The threat of email viruses & trojans
The widespread use of email has provided hackers and crackers with an easy way to distribute harmful content to the internal network. Hackers can easily circumvent the protection offered by a firewall by tunneling through the email protocol, since the firewall does not analyze email content. Furthermore, email is also used to install trojans targeted specifically at your organization to obtain confidential information or gain control of your servers. Described as "instructive viruses" or "spy viruses" by computer security experts, these can be potent tools in industrial espionage. A case in point is the email attack on Microsoft's network, which a Microsoft Corp. spokesman described as "an act of industrial espionage pure and simple". According to reports, Microsoft's network was hacked by means of a backdoor trojan virus maliciously emailed to a network user.
The threat of information leaks
Organizations often fail to acknowledge that there is a great risk of crucial data being stolen from within the company. Various studies have shown how employees use email to send out confidential corporate information. Be it because they are disgruntled and revengeful, or because they fail to realize the potentially harmful impact of such a practice, employees use email to share sensitive data that was officially intended to remain in-house.
Methods used to attack your email system
To get to grips with the kind of email threats present today, it is best to take a quick look at the current main methods of email attack.
These include:
Attachments with malicious content
Melissa and LoveLetter were among the first viruses to illustrate the problem with email attachments and trust. They made use of the trust that exists between friends or colleagues. Imagine receiving an attachment from a friend who asks you to open it. This is what happened with Melissa, AnnaKournikova, SirCam and other similar email worms. Once run, such worms usually proceed to send themselves out to email addresses harvested from the victim's address book, previous emails, web pages cached on the local machine and similar sources. Virus writers place much emphasis on getting the victim to run the attachment, and therefore use attractive attachment names such as SexPic.cmd and me.pif.
Many users try to avoid infection from email viruses by only double-clicking on files with certain extensions, such as JPG and MPG. However, some viruses, such as the AnnaKournikova worm, make use of multiple extensions to try to trick the user into running the file. The AnnaKournikova virus was transmitted via an email attachment named 'AnnaKournikova.jpg.vbs', which dupes recipients into believing that they are receiving a harmless JPG image of the famous tennis star rather than a Visual Basic Script containing infectious code.
In addition, the Class ID (CLSID) extension allows hackers to hide the actual extension of the file, thereby concealing the fact that cleanfile.jpg is actually a nasty HTA (HTML application) file. This method currently also circumvents various email content filtering solutions which make use of simple file checking methods, thus enabling the hacker to reach the target user with greater ease.
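The two naming tricks above (a decoy extension in front of the real one, and a CLSID suffix that Explorer hides) can be caught at the gateway by looking at the whole attachment name rather than only its visible tail. The following attachment-name classifier is an added example written for this page, not 2Secure's code; the extension lists are constructed and non-exhaustive, and the all-zero CLSID in the sample is a stand-in, since any CLSID-shaped suffix is reason enough to block.

```python
import re

# Extensions Windows will execute on double-click (constructed, non-exhaustive; built
# around the names the article cites: .cmd, .pif, .vbs and .hta).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                         "js", "jse", "wsf", "wsh", "hta", "lnk"}
# Extensions a user is inclined to trust as "just a picture or document".
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "mpg", "mpeg", "txt", "doc", "pdf"}
# A CLSID extension is ".{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" at the very end of the
# name; Explorer hides it and hands the file to whatever handler the CLSID names (the
# HTML Application handler in the article's cleanfile.jpg example).
CLSID_RE = re.compile(r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list = no finding)."""
    findings = []
    name = filename.strip()
    if CLSID_RE.search(name):
        name = CLSID_RE.sub("", name)  # what the user would actually see
        findings.append(f"clsid-hidden-extension (displayed as {name!r})")
    # Split on dots and strip padding, so "photo.jpg      .vbs" is not fooled by spaces.
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return findings
    final = parts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable-extension .{final}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double-extension decoy .{parts[-2]}.{final}")
    return findings


if __name__ == "__main__":
    # Constructed samples: the names the article mentions plus a CLSID built from zeros
    # as a stand-in (any CLSID-shaped suffix should be blocked).
    for sample in ("report.pdf", "SexPic.cmd", "me.pif", "AnnaKournikova.jpg.vbs",
                   "cleanfile.jpg.{00000000-0000-0000-0000-000000000000}"):
        print(f"{sample:60} {classify_attachment(sample) or 'ok'}")
```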
Emails triggering known exploits
The Nimda worm took the Internet by surprise, circumventing many email security tools and breaking into servers and corporate networks as well as infecting the home user. The trick in Nimda is that it runs automatically on computers having a vulnerable version of Internet Explorer or Outlook Express. Nimda was one of the first in a line of viruses that exploit one flaw or another in order to disseminate. Variants of the Bagle virus that emerged in March 2004, for instance, exploited an old Outlook flaw in a bid to spread without any user intervention.
HTML mail with embedded scripts
Nowadays, all email clients can send and receive HTML mail. HTML mail can include scripts and Active Content, which can allow programs or code to be executed on the client machine. Outlook and other products use Internet Explorer components to display HTML email, meaning they inherit the security vulnerabilities found in Internet Explorer. Viruses based on HTML scripts have the added danger of being able to run automatically when the malicious mail is opened. They do not rely on attachments; therefore the attachment filters found in anti-virus software are useless in combating unknown HTML script viruses. The BadTrans.B virus, for example, combines an email exploit with HTML to propagate, using HTML to launch an attachment automatically once the email is received.
Anyone with a little knowledge of Visual Basic can unleash chaos by exploiting well-known vulnerabilities in various commonly used email clients and products. A visit to the SecurityFocus site, for instance, will reveal various exploits that are available for Microsoft Outlook. A malicious script kiddie with the intent of producing a virus can just modify the exploit code - which is publicly available! - to execute his/her code.
For example, an exploit for Internet Explorer and MS Access, which could be easily applied to Outlook and Outlook Express, is described on Guninski.com. A virus writer could easily exploit this to run Visual Basic code as soon as the victim opens the infected email. This would infect all HTML files and send itself to all the contacts on the recipient’s email address book. A key feature of this virus, however, is that it would execute simply when the user opens the email containing malicious HTML.
Why anti-virus software or a firewall is not enough
Some organizations lull themselves into a false sense of security upon installing a firewall. This is a wise step to protect their intranet, but it is not enough: a firewall can prevent access to your network by unauthorized users, but it does not check the content of mail sent and received by those authorized to use the system. This means that email viruses can still pass through this level of security. Nor does virus-scanning software protect against ALL email viruses and attacks: anti-virus vendors cannot always update their signatures in time against the deadly viruses that are distributed worldwide via email in a matter of hours (such as the recent MyDoom, NetSky.B and Beagle worms). Companies relying on a single virus-scanning engine alone are not necessarily safeguarded when a new virus is released.
The Solution: A proactive approach
So how does one protect against these email threats? A proactive approach is needed which involves the content checking of all inbound and outbound email at server level, before distribution to your users. This way, all potentially harmful content is removed from an infected or dubious email, and only then is it forwarded to the user. By installing a comprehensive email content checking and anti-virus gateway on their mail server, companies can protect themselves against the potential damage and lost work time that current and future viruses may cause.
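As an added example of the server-level content check described here (and of the HTML-with-embedded-scripts problem from the earlier section), the following Python filter is written for this page and is not 2Secure's product or code: it parses a message, drops attachments with executable extensions and HTML bodies carrying active content, and rebuilds the message from the parts that remain. The extension list, the active-content pattern and the sample message are constructed assumptions.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions Windows runs on double-click (constructed, non-exhaustive list).
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta", "wsf"}
# Markup that lets HTML mail run code: script blocks, plug-in/ActiveX containers,
# inline event handlers and script: URLs (coarse and deliberately strict).
ACTIVE_HTML_RE = re.compile(
    r"<\s*(script|object|embed|applet|iframe)\b|\bon[a-z]+\s*=|(javascript|vbscript):", re.I)

def build_sample() -> bytes:
    """Constructed test message: an HTML body with a <script> and a decoy-named attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", "photo"
    m.set_content("See the attached picture.")
    m.add_alternative("<html><body>Hi<script>runme()</script></body></html>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="photo.jpg.pif")
    return m.as_bytes()

def scan_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Gateway check: rebuild the message from the parts that pass and report the rest."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings, plain, html, attachments = [], "", "", []
    for part in (p for p in msg.walk() if not p.is_multipart()):  # skip containers
        filename = part.get_filename()
        if filename:
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"dropped attachment {filename!r}: .{ext} is executable")
            else:
                attachments.append((part.get_payload(decode=True), part.get_content_maintype(), part.get_content_subtype(), filename))
        elif part.get_content_type() == "text/html":
            hit = ACTIVE_HTML_RE.search(part.get_content())
            if hit:
                findings.append(f"dropped HTML body: active content {hit.group(0).strip()!r}")
            else:
                html = part.get_content()
        elif part.get_content_type() == "text/plain":
            plain = part.get_content()
    clean = EmailMessage()  # rebuilt from scratch so nothing unexamined survives
    for h in ("From", "To", "Subject", "Date"):
        if h in msg: clean[h] = msg[h]
    clean.set_content(plain)
    if html:
        clean.add_alternative(html, subtype="html")
    for data, maintype, subtype, filename in attachments:
        clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return clean, findings
```

Run `scan_message(build_sample())` to see both the script-bearing HTML part and the `.pif` attachment reported and removed while the plain-text body is delivered.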