The simplest way to completely avoid such attacks is to not use a web browser or HTML-enabled email client to read your email. Since many of these attacks do not depend on bugs in the email client software, they cannot be prevented through patches to the email client. If you use a web browser or HTML-aware email client, you will be vulnerable to these kinds of attacks.
Also, as the attack depends on the email client being able to execute scripted HTML rather than depending on the weaknesses of any particular operating system, these attacks are cross-platform. An HTML-enabled email client on a Macintosh is just as vulnerable to active-HTML email attacks as an HTML-enabled email client on Windows or Unix. The vulnerabilty will vary from system to system based on the email client rather than the operating system.
Note: it may be possible to configure your email client to turn off the interpretation of HTML code. See your program documentation for details.
Switching to a non-HTML-aware email client is not a realistic option for many people. An alternative is to filter out or alter the offending HTML code before the email client gets a chance to execute it.
The recently-announced Eudora email bug is an example of this attack, with the added flaw of executing the HTML scripts as a trusted user because they didn't come from a external website. Eudora has announced a fix for the local-user-context problem.
Note that this is the result of a bug in the program under attack. A properly written email client will not allow random strangers to run programs on your computer without your consent. Programs subject to buffer overflows are incorrectly written and must be patched to permanently correct the problem.
Buffer overflows in mail programs occur in handling the message headers and attachment headers, which is information the email client needs to process in order to know details about the message and what to do with it. The text in the body of the message, which is simply displayed on the screen and which is expected to be a large amount of text, is not used as the vehicle for buffer overflow attacks.
The recently-announced overflow bugs in Outlook, Outlook Express and Netscape Mail are examples of this. Patches for Outlook are available via the Microsoft security site. Netscape Mail versions 4.06 and later have had this bug fixed.
The message headers and attachment headers can be preprocessed by the mail server to limit their lengths to safe values. Doing this will prevent them being used to attack the email client.
These attacks are usually used to breach security by getting a trusted user to run a program that grants access to an untrusted user, or to cause damage such as attempting to erase all of the files on the victim's hard disk. Trojan Horses can also act to steal information or resources or implement a distributed attack, such as by distributing a program that attempts to steal passwords or other security information, or a program that mails itself around (a "worm") and also mailbombs a target (a worm with an attitude :).
For this attack to succeed the victim must take action to run the program that they've received.
This attack can be avoided simply by not running programs that have been received in email until they have been checked over, even if the program seems to be harmless and especially if it comes from someone you don't know well and trust.
Except...
Bugs in the email client may allow the attack message to automatically execute the Trojan Horse attachment without user intervention, through either the use of active HTML or buffer overflow exploits. This is an extremely dangerous scenario.
In an attempt to prevent this, the names of executable file attachments can be changed in such a way that the operating system no longer thinks they are executable (for example, by changing "EXPLOIT.EXE" to "EXPLOIT.DEFANGED-EXE". This will force the user to save and rename the file before it can be executed (giving them a chance to think about whether it should be executed), and it reduces the possibility that other exploits in the same message will be able to find and execute the Trojan Horse program automatically since the name has changed.
In addition, for known Trojan Horse programs the attachment format can be mangled in such a way that the email client no longer sees the attachment as an attachment. This will force the user to contact technical support to retrieve the attachment, and gives the system administrator a chance to examine it. Here is a list of recent Trojan Horse executables and documents, gleaned from bugtraq and Usenet newsgroup warnings:
path.xls
compu_ma.exe
list.doc
photos17.exe
happy99.exe
IBMls.exe
picture.exe
yahoo.exe
ie0199.exe
aol4free.com
Another channel for Trojan Horse attacks is via a data file for a program that provides a macro (programming) language, for example, modern high-powered word processors, spreadsheets, and user database tools.
If you cannot simply discard attachments that may put you at risk, it is recommended that you install anti-virus software (which detects and removes macro-language Trojan Horses) and that you always open data file attachments in the program's "do not automatically execute macros" mode (for example, by holding down the [SHIFT] key when double-clicking the attachment).
Note: Windows NT CMD.EXE apparently only assigns special meaning to the .BAT and .CMD extensions. It will happily run a .EXE-format program that's named, for instance, BLAH.GIF. It's unfortunate that CMD.EXE does not behave consistently with the graphical shell.
Also: if your system administrator (or someone claiming to be your system administrator) emails you a program and asks you to run it, immediately become very suspicious and verify the origin of the email by contacting your administrator directly.
Procmail is a program that processes email messages looking for particular information in the headers or body of each message, and takes actions based on what it finds. If you're familiar with the concept of "rules" as provided in many major user mail clients (such as the cc:Mail client), then you are already familiar with the concept of automatically processing email messages based on their content.
This page provides you with a procmail ruleset specifically designed to "sanitize" your email against these attacks.
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40, A=procmail -Y -a $h -d $u
DROPPRIVS=YES
LOGFILE=$HOME/procmail.log
PATH="/usr/bin:$PATH"
SHELL=/bin/sh
POISONED_EXECUTABLES=/etc/procmail/poisoned
SECURITY_NOTIFY="postmaster, security-dude"
SECURITY_NOTIFY_VERBOSE="virus-checker"
SECURITY_QUARANTINE=/var/spool/mail/security
POISONED_SCORE=25
SCORE_HISTORY=/var/log/macro-scanner-scores
INCLUDERC=/etc/procmail/html-trap.procmail
LOGFILE=/dev/null
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_QUARANTINE=
Of course, if you've already got an /etc/procmailrc file you'll have to incorporate the INCLUDERC=/etc/procmail/html-trap.procmail call into what's already there.Notes about local policy:
This will create a file named procmail.log in the home directory of any user who receives mail. Your users should be instructed to periodically review and delete this file, or an administrative daemon should be set up to periodically collect statistics and delete the files or warn the user to do so. If you don't care to log the sanitizing messages and possible exploit warnings, then change the first logfile line to:
LOGFILE=/dev/nullNote that the DROPPRIVS at the beginning means the log file must be writable by the recipient.
