Advances in content filtering techniques are prompting virus authors and trojan writers to resort to exploiting the veiled quirkiness of email software. Specifically, malware (malicious software) authors are exploiting an idiosyncrasy in Microsoft Outlook to give their malware a better chance of dodging any content filters, and then persuading an email recipient that an attachment […]
Advances in content filtering techniques are prompting virus authors and trojan writers to resort to exploiting the veiled quirkiness of email software.
Specifically, malware (malicious software) authors are exploiting an idiosyncrasy in Microsoft Outlook to give their malware a better chance of dodging any content filters, and then persuading an email recipient that an attachment is safe to open when in fact it contains some malicious program.
The latest effort is the W/32Sadhound worm, and several security software vendors are reporting thousands of interception of the worm since the weekend.
Part of what has made this attack so successful is the use of a zero-day exploit technique that affects various versions of Outlook and Outlook Express. The malware uses a long filename and three extensions, and makes it possible for malicious code to bypass security software and mask the true identity of executable e-mail attachments.
The malware relies on specially crafted email headers, creating an attachment with three file-extensions. Standard email packages will not generate these headers; these emails must either be created by hand or using hacker tools. An example of such a filename may be:
"malware.JPG .EXE .JPG"
When a specially crafted filename is used in an e-mail attachment, the first part of the filename and the icon make the file appear legitimate to an end user. The middle extension, unseen by the end user, is used by vulnerable versions of Outlook and Outlook Express to run the executable.
This triple extension exploit technique takes advantage of two weaknesses, one in Microsoft Outlook and Outlook Express and the other in gateway security software. The former involves the way in which attachments are executed and displayed to the user, making attachments appear as benign looking file via the filename and icon. The latter involves a design flaw in various gateway security software programs in the way the long filenames are processed.
The following applications have been found to be vulnerable to this type of attack, according to iDefense:
In initial tests, Microsoft Outlook versions 2000 and 2002 were not found to be vulnerable. However, various options used with the tool used to construct exploit e-mails was found to not be fully functional within vulnerable versions, based upon specific attributes of variants created by the tool. This is one of the reasons why a .eml patch tool is included with the Lookout tool. Regardless, multiple software programs not addressed above are suspected of being vulnerable to this type of attack.
The Welsh virus writer, Simon Vallor, aka Gobo, Si, and rootbreaker, is responsible for at least three mass mailing worms in the wild, including Gokar and Redsi. He was recently sentenced to two years in jail for his malicious code crimes. However, his tools are still widely available on the Internet to help create and spread malicious code. Vallor is known to have developed and used the specially crafted exploit technique mentioned in this report, according to officials at iDefense and Messagelabs.
For more information, visit this Messagelabs page.
Winpao Trojan Steals Information
The Winpao Trojan is programmed to steal information from the computer it affects and sends it along with the name of the Trojan that has attacked the computer to the virus author, according to Panda Software.
The stolen information includes the server name, the email password, mail received, message subjects, the password files, the SMTP ID and the user name. It also searches for antivirus programs or system monitors and terminates them.
The appearance of files with random names appearing in all drives for no apparent reason is an indication that Winpao is present in a computer.
The Trojan originated in China and is being given a low risk and threat rating. For more information, visit this Panda Software site.
Netspree Discloses Information
Also reported out today by Panda Software is Netspree, a low-threat worm that discloses information from infected computers. By doing this it leaves the computer vulnerable, since any user could access affected computers. Netspree can also use the affected computer to carry out denial of service attacks. This worm can infect computers running any Windows OS. However, it can only spread through computers with Windows XP/2000/NT installed. Read more here.
Compiled by Esther Shein.
Ethics and Artificial Intelligence: Driving Greater Equality
FEATURE | By James Maguire,
December 16, 2020
AI vs. Machine Learning vs. Deep Learning
FEATURE | By Cynthia Harvey,
December 11, 2020
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2021
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
