You’ve probably received from acquaintances dozens of e-mail messages like the following: “Hi, this is Bob. I’ll be out of the office next week and won’t be checking my e-mail. If you need something, try me after that…” and so forth.
Now imagine that you’re checking your bank account online a few hours later. Unbeknownst to you, your browser has been redirected to a hacker site. The login screen looks exactly like your bank’s, but the form is silently transmitting your username and password to thieves.
You didn’t open an attachment that came with the e-mail from “Bob.” You didn’t even click a link in the message. Merely by previewing the e-mail, you let a program be planted on your PC that allows someone to quietly eavesdrop when you log into almost any financial site.
That’s the frightening hacker attack that MessageLabs, a respected e-mail and virus monitoring company, warns is just starting to make its way around the Internet.
The Most Inhospitable Hosts
Here’s how the scam is said to work:
• Fan Mail From Some Friend. Virus-infected PCs send out e-mails using names and addresses found on the local hard drive. That’s why the message you received seemed to be from someone you know.
• Exploits Without Attachments. Many viruses require that the victim open an e-mail attachment or visit a malicious Web site. The “phishing” exploit described above requires none of this. Instead, the e-mail carries a script that a vulnerable mail program hands to a built-in feature of Microsoft Windows called the Windows Scripting Host (WSH), which then writes the hijacking program onto your computer.
• Where You Go, You Know Not Where. The hacker’s program adds lines to a plain-text Windows system file known as the Hosts file, which the operating system consults before it asks a DNS server to look up a name. Each line pairs a host name with a numeric IP address. When you enter, for example, www.citibank.com in your browser, a planted Hosts entry can send the browser to the thieves’ server instead, and the address bar still shows the bank’s name. The thieves may also bounce you to a look-alike name such as www-citibank.com, which differs from the legitimate name by a single character, but many people don’t notice such small details.
• It’s A Numbers Game. The hacker’s look-alike site can’t really log you into your online banking account, but it doesn’t have to. After you type your username and password into the phony login screen, it will probably display a realistic “error message” saying a bad password was entered. The hacker’s program will then deliver you to the real banking site, where your password this time works fine.
Most people would assume they’d made a simple typographical error on their first try and think nothing of it. But the thieves now know the right username and password to your account because you entered them correctly when using the hackers’ look-alike screen.
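As an added illustration of the Hosts-file half of this scheme (example code written for this page, not code from the article or from MessageLabs): a small Python audit that reads a hosts file in the format Windows uses and flags the two things a hijacker typically does to it, pinning a public name such as a bank’s to a routable address, and pointing update or antivirus hosts at loopback so the defenses stop updating. The sample file is constructed; the 203.0.113.x addresses are documentation-range placeholders standing in for an attacker’s server, and the list of vendor name fragments is an assumption you would extend for your own environment.

```python
"""Audit a Windows-style hosts file for the tampering described above.

Added example, not code from the article. SAMPLE_HOSTS is constructed;
the 203.0.113.x addresses are RFC 5737 documentation placeholders that
stand in for an attacker's server.
"""
import ipaddress
import sys
from typing import List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver fileserver.corp.example   # LAN box, benign
203.0.113.7     www.citibank.com citibank.com
203.0.113.7     www.paypal.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         ads.example.net
not-an-ip       garbage
"""

# Names that legitimately point at loopback on any machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Assumed fragments of update / antivirus host names (extend for your site).
# Loopback mappings for these are a classic way malware blocks patches.
DEFENSE_HINTS = ("windowsupdate", "update.microsoft", "symantec", "sophos",
                 "mcafee", "trendmicro", "messagelabs")

# Ranges a hosts entry may reasonably point at inside an office: RFC 1918
# and link-local. Anything else is a routable address and suspect.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

Finding = Tuple[str, str, str, str]  # severity, ip, hostname, reason


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip_token, [hostnames]) for each non-comment entry.

    Hosts-file grammar: one address, whitespace, one or more names; '#'
    starts a comment anywhere on the line. Tabs and CRLF are tolerated.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def classify(ip_token: str, host: str) -> Tuple[str, str]:
    """Map one (address, name) pair to (severity, reason)."""
    try:
        ip = ipaddress.ip_address(ip_token)
    except ValueError:
        return "warn", "unparseable address"
    if ip.is_loopback or ip.is_unspecified:
        if host in LOCAL_NAMES:
            return "ok", "standard loopback name"
        if any(h in host for h in DEFENSE_HINTS):
            return "high", "update/AV host sinkholed to loopback"
        return "info", "sinkholed (ad-blocking style)"
    if any(ip in net for net in LAN_NETS):
        return "ok", "private LAN address"
    return "high", "public name pinned to routable address (redirect)"


def audit(text: str) -> List[Finding]:
    """Return every non-ok finding, in file order."""
    findings = []
    for no, ip_token, hosts in parse_hosts(text):
        if not hosts:
            findings.append(("warn", ip_token, "", f"line {no}: address with no hostname"))
            continue
        for host in hosts:
            sev, why = classify(ip_token, host)
            if sev != "ok":
                findings.append((sev, ip_token, host, f"line {no}: {why}"))
    return findings


def audit_file(path: str) -> List[Finding]:
    """Audit a hosts file on disk (Windows writes it as ANSI/UTF-8 with CRLF)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_HOSTS)
    for sev, ip, host, why in results:
        print(f"[{sev:4}] {ip:<16} {host:<32} {why}")
```

Run it with no arguments to audit the built-in sample, or pass the path of a real file (on Windows, %SystemRoot%\System32\drivers\etc\hosts). Loopback entries are reported only as informational unless the name looks like an update or antivirus service, because ad-blocking hosts lists legitimately sinkhole thousands of names; an entry that pins a bank’s name to a routable address is the finding that matters.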
Adopting Effective Counter-Measures
When reports started circulating last week about MessageLabs’ warning, the writers tended to suggest that end users should disable or uninstall the Windows Scripting Host, without explaining what the feature does or how you would get rid of it.
I’ll go into that in a minute, but first take a deep breath. Don’t panic. You may already have defenses in place that make you immune to “phishing” attacks of this new type.
The Windows Scripting Host exists to run programs called scripts, usually written in VBScript or JScript. Unfortunately, vulnerable browsers and e-mail programs can be induced to run these scripts without any notice to you.
The key in that last sentence is “vulnerable” browsers and e-mail programs. Your applications are not vulnerable if they treat incoming e-mail messages as part of the so-called Restricted Zone (Internet Explorer’s Restricted Sites security zone). In that zone active scripting is switched off, so a script embedded in an HTML message is never executed and cannot plant a file on your PC.
Microsoft’s own Outlook XP and 2003 e-mail programs, for example, automatically classify e-mail as part of this Restricted Zone. And you can add this protection to older versions of Outlook by installing Microsoft’s “E-Mail Security Update” on top of Outlook 2000 and Outlook 98.
In addition, Microsoft has released a patch for current versions of Windows to give them immunity to the latest style of attack (more on that later).
Among Outlook versions, therefore, only Outlook 97 and older remain susceptible to a stealth attack such as the one described above. If your company still uses Outlook 97, you should immediately upgrade to a modern version of the program.
Bedtime For Windows Scripting Host
On the other hand, the fact that a powerful capability like Windows Scripting Host was fully enabled by default in Windows, where it could be accessed silently by an e-mail message, is the kind of boneheaded mistake that has made the defense of Windows a nightmare for end users and network administrators alike. (WSH is factory-installed in Windows 98, Me, 2000, XP, and 2003 and is added to Windows 95 and NT when you install Internet Explorer 5 or higher.)
If you don’t use or need the features of WSH, it’s possible to disable it so that it refuses to run script files at any time.
There’s a different procedure for disabling WSH under different versions of Windows, so I can’t give you all the necessary instructions here. On recent versions the usual method is a registry setting: a value named Enabled, set to 0, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings, after which wscript.exe and cscript.exe report that script host access is disabled instead of running anything. A good step-by-step guide covering the various versions is provided on the WSH page of Sophos PLC, the antivirus vendor.
If you’re in a company of any size, however, there’s a good chance that scripts may play an important role in keeping your business going.
“A lot of corporations are using WSH to do systems management,” says Jason Chan, consulting services technical lead for security firm Symantec Corp. “To the extent that a corporation is doing these things, they’re going to be restricted in disabling this.”
Chan cautions that Windows users who would otherwise be protected can expose themselves to the risk of script attacks if they lower their security settings. Configuring an e-mail program to consider e-mails as part of the Trusted Zone, for example, can open the door to threats that otherwise would be turned away.
Besides using a modern e-mail program that refuses to run scripts, your company gets a great deal of protection against phishing attacks by running the basic security repertoire that every network should have. That includes a hardware firewall or personal (software) firewall, an antivirus scanner, an antispam filter, and a spyware remover. (Details on the best of these components, which together make up what I call a “security baseline,” are available in a separate article.)
Patching Windows Is Smarter Than Disabling WSH
MessageLabs has reportedly seen only about 30 copies of “silent e-mails” around the world that seek to hijack users’ Hosts files. Still, that could easily be the leading edge of a wave of new and more virulent e-mails.
Such a wave of malignant messages might primarily affect only Windows 95 and 98 users. But there are enough of those users connected to the Internet that they could seriously threaten corporate networks via the spam and denial-of-service attacks the compromised machines could launch.
Maksym Schipka — a Ukrainian national who is a senior antivirus researcher for MessageLabs in its Gloucester, England, office — says PC users who’ve upgraded to the latest security patches for Windows within the past four months are fully protected against the new “phishing” attack. In addition, he says, Service Pack 2 for Windows XP, which was released last August, closes the security hole.
“This problem was previously addressed by Microsoft to invalidate these attempts,” Schipka says. Of course, that still leaves at risk many PC users who haven’t upgraded to the latest software — but they’re vulnerable to many other problems besides the new Windows Scripting Host exploit. These users should immediately run Windows Update (or use a commercial patch-management program) to protect themselves against such threats.
Schipka wasn’t immediately able to identify the specific Microsoft patch that corrects the security vulnerability. Nor had MessageLabs at press time posted on its Web site a technical bulletin about the new-style attack.
Conclusion
In my view, keeping your operating system and your security applications freshly updated will do more to protect you from harm than disabling WSH will.