Vulnerabilities: Trojan writers exploit Outlook to get around content filtering



By John Leyden
Virus authors and Trojan writers are using fresh malware tricks to fool
traditional content filtering packages, email security firm MessageLabs says.
A feature of Microsoft Outlook can be exploited to evade content filters
and persuade an email recipient that an attachment is safe to open - even when
it contains malicious code.
How the New Exploit Works
The exploit relies on specially crafted email headers, creating an
attachment with three file extensions.
Standard email packages will not generate these headers; these emails must
either be created by hand, or using hacker tools (many of which are freely
available, MessageLabs warns).
The first extension (e.g. .jpg) is
visible to the email user, and is intended to persuade them that the attachment
is "safe". The final extension (also, for example, .jpg) is used by Microsoft
Outlook to set the icon to represent the application for opening the attachment.
However, the unusual middle extension (.EXE) is used by Outlook to
determine how to launch the attachment, therefore an .EXE file will be
executed if a user double clicks on an infected attachment. Other examples may
include .COM, .PIF, .SCR, or .VBS.
Clear and present danger
In the last week MessageLabs stopped more than 3,000 copies of a Trojan
called Sadhound,
which had been distributed using this trick. MessageLabs says it has stopped
other emails containing this attack mechanism.
The company warns there are now many tools freely available to VX writers
that can be used to assist them in fooling potential victims.
Many content filtering mechanisms block double extension attachments
automatically.
But that doesn't necessarily happen with triple extensions, hence the risk
that malware may get past content filters until virus signature updates are
applied.
There is a workaround involving blocking file attachments with triple
extensions or with very long filenames (another hallmark of the exploit) at
email gateways.
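
The gateway workaround described above, as an added example that is not from the article or MessageLabs: a filename check that flags triple extensions, the executable extensions the article lists, and overlong names. The names filename_findings, scan_message and RISKY_EXTS, the 64-character cut-off and the sample message are assumptions made for illustration; the sample uses an ordinary attachment header, not the crafted headers the article mentions.

```python
import email
from email import policy

# Extensions the article lists as launchable from the hidden middle position.
RISKY_EXTS = {"exe", "com", "pif", "scr", "vbs"}
MAX_NAME_LEN = 64  # assumed cut-off for "very long" names; tune per gateway

# Constructed sample message: one attachment with a plain three-extension name.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: constructed\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: image/jpeg\r\n"
    b'Content-Disposition: attachment; filename="photo.jpg.exe.jpg"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1\r\nContent-Type: image/jpeg\r\n"
    b'Content-Disposition: attachment; filename="holiday.jpg"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
)


def filename_findings(name):
    """Return the reasons a gateway rule would block this attachment name."""
    reasons = []
    # Split on dots; strip padding and drop empty parts left by ".." or a trailing dot.
    parts = [p.strip().lower() for p in name.split(".")]
    exts = [p for p in parts[1:] if p]
    if len(exts) >= 3:
        reasons.append("three or more extensions")
    if any(e in RISKY_EXTS for e in exts):
        reasons.append("executable extension in name")
    if len(name) > MAX_NAME_LEN:
        reasons.append("name longer than %d characters" % MAX_NAME_LEN)
    return reasons


def scan_message(raw_bytes):
    """Map each flagged attachment filename in a raw message to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        name = part.get_filename()
        if name and filename_findings(name):
            flagged[name] = filename_findings(name)
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Legitimate names with dotted version numbers (for example report.v1.2.pdf) also trip the three-extension rule, so a gateway using it would quarantine for review instead of silently dropping.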

Article source and further details: The Register
Note:
The above article, since its initial release, had misidentified Outlook for Outlook Express. The re-edited article, as taken from "The Register", can be found here.
*Microsoft Outlook is not at risk (contrary to first reports of the problem).