Threats, Countermeasures, and Common Sense in Internet Email Use

Derrick Foy

Abstract: Email works at the heart of many business entities and organizations, providing the communications flow which is their lifeblood. From the earliest mainframe-based email systems such as ARPA's Q32 and the Compatible Time-Sharing System (CTSS) developed at MIT, the technology has played an important role in the development of what we now call the Internet. Messaging is crucial to modern communications; its use is a given in most business, government, and campus environments. Email can also provide a vector for destructive or annoying messages and for system threats. Let's examine some common threats and the common-sense countermeasures which can help mitigate them.

Spam Control: Spam, or unsolicited commercial email, is the most visible threat, sapping up to 30 hours of productivity per year from the average business user. Spam can represent a civil liability to entities if it is determined that their systems are being used to transmit spam email. In addition, the possibility exists of civil damage suits against organizations not actively working to filter spam. Unfiltered sexual solicitations via email, in the absence of due care on the part of the organization, could be construed as permitting a hostile workplace and open the entity to liability.

Attempts at spam control can originate on the desktop and on the server. Attempts may be made to develop "kill filters" within email applications, but spammers are increasingly wise to filtering, utilizing obfuscated subject wording and graphics-based content as well as randomly generated MX record host addresses. Spam control applications which make use of spam signature filtering (filtering based on known spam content) are useful, but such applications must be updated regularly (like antivirus signature files), and new spam attacks lacking signatures will be overlooked. Filtering is not perfect, but it does prevent some spam from reaching the desktop; care must be taken to fine-tune such filters so as not to interfere with legitimate messages.
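As an added illustration of the signature-filtering approach described above (example code written for this page, not a product or filter the article describes), the following Python builds a small spam-signature filter. The signature phrases, the look-alike character mapping and the three test messages are all constructed for the example. Folding digit look-alikes and punctuation before matching catches one common kind of subject obfuscation; the image-only message shows the gap the text mentions, since a signature filter has no text to match in graphics-based spam.

```python
"""Signature-based spam filter with text normalisation (constructed example)."""
import re
from email.message import EmailMessage

# Constructed signature list: phrases seen in previously caught spam. Like
# antivirus signatures, such a list must be refreshed regularly; a message
# using wording not on the list is simply not caught.
SPAM_SIGNATURES = ("free trial", "act now", "limited time offer")

# Digit/symbol look-alikes folded back to letters before matching, so that
# "Fr33 Tr1al" and "free trial" compare equal. The mapping is an assumption
# chosen for this example, not a standard table.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text):
    """Lower-case, fold look-alike characters, keep only letter runs."""
    text = text.lower().translate(LOOKALIKES)
    return " ".join(re.findall(r"[a-z]+", text))


def text_of(msg):
    """Subject plus every text/plain part; image-only bodies contribute nothing."""
    pieces = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            pieces.append(part.get_content())
    return " ".join(pieces)


def signature_hits(msg):
    """Return the signatures found in the normalised subject and body."""
    haystack = normalise(text_of(msg))
    return [sig for sig in SPAM_SIGNATURES if sig in haystack]


def is_spam(msg):
    return bool(signature_hits(msg))


def build_text(subject, body):
    """Construct a plain-text test message."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg.set_content(body)
    return msg


def build_image(subject):
    """Construct an image-only test message (graphics-based spam has no text to match)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    # Constructed stub of a PNG header; the bytes are not a real picture.
    msg.set_content(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png")
    return msg


if __name__ == "__main__":
    print(signature_hits(build_text("Fr33 Tr1al - Act N0w!!!", "Lim1ted t1me 0ffer for you")))
    print(is_spam(build_text("Q3 budget review", "Please review the attached spreadsheet.")))
    print(signature_hits(build_image("Look at this")))
```

The filter errs toward delivering mail: only an exact, normalised signature match blocks a message, which is the fine-tuning trade-off the text refers to. Anything the list does not already describe, including the image-only message, passes through.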

Viruses, Worms, Trojans, Scripting Exploits, and OS Exploits: Viruses (programs and code meant to be destructive to systems), worms (code meant to clog and prevent access to systems and networks), and Trojan Horses (programs and code meant to provide unauthorized access to systems) are routinely distributed via email. Code Red, MyDoom and Bagle/Beagle are only recent examples of malicious code distributed via or targeted at email and the email client/server environment. What these threats have historically had in common is the need for active intervention via the weakest link in system security, people, in order to spread. Times have changed; new threat classes have emerged, most notably the "Hybrid" or "Blended Threat". Once upon a time, viruses were just that: viruses. Worms had no intelligence; they were static code written to take advantage of a single avenue of attack. If that avenue was blocked, the worm could not be effective. Starting in 2000, worms, viruses, and Trojans have become increasingly smarter. For instance, a virus seeking to do damage may also contain a Trojan within its payload; the Trojan allows the computer to be accessed by an attacker or to be zombified for use in a DDoS (Distributed Denial of Service) attack. A worm which may previously have been limited to mass-mailing propagation may now infect a system by seeking out open ports associated with certain known backdoors, such as port 3127 for MyDoom.A. As a result, the current stance against the blended threat will be part antivirus, part firewall, part intrusion detection/prevention, and part system hardening.

Common (simple-payload) viruses and worms are of course still a threat. Antivirus vendors have done a respectable job in dealing with such threats, ensuring that signature files are regularly updated and made available to the public. Vendor teams work constantly to stay on top of emerging Mytob or Kelvir outbreaks, but occasionally a virus catches everyone off guard. The constant creation of new viral strains has been the genesis of new descriptive terminology in the field; "in the wild" refers to viruses that have taken on lives of their own, either through mutation or through modification by virus writers other than the original creator. "Zero-Day Viruses" are code or exploits that arrive on the scene completely unknown and unanticipated by antivirus software providers; this code is typically the most destructive, since no signature exists to counter it. Heuristic antivirus programs seek to establish a baseline of known system behavior, either from a known operating system's footprint (known as operating characteristics) or through a learning process. Once the baseline is established, any activity outside this norm may be used to isolate a potential attack and inform the user of it. The system can then delete or quarantine the offending file or files, or prevent the system from running any applications associated with them. While heuristic antivirus applications typically are less effective overall at countering viruses, they do have the advantage over signature-based solutions of offering a level of protection against unknown, or "Zero-Day", code. The best protection should be a hybrid, or combination, of signature and heuristic (anomaly-based) protection, and many products offer the option to use both. Running multiple scanning engines is another way to ensure the best possible outcome from contact with viruses; however, the enterprise will need to weigh the increased capital, maintenance, and training costs of more complex systems against its level of threat tolerance and the proven benefit of such systems.

Trojans may arrive in the same manner as viruses and worms (email vector), but the potential for damage is more acute. Trojans can attempt to open a backdoor for attackers to steal enterprise data and records (such as those for which organizations are liable under HIPAA, SOX, and GLB).

Backdoors may serve as an entry for port-aware viruses and worms. Attachment scanning (a method of deconstructing, assessing, and threat-rating attachments) as well as blocking executable files altogether at the mail gateway (including quarantine of executables in compressed files) will do much to mitigate threats from Trojan/backdoor infections. Firewalls should be directed to examine and/or proxy all outbound traffic to look for connections to certain well-known Trojan ports. This will not only stop the server from reaching its client, but firewall log analysis should reveal the Trojan to administrators.
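An added example of the firewall log analysis step (written for this page; it is not from the article and does not follow any particular firewall's log format): the Python below parses constructed log lines and reports, per internal host, connections to watched Trojan ports. Only port 3127 (the MyDoom.A backdoor named earlier) comes from the article; the log line shape, the internal address ranges and the sample lines are assumptions for the example. Dropped attempts are counted as well as accepted ones, because the goal is to find the infected host, and a host that sweeps many destinations on the same backdoor port looks like the port-seeking worm behavior described above.

```python
"""Flag outbound connections to known Trojan/backdoor ports in firewall logs
(constructed example: log format and sample lines are made up for illustration)."""
import ipaddress
import re
from collections import defaultdict

# Destination ports to watch. 3127 is the MyDoom.A backdoor named in the article;
# an organisation would maintain its own list here.
WATCHED_PORTS = {3127: "MyDoom.A backdoor"}

# Address ranges considered "inside" the perimeter (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log line shape:
# "<timestamp> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def report(lines):
    """Summarise, per internal source host, TCP connections to watched ports.

    Dropped attempts count as much as accepted ones: the aim is to reveal the
    infected host, not only the traffic that got through the firewall."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] in WATCHED_PORTS and is_internal(rec["src"]):
            hits[rec["src"]].append(rec)
    summary = {}
    for src, recs in hits.items():
        summary[src] = {
            "labels": sorted({WATCHED_PORTS[r["dport"]] for r in recs}),
            "connections": len(recs),
            "distinct_destinations": len({r["dst"] for r in recs}),
            "first_seen": min(r["ts"] for r in recs),
        }
    return summary


# Constructed sample log: 10.1.2.3 sweeps three external hosts on 3127 (worm-like
# port seeking); 10.1.2.9 makes one internal connection; the inbound line from
# 198.51.100.7 is ignored because its source is not internal; UDP is ignored.
SAMPLE_LOG = """\
2005-06-01T09:12:01 ACCEPT TCP 10.1.2.3:51234 -> 203.0.113.10:80
2005-06-01T09:12:05 DROP TCP 10.1.2.3:51240 -> 203.0.113.11:3127
2005-06-01T09:12:06 DROP TCP 10.1.2.3:51241 -> 203.0.113.12:3127
2005-06-01T09:12:07 DROP TCP 10.1.2.3:51242 -> 203.0.113.13:3127
2005-06-01T09:13:00 ACCEPT TCP 198.51.100.7:4000 -> 10.1.2.3:3127
2005-06-01T09:14:00 ACCEPT TCP 10.1.2.9:51300 -> 10.1.2.20:3127
2005-06-01T09:15:00 ACCEPT UDP 10.1.2.9:53000 -> 203.0.113.5:3127
this line is not a log record
"""

if __name__ == "__main__":
    for src, info in report(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

In practice the `distinct_destinations` count is the more useful signal: a single connection to a watched port may be a false positive, whereas one host contacting many others on the same backdoor port deserves immediate isolation and an antivirus sweep.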

Are scripting and OS exploits better than viruses? What could be better than an exploit that uses one's own operating system? Scripting and OS exploits are the auto-immune diseases of computing; they can prey on our native tongue (on Microsoft platforms, COM objects including Visual Basic and ActiveX) or on our very structure (such as the LSASS Windows service code vulnerability that made the Sasser worm so destructive). Scripting exploits (aka malicious mobile code, malcode, etc.) are nothing new; Wassu, Melissa, and Loveletter were all Visual Basic-based scripts. Scripting exploits have changed because they are relatively easy to filter (block .VBS at the mail gateway) or block (removing the Windows Scripting Host program from the enterprise image will prevent Visual Basic scripts from executing). Antivirus vendors saw blocking scripts as rather routine due to well-known extensions and language syntax; attackers needed a new way. Rather than send a script attachment, attackers have now found it easier to get users to click on HTML-embedded links in emails. The local HTML link may itself contain the script, or may point to a malicious server capable of dropping a Trojan or worm or forcing script execution on the user's machine. Next-gen script attack methods point to the need for real-time script exploit detection and analysis for email. OS exploits have similarities (they exploit the system's default approach to executing code), but are different. Known buffer overflows such as MyDoom.AG, AH, or AI (offering privileged code execution), malformed URLs or malcode injection (webmail DoS due to inability to handle bad requests), and other OS exploits have been problems in the past, particularly with Microsoft software. Mitigation of OS exploits is a matter of timely system patching (desktop and server) as well as quarantine and code-stripping at the mail gateway.

Using Secure System Configuration and Invoking Security Policy: Security policy implementation, including secure system configuration and training, can help mitigate threats from email-borne code. For rank-and-file desktop users, email clients can and should be locked down on the enterprise computing image to prevent email from being received as HTML, and the auto-open/auto-execute function of Microsoft mail clients should be disabled. File types should always be shown, as MIME types for mail attachments and as file extensions within Windows Explorer; this allows users to apply what they have learned through the enterprise security awareness program. The Netsky and Lovegate infections utilized double extensions (win_longhorn.doc.exe, for example) to fool users into opening or saving the file. Double extensions also rely on the Microsoft default convention of hiding extensions for known file types.
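The three gateway controls discussed above, blocking executables (including those inside compressed files) at the mail gateway, blocking script attachments such as .VBS, and recognising double extensions like win_longhorn.doc.exe, can be combined in one attachment policy. The Python below is an added example written for this page, not code from the article or from any mail gateway product. The extension lists are an assumption (the article names only .VBS, "executables", and the .doc.exe pattern), and the sample message, including the zip archive that hides a double-extension executable, is constructed inline.

```python
"""Mail-gateway attachment policy: refuse executables and scripts, flag double
extensions, and look inside zip archives (constructed example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the gateway refuses outright. The article names .VBS and
# "executables"; the rest of the list is an assumed, common choice.
BLOCKED_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
               "js", "jse", "wsf", "hta"}
# Document-looking extensions; "<name>.<doc>.<exe>" is the double-extension trick.
DOC_EXT = {"doc", "xls", "ppt", "pdf", "txt", "jpg", "gif"}
ARCHIVE_EXT = {"zip"}
MAX_NESTING = 2   # archives inside archives inside archives are refused


def extension(name):
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def verdicts_for_name(name):
    """Return the reasons a file name is rejected (empty list means allowed)."""
    parts = name.lower().rsplit(".", 2)   # 'a.doc.exe' -> ['a', 'doc', 'exe']
    reasons = []
    if len(parts) >= 2 and parts[-1] in BLOCKED_EXT:
        reasons.append(f"blocked extension .{parts[-1]}")
        if len(parts) == 3 and parts[-2] in DOC_EXT:
            reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return reasons


def verdicts_for_zip(data, depth=0):
    """Reasons for rejecting a zip: blocked member names, deep nesting, bad data.

    Member names are readable even when the archive is encrypted, so the name
    policy still applies; only nested archives need the member's content."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reasons += [f"{member}: {r}" for r in verdicts_for_name(member)]
                if extension(member) in ARCHIVE_EXT:
                    if depth + 1 >= MAX_NESTING:
                        reasons.append(f"{member}: archive nested too deeply")
                    else:
                        try:
                            inner = zf.read(member)
                        except RuntimeError:   # encrypted member cannot be opened
                            reasons.append(f"{member}: encrypted nested archive")
                            continue
                        reasons += [f"{member}/{r}" for r in verdicts_for_zip(inner, depth + 1)]
    except zipfile.BadZipFile:
        reasons.append("unreadable archive")
    return reasons


def scan_message(raw):
    """Return ('deliver' | 'quarantine', [(attachment name, reasons), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = verdicts_for_name(name)
        if extension(name) in ARCHIVE_EXT:
            reasons += verdicts_for_zip(part.get_payload(decode=True))
        if reasons:
            findings.append((name, reasons))
    return ("quarantine" if findings else "deliver"), findings


def build_sample():
    """Constructed message: a clean text report plus a zip hiding a .doc.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("win_longhorn.doc.exe", b"MZ-not-really-an-executable")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "documents"
    msg.set_content("See attached.")
    msg.add_attachment("plain text report", subtype="plain", filename="report.txt")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The policy decides on file names, which is what the double-extension trick and the hidden-extension client default are about; a production gateway would pair it with the content scanning the article describes, so that a renamed executable is caught as well.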

Finally, users should be made aware of what actions constitute non-business use of email systems through communication of enterprise security policy. The policy should address legitimate uses, abuse such as launching spam or sending or receiving hate mail or pornography using enterprise resources, and the penalties for doing so. The policy should also contain guidelines for safe use of the system. Training will reinforce policy, resulting in a better informed user base and a safer network.

Summary:
As one might expect, threats are changing. Attackers are more slippery than ever, constantly on the lookout for the latest weak link to exploit. The weakest link in security has always been people. The weakest link in people has always been lack of knowledge and emotional responses. We in security would like to change that; we want everyone to know that, well, yes, you CAN be infected just through visiting a web page. The purpose should never be to create fear; people who are genuinely afraid don't act. In fact they do just the opposite; they ignore the problem for as long as they can. This puts such users behind the eight ball; once momentum is lost it is difficult to regain. Security professionals seek to encourage vigilance; initially the enterprise will of necessity be in a defensive stance.

Ultimately, organizations will take an offensive security stance; useful and efficient tools will combine with user knowledge, hardened systems and networks, and strong legislation to provide us with the Internet we deserve.

Published by Derrick Foy


2 Comments

  • i. Shibuya, 12/7/2005

    Will you be updating this article?

  • Sarah Owensby, 7/6/2005

    Good but a little complex.
