
Prevent malware from spreading by e-mail links and attachments

There seems to be a run on e-mail induced malware lately. I'm concerned that not everyone understands why that is and more importantly how it happens. Let's see if we can fix that.

On many occasions, I mentioned that Web sites with embedded drive-by droppers were the malware-distribution method of choice. I may have been wrong in that assessment. It seems that e-mail as a malware delivery vehicle is getting a second wind.

Sidebar

I'm sure most of you are well aware of the following information, since you are taking the time to read a blog post about IT Security. Yet there are all sorts of people who aren't and if I may say there's precious little information available to clearly explain it to them.

That's my goal for this article. I have also prepared a PowerPoint presentation with the same information. Hopefully it will help stem the growing tide of computers infected from e-mail links or attachments. Also if you feel that I've missed something or need to explain it better, please let me know. I'd like this to be as clear and concise as possible.

E-mail and malware

E-mail attachments and links are popular methods for bad guys to install malware on computers. So it's important to understand what to do when you get an e-mail that has an attachment or link in the e-mail message body.

E-mail attachments

E-mail attachments are files that accompany e-mail messages. Attachments can be one of two things:

  • The actual file or document designated in the e-mail.
  • A copy of the expected attachment that has malware embedded in it.

E-mail links

E-mail links are the underlined phrases in e-mail messages that simplify going to a specified Web site. Clicking on a link can cause one of three things to happen:

  • The link opens the correct Web page referred to in the e-mail.
  • The link activates a malware program embedded in the e-mail message.
  • The link is spoofed. It opens a Web page similar to the correct page, but with malware embedded in it.
Malware

Malware is malicious software that's designed to infiltrate or cause damage to computer systems without the user's knowledge or permission. Viruses, worms, trojans, and spyware are all considered malware.

Activating malware

E-mail malware requires user intervention to get started. It's that simple. The bad guys will try any method possible to entice you to open an attachment or click on a link. One of their favorite tricks is to pretend that the e-mail is from someone you know. That way you have no reason to be suspicious.

Spread to other computers

Once installed, the malware will immediately try to infect other computers by sending out e-mail messages with the same infected attachment to all the e-mail addresses it found on the newly-infected computer.

Those recipients will more than likely open the e-mail attachment as well, because it appears to be from someone they know. So it's not hard to see that this process will quickly overrun every computer on the network.
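The spreading behaviour described above leaves a very recognisable trace on the mail gateway: one mailbox suddenly sends the same attachment to many different recipients within seconds. The following is an added example (not code from the original post) that scans constructed gateway log lines, whose format is an assumption, and flags any sender that ships one attachment hash to an unusual number of distinct recipients inside a short window.

```python
"""Flag a burst of identical outbound attachments from a single mailbox.

Added example, not code from the original post. The log format below is an
assumption; real gateways log differently, but the signal is the same:
one sender, one attachment, many recipients, very little time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, sender, recipient, attachment hash.
SAMPLE_LOG = """\
2009-12-01T09:00:01 from=alice@corp.example to=bob@corp.example attach=sha256:aaaa1111
2009-12-01T09:00:02 from=alice@corp.example to=carol@corp.example attach=sha256:aaaa1111
2009-12-01T09:00:02 from=alice@corp.example to=dave@corp.example attach=sha256:aaaa1111
2009-12-01T09:00:03 from=alice@corp.example to=erin@client.example attach=sha256:aaaa1111
2009-12-01T09:00:03 from=alice@corp.example to=frank@client.example attach=sha256:aaaa1111
2009-12-01T09:00:04 from=alice@corp.example to=grace@corp.example attach=sha256:aaaa1111
2009-12-01T09:15:00 from=bob@corp.example to=alice@corp.example attach=sha256:bbbb2222
2009-12-01T10:00:00 from=carol@corp.example to=dave@corp.example attach=none
2009-12-01T10:30:00 from=dave@corp.example to=erin@client.example attach=sha256:cccc3333
2009-12-01T11:30:00 from=dave@corp.example to=frank@client.example attach=sha256:cccc3333
"""


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, attachment)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["from"], fields["to"], fields["attach"]


def find_mass_mailers(log_text, window=timedelta(minutes=5), min_recipients=5):
    """Return {(sender, attachment): recipients} for every sender/attachment
    pair that reached at least `min_recipients` distinct recipients within
    `window`. The value is the largest recipient count seen in any window."""
    events = defaultdict(list)  # (sender, attachment) -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, attach = parse_line(line)
        if attach == "none":  # messages without attachments are not of interest here
            continue
        events[(sender, attach)].append((ts, rcpt))

    alerts = {}
    for key, sends in events.items():
        sends.sort()  # chronological order
        start = 0
        for end in range(len(sends)):
            # slide the window start forward until the span fits in `window`
            while sends[end][0] - sends[start][0] > window:
                start += 1
            recipients = {r for _, r in sends[start:end + 1]}
            if len(recipients) >= min_recipients:
                alerts[key] = max(alerts.get(key, 0), len(recipients))
    return alerts


if __name__ == "__main__":
    for (sender, attach), count in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT: {sender} sent {attach} to {count} recipients within 5 minutes")
```

In the sample, alice's six identical attachments in four seconds trip the rule, while dave sending the same file to two clients an hour apart does not. The thresholds are starting points; tune them against what your own users normally do before alerting on them.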

Outside contacts

This type of malware doesn't care whether it's sending the infected e-mail or e-mail attachment to another employee or an outside contact. I don't think I have to mention how detrimental it would be if a client's computer became infected after opening an attachment from you.

Not practical

That all makes sense, but what about all the e-mail messages containing attachments and/or links that are pertinent to the business? They can't just be deleted, so what other options are there?

Attachment workaround

It's not convenient to do, but to be safe it's advisable to contact the party that sent the attachment and make sure they did intentionally send it to you. If that person's computer is infected, there's a good chance that they didn't even realize you received an e-mail message from them.

Active-link workaround

The bad guys are hoping that you will automatically click on e-mail links. Don't oblige them; use the following steps to prevent malware from being installed on your computer:

  • Make sure the link makes sense and isn't misspelled.
  • Copy and paste the link address into the Web browser instead of clicking on it.
  • Don't use the link and go to the Web site on your own accord (preferred method).
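The spoofed-link case above and the "make sure the link makes sense" step both come down to one fact: the underlined text you see and the address the link actually opens are two separate things. The following is an added example, not code from the original post, that parses a constructed HTML e-mail body with the Python standard library and reports links whose visible text shows one address while the href points to another, as well as domains that are a near-misspelling of a domain the reader trusts. The domains and the trusted list are placeholders.

```python
"""Compare what an e-mail link shows with where it really goes.

Added example, not code from the original post. Domains are placeholders.
"""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (all domains are placeholders).
SAMPLE_HTML = """
<p>Your statement is ready. Sign in at
<a href="http://secure-login.bank-example.com.evil.example/x">https://www.bank-example.com/</a>
or see <a href="https://www.bank-exmaple.com/">our help page</a>.
Normal link: <a href="https://www.bank-example.com/help">www.bank-example.com/help</a></p>
"""

# Domains the reader already knows and trusts (assumption for the example).
TRUSTED_DOMAINS = {"www.bank-example.com", "bank-example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less text is treated as http://text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself looks like a web address."""
    return "://" in text or text.startswith("www.") or "." in text.split("/")[0]


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reasons)] for every link; reasons is empty when
    the link text and the real destination agree and the domain is trusted."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        real_host = host_of(href)
        # 1. Text that looks like an address but points somewhere else.
        if looks_like_url(text) and host_of(text) != real_host:
            reasons.append(f"text shows {host_of(text)} but link opens {real_host}")
        # 2. A domain that is almost, but not quite, one we trust.
        if real_host not in trusted:
            close = difflib.get_close_matches(real_host, trusted, n=1, cutoff=0.8)
            if close:
                reasons.append(f"{real_host} is a near-misspelling of {close[0]}")
        findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in analyze_links(SAMPLE_HTML):
        status = "OK" if not reasons else "; ".join(reasons)
        print(f"[{text!r} -> {href}] {status}")
```

The first sample link is the classic spoof: the text is the bank's real address, the href is a long host name that merely begins with it. The second is a misspelled domain hidden behind harmless text. Only the third passes, which is also why the "copy and paste the address" step in the list has to copy the visible text rather than the hyperlink itself.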

Final thoughts

The best way to avoid having your computer become a victim of malware sent by e-mail is to be cautious, alert to anything that's out of the ordinary, and follow as many of the above suggestions as possible.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

54 comments
deepsand

a short primer on how to examine the Properties of links, and how to distinguish between the good, the bad & the ugly. Most users do not know and understand that there is a difference between the Anchor Tag that is displayed, and the URL actually referenced by the link.

cquirke

Forget "from someone you know" as the meaningless nonsense that is - all you "know" is that it's from that computer, but that doesn't tell you if any human intention was involved. As you say, most malware finds both To: and From: addresses on infected PCs, so not only will it usually be "from someone you know" but actually be sent from a PC other than that in the From: header. Instead, do the Turing Test; was this sent by a human, or some bot code? That cuts the risk down to intrafile infectors, such as those old Word macro viruses. Be brutal: If a lazy human doesn't bother to prove they are human, you can call them and explain all this the first time. After that, delete their junk unread - if they're too lazy to type, then you can be too lazy to read or respond. By the same token, don't send files without meaningful message text to prove you're human and to account for each attached file (so the recipient can spot "companion" files dropped by malware). There are two particular risk factors with this Turing Test filtering. The first is automated attachment sends, e.g. accounting apps that spawn .PDF email and "easy" photo software bundled with cameras that reduces pictures in size and generates generic textless emails with these attached. The second are dumb-ass blustery managers who effectively train underlings to "open" attachments that come without Turing-proof text. These are the bozos that send blank emails with attached .ppt or .doc and expect you to "open" these unquestioningly, because they are "from the boss". The other aspect of all this, is to reduce the exposure of email addresses to spam and malware harvesting. Use BCC: for multiple recipients, but make sure recipients know there are multiple unlisted co-readers. If your email app has a 'feature' to automatically add addresses to the address book, turn that off. Those two steps alone can do a lot to shrink spam and emaul attackment exposure.

dixon

...I routinely do is to right-click on an email and hit 'properties' and 'details' before opening it. That quickly shows you where the email really came from, and where the links really point to.
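The "properties/details" view the comment above refers to is the raw header block, and the useful part of it is the chain of Received lines. As an added example, not part of the comment or the original post, the following code uses Python's standard email package on a constructed message (all hosts, addresses and IPs are placeholders) to walk the Received chain from the origin hop forward and compare the From domain with the host that first handed the message to your server.

```python
"""Trace where an e-mail actually entered your mail system.

Added example, not from the original post. Message, hosts and addresses
are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message. The top Received line is the most recent hop;
# the bottom one is where the message first arrived.
SAMPLE_MESSAGE = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby mail.corp.example with ESMTP id 123; Tue, 1 Dec 2009 09:00:05 -0600
Received: from unknown (HELO bob-pc) (198.51.100.77)
\tby mx.corp.example with SMTP; Tue, 1 Dec 2009 09:00:02 -0600
From: "Alice" <alice@corp.example>
To: bob@corp.example
Subject: Invoice attached
Content-Type: text/plain

See attached.
"""

# "from <host> ... by <host>" is the fixed skeleton of a Received header.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(msg):
    """Return the hops in delivery order (origin first) as dicts."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(raw)
        if not m:
            continue
        ip = IPV4_RE.search(raw)
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def origin_check(raw_message):
    """Summarise the origin hop and flag a From: domain that does not match
    the host which first handed the message in."""
    msg = message_from_string(raw_message)
    hops = parse_received(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = hops[0] if hops else {"from": "", "ip": None, "by": None}
    origin_host = (origin["from"] or "").lower()
    # A forged From: typically arrives from a host outside the claimed domain,
    # or from one that never identified itself ("unknown").
    suspicious = origin_host == "unknown" or not origin_host.endswith(from_domain)
    return {"from_domain": from_domain, "hops": hops, "origin_host": origin_host,
            "origin_ip": origin["ip"], "suspicious": suspicious}


if __name__ == "__main__":
    result = origin_check(SAMPLE_MESSAGE)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from {hop['from']} ({hop['ip']}) by {hop['by']}")
    print("From: domain", result["from_domain"], "origin", result["origin_host"],
          "suspicious" if result["suspicious"] else "ok")
```

In the sample the From line claims alice@corp.example, but the first hop recorded by the company's own gateway came from an unidentified host at an outside address, which is exactly the pattern of an infected machine mailing on someone else's behalf. Only the Received lines written by servers you control can be trusted; anything below them was supplied by the sender and may be fabricated.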

pramodanm

How to find if some computer in network is affected by a malaware and sending spam mails out?

lund

Many years ago I got a tip to put an email address like, say, "!0000" (name) and "abcdefgh@ijklmnop.qrs" (email) in the Contacts list. It will sit at the top of the list and stop any process that tries to send something to the whole list. Does this (still?) hold true? Has anybody heard about it?

ultimitloozer

You should probably spell out the fact that the link may look like a web address, but the underlying link that would be followed does not have to be the same address. Many users believe they must always be the same. Some mail apps allow you to see the underlying link address by simply hovering over the link, i.e. Outlook 2007. Also, if they want to use the copy-and-paste method, they should not mistakenly use Copy Hyperlink in the Outlook context menu which copies what the link really is, not what it may appear to be.

Michael Kassner

I've run into many situations where it was very difficult to explain why e-mail attachments and links are a way for malware to get installed on a computer. Especially to the users who just want it to work and not be bothered by all the underlying details. So, I've put together this document and PowerPoint presentation to help in that regard. Please check it out and see if there's anything I missed or should add.

Michael Kassner

Still, the human user factor seems almost insurmountable. You mentioned managers, I agree. I also have seen that attitude propagate throughout the organization and where does that leave you.

Michael Kassner

I wish more Web-based email hosts would provide that information.

Michael Kassner

I had so forgotten about that. That did work nicely awhile ago. I have no idea if it's still relevant. I'll ask some of my mentors.

seanferd

But that is assuming you've already been infected. It still seems to help, but who knows if there are malware systems out there that will try the entire address book anyway? Best bet is to keep the computer defended, and scan regularly with a variety of tools to ensure there is no malware on your system.

santeewelding

Instructions to compute a transcendental number to its last digit.

Datacommguy

There's a good point here, one that I often try to pass on to users and customers, and one which Michael could have included in his tips on evaluating links. In Outlook, Outlook Express, and other email clients, simply moving the cursor over a displayed link in an email (without clicking) will show whether the displayed link is what it appears to be or something entirely different. Any difference should be a waving red flag. And one other thing: There are several browser add-ons which evaluate links for you and let you know if they're accepted as safe. McAfee's Siteadvisor and WOT come to mind. Siteadvisor warns you with color coded check marks or dialog boxes (but you do have to look at them) and WOT will even block access (if you excitedly click anyway) with a warning pop-up which allows you to stop there or override the warning. Neither is perfect of course, but they do help to highlight the known bad guys.

Michael Kassner

I guess I should went into more detail as to what spoofed meant. Thanks for the thoughts.

Michael Kassner

If there are any additions or changes that you feel might help, please let me know.

jemorris

your average user. On the next to last page I would do each of your bullet points in a different color for slightly more visual impact. They kind of run together with the white lettering on a med-light blue background and I think it would stick in a person's mind better by separating them with other light bright colors. The other suggestions I saw here about referencing an attachment is a great idea. A good prelude to this presentation would be one covering the basics of MalWare in general. Most people's computers I have cleaned up recently still think that the majority of malware comes from pimply-faced teens/young adults greatly lacking in social skills and always from an email rather than general surfing on the web. I try to explain that most of this crud comes from organized crime and non-friendly foreign govt's, the next question is always "what can they possibly gain from this?". Something I'm not sure if it would fit into this presentation would be, if you're going to forward something on clean up all the previous "fwd"s. Remove those old addresses because that's where most current viruses pull the addresses from, not so much to send an infected attachment but to send SPAM too. Thanks for the excellent article Michael!

blackmonoffive

I find having live scan on helps. I use Woot in my browser and have had a site not open via Woot as well as my security suite.

seanferd

I think you are right: 'Tis the season. Folks need to be educated or reminded about safe email practices in regards to malware. The PPTX should be handy. (It looks good.) For your part two, as well as pointing out how to check links, perhaps suggest not opening attachments from within the email client at all, but drag them off or detach them entirely and scan them. It takes all of two seconds, even if you use more than one anti-malware product (say, the AV & MBAM). Personally, I've never opened attachments within the email client (originally, it was just the way I worked), but some people will insist on doing it that way. It is a "problem" if they can't - I've noticed this due to the "zone"-related behavior of the newer MS products (good on MS!). Aside - you've been rather prolific lately Michael, it seems to me. :) Cheers!

grax

Nothing new but always worth being reminded lest we become complacent. Use email scanners to check all incoming messages. AVG(Free) works for me. When I send attachments I always refer to it in my message, including the name of the file. I encourage others to do the same. Hot links are more problematic but add-ons like Netcraft ToolBar (FF3) and others mentioned by Michael might help. Of course, using a more secure OS might also be an option........... don't let's go there!

jemorris

I'm about to install an HP Procurve "smart" switch. It was highly recommended by a couple of folks I know who have one. I'll let you know how that works out!!!

santeewelding

If syxguns knows that many who know how to write, then maybe he needs to be more careful.

syxguns

I believe that was something that was used in 2001. Basically it would not stop the malware from spreading, but it would send you a, "Message not received" e-mail. What that basically boils down to is that your infected machine may have sent infected messages to your entire address book. Best to get your machine fixed quick and then send an e-mail to your entire address book on how to get their machine fixed!! :)

lund

Sure! It should be applied only as an additional safety measure. BTW, "I should went into..." sounds strange to me. May I suggest "I should have gone into..."?

santeewelding

Take to heart what the wizards tell you, and expand upon it.

Michael Kassner

I was trying to be very basic in this first article. You would not believe the rift between the people who just use and those that know. I've tried to get really detailed and 5 minutes into the seminar, I saw nothing but glazed-over eyes. So, keep the ideas coming, I'll assemble them and have a part two. Thanks.

syxguns

[b]quote by jemorris[/b][i] if you're going to forward something on clean up all the previous "fwd"s. Remove those old addresses because that's where most current viruses pull the addresses from, not so much to send an infected attachment but to send SPAM too.[/i] Edit: why does the [quote] tag not work on this forum? I would like to add a comment on to this. If you are sending a message to multiple addresses, then use the BCC (Blind Carbon Copy) line instead of the To: line. By doing this you will not reveal other e-mail recipients address to others. If you are using an e-mail provider such as yahoo, msn, etc. and you are not sure where or how to use the BCC line, then do a search for it and they will tell you. :)

Michael Kassner

Give more information about those applications, please. I'm not familiar with them.

Michael Kassner

Pulling attachments out really won't make much difference, unless the AV isn't set to scan files on opening, right? I like the idea of scanning with MBAM though. Also I can't get users to save and scan. They just look at me like I'm stupid. (Well, maybe rightly so) I've been trying to get a few articles out. I hope that they have been useful.

Michael Kassner

I would have mentioned this in my original article: "When I send attachments I always refer to it in my message, including the name of the file. I encourage others to do the same." That's a very effective indicator almost like a captcha. Thank you for mentioning it.

jemorris

of malware. You are correct! I was going to reply but you nailed it in a nutshell!

seanferd

"I should went into..."? Not sure where I wrote that. Not only strange-sounding, but wrong, indeed.

santeewelding

Could be I am the only one extant, one who paid attention to wizards early on, but I don't think so.

Michael Kassner

Hello, Douglas. Sounds like you have been there and done that as well. Can you please let me know what you think would be more details? I'm working on a second part to this, that expresses more details. I just feel that I'm either preaching to the choir or to those that just want the titles.

douglaswlloyd

This is just what I need to share with our users. But more detail is needed. Michael is correct - most just want to do their jobs and not learn anything more. Trying to teach them what NOT to do has proven the most effective for us, but they don't always remember. Too much info and they tune you out. If you can boil down the salient points, then scare them with lots of adjectives and pictures, you could probably sell this presentation instead of sharing it.

jemorris

Also found Chad Perrin's "10+ reasons why people write viruses" which is also good.

jemorris

I found that when I was browsing some of the security related whitepapers. You know that list that shows up just below the current article that you're trying to download, I found several good ones the other day. I'm trying to talk my boss into letting me show this presentation at the end of one of our regular company meetings. I also took a copy and removed the main background color and then added some color (TR Blue?) to the main body text and saved as a PDF so I can print it out when needed and not use so much ink. I know some of the terminology will be over some people's heads but for the most part I think it will help them understand better why we're always stressing diligence on keeping up-to-date protection. If you're interested I can email you the pdf copy, it is a bit large but I can't seem to make it any smaller without losing significant quality.

deepsand

The opening and inventorying of contents can then be properly witnessed if and when needed.

Michael Kassner

I'll let my attorney friend know what you said, but I'm going to side with him for now. I guess I forgot to mention that I don't open those letters, they are stored in a safety deposit box.

deepsand

Sending to a different e-mail address, like sending to a different postal address, proves only that something was sent to that [b]particular[/b] address; it does not serve as proof of its having been sent to any other address. The server saved "Sent" copy serves to prove the sender, the recipients, and the contents of the missive. BTW, with respect to items physically mailed to yourself, any proof re. the contents disappears once opened, unless the opening and contents are witnessed & authenticated by a witness legally empowered to vouch for such.

Michael Kassner

The fact that I send it to a different e-mail address of mine. For some reason that makes a difference legally.

deepsand

It is not the case where you move something about, but rather that your mail server date/time stamps the message, and then places a copy in your Sent folder. Using snail mail as an analogy, it is the equivalent of having the Post Office automatically making a copy of your outgoing mail, and placing such in a special mail box for you. With respect to e-mail, using the auto-save function actually provides you with [b]more[/b] verifiable information than does sending a copy to yourself. The auto-saved copy will show all of the [b]BCC recipients[/b], whereas the copy sent to yourself will not.

Michael Kassner

I send it to a different e-mail address. I was told by a legal friend that doing so is on better legal grounds for having officially done something. Kind of like sending yourself a copy of a memo and leaving it in the sealed envelope to verify that you indeed completed the task. Anal, I guess, but that's me.

deepsand

I know that there was a time when the absence of such function was all too common; but, I've not seen that in quite some time. I configure all e-mail systems that I use, as well as those of clients, to automatically save a copy to the "Sent" folder. With storage space no longer being an issue, 'tis better to be safe than sorry.

Michael Kassner

I realize it doesn't make sense, but it's what I do. Kind of like training the mind so as to not goof up when there are more than one. Also, since I use Web-based email, I always add myself to BCC. It's a check that the e-mail got to the server and I have a copy for proof of sending.

deepsand

What is gained by using BCC for a single recipient? BTW, some e-mail systems allow for a blank "To" field as long as there is at least one valid address in the CC/BCC fields.

Michael Kassner

Your comments to my list. Thank you. I use the BCC tip all the time, sending the e-mail to myself. That's even the case if it's just to one person.

seanferd

But I've seen, plenty of times, where the resident scanning engine detected nothing, but a manually instigated scan did. Why? I don't know. But I don't think you can right-click an attached item and scan it, so I suggest copying or detaching it to a directory such as the Desktop to do this. That way, it is also available to any other scanners that do not have a resident engine always running (by design, choice, or necessity). As for scanning on opening, I guess I'd rather scan first before attempting to execute anything. As your users migrate to the newer Windows releases, especially if using IE, they may not be able to open attachments (or files over the internet) without saving first. I've seen some users who want to do these things, but cannot without messing with IE security settings. (Then again, IT departments may deploy images with these settings changed, but fie on them. ;) )