New Drive-By Spam Infects Those Who Open Email -- No Attachment Needed

[Virus Guy]

I'm not sure if this story is about the some-what recent rash of spam
containing links to blackhole exploits, or if this story is describing a
new phenomena - something that auto-executes upon being rendered (not
dependent on the user clicking an embedded link).

Anyone know?

I haven't seen anything like this in my recent spam.

I can't believe that if this is indeed possible (automatic javascript
processing upon message body being rendered in an e-mail) then why
haven't we seen this years ago?

What e-mail clients do this?

====================================

http://www.darkreading.com/security...hose-who-open-email-no-attachment-needed.html

New Drive-By Spam Infects Those Who Open Email
No Attachment Needed

Getting infected just got a whole lot easier, researchers say

Jan 28, 2012
By Tim Wilson
Dark Reading

Attackers have developed a new way to infect your PC through email --
without forcing you to click on an attachment.

According to researchers at eleven, a German security firm, the new
drive-by spam automatically downloads malware when am email is opened in
the email client. The user doesn't have to click on a link or open an
attachment -- just opening the email is enough.

"The new generation of email-borne malware consists of HTML e-mails
which contain a JavaScript which automatically downloads malware when
the email is opened," eleven says in a news release. "This is similar
to so-called drive-by downloads, which infect a PC by opening an
infected website in the browser."

The current wave of drive-by spam contains the subject "Banking security
update“ and has a sender address with the domain fdic.com. If the email
client allows HTML emails to be displayed, the HTML code is immediately
activated.

The user only sees the note "Loading…Please wait," eleven says. In the
meantime, the attempt is made to scan the PC and download malware.

Aside from updating their anti-spam and anti-malware tools, users can
fight the new attack by deactivating the display of HTML e-mails in
their email client, eleven advises. They can choose the option of
displaying emails in pure-text format only.

 

[FromTheRafters]

I'm not sure if this story is about the some-what recent rash of spam
containing links to blackhole exploits, or if this story is describing a
new phenomena - something that auto-executes upon being rendered (not
dependent on the user clicking an embedded link).

Anyone know?

I haven't seen anything like this in my recent spam.

I can't believe that if this is indeed possible (automatic javascript
processing upon message body being rendered in an e-mail) then why
haven't we seen this years ago?

What e-mail clients do this?

====================================

http://www.darkreading.com/security...hose-who-open-email-no-attachment-needed.html

New Drive-By Spam Infects Those Who Open Email
No Attachment Needed

Getting infected just got a whole lot easier, researchers say

Jan 28, 2012
By Tim Wilson
Dark Reading

Attackers have developed a new way to infect your PC through email --
without forcing you to click on an attachment.

According to researchers at eleven, a German security firm, the new
drive-by spam automatically downloads malware when am email is opened in
the email client. The user doesn't have to click on a link or open an
attachment -- just opening the email is enough.

"The new generation of email-borne malware consists of HTML e-mails
which contain a JavaScript which automatically downloads malware when
the email is opened," eleven says in a news release. "This is similar
to so-called drive-by downloads, which infect a PC by opening an
infected website in the browser."

The current wave of drive-by spam contains the subject "Banking security
update“ and has a sender address with the domain fdic.com. If the email
client allows HTML emails to be displayed, the HTML code is immediately
activated.

The user only sees the note "Loading…Please wait," eleven says. In the
meantime, the attempt is made to scan the PC and download malware.

Aside from updating their anti-spam and anti-malware tools, users can
fight the new attack by deactivating the display of HTML e-mails in
their email client, eleven advises. They can choose the option of
displaying emails in pure-text format only.

I suspect that they are misstating the events. I haven't heard of any
new vulnerability that affects all e-mail clients that support HTML
w/JavaScript.

It is perfectly normal for HTML to be rendered upon opening the e-mail
and also perfectly normal for embedded JS to execute. I'm thinking that
the 'Socially Engineered' HTML/JS is what they are talking about as
malware whereas it is actually only the 'come on' *show* and information
collection routine.

I could be wrong of course, but it smells like FUD so far.

That URL that was posted here not too long ago had that
"Loading...Please wait" message displayed while the javascript decoded
the blob. You are probably right that they are talking about BlackHole.

 

[David H. Lipman]

I suspect that they are misstating the events. I haven't heard of any new vulnerability
that affects all e-mail clients that support HTML w/JavaScript.

It is perfectly normal for HTML to be rendered upon opening the e-mail and also
perfectly normal for embedded JS to execute. I'm thinking that the 'Socially Engineered'
HTML/JS is what they are talking about as malware whereas it is actually only the 'come
on' *show* and information collection routine.

