When e-mail began as a simple text-only command-line tool for exchanging short
messages between computer engineers, it had not occurred to anyone that one day
billions of messages would be flying around the globe, or that a good percentage
of them would carry a file attachment of some sort.
When the Internet exploded in the early 1990s and e-mail became a mainstream
form of communication, file attachments soon emerged as a standard part of many
messages as well. For personal e-mail, users found it a quick and simple way to share
pictures of grandchildren with parents across the country or the world. For businesses
it became a competitive advantage to be able to send a business proposal or
the latest financial figures as a document or spreadsheet file attachment to an e-mail.
It didn’t take long for that competitive advantage to become a business necessity
and for file attachments to become a requirement for conducting business. Fax
machines quickly became glorified paperweights as businesses found e-mail file
attachments to be faster and more reliable than faxing.
For personal e-mail messages, the use of file attachments grew rapidly as well.
Users found that they could not only attach graphic images such as photographs, but
could attach files such as small movies and documents with jokes, and even share
entire programs with friends and family.
It is an unfortunate fact when it comes to malware and malicious computer
activity that often what was intended as a feature can also be exploited and used
against you. If a file attachment can be sent with a program you can click to execute
and perform some function, there is nothing stopping a malicious developer from
creating one that executes and performs a malicious function.
For the most part, the success of file attachments as a means of propagating malware
depends on what is called “social engineering.” Basically, the author of the malicious
e-mail has to compel the recipient to open the file attachment in some way.
One of the first ways used to persuade recipients to open malicious e-mail
attachments was by appealing to the user’s curiosity. The Anna Kournikova virus
claimed to contain a picture of the photogenic tennis star (the attachment was
named AnnaKournikova.jpg.vbs), but opening the attachment simply infected the computer.
This social engineering was quickly followed by disguising the e-mail to
appear to come from someone the user knows. Understandably, a user is more likely to
trust a message from his Uncle George or a coworker he eats lunch with than
a message from a complete stranger. Malware developers began programming
their viruses to send themselves out to the addresses in the address book of the
infected computer’s e-mail program. This method of propagation had
a fairly high rate of success in ensuring that the infected e-mail went to people
who personally knew the owner of the infected computer and would therefore be
more likely to trust the message.
Eventually users started to get wise to the idea that even a message from a
trusted friend might be suspicious. Some companies educated their users and tried to
condition them not to open certain types of file attachments because they might
execute a malicious program. But non-executable file types such as TXT (plain text)
files were considered to be safe.
Then one day someone received an e-mail from a friend with the Subject line
“ILoveYou” and an attachment called “Love-Letter-For-You.txt”… or so
they thought. Without stopping to consider that their Windows operating
system was configured to hide known file extensions, so that a genuine text file
would have been displayed with no “.txt” at all, they double-clicked the attachment
to open it and found themselves infected with the LoveLetter virus.
In actuality, the attachment was called “Love-Letter-For-You.txt.vbs”. Because
Windows hid the known “.vbs” extension, only the decoy “.txt” remained visible, and
double-clicking handed the file to the Windows Script Host instead of opening it as
text. LoveLetter capitalized on that Windows “feature” and exploited the acceptance
of TXT files as safe; it was an excellent example of both social engineering and
using “features” for malicious purposes.
Although antivirus software is continually updated to detect these new threats as
they are created, it is still a reactive form of defense. Malware still gets past antivirus
software and entices users to execute infected file attachments before the antivirus
signatures are updated. To prevent these infections, and to try to ensure that users do not
even have an opportunity to execute malicious attachments, administrators began filtering
certain attachment types regardless of whether they actually contained malicious
code or not.
This is one of the most prevalent methods for proactively protecting the network
from potentially malicious executable file attachments, or file attachments that
will run a program or perform commands if they are opened. As the list of blocked
file types grows, malware developers simply find some other executable file types to
spread malware and the cycle continues.
Initially, this sort of proactive attachment blocking was reserved for corporate
networks with administrators that knew how to build their own custom filters.
Eventually, some e-mail client software began to block potentially malicious attachments
as well. Microsoft began blocking a lengthy list of attachment types that might
contain malicious code in Outlook, first through the Outlook E-mail Security Update
for Outlook 98 and 2000 and then as a built-in default from Outlook 2002 onward.
Blocking file attachments that are known to be executable and therefore may
pose a risk from a security perspective is a move in the right direction, but it too is
somewhat reactive. Although it is more proactive to block a given file attachment
type by default, most administrators and mail filters don’t add a file type to the list
of blocked types until after it has been used by some malware. In my opinion, all
file attachments should be blocked by default and then the administrator or user
should have to designate which types they will allow rather than the other way
around.
It has been a fairly common practice in recent years to block all executable file
attachments but to allow archive file types, specifically ZIP files, the archive
format popularized on Windows by the compression program WinZip. The logic was that
some users might be tricked through social engineering into double-clicking an
executable file attachment, but surely if they first had to uncompress the archive
and then double-click the executable it contained, users would have enough sense
not to do so unless they knew exactly what the file attachment was for and trusted
the sender of the e-mail message.
Some administrators even went so far as to block ZIP file attachments unless
they were password protected, reasoning that even a user who could be talked into
opening a ZIP file before executing what it contained would still have to go through
the additional step of supplying a password to do so. Surely no user would go so far
as to not only execute a file attachment they know nothing about from an untrusted
source, but also first extract it from a compressed archive that requires a password.
(The trade-off is worth noting: a password-protected archive cannot be opened by a
gateway antivirus scanner either, so such a policy also blinds the one automated
control that sits between the sender and the user.)
Well, early 2004 proved those theories wrong. With a vengeance. New worms
dubbed Bagle (also spelled Beagle) and Netsky hit the Internet. Rather than trying
to overwhelm the user with social engineering in the message, they each carried
exceptionally short, rather cryptic messages that simply said things like “the
details are in the attachment.” Both of these threats used ZIP file attachments,
and yet people still opened the ZIP file, executed the enclosed program, and
propagated the worms. In fact, some variants even used password-protected ZIP
files with the password included in the body of the message, and users still
opened the attachments and became infected.
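The three points made above (a decoy extension such as “.txt.vbs” hiding the real one, blocking attachments by default rather than by blocklist, and attackers moving the executable inside a ZIP file, password-protected or not) can be turned into a single mail-gateway check. The following Python example is added here and is not code from the original text; the allow-list, the executable-extension list and the four sample attachments are constructed for illustration, and the archive members are dummy bytes, not programs. It classifies an attachment by the extension Windows will actually act on, rejects anything not on the allow-list, recognises a ZIP by its magic bytes rather than its name, and lists the members of a ZIP without extracting them. That last step works on password-protected archives too, because standard ZIP encryption (ZipCrypto and WinZip AES) protects only the member data, not the file names in the central directory.

```python
"""Default-deny attachment policy with a look inside ZIP attachments.

Added example, not code from the original text. The allow-list, the executable
extension list and the sample attachments are constructed for illustration.
"""
import io
import struct
import zipfile
import zlib

# Default-deny policy: only these extensions are accepted (assumed list).
ALLOWED_EXTENSIONS = {"txt", "pdf", "jpg", "jpeg", "png", "gif", "doc", "xls"}

# Extensions Windows runs directly or hands to a script engine. Illustrative
# subset only; a real list (e.g. Outlook's Level 1 list) is much longer.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                         "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk", "msi"}


def true_extension(name):
    """Extension Windows acts on: the text after the LAST dot, lower-cased.
    Trailing dots/spaces are dropped, as Windows drops them when saving.
    "Love-Letter-For-You.txt.vbs" -> "vbs", not "txt"."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def classify_name(name):
    """(verdict, reason) for one file name under the default-deny policy."""
    ext = true_extension(name)
    if not ext:
        return "block", "no extension"
    if ext in EXECUTABLE_EXTENSIONS:
        parts = name.lower().rstrip(". ").split(".")
        if len(parts) > 2 and parts[-2] in ALLOWED_EXTENSIONS:
            return "block", "executable hidden behind a decoy extension (.%s.%s)" % (parts[-2], ext)
        return "block", "executable extension .%s" % ext
    if ext in ALLOWED_EXTENSIONS:
        return "allow", "allowed extension .%s" % ext
    return "block", "extension .%s not on the allow-list" % ext


def inspect_zip(data):
    """List members without extracting. ZipCrypto and WinZip AES encrypt only
    member data; names in the central directory stay in clear, so the policy
    applies even when the password is "in the body of the message"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            verdict, reason = classify_name(info.filename)
            findings.append((info.filename, encrypted, verdict, reason))
    return findings


def check_attachment(name, data):
    """Verdict for one attachment. Archives are recognised by magic bytes,
    not by name, so a ZIP renamed to .txt is still inspected as a ZIP."""
    if data[:4] == b"PK\x03\x04":
        for member, encrypted, verdict, reason in inspect_zip(data):
            if verdict == "block":
                tag = " (encrypted)" if encrypted else ""
                return "block", "archive member %r%s: %s" % (member, tag, reason)
        return "allow", "archive contains only allowed file types"
    return classify_name(name)


def build_plain_zip(member, content):
    """Ordinary ZIP built with the standard library (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def build_encrypted_zip(member, content):
    """Minimal hand-built ZIP whose one member has the encryption flag set.
    zipfile cannot write encrypted archives, so the headers are packed by
    hand; the member data is dummy bytes behind a fake 12-byte crypto header."""
    name = member.encode()
    payload = b"\x00" * 12 + content
    crc, flags, stored = zlib.crc32(content), 0x1, 0
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, stored, 0, 0,
                        crc, len(payload), len(content), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, stored,
                          0, 0, crc, len(payload), len(content), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(payload), 0)
    return local + payload + central + eocd


# Constructed sample attachments; none contain real code.
SAMPLES = {
    "Love-Letter-For-You.txt.vbs": b"' decoy .txt, real .vbs",
    "quarterly-figures.xls": b"dummy spreadsheet bytes",
    "details.zip": build_plain_zip("details.exe", b"dummy bytes"),
    "details.txt": build_encrypted_zip("details.pif", b"dummy bytes"),  # ZIP renamed
}


def run_policy(samples=SAMPLES):
    """Apply the policy to every sample; returns {name: (verdict, reason)}."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_policy().items():
        print("%-28s %-5s %s" % (name, verdict, reason))
```

Run as a script it prints a verdict and reason for each sample. The hand-built encrypted ZIP is there only to show that a member name is still readable without the password, which is exactly what a gateway needs in order to refuse a “password is in the message” attachment before it reaches the user; the content of such a member, by contrast, cannot be scanned.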
Although some users have been told for years to never open a file attachment
unless they not only trust the sender, but also know exactly what the file attachment
is and why the sender sent it to them, there are a vast number of home users who
simply don’t know. It’s like going to the wrong side of town late at night with no
“street smarts” and no concept of the risks and threats that exist.
The “wrong” side of town can be relatively safe as long as you understand the
risks and threats and how to avoid them. Using the Internet and e-mail is the same
way. Getting a new computer and jumping straight onto the Internet without taking
some security precautions is like driving without brakes or skydiving without a parachute. As long as there are file attachments though, the bottom line is that the
responsibility falls on you, the user, to exercise an appropriate amount of caution and
common sense before choosing to open or execute them.