exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

preventing.worms

preventing.worms
Posted May 17, 2000
Authored by Woody Thrower, Stan Burnett, Gary Wahlquist | Site www2.axent.com

Prevent Current and Future E-Mail Worms.

tags | worm
SHA-256 | b1751241071df22894da713215dce7423eeb70171bb6e5eafc67ab315fb54b15

preventing.worms

Change Mirror Download
Prevent Current and Future E-Mail Worms
http://www2.axent.com/swat/News/Advisory.asp?id=2000-044

By Woody Thrower, Stan Burnett, and Gary Wahlquist - AXENT Technologies


The recent ILOVEYOU worm and its many variants (see CERT Advisory:
http://www.cert.org/advisories/CA-2000-04.html) have reminded the world
of the dangers of malicious E-mail file attachments. Earlier, Bubbleboy
(http://www.zdnet.com/zdnn/stories/news/0,4586,2390778,00.html)
demonstrated that it is possible for E-mail to automatically execute
malicious code, even without the user opening an attachment.

The malicious possibilities of scripted E-mail are virtually unlimited.
While Microsoft has released an update
(http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm)
to fix the specific scripting vulnerabilities exploited by Bubbleboy,
other scripting vulnerabilities can be expected in the future. Indeed,
new scripting vulnerabilities continue to be discovered. Take a look at
what the next generation of worms might look like in a recent ZDNET
article, Mere Child's Play:
http://www.zdnet.co.uk/news/2000/18/ns-15326.html.

In spite of the latest Microsoft patches, insecurely configured Outlook
98, Outlook Express 5, and Outlook 2000 are still vulnerable to attacks.
For example, JavaScript can be embedded in E-mail sent to these clients
that automatically opens a browser window to a URL specified by the
sender. Using this method, attackers could submit form data on your
behalf, or load web pages to exploit vulnerabilities not directly
exploitable via E-mail. This vulnerability can also be used in
conjunction with the newly discovered cookie leak in Internet Explorer
(http://www.peacefire.org/security/iecookies/) that allows malicious web
sites to collect cookies from other sites. Cookies are often used as a
form of authentication, or contain other sensitive information. If you
are using the current default configuration for Outlook 98, Outlook
Express 5, or Outlook 2000, an attacker could steal your cookies simply
by sending you E-mail.

Combined with self-replication as performed by the ILOVEYOU worm, these
vulnerabilities are truly disturbing. One unimaginative but dangerous
possibility is a self-replicating distributed denial-of-service (DDoS)
agent. Previous DDoS attacks have involved dozens, or maybe hundreds of
systems. Imagine being bombarded by a denial-of-service attack from
every ILOVEYOU victim.

A troubling, underlying issue with E-mail security is that some products
install powerful scripting capabilities by default. Most people do not
want or need scripting support in E-mail. The majority of users do not
need or want Microsoft's Windows Scripting Host enabled. Very few people
need the ability to run VBScripts by double-clicking.


Countermeasures

AXENT recommends the following countermeasures for a significantly safer
E-mail environment.

* Disable E-mail scripting in Outlook/Outlook Express.

Vulnerabilities in the default configuration of Outlook 98, Outlook
Express 5, and Outlook 2000 make systems susceptible to serious
compromise simply by viewing E-mail (without opening any
attachments). Protect yourself by reconfiguring Outlook 98, Outlook
Express 5, and Outlook 2000 as described in the pages listed below.
Note: Outlook 97 does not appear to support scripting in e-mail, and
is therefore not vulnerable.

Outlook 98: http://www2.axent.com/swat/News/mailsecurity/O98.html
Outlook Express 5: http://www2.axent.com/swat/News/mailsecurity/OE5.html
Outlook 2000: http://www2.axent.com/swat/News/mailsecurity/O2000.html

* Disable Windows Scripting Host.

Windows Scripting Host (WSH) can be used legitimately to automate
tasks when using the Windows operating system, but it can also be
exploited by worms such as ILOVEYOU and Bubbleboy. Though some users
with legitimate scripting needs may choose not to disable WSH,
disabling Windows Scripting Host will virtually eliminate the
possibility of accidentally executing a malicious .VBS file.

Instructions: http://www2.axent.com/swat/News/disableWSH.html

* Remove the VBS (Visual Basic Script) file extension from the
Registered File Types list.

The ILOVEYOU variety of worm requires that your system have the VBS
extension "registered" in order to spread. If this association is
removed, users cannot execute VBScripts by double-clicking the
script. Remove the VBS extension from "Registered file types" for a
more secure system. If necessary, users can still run legitimate
VBScripts using the Wscript.exe program. Note: Other file types (such
as .REG files) can also be dangerous, and can be removed from the
Registered File Types list for a more secure system.

Instructions: http://www2.axent.com/swat/News/disableVBS.html

* Install Microsoft fixes.

Install the Microsoft update that fixes the scriptlet.typelib/Eyedog
vulnerabilities (these vulnerabilities allow Bubbleboy and other
worms to work). AXENT also recommends that you install two additional
E-mail related fixes: "Active Setup Control" Vulnerability and "File
Access URL" Vulnerability. Check the Microsoft Security Advisor
(http://www.microsoft.com/security/default.asp) regularly for
Bulletins and fixes to other vulnerabilities that are published
weekly.

scriptlet.typelib/Eyedog update:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

Active Setup Control update:
http://www.microsoft.com/technet/security/bulletin/ms99-048.asp

File Access URL update:
http://www.microsoft.com/technet/security/bulletin/ms99-049.asp

* Filter out scripts, binary executables, batch files, etc. sent as
E-mail attachments.

It is unlikely that many people in your organization need to be
exchanging code by E-mail. Those who do can simply send a compressed
copy to avoid being filtered.

* Continue to exercise extreme caution with file attachments.

Don't open unexpected attachments from trusted sources until you
confirm that they actually sent them. Never open attachments from
suspicious or unknown sources.


Resources

* Mere Child's Play (ZDNET article on the future of worm attacks)
http://www.zdnet.co.uk/news/2000/18/ns-15326.html

* Frequently Asked Questions About Malicious Web Scripts Redirected by
Web Sites
http://www.cert.org/tech_tips/malicious_code_FAQ.html

* CERT Advisory CA-2000-04 Love Letter Worm
http://www.cert.org/advisories/CA-2000-04.html

* 'Bubbleboy' Virus Propagates on Web
http://www.zdnet.com/zdnn/stories/news/0,4586,2390778,00.html

* Microsoft Update to Correct the 'scriptlet.typelib/Eyedog'
Vulnerabilities
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

* Microsoft Security Program: Microsoft Security Bulletin (MS99-032)
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

* Microsoft Security Program: Frequently Asked Questions: Microsoft
Security Bulletin (MS99-032)
http://www.microsoft.com/technet/security/bulletin/fq99-032.asp

* Microsoft Security Advisory Home Page
http://www.microsoft.com/security/default.asp
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close