Does spammed out malware attack exploit Mozilla Thunderbird 'feature'?

Filed Under: Featured, Malware, Spam

Early this morning, a radio station rang me up wanting to know about the latest threat to internet users - a spammed-out malware attack that was hitting inboxes hard, infecting computers without the user having to open an attachment.

The hot security story, they said, had been brought to their attention by a report in the Daily Mail:

Daily Mail headline

The Daily Mail quoted German security outfit Eleven, who had issued a press release a few days ago entitled "Warning: Driveby Spam Infects PCs When E-Mail Is Opened".

According to Eleven's press release:

"This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client. Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected."

Sounds nasty, and reminded me of attacks we saw over ten years ago like VBS/Kakworm and VBS/BubbleBoy - so I asked our labs if we had seen any samples in our spam traps of what the Daily Mail and Eleven appeared to be talking about.

Sure enough, we found some examples of the malware attack which poses as an email from the Federal Deposit Insurance Corporation (FDIC) posing as an account suspension notice.

Examining the malware attack in Outlook Express
Here's what it looks like if you receive the email in Outlook Express:

Malicious email in Outlook Express

Hang on. That looks to me like a regular piece of spammed-out malware, requiring the user to knowingly open the attached file. I don't see how that's matching what Eleven and the Daily Mail are reporting.

In our tests, the malware did not get activated just by reading the email in Outlook Express. It was necessary to open the attachment in order to infect the computer.

Examining the malware attack in Thunderbird
A closer examination of the screenshot used in Eleven's blog post, reveals that they examined the malware in Mozilla's Thunderbird email client. So, let's try examining an example of the malware campaign that way:

Malicious email in Thunderbird

Aha! Things are slightly different this time. There is still an attached .HTM file which contains the malicious code, but Thunderbird is by default rendering the contents of that code (the "Loading... Please wait..." part) underneath the main message body inside the email pane.

ThunderbirdBut, in our tests, the malware did not get activated just by reading the email in Thunderbird.

Yes, part of the attachment was rendered, but the scripts which attempted to run exploit code from third party websites did not run.

In short, we still had to open the attachment to infect the PC.

That's not to say that Eleven and the Daily Mail have got the story wrong, but rather that we have been unable to replicate the behaviour that they are describing.

And it did make us wonder whether perhaps some folks have been confused by Thunderbird's partial rendering of the email attachment into believing that its malicious code was also being executed.

I'll describe later in this article, how you can turn off the inline display of attachments in Thunderbird.

Regardless of whether the malware infects automatically or not, how can you protect your computer?
There are a number of ways in which Sophos's products protect you against this threat. First of all, our anti-spam solutions intercepts the messages - preventing them from ever entering your inbox in the first place.

But if you aren't defended by a decent anti-spam product, we also block the URL that the emails use to load the boobytrapped PDF and SWF content.

In addition, Sophos detects the attachment as Troj/JSRedir-EX, the exploited Flash content as Troj/SWFExp-AI and the boobytrapped PDFs as Troj/PDFEx-ET and Troj/PDFJS-UL.

So good protection is available. As always, computer users should ensure that their PDF readers, Flash players (and indeed Java installations) are up-to-date.

Java is particularly important, as that is the platform right now that is being most actively used as an infection vector across other exploit kits. And, sad to say, hardly anyone seems to bother updating Java.

You may also wish to re-evaluate your email client's settings if it attempts to render attachments automatically.

Turning off inline attachments in Thunderbird
On a default installation of Thunderbird, automatic rendering of attachments is enabled. If the thought of that gives you the heebie-jeebies here's how you turn it off.

Go to "Tools -> Options -> Advanced -> General" and press the "Config Editor" button.

Press the Config Editor button

You'll be presented with a brief message warning you about dragons. Mozilla's products do this whenever you're about to get down-and-dirty into configuration options that it believes regular users normally shouldn't be tinkering with.

Here be dragons

Continuing, however, gives you the ability to alter one of Thunderbird's settings.

Config option for mail.inline_attachments

If you change the value of mail.inline_attachments from true to false, Thunderbird will no longer try to render your attachments in the main message window.

, ,

You might like

10 Responses to Does spammed out malware attack exploit Mozilla Thunderbird 'feature'?

  1. How about un-checking the View->Display Attachments Inline? I believe this toggle the value.

  2. Heather · 1152 days ago

    Did you not get infected because your version of Firefox was running noScript?

  3. How about using the "view as HTML" option of Gmail? Will that protect you against the malware rendering?

  4. David Harley · 1152 days ago

    Nicely spotted, Graham. :) I've just cited you for a press statement for one of our partners: hopefully the hat tip won't be removed...

  5. MusicmanDJ · 1152 days ago

    I love the "here be dragons" warning. Double click is all it took. Keep up the great work!

  6. Caleb Miller · 1151 days ago

    I use Cocoon - a plug-in for Firefox that not only acts as a proxy, but also as anti-malware.

  7. I hate to post typo fixes to general comments, but "load the boobytapped PDF and SWF content." should read "load the boobytrapped PDF and SWF content."

  8. Nigel · 1151 days ago

    For those using the SeaMonkey suite's Mail & Newsgroups application, there's no access to the config editor through Preferences (or Options, in the Windows version). But you can still turn off the inline display of attachments by opening a browser window, typing about:config in the address bar, and pressing the Enter key. That will open the configuration editor, and then you can follow the instructions in the article from there.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and, and circle him on Google Plus for regular updates.