Government Security
Network Security Resources

Jump to content


Protecting Your Network Against Email Threats

- - - - - virus javascript tools scanning firewall cache worm infection
  • Please log in to reply
3 replies to this topic

#1 Kenny


    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 19 August 2003 - 03:43 AM

Protecting your network against email threats: How to block email viruses and attacks

Date: Jul 15, 2002
Section: Anti Virus
Author: GFI Software
Company: GFI Software

This white paper describes various methods used by email viruses and worms to penetrate a protected network. Such methods include attachment files containing harmful code, social engineering attacks, crafted MIME headers, malicious use of HTML Script and similar technologies. A URL is provided where you can test whether your email system is vulnerable to threats like these. This document also examines the ways through which email can be sanitized and filtered of malicious code using GFI’s email content/exploit checking and anti-virus solution based on Microsoft's virus scanning API (VS API), GFI MailSecurity for Exchange/SMTP.

Email threats: a constant danger!

The widespread adoption of email through the years has been accompanied by the development of malicious code, that is, email viruses and attacks. Email has provided hackers and crackers with an easy way to distribute harmful content to the internal network. Corporate LANs have been breached by worms and viruses, as well as by crackers, through the use of email. Hackers can easily circumvent the protection offered by a firewall by tunneling through the email protocol. A typical firewall cannot protect against such email attacks, because it simply does not analyse email and its contents.

Because email messages can include file attachments, hackers can send infected files and hope that the recipient will open them, as happened with Melissa and Manwella. This method makes use of social engineering to urge the end user to run the file. Yet, other methods exist which allow a skilled and possibly malevolent cracker to inject code through email and run custom-made applications automatically while the end user reads the email text. Such problems have been around since the use of HTML in email and have been exploited by notorious worms such as the KaK worm, BubbleBoy virus or the more recent Nimda.

Although anti-virus products can catch many viruses and worms, hackers are able to dodge such protection by producing their own customized code. This can result in dangerous threats penetrating the corporate network through lesser known methods and through bypassing anti-virus protection and other traditional anti-hacker protection. The threat posed by hackers to the internal network is huge, as internal network security is low to ensure usability.

Methods used to attack your email system

Attachments with malicious content

Melissa and LoveLetter were among the first viri to illustrate the problem with email attachments and trust. They made use of the trust that exists between friends or colleagues. Imagine receiving an attachment from a friend who asks you to open it. This is what happens with Melissa, AnnaKournikova, SirCam and several other similar email worms. Upon running, such worms usually proceed to send themselves out to email addresses from the victim's address book, previous emails, web pages caches to the local machine and similar methods.

Virus writers place much emphasis on getting the victim to run the attachment. Therefore they make use of different attractive attachment names, such as SexPic.cmd and me.pif.

As administrators seek to block dangerous email attachments through the recognition of well-known extensions, virus writers use other extensions to circumvent such protection. Executable (.exe) files are renamed to .bat and .cmd plus a whole list of other extensions and will still run and successfully infect target users.

Many users try to avoid infection from email viruses by only double-clicking on files with certain extensions, such as JPG and MPG. However, some viruses, such as the AnnaKournikova worm, make use of multiple extensions to try trick the user into running the file. The AnnaKournikova virus was transmitted via an email attachment named 'AnnaKournikova.jpg.vbs' which dupes recipients into believing that that they are receiving a harmless JPG image of the famous tennis star, rather than a Visual Basic Script containing infectious code.

Frequently, hackers try to penetrate networks by sending an attachment that looks like a Flash movie, which, while displaying some cute animation, simultaneously runs commands in the background to steal your passwords and give the cracker access to your network.

To further entice the victim to run such an attachment, some hackers use common vulnerabilities such as the Class ID (CLSID) extension of the application to be run. This method allows these crackers to hide the actual extension of the file, thereby concealing the fact that cleanfile.jpg is actually a nasty HTA (HTML application) file. This method currently also circumvents various email content filtering solutions which make use of simple file checking methods, thus enabling the hacker to reach the target user easier.

Attachments in email are probably still the number one threat, and the methods described here are well-known in the virus-writing community.

Emails with malformed MIME headers

The Nimda worm took the Internet by surprise, circumventing many email security tools and breaking into servers and corporate networks as well as infecting the home user. This worm uses a flaw within Outlook Express and Internet Explorer to spread through email. Although this worm did not only spread through email, this technology contributed much to its success in infecting as many hosts as possible. Several corporate networks had a problem with disinfecting their machines from this dangerous code.

The trick in Nimda is that it runs automatically on computers having a vulnerable version of Internet Explorer or Outlook Express. As these are basically installed on every Windows system, most users who received the worm through email were infected with ease. This exploit makes use of a malformed MIME header, which tells Outlook Express that the attached infectious file is a WAV file. This allows the worm to be automatically executed. This poses a large email security problem, as user intervention to open infected files is not required.

