Viruses, Trojans Exploiting Outlook Idiosyncrasy

Advances in content filtering techniques are prompting virus authors and Trojan writers to resort to exploiting the veiled quirkiness of email software.
Advances in content filtering techniques are prompting virus authors and trojan writers to resort to exploiting the veiled quirkiness of email software.

Specifically, malware (malicious software) authors are exploiting an idiosyncrasy in Microsoft Outlook to give their malware a better chance of dodging any content filters, and then persuading an email recipient that an attachment is safe to open when in fact it contains some malicious program.

The latest effort is the W/32Sadhound worm, and several security software vendors are reporting thousands of interception of the worm since the weekend.

Part of what has made this attack so successful is the use of a zero-day exploit technique that affects various versions of Outlook and Outlook Express. The malware uses a long filename and three extensions, and makes it possible for malicious code to bypass security software and mask the true identity of executable e-mail attachments.

The malware relies on specially crafted email headers, creating an attachment with three file-extensions. Standard email packages will not generate these headers; these emails must either be created by hand or using hacker tools. An example of such a filename may be:

            "malware.JPG              .EXE                  .JPG"  

When a specially crafted filename is used in an e-mail attachment, the first part of the filename and the icon make the file appear legitimate to an end user. The middle extension, unseen by the end user, is used by vulnerable versions of Outlook and Outlook Express to run the executable.

This triple extension exploit technique takes advantage of two weaknesses, one in Microsoft Outlook and Outlook Express and the other in gateway security software. The former involves the way in which attachments are executed and displayed to the user, making attachments appear as benign looking file via the filename and icon. The latter involves a design flaw in various gateway security software programs in the way the long filenames are processed.

The following applications have been found to be vulnerable to this type of attack, according to iDefense:

  • Outlook 5.5 SP2 without the MS02-058 patch

  • Antigen 7.0

  • Trend Micro Inc. Interscan with eManager

  • Outlook Express 6.X
  • In initial tests, Microsoft Outlook versions 2000 and 2002 were not found to be vulnerable. However, various options used with the tool used to construct exploit e-mails was found to not be fully functional within vulnerable versions, based upon specific attributes of variants created by the tool. This is one of the reasons why a .eml patch tool is included with the Lookout tool. Regardless, multiple software programs not addressed above are suspected of being vulnerable to this type of attack.

    The Welsh virus writer, Simon Vallor, aka Gobo, Si, and rootbreaker, is responsible for at least three mass mailing worms in the wild, including Gokar and Redsi. He was recently sentenced to two years in jail for his malicious code crimes. However, his tools are still widely available on the Internet to help create and spread malicious code. Vallor is known to have developed and used the specially crafted exploit technique mentioned in this report, according to officials at iDefense and Messagelabs.

    For more information, visit this Messagelabs page.

    Winpao Trojan Steals Information

    The Winpao Trojan is programmed to steal information from the computer it affects and sends it along with the name of the Trojan that has attacked the computer to the virus author, according to Panda Software.

    The stolen information includes the server name, the email password, mail received, message subjects, the password files, the SMTP ID and the user name. It also searches for antivirus programs or system monitors and terminates them.

    The appearance of files with random names appearing in all drives for no apparent reason is an indication that Winpao is present in a computer.

    The Trojan originated in China and is being given a low risk and threat rating. For more information, visit this Panda Software site.

    Netspree Discloses Information

    Also reported out today by Panda Software is Netspree, a low-threat worm that discloses information from infected computers. By doing this it leaves the computer vulnerable, since any user could access affected computers. Netspree can also use the affected computer to carry out denial of service attacks. This worm can infect computers running any Windows OS. However, it can only spread through computers with Windows XP/2000/NT installed. Read more here.

    Compiled by Esther Shein.






    0 Comments (click to add your comment)
    Comment and Contribute

     


    (Maximum characters: 1200). You have characters left.