If you wish to block specific executable and document attachments, create a text file containing one filename per line, with no leading spaces or comments, and set the variable POISONED_EXECUTABLES to point at that file before calling html-trap.procmail. See above for a recommended list of filenames of known trojans. Note: wildcards in this file will not work. Sorry.
If you wish to be notified when the filter traps poisoned attachments, set SECURITY_NOTIFY and/or SECURITY_NOTIFY_VERBOSE to a comma-delimited list of email addresses to notify. The SECURITY_NOTIFY_VERBOSE recipients will receive a full copy of the message, the SECURITY_NOTIFY recipents will only receive the headers.
If you wish to quarantine poisoned messages, set SECURITY_QUARANTINE to the file you wish to save the message in. This will prevent delivery to the original addressees. It is suggested that you set PROCMAIL_NOTIFY if you set PROCMAIL_QUARANTINE as this will remind you to check the quarantine file.
Note that the DROPPRIVS at the beginning means that the security quarantine file must be writable by users. If this is a problem, you may want to try setting the quarantine filename to /dev/null and rely on SECURITY_NOTIFY_VERBOSE to keep a copy of the original message.
The sanitizer implements a scanner which checks Microsoft document and worksheet attachments for macros that appear to be trying to do dangerous things. Depending on what the macros in a document or worksheet try to do, you may see false positives (safe documents being marked as dangerous). The score at which an attachment is considered "poisoned" may be set via POISONED_SCORE. If not given, it defaults to 10. The minimum POISONED_SCORE is 5.
If you wish to completely disable macro scanning, set DISABLE_MACRO_CHECK to any value. If you wish to scan and save the scores to do profiling but not mark any attachments as "poisoned", you can either set SCORE_ONLY to any value (not recommended), or set POISONED_SCORE to a very high value (100-200 is recommended - this will trap currently known exploits while giving you a chance to profile). Set SCORE_HISTORY to the name of the file to save scores in (with the same DROPPRIVS caveats as the other log files).
Suggestions for what to consider dangerous in a macro are welcome, as are samples of infected documents.
sendmail your-email-name < saved-file-name
04/02/99 Scanning of Word documents and Excel worksheets for possibly hostile macros seems to work acceptably well, so I'm going to release it. Note that this does not scan for variant-specific strings, so there aren't any "signature files" involved, but this means that it is possible to get false positives on complex macros. You may want to profile for a while before turning on macro-based attachment poisoning.
03/30/99 Well, it's just beginning, folks. Somebody's ported Melissa to Excel (search for "Papa Virus" if you want details). I've added "path.xls" to the list of suggested trojans, but that is only a stopgap.
03/29/99 It is possible for Word infected with a different virus to save .DOC-format files when told to "Save as" .RTF, so it's now possible to specify .RTF extensions in the poisoned list.
Also, fixed a bug in VERBOSE notification. D'oh!
03/27/99 Thanks to Melissa you can now add .DOC, .DOT, .XLS and .XLW filenames to the poisoned-executables list. Documents will be trapped, but the filenames won't be mangled. And here's a procmail filter rule that may detect and isolate worm emails, based upon the signature posted to bugtraq:
:0 H
* ^Subject:.*Important Message From
{
:0 B
* Here is that document you asked for
* don't show anyone else
* name=.*\.do[ct]
{
LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '
:0
security-quarantine
}
}
This filter is now included in the sanitizer. See the notes in the installation instructions above for configuring your site policy. Note that this solution is *not* robust and will probably not catch any Melissa variants.
03/20/99 Another bugtraq announcement of a Eudora buffer-overflow bug in attachment filename handling, affecting versions 4.1 and 4.2 beta. If you're running the sanitizer you should be safe.
03/06/99 Added the ability to trap on specific executable attachment names and mangle the attachment formatting so that reformatting is necessary to extract the attachment from the message. This was done in response to the Happy99.exe worm, but filenames to trap are specified in a configuration file, making extension of this simple.
If you get "Word too long" errors, try adding "SHELL=/bin/sh" or "SHELL=/bin/ksh" to /etc/procmailrc just before the call to html-trap.procmail - csh can't handle a command-line argument the size of the Perl script that's in the filter.
Do not put html-trap.procmail into /etc/procmailrcs/ as implied by the procmail man page. You'll get security errors from Perl about -e and setuid scripts if you do this. You may also have problems with filtering mail sent to root for this reason.
It looks like this perl script can be a bit of a memory hog on some systems. If you start getting "Out of memory" errors in your procmail log file, try adding
ulimit -d 15000;just before the perl -p -e in the MIME-sanitizing rule:
:0 fwYou might also have to increase the hard memory limit originally set for sendmail.
| ulimit -d 15000; perl -p -e ' #\
I can be contacted at <jhardin@wolfenet.com> - you could also visit my home page.