MIME headers specify things such as the subject line, date or filename. In the history of Outlook Express, the date and filename fields were previously discovered to be vulnerable to buffer overflow attacks. By specifying a long and well-crafted string, a skilled hacker could execute arbitrary code on the target machines. Such vulnerabilities are prone to exploitation for penetrating remote networks or for delivery of viruses and worms.

HTML mail with embedded scripts

Nowadays, all email clients can send and receive HTML mail. HTML mail can include scripts and Active Content, for example JavaScript and ActiveX controls, which can allow programs or code to be executed on the client machine.

Outlook and other products use Internet Explorer components to display HTML email, meaning they inherit the security vulnerabilities found in Internet Explorer. These vulnerabilities can be exploited by email to hack into corporate networks, disseminate dangerous worms, and enable the execution of system functions such as reading, writing and deleting files. Viruses that use HTML email to circumvent security measures and infect computers include the Kak worm, BubbleBoy and HapTime.

Viruses based on HTML scripts have the added danger of being able to run automatically when the malicious mail is opened. They do not rely on attachments; therefore the attachment filters found in anti-virus software are useless in combating unknown HTML script viruses.

The BadTrans.B virus, for example, combines an email exploit with HTML to propagate, using HTML to launch an attachment automatically once the email is received.

Test if your email system is vulnerable to these methods!

You can easily test whether your email system is vulnerable to any of the threats described above: GFI has set up a testing zone that enables you to see how well protected your email system is against emails that contain .vbs attachments, CLSID file names, malformed MIME headers and ActiveX exploits. The tests available on this zone are safe and do not do anything dangerous - they simply detect whether your email system is safeguarded against a number of email-borne threats.

Try the tests at:

Be sure to visit this page regularly: GFI Security Labs is constantly researching email threats and will add new vulnerability tests to those currently available.

Protect against these threats with GFI MailSecurity

GFI MailSecurity for Exchange/SMTP protects against the methods described above through the content filtering, attachment checking and virus scanning of all incoming and outgoing emails at server level. GFI MailSecurity’s key features include multiple virus engines, for better protection; email content and attachment checking, to quarantine dangerous emails; an exploit shield, to disable Windows/Office exploits launched via email; and an email threats engine, to analyse & defuse HTML scripts, .exe files & more.

Virus scanning

While traditional virus scanners operate on the desktop machine, GFI MailSecurity blocks viruses at server level, meaning that network users behind GFI MailSecurity never get to see a virus. GFI MailSecurity is unique in that it allows you to use multiple virus engines to protect your company from virus threats. GFI MailSecurity comes bundled with the Norman Virus Control and BitDefender anti-virus engines and supports automatic updating of signature files. The McAfee virus engine is also available as an optional extra.

Virus scanning is a widely accepted way of catching known viruses and worms. However, when a new virus outbreak occurs, traditional virus scanners are usually slow to issue signatures against these new threats. But the protection provided by GFI MailSecurity is multi-layered and is not just limited to virus scanning.

Attachment checking

GFI MailSecurity can also block suspicious or dubious file types that could contain dangerous content, such as *.exe, *.vbs and other files. GFI's security research team keeps an updated list of executable attachment types, which is used to capture future and unknown viruses and worms as well as existing ones. GFI MailSecurity also performs Class ID (CLSID) extension checking, which allows it to easily catch would-be attacks that are based on this method. This adds an important level of security to the virus scanning and attachment checking components in GFI MailSecurity.

HTML Active Content removal

While JavaScript and similar technologies are much used on HTTP (hypertext transfer protocol), these have little use in email. GFI MailSecurity can easily protect against these threats through its patented HTML script defuser, which analyses HTML email for HTML scripts and Active Content. The HTML script defuser disables any scripts it finds and forwards the now harmless email to the recipient, including formatting and images.

For more information about GFI MailSecurity for Exchange/SMTP, please visit
Kenny aka ComSec

Please read the Forum Rules !!!


#2 Guest_Maffuster_*

  • Guests

Posted 13 January 2004 - 10:46 AM

I personally prefer Antigen from Sybari.

It doesn't have some of the more "advanced' functions, but it can scan each e-mail through 6 different AV engines...we've never seen a virus come through yet!

#3 tikbalang



  • Members
  • 122 posts

Posted 10 February 2004 - 10:00 PM

I personally prefer Antigen from Sybari.

It doesn't have some of the more "advanced' functions, but it can scan each e-mail through 6 different AV engines...we've never seen a virus come through yet!

i agree, we used it for a year now and we're not planning on changing it.

#4 FLW



  • Members
  • 164 posts

Posted 30 November 2005 - 01:09 PM

I personally prefer Antigen from Sybari.

It doesn't have some of the more "advanced' functions, but it can scan each e-mail through 6 different AV engines...we've never seen a virus come through yet!

i agree, we used it for a year now and we're not planning on changing it.

Sybari is now MS since about June of '05. As of the moment they still use there old name but will fall the fate of all eaten by Bill sooner or later.
Thanks, Dan O.

Also tagged with one or more of these keywords: virus, javascript, tools, scanning, firewall, cache, worm, infection