Protecting your Email from Viruses and Other MalWare

Published on 5 June 2003 / Last Updated on 5 June 2003

Once upon a time, email was considered to be a pretty safe communication medium. For those still using PINE or some other text-only mail client, it still is. But for the rest of us, who want to take advantage of all the advanced features of modern email client software, opening an email message can be a scary experience.

Virus writers, who used to spread their virtual “diseases” via infected floppies and network shares, have seized the opportunity posed by email programs that support attached files, HTML messages, and embedded scripts to send viruses and other malicious software (called “malware”) to hundreds or thousands of people with just a few keystrokes. In this article, we will look at how email viruses work and what you can do to protect your computer and network from them.

How Email Viruses Work

There are a couple of different ways that viruses can invade your computer through your email box. One of the most publicized is through attachments. If you open an executable file that’s attached to a mail message, the program runs and the virus does its dirty work – in some cases not only doing damage on your own machine but also using your address book to mail copies of itself to everyone with whom you correspond. These infected messages will appear to be from you, even though you weren’t even aware that they were sent. That’s why you should always be wary of mail with attachments, even when it comes from someone you know and trust. Viruses that work this way include the infamous Melissa virus, Klez, and others.

Avoiding attachment viruses would seem to be easy: just don’t open attachments. However, it’s not always that simple. Many of us whose work depends on collaborating with others across the Internet need to exchange attachments. If you do, common sense precautions should prevail. Note the file type before opening an attachment. Executables are most likely to be dangerous, but virus writers use tricks such as appending multiple file extensions to fool you into thinking a file is something it’s not. Because the Windows Explorer and some software programs don’t show common extensions by default, a file named letter.txt.exe will appear to be an innocuous text file when it’s really a program file.

Because the problem of viruses in attachments is so prevalent, Microsoft has written recent versions of Outlook (2002 and above) to automatically block executable file types (.exe, .bat, .com, .lnk, .scr, .vbs and many others). This feature is also added to Outlook 2000 when you apply Service Pack 2 or to Outlook 98 when you apply the Outlook Email Security Update. Unfortunately, this creates a situation where the cure may be worse than the disease if you really need to send and receive those types of files. If so, there are several ways to work around this problem.
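The double-extension trick and the extension-based blocking described above can be checked at a mail gateway or in a triage script. The following is an added example, not code from the original article or from Microsoft: it screens the attachments of a message against the file types the article names and flags names such as letter.txt.exe. The decoy list, the function names and the sample message are assumptions made for illustration.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# File types the article lists as blocked by Outlook 2002 (it adds "and many
# others"; only the ones it names are included here).
BLOCKED = {".exe", ".bat", ".com", ".lnk", ".scr", ".vbs"}
# Assumption: inner extensions treated as harmless-looking decoys.
DECOYS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}

def classify(filename):
    """Return (verdict, reason) for one attachment file name."""
    # Win32 drops trailing dots and spaces from file names, so normalise first.
    name = (filename or "").strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]
    if ext in BLOCKED and inner in DECOYS:
        return "block", f"double extension: {inner} hides {ext}"
    if ext in BLOCKED:
        return "block", f"executable type {ext}"
    return "allow", "no blocked extension"

def screen(raw_message):
    """Classify every attachment in an RFC 822 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        results.append((name, *classify(name)))
    return results

def build_sample():
    """Constructed test message; attachment bodies are inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "colleague@example.com", "you@example.com"
    m["Subject"] = "Please review"
    m.set_content("See attached.")
    for fname in ("letter.txt.exe", "notes.txt", "setup.SCR"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_string()

if __name__ == "__main__":
    for row in screen(build_sample()):
        print(row)
```

Because the check looks only at the name, a renamed file (the workaround the article describes next) passes it; content inspection by an anti-virus scanner is still needed.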

The simplest method is to just rename the file with a different extension (for example, rename program.exe to program.txt) and tell the person to whom you’re sending it to rename it to the original name after downloading it.

In Outlook 2002, you can edit the Registry to modify the file types that are blocked. There are several third-party utilities that will let you do the same thing without directly editing the Registry; these include Outlook Permissions Add-in from MRH Technology Group, DetachXP from McDaniel Development and the Xenos Outlook Security Extension.

Note that attachment blocking is optional in Outlook Express, and Outlook Web Access does not include attachment blocking. So another way to get your attachments is to use OWA (if you’re in an Exchange environment) or import your messages into OE from Outlook.

Don’t assume that you’re okay if the only attachments you open are document files. Word documents can contain macros (small programs) that can execute malicious commands. These are called macro viruses. You can protect yourself by setting the Macro Security level in Word (accessed via Tools | Options | Security tab) to medium or high. High disables all unsigned macros, and medium prompts you before running a macro, as shown in Figure A.

Figure A: Set Macro Security in Word to medium or high to protect from macro viruses

You can’t assume your mail is safe just because you don’t get attachments, either. Viruses can also be embedded in the mail message itself. This isn’t possible in a plain text message, but the most popular mail clients today (Outlook, OE, Eudora) support HTML mail so you can use stationery, embed pictures and sound, and so forth. An HTML message can contain scripts (programs) that execute viruses. This is one reason many mailing lists block HTML mail (another is bandwidth usage).

The latest version of Outlook (2003), now in beta testing, finally allows users to block HTML mail. This is a continuation of a trend that started in Outlook 2002 (XP), when Microsoft started blocking external content (files grabbed from outside servers) in the preview pane. To convert incoming HTML to plain text in Outlook 2000, you can use VBA code. In Outlook 2002, you can use the Rules Wizard’s “run a script” action to call a VBA subroutine to perform this conversion (instructions for both of these methods may be found here).

Rich text can also be exploited to send unauthorized messages, and even plain text messages can contain URLs that may take you to web sites where scripts run and disseminate viruses.
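The HTML-to-plain-text conversion discussed above can be sketched outside of Outlook as well. This is an added example, not the VBA code the article refers to: it renders an HTML body as text, discards script bodies, shows the real target of each link, and reports scripts, event handlers and external content. The class name, the tag lists and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
URL_ATTRS = {"src", "href", "background"}

class MailHtmlToText(HTMLParser):
    """Collect visible text from an HTML mail body and note active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        if tag in ("script", "style"):
            self._skip += 1                       # drop the element's body
        if tag in ("p", "br", "div"):
            self.text.append("\n")
        for name, value in attrs:
            raw = (value or "").strip()
            low = raw.lower()
            if name.startswith("on"):             # heuristic: onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and low.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"script URL on <{tag}>")
            elif name in URL_ATTRS and tag != "a" and low.startswith(("http:", "https:")):
                self.findings.append(f"external content in <{tag}>")
            elif name == "href" and tag == "a":
                self.text.append(f"[{raw}] ")     # show the real link target

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def to_plain_text(html):
    parser = MailHtmlToText()
    parser.feed(html)
    parser.close()
    lines = (ln.strip() for ln in "".join(parser.text).splitlines())
    return "\n".join(ln for ln in lines if ln), parser.findings

# Constructed sample body; the script content is an inert placeholder.
SAMPLE = ('<html><body onload="start()"><p>Hello,</p>'
          '<script>/* constructed placeholder */</script>'
          '<img src="http://tracker.example/pixel.gif">'
          '<p>See you <a href="http://example.com/">soon</a>.</p></body></html>')
```

Calling to_plain_text(SAMPLE) returns the readable text together with a list of findings that a filter can use to decide whether to quarantine the message or deliver only the text rendering.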

Protective Measures you can Take

Most viruses are operating system specific (that is, viruses that run on Windows often don’t affect Linux or Macintosh computers, and vice versa) and many are also specific to certain email clients. The first step in protecting your computer from email viruses is to apply all service packs and security updates, both those for your OS and those for your email software. Because the mail client may interact with the browser when reading HTML mail, you should also apply the latest updates to Internet Explorer.

Your mail client should be configured so that ActiveX and Java scripts won’t run automatically. In Outlook and OE, this is done through the settings for the Restricted Sites security zone (Tools | Options | Security). Choose Custom Level and scroll through the list of options, and set the option button for each ActiveX or scripting setting to either “disable” or “prompt,” as shown in Figure B.

Figure B: Disabling ActiveX and scripting in Outlook (or requiring a prompt) will prevent these components from executing automatically

If you use Eudora, in Tools | Options | Viewing Mail, you should disable “allow executables in HTML content.” For Netscape Mail, in Edit | Preferences, Advanced Category, uncheck “enable Javascript for Mail and News.”

The next step is to install a good anti-virus or email security program. Although an AV program will help, it may not be enough to protect a mission-critical network. In that case, a more comprehensive “email firewall” such as GFi MailSecurity for Exchange can check mail content as well as checking for viruses. Remember that new viruses are being created daily, so any virus software will need to have its definition files updated regularly.

Summary

How vulnerable is your network to email viruses and attacks? You can visit the Email Security Testing Zone at GFI’s web site to find out. Email is truly the “killer app” of the 21st century – businesses and individuals depend on electronic mail for quick, easy, reliable communication. However, your email system is a point of vulnerability that can be exploited to invade your system and network. Viruses can destroy data, damage system files that are necessary to run your operating system and applications, and even bring down the entire network through denial of service attacks. If this weren’t enough, these viruses can use your address books to spread themselves further. If you use email, you need to take steps to ensure that you’re protected against viruses, Trojans and other malicious software that can be transmitted via email – without compromising the email features you need to communicate effectively. In this article, we’ve provided an overview of email security issues and pointers to solutions that may be right for your computer and network.
