Miscellaneous News : Trojan writers exploit Outlook to get around content filtering
   posted by Anonymous on 2-Feb-2003 18:09:43 (1459 reads)
Virus authors and Trojan writers are using fresh malware tricks to fool traditional content filtering packages, email security firm MessageLabs says.

A feature of Microsoft Outlook can be exploited to evade content filters and persuade an email recipient that an attachment is safe to open - even when it contains malicious code.



How the New Exploit Works

The exploit relies on specially crafted email headers that create an attachment with three file extensions. Standard email packages will not generate these headers; the emails must be created either by hand or with hacker tools (many of which are freely available, MessageLabs warns).

The first extension (e.g. .jpg) is visible to the email user, and is intended to persuade them that the attachment is "safe". The final extension (also, for example, .jpg) is used by Microsoft Outlook to set the icon to represent the application for opening the attachment.

However, the unusual middle extension (.EXE) is what Outlook uses to determine how to launch the attachment, so an .EXE file will be executed if a user double-clicks an infected attachment. Other examples may include .COM, .PIF, .SCR, or .VBS.

Clear and present danger

In the last week MessageLabs stopped more than 3,000 copies of a Trojan called Sadhound, which had been distributed using this trick. MessageLabs says it has stopped other emails containing this attack mechanism.

The company warns there are now many tools freely available to VX writers that can be used to assist them in fooling potential victims.

Many content filtering mechanisms block double extension attachments automatically.

But that doesn't necessarily happen with triple extensions, hence the risk that malware may get past content filters until virus signature updates are applied.

There is a workaround: block file attachments with triple extensions or with very long filenames (another hallmark of the exploit) at email gateways.

Alex Shipp, a senior anti-virus technician at MessageLabs, advises admins to carefully check the rules of content filtering tools to see whether a rule blocking triple extensions can be added.

MessageLabs also advises end-users to be extra careful about opening attachments. In particular, users should check for the existence of the three dots in the filename that Outlook displays (another hallmark of the exploit).
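
Added example, not part of the original article and not MessageLabs' own tooling: a minimal gateway-side check for the two hallmarks described above, triple extensions and very long filenames, plus a launchable extension in a non-final position. The 64-character cut-off, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

RISKY = {"exe", "com", "pif", "scr", "vbs"}  # middle extensions named in the article
MAX_NAME_LEN = 64  # assumed cut-off for "very long"; the article gives no number

def check_filename(name):
    """Return the reasons a gateway rule would block this name (empty list = pass)."""
    exts = [p.strip() for p in name.lower().split(".")[1:] if p.strip()]
    reasons = []
    if len(exts) >= 3:
        reasons.append("three or more extensions")
    if any(e in RISKY for e in exts[:-1]):
        reasons.append("executable extension before the final one")
    if len(name) > MAX_NAME_LEN:
        reasons.append("very long filename")
    return reasons

def scan_message(raw):
    """Map each flagged attachment filename in a raw message to its reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        name = part.get_filename()
        reasons = check_filename(name) if name else []
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample message for illustration, not a captured email.
SAMPLE = """\
Subject: photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

AAAA
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="beach.jpg.exe.jpg"

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, why in scan_message(SAMPLE).items():
        print(name, "->", "; ".join(why))
```

A blanket three-extension rule also catches benign names such as versioned documents, so a gateway would normally quarantine rather than silently drop what this flags.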
    

L8-X 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 2-Feb-2003 18:22:45
#1 ]
Elite Member
Joined: 24-Dec-2002
Posts: 2630
From: Glasgow, UK

Time to ditch Outlook methinks!

DaveyD 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 2-Feb-2003 21:29:59
#2 ]
Team Member
Joined: 5-Jun-2002
Posts: 2731
From: Belfast, N.Ireland

and Windows

cyka 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 3-Feb-2003 9:33:00
#3 ]
Regular Member
Joined: 24-Jan-2003
Posts: 486
From: Back in the dales

I have never owned Windows or Outlook Express so I'm OK for the time being. Hehe, Amigas are invincible to PC viruses. Hehe.

Adlib 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 3-Feb-2003 14:18:16
#4 ]
Cult Member
Joined: 12-Dec-2002
Posts: 792
From: England, United Kingdom

Ditch Outlook? Ditch Windows?
What do you mean??
We're using our Amigas, right?

Anonymous 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 3-Feb-2003 14:21:25
# ]



As you may know, when/if a worm virus gets into your computer it heads straight for your email address book and sends itself to everyone in there, thus infecting all your friends and associates.

This trick won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has gotten into your system. Here's what you do:

First: Open your address book and click on "new contact" or "new person" just as you would do if you were adding a new friend to your list of email addresses.

Second: In the window where you would type your friend's FIRST name, type in !000 (that's an exclamation mark followed by 3 zeros). In the window below where it prompts you to enter the new email address, type in WormAlert.

Third: Then complete everything by clicking add, enter, OK, etc.

Now, here's what you've done and why it works: the "name" !000 will be placed at the top of your address book as entry #1. This will be where the worm will start in an effort to send itself to all your friends. But when it tries to send itself to !000, it will be undeliverable because of the phony email address you entered (WormAlert). When the first attempt fails, because of the phony address, the worm goes no further and your friends will not be infected.

Here's the second great advantage of this method: If an email cannot be delivered, you will be notified of this in your InBox almost immediately. Hence, if you ever get an email telling you that an email addressed to WormAlert could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it.

TTFN

 
agima 
Re: Trojan writers exploit Outlook to get around content fil
Posted on 8-Jul-2004 20:01:14
#6 ]
Regular Member
Joined: 4-Feb-2004
Posts: 197
From: :morF

Windows is SOOO huge how in the world can anybody ever keep track of patch all the holes? Probably time to move away from MS if you really have a need for security or just don't want to reformat your machine all the time.

Copyright 2000 - 2017 Amigaworld.net.

Amigaworld.net was originally founded by David Doyle