I could be wrong of course, but it smells like FUD so far.

That URL that was posted here not too long ago had that "Loading...Please wait" message
displayed while the javascript decoded the blob. You are probably right that they are
talking about BlackHole.

Its probably geared towards the idiots who can't handle an email client but use Webmail.
In that case its quite possible.

 

[Dustin]

I'm not sure if this story is about the some-what recent rash of spam
containing links to blackhole exploits, or if this story is
describing a new phenomena - something that auto-executes upon being
rendered (not dependent on the user clicking an embedded link).

Anyone know?

The email clients which happily render HTML could fall pray to this.

Attackers have developed a new way to infect your PC through email --
without forcing you to click on an attachment.

Drive by downloads via email ... I don't understand how this is a new
way to do something.

According to researchers at eleven, a German security firm, the new
drive-by spam automatically downloads malware when am email is opened
in the email client. The user doesn't have to click on a link or
open an attachment -- just opening the email is enough.

Providing the email client renders html and processes javascript
embedded in the html, yes. Mine doesn't. Yours *shouldn't*.

"The new generation of email-borne malware consists of HTML e-mails
which contain a JavaScript which automatically downloads malware when
the email is opened," eleven says in a news release. "This is
similar to so-called drive-by downloads, which infect a PC by opening
an infected website in the browser."

Ahh! So it's not new, it's just finally! taking advantage of the very
bad idea of html in email.

The current wave of drive-by spam contains the subject "Banking
security update“ and has a sender address with the domain fdic.com.
If the email client allows HTML emails to be displayed, the HTML code
is immediately activated.
Yep.

The user only sees the note "Loading…Please wait," eleven says. In
the meantime, the attempt is made to scan the PC and download
malware.

As would be expected, it's executing javascript.

Aside from updating their anti-spam and anti-malware tools, users can
fight the new attack by deactivating the display of HTML e-mails in
their email client, eleven advises. They can choose the option of
displaying emails in pure-text format only.

html shouldn't have EVER been an option for email in the first place.
And this! (Although many of us have sang this tune for years) is the
result we all predicted. Seems we were right, it just took years longer
than expected for somebody to do it.

 

[kurt wismer]

Ahh! So it's not new, it's just finally! taking advantage of the very
bad idea of html in email.

finally? didn't bubbleboy break this ground years ago? perhaps not
with javascript specifically, but it was taking advantage of html
email to render so-called "active content".

 

[FromTheRafters]

finally? didn't bubbleboy break this ground years ago?
Yep.

perhaps not
with javascript specifically, but it was taking advantage of html
email to render so-called "active content".

Yep, followed by Kakworm which did use JS.

 

[Virus Guy]

We have.


OE has always been able to do it.
OE shares security zones with IE.

The win-98 systems I use at home and the systems I manage at $Dayjob
have Office 2000 Premium (thanks to an old MSDN subscription) and the
e-mail client used on all these systems is Outlook 2000 (currently
v=SP3)

Microsoft issued a security update for Outlook 98 back in March 2001:

http://www.microsoft.com/download/en/details.aspx?id=20510

It was later re-issued for Outlook 2000 in (I think) October 2001.

========
Microsoft has issued a Security Update that sets the Java Permissions
option for the Microsoft virtual server to "Disable Java" for the
Restricted sites zone only. This setting disables potentially malicious
Java code from running in an HTML-formatted e-mail message.
========

So I guess that's why it's been a non-issue for me all these years.

since every joe-user today uses web-mail

And therein lies the problem for the hackers / spammers.

Is it not true that most web-mail providers will easily scan, detect and
disable (or flag) e-mail containing java script - thereby preventing
webmail users from ever seeing this code?

 

[FromTheRafters]

The win-98 systems I use at home and the systems I manage at $Dayjob
have Office 2000 Premium (thanks to an old MSDN subscription) and the
e-mail client used on all these systems is Outlook 2000 (currently
v=SP3)

Microsoft issued a security update for Outlook 98 back in March 2001:

http://www.microsoft.com/download/en/details.aspx?id=20510

It was later re-issued for Outlook 2000 in (I think) October 2001.

========
Microsoft has issued a Security Update that sets the Java Permissions
option for the Microsoft virtual server to "Disable Java" for the
Restricted sites zone only. This setting disables potentially malicious
Java code from running in an HTML-formatted e-mail message.
========

So I guess that's why it's been a non-issue for me all these years.


And therein lies the problem for the hackers / spammers.

