Click Here
home features news forums classifieds faqs links search
5630 members 
Amiga Q&A /  Free for All /  Emulation /  Gaming / (Latest Posts)
Login

Nickname

Password

Lost Password?

Don't have an account yet?
Register now!

Support Amigaworld.net
Your support is needed and is appreciated as Amigaworld.net is primarily dependent upon the support of its users.
Donate

Menu
Main sections
Home
Features
News
Forums
Classifieds
Links
Downloads
Extras
OS4 Zone
IRC Network
AmigaWorld Radio
Newsfeed
Top Members
Amiga Dealers
Information
About Us
FAQs
Advertise
Polls
Terms of Service
Search

IRC Channel

Who's Online
 81 guest(s) on-line.
 0 member(s) on-line.



You are an anonymous user.
Register Now!
 m0lebrain:  15 mins ago
 Britelite:  22 mins ago
 billt:  30 mins ago
 fryguy:  33 mins ago
 Jasper:  1 hr 10 mins ago
 amipal:  1 hr 18 mins ago
 Rob:  1 hr 24 mins ago
 Overflow:  1 hr 28 mins ago
 Trekiej:  1 hr 32 mins ago
 BSzili:  1 hr 35 mins ago

Miscellaneous News   Miscellaneous News : Trojan writers exploit Outlook to get around content filtering
   posted by Anonymous on 2-Feb-2003 18:09:43 (1476 reads)
Virus authors and Trojan writers are using fresh malware tricks to fool traditional content filtering packages, email security firm MessageLabs says.

A feature of Microsoft Outlook can be exploited to evade content filters and persuade an email recipient that an attachment is safe to open - even when it contains malicious code.



How the New Exploit Works

The exploit relies on especially crafted email headers, creating an attachment with three file-extensions. Standard email packages will not generate these headers; these emails must either be created by hand, or using hacker tools (many of which are freely available, MessageLabs warns).

The first extension (e.g. .jpg) is visible to the email user, and is intended to persuade them that the attachment is "safe". The final extension (also, for example, .jpg) is used by Microsoft Outlook to set the icon to represent the application for opening the attachment.

However, the unusual middle extension (.EXE) is used by Outlook to determine how to launch the attachment, therefore an .EXE file will be executed if a user double clicks on an infected attachment. Other examples may include .COM, .PIF, .SCR, or .VBS.

Clear and present danger

In the last week MessageLabs stopped more than 3,000 copies of a Trojan called Sadhound, which had been distributed using this trick. MessageLabs says it has stopped other emails containing this attack mechanism.

The company warns there are now many tools freely available to VX writers that can be used to assist them in fooling potential victims.

Many content filtering mechanisms block double extension attachments automatically.

But that doesn't necessarily happen with triple extensions, hence the risk that malware may get past content filters until virus signature updates are applied.

There is a workaround involving blocking file attachment with triple extensions or with very long filenames (another hallmark of the exploit) at email gateways.

Alex Shipp, a senior anti-virus technician at MessageLabs, advises admins to carefully check the rules of content filtering tools to see whether a rule blocking triple extensions can be added.

MessageLabs also advises end-users to be extra careful about opening attachments. In particular, users should check for the existence of the three dots in the filename that Outlook displays (another hallmark of the exploit).
    

Related Links
· More about Miscellaneous News



Most read story about Miscellaneous News
DiscreetFX Partners Makes an Urgent Appeal to the Amiga Community

Last news about Miscellaneous News
Antstream Retro Game Streaming Service
Printer Friendly Page  Send this Story to a Friend

PosterThread
L8-X 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 2-Feb-2003 18:22:45
#1 ]
Elite Member
Joined: 24-Dec-2002
Posts: 2630
From: Glasgow, UK

Time to ditch Outlook methinks!


_________________

 Status: Offline
Profile     Report this post  
DaveyD 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 2-Feb-2003 21:29:59
#2 ]
Team Member
Joined: 5-Jun-2002
Posts: 2731
From: Belfast, N.Ireland

and Windows


_________________
Join the Amigaworld.net Supporters Scheme and get your Supporter Tag

 Status: Offline
Profile     Report this post  
cyka 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 3-Feb-2003 9:33:00
#3 ]
Regular Member
Joined: 24-Jan-2003
Posts: 486
From: Back in the dales

i have never owned windows or outlook express so i'm ok for the time being. hehe Amigas are invincible to PC virus. hehe.


_________________
Dogs come when called, We cats take a messege and get back later - maybe!!!!

 Status: Offline
Profile     Report this post  
Adlib 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 3-Feb-2003 14:18:16
#4 ]
Cult Member
Joined: 12-Dec-2002
Posts: 792
From: England, United Kingdom

Ditch Outlook? Ditch Windows?
What do you mean??
Were using our Amigas right?


_________________

 Status: Offline
Profile     Report this post  
Anonymous 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 3-Feb-2003 14:21:25
# ]



As you may know, when/if a worm virus gets into your computer it heads straight for your email address book and sends itself to everyone in there, thus infecting all your friends and associates.

This trick won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the
worm has gotten into your system.

As you may know, when/if a worm virus gets into your computer it heads straight for your email address book and sends itself to everyone in there, thus infecting all your friends and associates.

This trick won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the
worm has gotten into your system. Here's what you do:

First: Open your address book and click on "new contact" or "new person" just as you would do if you were adding a new friend to your list of email addresses.

Second: In the window where you would type your friend's FIRST name, type in !000 (that's an exclamation mark followed by 3 zeros). In the window below where it prompts you to enter the new email address, type in WormAlert.

Third: Then complete everything by clicking add, enter, OK, etc.

Now, here's what you've done and why it works: the "name" !000 will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But when it tries to send itself to !000, it will be undeliverable because of the phony email address you entered (WormAlert). When the first attempt fails, because of the phony address, the worm goes no further and your friends will not be infected.

Here's the second great advantage of this method: If an email cannot be delivered, you will be notified of this in your InBox almost immediately. Hence, if you ever get an email telling you that an email addressed to WormAlert could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it.

TTFN

 
     Report this post  
agima 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 8-Jul-2004 21:01:14
#6 ]
Regular Member
Joined: 4-Feb-2004
Posts: 197
From: :morF

Windows is SOOO huge how in the world can anybody ever keep track of patch all the holes? Probably time to move away from MS if you really have a need for security or just don't want to reformatt you machine all the time.


_________________
AMIGA...Amiga...amiga...agima...agimA...AGIMA

 Status: Offline
Profile     Report this post  
[ home ][ about us ][ privacy ] [ forums ][ classifieds ] [ links ][ news archive ] [ link to us ][ user account ]
Copyright (C) 2000 - 2019 Amigaworld.net.
Amigaworld.net was originally founded by David Doyle