Miscellaneous News : Trojan writers exploit Outlook to get around content filtering
posted by Anonymous on 2-Feb-2003 18:09:43 (1884 reads)
Virus authors and Trojan writers are using fresh malware tricks to fool traditional content filtering packages, email security firm MessageLabs says.
A feature of Microsoft Outlook can be exploited to evade content filters and persuade an email recipient that an attachment is safe to open - even when it contains malicious code.
How the New Exploit Works
The exploit relies on specially crafted email headers that create an attachment with three file extensions. Standard email packages will not generate these headers; the emails must be created either by hand or with hacker tools (many of which are freely available, MessageLabs warns).
The first extension (e.g. .jpg) is visible to the email user, and is intended to persuade them that the attachment is "safe". The final extension (also, for example, .jpg) is used by Microsoft Outlook to set the icon to represent the application for opening the attachment.
However, the unusual middle extension (.EXE) is used by Outlook to determine how to launch the attachment, so an .EXE file will be executed if a user double-clicks on an infected attachment. Other examples may include .COM, .PIF, .SCR, or .VBS.
Clear and present danger
In the last week MessageLabs stopped more than 3,000 copies of a Trojan called Sadhound, which had been distributed using this trick. MessageLabs says it has stopped other emails containing this attack mechanism.
The company warns there are now many tools freely available to VX writers that can be used to assist them in fooling potential victims.
Many content filtering mechanisms block double extension attachments automatically.
But that doesn't necessarily happen with triple extensions, hence the risk that malware may get past content filters until virus signature updates are applied.
There is a workaround: blocking file attachments with triple extensions or with very long filenames (another hallmark of the exploit) at email gateways.
Alex Shipp, a senior anti-virus technician at MessageLabs, advises admins to carefully check the rules of content filtering tools to see whether a rule blocking triple extensions can be added.
MessageLabs also advises end-users to be extra careful about opening attachments. In particular, users should check for the existence of the three dots in the filename that Outlook displays (another hallmark of the exploit).
STORYID: 168
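
The gateway workaround described in the article (block attachments with triple extensions or very long filenames), as an added Python example; it is not MessageLabs' code or part of the original post. The 64-character limit and the decision to inspect both the Content-Disposition `filename` and the Content-Type `name` parameters are assumptions, and the sample message is constructed.

```python
import email
from email.utils import collapse_rfc2231_value

# Middle extensions named in the article; extend per local policy.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "vbs"}
MAX_NAME_LEN = 64  # assumed threshold for a "very long" filename

# Constructed sample message (not a real capture).
SAMPLE = (
    b"Subject: photos\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b'--XX\r\nContent-Type: image/jpeg; name="holiday.jpg.exe.jpg"\r\n'
    b'Content-Disposition: attachment; filename="holiday.jpg.exe.jpg"\r\n'
    b"\r\nAAAA\r\n--XX--\r\n"
)


def check_filename(name):
    """Return the names of the rules that one attachment filename trips."""
    hits = []
    # Everything after the first dot-separated piece counts as an extension;
    # strip padding so "jpg      " still compares as "jpg".
    exts = [e.strip().lower() for e in name.split(".")[1:]]
    if len(exts) >= 3:
        hits.append("triple-extension")
    # An executable type sitting before the final (icon) extension.
    if any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        hits.append("hidden-executable-extension")
    if len(name) > MAX_NAME_LEN:
        hits.append("long-filename")
    return hits


def scan_message(raw_bytes):
    """Map each suspicious attachment filename in a raw message to its rules."""
    msg = email.message_from_bytes(raw_bytes)
    findings = {}
    for part in msg.walk():
        # The attachment name can be carried in either header, so check both.
        for key, header in (("filename", "content-disposition"),
                            ("name", "content-type")):
            value = part.get_param(key, header=header)
            if value is None:
                continue
            name = collapse_rfc2231_value(value)  # handles RFC 2231 tuples
            hits = check_filename(name)
            if hits:
                findings[name] = hits
    return findings
```

The triple-extension rule will also catch benign names such as version-numbered documents, so a gateway would normally quarantine on it rather than silently drop.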

L8-X
Re: Trojan writers exploit Outlook to get around content fil Posted on 2-Feb-2003 18:22:45 [ #1 ]
Elite Member
Joined: 24-Dec-2002 Posts: 2630
From: Glasgow, UK

Time to ditch Outlook methinks!

Status: Offline

DaveyD
Re: Trojan writers exploit Outlook to get around content fil Posted on 2-Feb-2003 21:29:59 [ #2 ]
Team Member
Joined: 5-Jun-2002 Posts: 2738
From: Belfast, N.Ireland

Status: Offline

cyka
Re: Trojan writers exploit Outlook to get around content fil Posted on 3-Feb-2003 9:33:00 [ #3 ]
Regular Member
Joined: 24-Jan-2003 Posts: 486
From: Back in the dales

I have never owned Windows or Outlook Express so I'm ok for the time being. hehe Amigas are invincible to PC virus. hehe.
_________________
Dogs come when called, We cats take a message and get back later - maybe!!!!

Status: Offline

spudmiga
Re: Trojan writers exploit Outlook to get around content fil Posted on 3-Feb-2003 14:18:16 [ #4 ]
Cult Member
Joined: 12-Dec-2002 Posts: 855
From: England, United Kingdom

Status: Offline

Anonymous
Re: Trojan writers exploit Outlook to get around content fil Posted on 3-Feb-2003 14:21:25 [ # ]

As you may know, when/if a worm virus gets into your computer it heads straight for your email address book and sends itself to everyone in there, thus infecting all your friends and associates.
This trick won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has gotten into your system. Here's what you do:
First: Open your address book and click on "new contact" or "new person" just as you would do if you were adding a new friend to your list of email addresses.
Second: In the window where you would type your friend's FIRST name, type in !000 (that's an exclamation mark followed by 3 zeros). In the window below where it prompts you to enter the new email address, type in WormAlert.
Third: Then complete everything by clicking add, enter, OK, etc.
Now, here's what you've done and why it works: the "name" !000 will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But when it tries to send itself to !000, it will be undeliverable because of the phony email address you entered (WormAlert). When the first attempt fails, because of the phony address, the worm goes no further and your friends will not be infected.
Here's the second great advantage of this method: If an email cannot be delivered, you will be notified of this in your InBox almost immediately. Hence, if you ever get an email telling you that an email addressed to WormAlert could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it.
TTFN

agima
Re: Trojan writers exploit Outlook to get around content fil Posted on 8-Jul-2004 20:01:14 [ #6 ]
Regular Member
Joined: 4-Feb-2004 Posts: 197
From: :morF

Windows is SOOO huge how in the world can anybody ever keep track of patch all the holes? Probably time to move away from MS if you really have a need for security or just don't want to reformat your machine all the time.
_________________
AMIGA...Amiga...amiga...agima...agimA...AGIMA

Status: Offline