Is it not true that most web-mail providers will easily scan, detect and
disable (or flag) e-mail containing java script - thereby preventing
webmail users from ever seeing this code?

Java != JavaScript.

 

[Bear]

Java != JavaScript

Am I missing something? I hope you don't mean they are the same.

 

[Virus Guy]

Java != JavaScript.

Can Java "code" be contained within the body of an e-mail message?

I thought that Java CODE can only be referenced by HTML content, not
included "in-line" with the content.

In other words, if I crafted an HTML document that included a reference
to run a piece of code (say, malware.exe), then the best I can do as a
hacker is package malware.exe as an attachment with the HTML document as
the spam-body and hope that the e-mail client will somehow unpack
malware.exe and launch it when the e-mail is viewed on the user's
machine.

Wouldn't java CODE also need to be packaged as an e-mail *attachment*,
whereas javaScript doesn't?

And how exactly does java CODE get called or executed in the first
place?

Isin't the common method to use java Script?

 

[FromTheRafters]

Am I missing something?
Yes.

I hope you don't mean they are the same.

The token "!=" is the JavaScript comparison operator for the "not equal
to" logical statement. Not all readers will accept "≠".

 

[FromTheRafters]

Can Java "code" be contained within the body of an e-mail message?

It usually comes in a jar.)

JavaScript can come in an HTML container like <script>code goes

I thought that Java CODE can only be referenced by HTML content, not
included "in-line" with the content.

When the browser (or other environment that supports it) encounters
JavaScript, it sends it to the interpreter. If Java is called, you have
to have the Java Runtime Environment and Java Virtual Machine to run the
code. Java jars (zip compressed) will have ".class" files which are
compiled from ".java" source code files.

JavaScript is a scripting language. Java is a full blown programming
language.

In other words, if I crafted an HTML document that included a reference
to run a piece of code (say, malware.exe), then the best I can do as a
hacker is package malware.exe as an attachment with the HTML document as
the spam-body and hope that the e-mail client will somehow unpack
malware.exe and launch it when the e-mail is viewed on the user's
machine.

That depends upon what you want "malware.exe" to do. Instead of
"malware.exe" lets just say you have some "payload" code. JavaScript,
even with its limited scope from within a browser's environment, can
deliver your payload. If what you want it to do is beyond that limited
scope, you need an exploit that extends that scope.

Wouldn't java CODE also need to be packaged as an e-mail *attachment*,
whereas javaScript doesn't?

The HTML container for Java will reference external class files whereas
the HTML container for JavaScript might actually house the code but it
could also reference an external ".js" file if desired.

And how exactly does java CODE get called or executed in the first
place?

This might help.
http://www.disordered.org/Java-QA.html

Isin't the common method to use java Script?

Yes, JavaScript is very popular.

 

[Bear]

The token "!=" is the JavaScript comparison operator for the "not equal
to" logical statement. Not all readers will accept "≠".

I like that face:

"≠"

 

[Virus Guy]

It usually comes in a jar.

JavaScript can come in an HTML container like <script>code goes
here</script>

Ok, lets not talk about javaSCRIPT any more.

How can an e-mail be crafted to auto-run java CODE _without_ requiring
the user to "click" on any embedded links?

 

[Bear]

Ok, lets not talk about javaSCRIPT any more.

How can an e-mail be crafted to auto-run java CODE _without_ requiring
the user to "click" on any embedded links?

http://www.technicalinfo.net/papers/CSS.html

 

[Dustin]

Ok, lets not talk about javaSCRIPT any more.

How can an e-mail be crafted to auto-run java CODE _without_ requiring
the user to "click" on any embedded links?

It would be poor judgement to Provide sPecifics on doing that.

 

[Bear]

It would be poor judgement to Provide sPecifics on doing that.

Dustin...it's all over the web!

 

[kurt wismer]

Dustin...it's all over the web!

i don't doubt it, but... that doesn't mean the answer is easy to find.
if it were that easy, the question would never have needed to be asked.

 

[Virus Guy]

I just created an email with code to run a Java applet from my
hard disk (could have been a "http" link to a server rather
than a "file" link) and it ran when I opened the email once I
took OE out of the restricted zone.

Why then do we see obfuscated javascript being used to "pull" java
applet code files from servers as part of an exploit technique?

Why not simply use OBJECT, EMBED or APPLET tags in html code to make a
direct reference to the malicious java code you want the user's computer
to download and run?

 

[Bill]

Spam is no longer an issue to me. I simply filter my mail through
pobox.com and it cures the problem. The best spam filtering option
I've used in many years of being online.