Early this morning, a radio station rang me up wanting to know about the latest threat to internet users – a spammed-out malware attack that was hitting inboxes hard, infecting computers without the user having to open an attachment.
The hot security story, they said, had been brought to their attention by a report in the Daily Mail:
The Daily Mail quoted German security outfit Eleven, who had issued a press release a few days ago entitled “Warning: Driveby Spam Infects PCs When E-Mail Is Opened”.
According to Eleven’s press release:
"This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client. Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected."
Sounds nasty, and reminded me of attacks we saw over ten years ago like VBS/Kakworm and VBS/BubbleBoy – so I asked our labs if we had seen any samples in our spam traps of what the Daily Mail and Eleven appeared to be talking about.
Sure enough, we found some examples of the malware attack which poses as an email from the Federal Deposit Insurance Corporation (FDIC) posing as an account suspension notice.
Examining the malware attack in Outlook Express
Here’s what it looks like if you receive the email in Outlook Express:
Hang on. That looks to me like a regular piece of spammed-out malware, requiring the user to knowingly open the attached file. I don’t see how that’s matching what Eleven and the Daily Mail are reporting.
In our tests, the malware did not get activated just by reading the email in Outlook Express. It was necessary to open the attachment in order to infect the computer.
Examining the malware attack in Thunderbird
A closer examination of the screenshot used in Eleven’s blog post, reveals that they examined the malware in Mozilla’s Thunderbird email client. So, let’s try examining an example of the malware campaign that way:
Aha! Things are slightly different this time. There is still an attached .HTM file which contains the malicious code, but Thunderbird is by default rendering the contents of that code (the “Loading… Please wait…” part) underneath the main message body inside the email pane.
But, in our tests, the malware did not get activated just by reading the email in Thunderbird.
Yes, part of the attachment was rendered, but the scripts which attempted to run exploit code from third party websites did not run.
In short, we still had to open the attachment to infect the PC.
That’s not to say that Eleven and the Daily Mail have got the story wrong, but rather that we have been unable to replicate the behaviour that they are describing.
And it did make us wonder whether perhaps some folks have been confused by Thunderbird’s partial rendering of the email attachment into believing that its malicious code was also being executed.
I’ll describe later in this article, how you can turn off the inline display of attachments in Thunderbird.
Regardless of whether the malware infects automatically or not, how can you protect your computer?
There are a number of ways in which Sophos’s products protect you against this threat. First of all, our anti-spam solutions intercepts the messages – preventing them from ever entering your inbox in the first place.
But if you aren’t defended by a decent anti-spam product, we also block the URL that the emails use to load the boobytrapped PDF and SWF content.
In addition, Sophos detects the attachment as Troj/JSRedir-EX, the exploited Flash content as Troj/SWFExp-AI and the boobytrapped PDFs as Troj/PDFEx-ET and Troj/PDFJS-UL.
So good protection is available. As always, computer users should ensure that their PDF readers, Flash players (and indeed Java installations) are up-to-date.
Java is particularly important, as that is the platform right now that is being most actively used as an infection vector across other exploit kits. And, sad to say, hardly anyone seems to bother updating Java.
You may also wish to re-evaluate your email client’s settings if it attempts to render attachments automatically.
Turning off inline attachments in Thunderbird
On a default installation of Thunderbird, automatic rendering of attachments is enabled. If the thought of that gives you the heebie-jeebies here’s how you turn it off.
Go to “Tools -> Options -> Advanced -> General” and press the “Config Editor” button.
You’ll be presented with a brief message warning you about dragons. Mozilla’s products do this whenever you’re about to get down-and-dirty into configuration options that it believes regular users normally shouldn’t be tinkering with.
Continuing, however, gives you the ability to alter one of Thunderbird’s settings.
If you change the value of mail.inline_attachments from true to false, Thunderbird will no longer try to render your attachments in the main message window.