outlook Express is mainly an email and newsgroup reader.

Microsoft Outlook is a corporate email and collaboration tool. It not only does email and newsgroups, but calendaring, scheduling, notes, journaling, contact management, and the remote sharing of resources. Outlook can be installed as Internet-only or in Corporate/Workgroup mode with a connection to a Microsoft Exchange email server. Internet-only Microsoft Outlook stores information in personal folder files (.PST extension). The default .PST file is called OUTLOOK.PST. Corporate/Workgroup installations can keep mail in several different stores:

  • .PST (personal folder file on the client)

  • .EDB (the Exchange server's own information store database)

  • .OST (offline folder file on the client)

Personal folder files (.PST) are used whenever the user wants to store email away from the main email database. A personal folder file can hold email messages, folders, forms, and files. The .PST file can be copied and saved like any other file, and it is a good way to back up or restore email. When a .PST file is set as the delivery location, Outlook information is picked up from the server, saved to the .PST file, and cleared from the server's database. All message manipulation then occurs in the personal folder file. .PST files are a good option when the Exchange mail server is reached over a slow wide area network or Outlook runs on a laptop.

For a normal corporate Outlook user connected to an Exchange server, the user's messages are stored in an Exchange server database file (PRIV.EDB, kept in the server's MDBDATA folder) called the private information store. Virus prevention and removal tools can be run against the private information store to protect all users at once. Offline folder files (.OST) are used for working in Outlook without a current connection to the mail server. OUTLOOK.OST is the default name when you turn offline functionality on. When laptop users are connected to the Exchange server, they manipulate their email on the Exchange server. Then, at predetermined times, Outlook copies (synchronizes) all of the user's mail from the Exchange private store to the local OUTLOOK.OST file. When the Outlook client cannot contact the Exchange server, it uses the offline folder file. When it connects back to the server, all additions, deletions, and modifications are resynchronized between the two message stores.

There are some security drawbacks with .PST files. Operations on Exchange-stored messages will not affect messages stored in .PST or .OST files. When cleaning up the mess from a large email virus, the removal tools can clean up all of the infected messages from the Exchange server, but .PST files must be treated separately. Offline storage files will usually get updated by Exchange at the next resynchronization.

12.2.3.1 Outlook interfaces

Microsoft has provided several ways for external programs and processes to access Microsoft Outlook through a few different interfaces:

  • Simple MAPI

  • Collaboration data objects (CDO)

  • Common messaging calls (CMC)

The Messaging Application Programming Interface (MAPI) was invented by Microsoft as a way for external programs to access mail functionality. By writing to the generic MAPI interface, any Windows application can become mail-enabled. MAPI became a Windows email standard and is supported by several email clients (including Netscape Messenger and Eudora). Simple MAPI is a core set of twelve MAPI function calls, including MAPIReadMail, MAPIAddress, and MAPISendMail. Email worms love these three functions: MAPIAddress and MAPIReadMail give a script the victim's address book and inbox, and MAPISendMail sends a message through whatever client is registered as the default, and did so, before the Outlook security updates of 2000, without any prompt to the user.

Collaboration Data Objects (CDO) is another Microsoft way of interfacing with Outlook, and was intended to replace Simple MAPI and CMC. CDO was originally called Active Messaging and is really nothing more than an additional scripting interface layered over the MAPI structure. It is a part of Microsoft Exchange Server, has been ported to Active Server Pages, and is now used with Microsoft Outlook. CDO is installed by default as part of Outlook 98, but must be loaded as an option with Outlook 2000. CMC is a small set of API functions that allow developers to add messaging capabilities to their programs; Microsoft has discontinued support for CMC. Most programs, including malicious email worms, use the Simple MAPI instruction set to interface with Microsoft Outlook.

12.2.4 Windows Scripting Host

For years, Windows has needed a batch file language. In DOS, the batch file programming language allowed users to automate any DOS command. Early versions of Windows had no Windows-based batch language until Windows Scripting Host (WSH) was released. Originally called ActiveX Scripting in Internet Explorer 3.0, it is automatically installed with Internet Explorer, Windows 98, Windows 2000, and Office 2000, and can be added to Windows 95 and Windows NT 4.0.

As a client-side scripting tool, it executes VBScript and JScript (Microsoft's JavaScript) files by default, but it can be extended to run almost any scripting language for which an ActiveX scripting engine is installed. WSH Version 2.0 will even allow different scripting languages to be mixed within the same file. The main WSH executables are WSCRIPT.EXE and CSCRIPT.EXE. WSCRIPT.EXE is the Windows (GUI) host, while CSCRIPT.EXE runs scripts at the command line. On Windows 9x, WSCRIPT.EXE is usually located in %WINDIR% and CSCRIPT.EXE in the %WINDIR%\COMMAND folder; on Windows NT and 2000 both live in %WINDIR%\SYSTEM32. Type either executable's name at a command line followed by /? to see a list of runtime parameters. There are other supporting WSH files, including WSHOM.OCX and WSHEXT.DLL.

Programmers can use WSH to automate nearly everything about a Windows computer, including system administration, installation of applications, registry modifications, and creation or deletion of documents, files, and folders. With WSH installed, you can double-click a valid script file in Windows Explorer or type a script filename in the Start → Run box. The Windows Script Host engine starts, parses the file, and executes the instructions. Script files that want to use WSH objects obtain them as shown in Example 12-2 and Example 12-3.

Example 12-2. Using VBScript to call the WSH engine

Set obj = WScript.CreateObject("WScript.Shell")

or

Set obj = CreateObject("WScript.Shell")

Example 12-3. Using JScript to call the WSH engine

obj = WScript.CreateObject("WScript.Shell");

or

obj = new ActiveXObject("WScript.Shell");

The code in Example 12-2 and Example 12-3 is common at the beginning of malicious script files. If you see any of those statements in a script file, you can be sure the code is attempting to use WSH's shell object. You might see WshShell.RegWrite or RegRead if the script is writing to or reading the registry; those two calls are common in malicious code, which uses them to register itself under a Run key so that it is executed every time Windows starts. Shell.Run is the method used to run external programs, and it is one of WSH's most powerful and most exploited features. For example, Shell.Run "Notepad.exe" starts the Notepad application, but Run can also be handed a URL (http:, ftp:, or mailto:), which the shell passes to the associated browser or mail client. WSH can even drive large applications such as Microsoft Outlook or Word through their own object models to borrow functionality; the call CreateObject("Outlook.Application") hands a script a full Outlook session, including the address book and the ability to send messages.

While WSH itself has little innate functionality for manipulating files and folders, it can easily call upon the Scripting Runtime Library (as discussed in the last chapter) and its FileSystemObject to create, read, and delete local file system objects. If you see a scripting line containing Scripting.FileSystemObject, you can assume the script is trying to access local system resources. Common instructions include CreateTextFile, WriteLine, GetFile, CreateFolder, and DeleteFile, all of which do what their names indicate. Because WSH launches scripts without any sandbox security model to limit what they can do, it is a great tool for malicious code writers. Table 12-3 shows potentially malicious WSH scripting commands.

Table 12-3. Examples of potentially malicious WSH scripting commands

Scripting code example:
    set obj = WScript.CreateObject("WScript.Shell")
    obj.Run "rundll32.exe shell32.dll,SHFormatDrive"
Explanation: Brings up the Format disk dialog.

Scripting code example:
    set obj = WScript.CreateObject("Shell.Application")
    obj.ShutdownWindows
Explanation: Brings up the Windows shutdown dialog.

Scripting code example:
    set obj = WScript.CreateObject("WScript.Shell")
    obj.Run "Command.com /C DEL *.EXE", 0, False
Explanation: Attempts to delete all .EXE files in the current directory. The 0 (window style) hides the command window the deletion runs in, and False tells Run not to wait for the command to finish, so the script carries on immediately.

Scripting code example:
    set obj = WScript.CreateObject("WScript.Shell")
    obj.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft", "TestValue"
Explanation: Writes the string TestValue to the registry. A worm uses the same call to put its own path under a Run key so that it starts with Windows.

Internet Explorer 4.0 and higher treats WSH files as unsafe ActiveX controls. This means that at the higher security zone levels they will usually not be launched, and at lower levels the browser will at least warn the user that an unsafe control is trying to run and ask whether to allow it (unless the "Initialize and script ActiveX controls not marked as safe" option is enabled, in which case they run silently). A script executed from the local drive by Windows Explorer or with the Start → Run command falls into the My Computer zone, and WSH files there execute without any warning at all. Note that the zone check applies only to scripts launched through Internet Explorer: a script attachment that the user double-clicks in an email client is first saved to the local disk and then runs with the user's full privileges. All of Microsoft's precautions don't seem to work as well as they had hoped, as malicious script files remain the most popular type of email attack.

You might also see WScript.Network called; it lets scripts manage printers and network connections and read the user, domain, and computer names. A malicious script can use it to map a new drive share and reach other machines.

12.2.4.1 Encoded scripts

You might think that you can prevent malicious scripts from executing on your computer by first examining them to see whether they contain references to FileSystemObject. Unfortunately, with the latest versions of WSH, scripts can be encoded so that the script file is no longer clear-text readable. This functionality was provided to protect the intellectual property of script authors. Encoded JScript files have the extension .JSE, and encoded VBScript files have the extension .VBE; Microsoft's Script Encoder (SCRENC.EXE) produces them, and the encoded text begins with the marker #@~^. An encoded script file is decoded on the fly by the script engine and then executed normally. Bear in mind that this is obfuscation, not encryption: the decoding is deterministic and has been reproduced outside Microsoft's engine, so a determined analyst (and a good virus scanner) can still recover and inspect the original text, but a simple string search over the file as received will find nothing.
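To tie Table 12-3 and the encoded-script caveat together, here is an added example (not from the book) of the kind of indicator scan a mail gateway or helpdesk script might run over a suspicious .VBS/.JS attachment before anyone double-clicks it. The indicator list is taken from the objects and methods discussed above (WScript.Shell, Run, RegWrite, FileSystemObject, Outlook.Application, WScript.Network, SHFormatDrive); the sample scripts are constructed for the demonstration, the risk tiers are this example's own assumption, and an encoded file is reported for manual decoding rather than judged by its unreadable text.

```python
"""Indicator scan for WSH script attachments (.VBS/.JS/.VBE/.JSE/.WSF).

Added example, not code from the book. The indicators are the WSH objects
and methods discussed in this section; the sample scripts are constructed,
and the risk tiers are this example's own assumption.
"""
import re

# (name, pattern). VBScript identifiers are case-insensitive, so every
# search is too; the patterns match both VBScript and JScript spellings.
INDICATORS = [
    ("wsh-shell", r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)'
                  r'|new\s+ActiveXObject\s*\(\s*"WScript\.Shell"\s*\)'),
    ("shell-run", r'\.Run\b'),
    ("registry-write", r'\.RegWrite\b'),
    ("registry-read", r'\.RegRead\b'),
    ("filesystem", r'"Scripting\.FileSystemObject"'),
    ("file-ops", r'\.(CreateTextFile|WriteLine|GetFile|CreateFolder|DeleteFile)\b'),
    ("outlook-automation", r'"Outlook\.Application"'),
    ("network", r'"WScript\.Network"'),
    ("format-drive", r'SHFormatDrive'),
    ("shutdown", r'\.ShutdownWindows\b'),
    ("mass-delete", r'\bDEL\s+\*\.'),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in INDICATORS]

# Prefix that Microsoft's Script Encoder (SCRENC.EXE) writes at the start
# of a .VBE/.JSE file; the rest of the file is not readable as source text.
ENCODED_MAGIC = "#@~^"

# Assumed tiers: destructive or self-propagating calls versus mere access.
HIGH = {"format-drive", "shutdown", "mass-delete", "outlook-automation",
        "registry-write"}
MEDIUM = {"wsh-shell", "filesystem", "file-ops", "network", "shell-run"}


def is_encoded(text):
    return text.lstrip().startswith(ENCODED_MAGIC)


def scan(text):
    """[(line_number, indicator)] in file order. An encoded file yields a
    single 'encoded-script' hit because its text cannot be inspected as-is."""
    if is_encoded(text):
        return [(1, "encoded-script")]
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for name, regex in COMPILED:
            if regex.search(line):
                hits.append((number, name))
    return hits


def risk(text):
    """'review' for encoded files, otherwise 'high', 'medium' or 'low'."""
    names = {name for _, name in scan(text)}
    if "encoded-script" in names:
        return "review"
    if names & HIGH:
        return "high"
    if names & MEDIUM:
        return "medium"
    return "low"


# Constructed samples: the first two are Table 12-3 fragments, the third is
# harmless, the fourth stands in for Script Encoder output (only the magic
# prefix is meaningful here).
SAMPLE_FORMAT = ('Set obj = WScript.CreateObject("WScript.Shell")\n'
                 'obj.Run "rundll32.exe shell32.dll,SHFormatDrive"\n')
SAMPLE_DELETE = ('Set obj = WScript.CreateObject("WScript.Shell")\n'
                 'obj.Run "Command.com /C DEL *.EXE", 0, False\n')
SAMPLE_BENIGN = 'Dim total\ntotal = 1 + 2\nMsgBox "Total is " & total\n'
SAMPLE_ENCODED = "#@~^DgAAAA==constructed-placeholder^#~@"

if __name__ == "__main__":
    for label, text in [("format", SAMPLE_FORMAT), ("delete", SAMPLE_DELETE),
                        ("benign", SAMPLE_BENIGN), ("encoded", SAMPLE_ENCODED)]:
        print(f"{label}: risk={risk(text)} hits={scan(text)}")
```

A scan like this catches the plain-text worms of the day, but it is only a triage aid: a script that assembles "WScript.Shell" from Chr() calls or string concatenation, or one that has been run through the Script Encoder, produces no hits, which is exactly why an encoded file is returned as "review" rather than "low".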

12.2.4.2 Future of WSH

The current version of Windows Scripting Host, WSH 2.0, is also known as Windows Script 5.1. WSH 2.0 includes a new file type, the Windows Script File (.WS or .WSF). .WSF files are XML-based script files that can combine several scripts and scripting languages in one file, which means Microsoft has big plans for the future of WSH. It is not going away. Unfortunately, until WSH gets better security management, you need to be aware of what it can do and how to protect the computers under your charge. The usual mitigations in the meantime are to change the file associations for .VBS, .VBE, .JS, .JSE, and .WSF so that they open in Notepad instead of WSCRIPT.EXE, or to remove WSH altogether on machines that do not need it, so that a double-clicked script attachment is displayed rather than run.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176