New Drive-By Spam Infects Those Who Open Email -- No Attachment Needed

Discussion in 'Anti-Virus' started by Virus Guy, Jan 29, 2012.

  1. Virus Guy Guest

    I'm not sure if this story is about the somewhat recent rash of spam
    containing links to blackhole exploits, or if this story is describing a
    new phenomenon - something that auto-executes upon being rendered (not
    dependent on the user clicking an embedded link).

    Anyone know?

    I haven't seen anything like this in my recent spam.

    If this is indeed possible (automatic javascript processing upon the
    message body being rendered in an e-mail client), I can't believe it -
    why haven't we seen this years ago?

    What e-mail clients do this?

    ====================================

    http://www.darkreading.com/security/attacks-breaches/232500660/new-drive-by-spam-infects-those-who-open-email-no-attachment-needed.html

    New Drive-By Spam Infects Those Who Open Email
    No Attachment Needed

    Getting infected just got a whole lot easier, researchers say

    Jan 28, 2012
    By Tim Wilson
    Dark Reading

    Attackers have developed a new way to infect your PC through email --
    without forcing you to click on an attachment.

    According to researchers at eleven, a German security firm, the new
    drive-by spam automatically downloads malware when an email is opened in
    the email client. The user doesn't have to click on a link or open an
    attachment -- just opening the email is enough.

    "The new generation of email-borne malware consists of HTML e-mails
    which contain a JavaScript which automatically downloads malware when
    the email is opened," eleven says in a news release. "This is similar
    to so-called drive-by downloads, which infect a PC by opening an
    infected website in the browser."

    The current wave of drive-by spam contains the subject "Banking security
    update" and has a sender address with the domain fdic.com. If the email
    client allows HTML emails to be displayed, the HTML code is immediately
    activated.

    The user only sees the note "Loading…Please wait," eleven says. In the
    meantime, the attempt is made to scan the PC and download malware.

    Aside from updating their anti-spam and anti-malware tools, users can
    fight the new attack by deactivating the display of HTML e-mails in
    their email client, eleven advises. They can choose the option of
    displaying emails in pure-text format only.
     
    Virus Guy, Jan 29, 2012
    #1

  2. I suspect that they are misstating the events. I haven't heard of any
    new vulnerability that affects all e-mail clients that support HTML
    w/JavaScript.

    It is perfectly normal for HTML to be rendered upon opening the e-mail
    and also perfectly normal for embedded JS to execute. I'm thinking that
    the 'Socially Engineered' HTML/JS is what they are talking about as
    malware whereas it is actually only the 'come on' *show* and information
    collection routine.

    I could be wrong of course, but it smells like FUD so far.

    That URL that was posted here not too long ago had that
    "Loading...Please wait" message displayed while the javascript decoded
    the blob. You are probably right that they are talking about BlackHole.
     
    FromTheRafters, Jan 29, 2012
    #2

  3. It's probably geared towards the idiots who can't handle an email client but use Webmail.
    In that case it's quite possible.
     
    David H. Lipman, Jan 29, 2012
    #3
  4. Dustin Guest

    The email clients which happily render HTML could fall prey to this.
    Drive by downloads via email ... I don't understand how this is a new
    way to do something.
    Providing the email client renders html and processes javascript
    embedded in the html, yes. Mine doesn't. Yours *shouldn't*.
    Ahh! So it's not new, it's just finally! taking advantage of the very
    bad idea of html in email.
    As would be expected, it's executing javascript.
    html shouldn't have EVER been an option for email in the first place.
    And this! (Although many of us have sung this tune for years) is the
    result we all predicted. Seems we were right, it just took years longer
    than expected for somebody to do it.
     
    Dustin, Jan 29, 2012
    #4
  5. kurt wismer Guest

    finally? didn't bubbleboy break this ground years ago? perhaps not
    with javascript specifically, but it was taking advantage of html
    email to render so-called "active content".
     
    kurt wismer, Jan 29, 2012
    #5
  6. Yep, followed by Kakworm which did use JS.
     
    FromTheRafters, Jan 29, 2012
    #6
  7. Virus Guy Guest

    The win-98 systems I use at home and the systems I manage at $Dayjob
    have Office 2000 Premium (thanks to an old MSDN subscription) and the
    e-mail client used on all these systems is Outlook 2000 (currently
    v=SP3)

    Microsoft issued a security update for Outlook 98 back in March 2001:

    http://www.microsoft.com/download/en/details.aspx?id=20510

    It was later re-issued for Outlook 2000 in (I think) October 2001.

    ========
    Microsoft has issued a Security Update that sets the Java Permissions
    option for the Microsoft virtual server to "Disable Java" for the
    Restricted sites zone only. This setting disables potentially malicious
    Java code from running in an HTML-formatted e-mail message.
    ========

    So I guess that's why it's been a non-issue for me all these years.
    And therein lies the problem for the hackers / spammers.

    Is it not true that most web-mail providers will easily scan, detect and
    disable (or flag) e-mail containing java script - thereby preventing
    webmail users from ever seeing this code?
     
    Virus Guy, Jan 29, 2012
    #7
  8. Java != JavaScript.
     
    FromTheRafters, Jan 29, 2012
    #8
  9. Bear Guest

    Am I missing something? I hope you don't mean they are the same.
     
    Bear, Jan 29, 2012
    #9
  10. Virus Guy Guest

    Can Java "code" be contained within the body of an e-mail message?

    I thought that Java CODE can only be referenced by HTML content, not
    included "in-line" with the content.

    In other words, if I crafted an HTML document that included a reference
    to run a piece of code (say, malware.exe), then the best I can do as a
    hacker is package malware.exe as an attachment with the HTML document as
    the spam-body and hope that the e-mail client will somehow unpack
    malware.exe and launch it when the e-mail is viewed on the user's
    machine.

    Wouldn't java CODE also need to be packaged as an e-mail *attachment*,
    whereas javaScript doesn't?

    And how exactly does java CODE get called or executed in the first
    place?

    Isn't the common method to use java Script?
     
    Virus Guy, Jan 29, 2012
    #10
  11. The token "!=" is the JavaScript comparison operator for the "not equal
    to" logical statement. Not all readers will accept "≠".
     
    FromTheRafters, Jan 29, 2012
    #11
  12. It usually comes in a jar. :)

    JavaScript can come in an HTML container like <script>code goes
    When the browser (or other environment that supports it) encounters
    JavaScript, it sends it to the interpreter. If Java is called, you have
    to have the Java Runtime Environment and Java Virtual Machine to run the
    code. Java jars (zip compressed) will have ".class" files which are
    compiled from ".java" source code files.

    JavaScript is a scripting language. Java is a full blown programming
    language.
    That depends upon what you want "malware.exe" to do. Instead of
    "malware.exe" lets just say you have some "payload" code. JavaScript,
    even with its limited scope from within a browser's environment, can
    deliver your payload. If what you want it to do is beyond that limited
    scope, you need an exploit that extends that scope.
    The HTML container for Java will reference external class files whereas
    the HTML container for JavaScript might actually house the code but it
    could also reference an external ".js" file if desired.
    This might help.
    http://www.disordered.org/Java-QA.html
    Yes, JavaScript is very popular.
     
    FromTheRafters, Jan 29, 2012
    #12
  13. Bear Guest

    I like that face:

    "≠"
     
    Bear, Jan 29, 2012
    #13
  14. Virus Guy Guest

    OK, let's not talk about javaSCRIPT any more.

    How can an e-mail be crafted to auto-run java CODE _without_ requiring
    the user to "click" on any embedded links?
     
    Virus Guy, Jan 29, 2012
    #14
  15. Bear Guest

    http://www.technicalinfo.net/papers/CSS.html
     
    Bear, Jan 29, 2012
    #15
  16. Dustin Guest

    It would be poor judgement to Provide sPecifics on doing that.
     
    Dustin, Jan 29, 2012
    #16
  17. Bear Guest

    Dustin...it's all over the web!
     
    Bear, Jan 29, 2012
    #17
  18. kurt wismer Guest

    i don't doubt it, but... that doesn't mean the answer is easy to find.
    if it were that easy, the question would never have needed to be asked.
     
    kurt wismer, Jan 29, 2012
    #18
  19. Virus Guy Guest

    Why then do we see obfuscated javascript being used to "pull" java
    applet code files from servers as part of an exploit technique?

    Why not simply use OBJECT, EMBED or APPLET tags in html code to make a
    direct reference to the malicious java code you want the user's computer
    to download and run?
     
    Virus Guy, Jan 30, 2012
    #19
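    The check that posts #7, #12 and #19 circle around, as an added example
    that is not code from this thread, from Dark Reading or from eleven: a
    gateway or webmail front end parses each message, pulls out every
    text/html part and reports what would become "active" the moment a client
    renders it. Inline <script> bodies, external script/applet/object/embed/
    iframe references (the APPLET and OBJECT tags post #19 asks about), on*
    event handlers and javascript: URLs are all flagged; a text/plain part is
    noted but never parsed, since nothing in it executes. The two sample
    messages are constructed here for the example; the fdic.com sender and the
    "Loading...Please wait" body come from the quoted article, the script only
    sets the page title, and example.invalid is a placeholder host.

```python
"""Flag active content in the HTML part of an e-mail before it is rendered.

Added example for this thread, not code from the forum, from Dark Reading
or from eleven.  Sample messages below are constructed; example.invalid is
a placeholder host, the fdic.com sender is the one the quoted article names.
"""
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Tags whose presence means the mail carries code or a reference to code.
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}
# Attribute that names the external resource for each such tag.
SOURCE_ATTR = {"script": "src", "applet": "code", "object": "data",
               "embed": "src", "iframe": "src"}


class ActiveContentParser(HTMLParser):
    """Collect the tags and attributes that make HTML 'active' when rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # finding for the <script> whose body we are in

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            finding = {"tag": tag, "external": attrs.get(SOURCE_ATTR[tag])}
            self.findings.append(finding)
            if tag == "script":
                self._script = finding
        for name, value in attrs.items():
            if name.startswith("on"):  # onload=, onerror=, onmouseover= ...
                self.findings.append({"tag": tag, "handler": name})
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append({"tag": tag, "javascript_url": name})

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data (CDATA).
        if self._script is not None and data.strip():
            self._script["inline_bytes"] = len(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._script = None


def inspect_message(raw: bytes) -> dict:
    """Return a report for one RFC 5322 message: findings plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"subject": msg["subject"], "has_plain_part": False,
              "findings": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            report["has_plain_part"] = True   # plain text is shown, never run
        elif ctype == "text/html":
            parser = ActiveContentParser()
            parser.feed(part.get_content())
            parser.close()
            report["findings"].extend(parser.findings)
    report["verdict"] = "quarantine" if report["findings"] else "deliver"
    return report


# Constructed in the shape the quoted article describes: an HTML-only mail
# whose body shows "Loading...Please wait" while script runs on open.  The
# script here only sets the page title; the URLs are placeholders.
DRIVE_BY_SAMPLE = b"""\
From: security@fdic.com
To: victim@example.invalid
Subject: Banking security update
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="go()">
<p>Loading...Please wait</p>
<script>function go(){ document.title = "done"; }</script>
<script src="http://example.invalid/loader.js"></script>
<applet code="Update.class" codebase="http://example.invalid/"></applet>
</body></html>
"""

# Constructed plain-text mail: the same tag inside text/plain is just text.
PLAIN_SAMPLE = b"""\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Re: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Note that <script> inside text/plain is displayed, never executed.
"""

if __name__ == "__main__":
    for sample in (DRIVE_BY_SAMPLE, PLAIN_SAMPLE):
        print(inspect_message(sample))
```

    The verdict is deliberately blunt: any finding quarantines the mail,
    which is the gateway-side equivalent of the "display in plain text only"
    advice in the article. A real deployment would distinguish an inline
    script body from a bare external reference and would also walk
    multipart/alternative, but the parse above already shows why an HTML-only
    message with no text/plain part is the one to treat with suspicion.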
  20. Bill Guest

    Spam is no longer an issue to me. I simply filter my mail through
    pobox.com and it cures the problem. The best spam filtering option
    I've used in many years of being online.
     
    Bill, Jan 30, 2012
    #20
