Potential e-mail vulnerability

Discussion in 'other security issues & news' started by Someone, Dec 6, 2010.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Can one get infected by malware if they simply open an HTML message with a malicious script? Would the script need to download the actual malware file separately or could the script be the actual malware? The reason I ask is I'm uncertain as to the usefulness of email scanners found in AVs.
    Thanks
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    yes
    they are useful but can eventually be beaten too. disable script in html emails and prevent it from dl content from the net, some email clients offer such fine tuning
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    HTML in email messages and attachments is no different than that in a web page.

    The script would be the trigger to download the malware. Here is an example showing how reading HTML messages in Outlook Express can trigger malware to download:

    Outlook Express Security
    http://www.malwarehelp.org/securing-your-e-mail-client-outlookexpress1.html
    More common is using HTML attachments to an email message:

    Confirmed! Plug-and-Play Spammers Using Stolen Emails as Spam Templates
    http://www.redcondor.com/blog/?tag=html-malware

    HTML attachments – now with malware!
    http://blog.commtouch.com/cafe/email-security-news/html-attachments-–-now-with-malware/

    The principal limitation of scanners is that they need a signature to identify malware, meaning that there can be a window of opportunity (0-day) when the malware is undetected.

    Some scanners are pretty good at identifying malicious code/scripts in an email, but it seems to be hit and miss, from the analyses I've seen.

    Here is an example of a scanner catching something:

    HEUR/HTML.MALWARE
    http://forum.avira.com/wbb/index.php?page=Thread&threadID=70038


    The best preventative measure is to have the email client render in plain text by default. This way,

    1) no script in the message body can run, therefore,

    2) no attachments can be launched automatically by a script.

    ----
    rich
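
The plain-text-by-default measure from the post above, as an added example that is not part of the original thread: a mail-handling sketch that displays only the text/plain alternative and reports script-capable content in the HTML body and in HTML attachments. The sample message, the `triage` and `build_sample` names, and the `example.invalid` URLs are constructed for illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Collects script-capable elements, event handlers and remote loads."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            remote = (value or "").lower().startswith(("http:", "https:"))
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name == "src" and remote:
                self.findings.append(f"remote src on <{tag}>")

def triage(msg):
    """Return (plain-text body to display, findings for every HTML part)."""
    body = msg.get_body(preferencelist=("plain",))  # never falls back to HTML
    plain = body.get_content() if body else ""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        where = f"attachment {part.get_filename()}" if part.is_attachment() else "body"
        findings += [f"{where}: {f}" for f in finder.findings]
    return plain, findings

def build_sample():
    """Constructed message: plain + HTML alternatives and an HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Please see the attached invoice.</p><script>location='
                        '"http://example.invalid/x"</script>'
                        '<img src="http://example.invalid/p.gif">', subtype="html")
    msg.add_attachment('<body onload="go()"><iframe src="http://example.invalid/f">'
                       '</iframe></body>', subtype="html", filename="invoice.html")
    return msg

if __name__ == "__main__":
    text, found = triage(build_sample())
    print(text, *found, sep="\n")
```

For mail read from disk or a socket, parse it with `email.message_from_bytes(raw, policy=email.policy.default)` so the parts expose the same `get_body` and `is_attachment` methods.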
     
  4. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Thanks for the informative responses!
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I have Sandboxie (Paid). I have my Outlook 2003 E-Mail "Forced" to an E-Mail sandbox. Also, I have DropRights plus Start/Run and Internet Access Restrictions which I feel should block an E-Mail malicious script from executing. Even if the malicious script executed, the sandbox should trap it.
     