British e-mail provider has reported seeing a number of recent Trojan attacks exploiting a quirk in Outlook Express. The exploit has two features:

  • A fake extension structure intended to get around filtering software
  • A fake visible extension to trick people into opening an attachment by making it appear safe, when it actually contains a virus or another malicious payload

A successful attack normally depends on the use of some hacker tools that can generate specially crafted e-mail headers carrying an attachment with three file extensions. In fact, this isn’t a particularly new threat, and sophisticated hackers can hand code the headers. What makes it important now is the availability of online tools that make it easy to create these messages.

One extension is usually associated with an image, such as .jpg. This is visible to the user and is a social engineering attack to get them to open what looks like a safe attachment.

A second extension is an executable. Outlook Express uses this one to decide what to do with the attachment. The extension will usually be .exe, .pif, .vbs, or .scr.

The third extension is usually the same as the first and generates an innocent-looking icon for the attachment. Because there’s a “safe” extension to end the string, content filters may ignore the attachment and let it through. Even some filters that check for double extensions can be fooled by this triple extension structure.

The warning about the potential attacks from this triple-extension exploit comes from this bulletin from MessageLabs. The company reports that it has seen it used only to transmit Trojans so far, but it warns that the exploit could be used in a mass-mailing virus or worm that would bypass many corporate content filters.

Applicability–Outlook Express only
This exploit does not work in the full version of Outlook; it works only on Outlook Express. MessageLabs reports finding this vulnerability in Outlook Express versions 6.00.2800.1106 and but says it didn’t test other versions and that the exploit may be widespread.

Risk level–high
I rate this as a relatively high-risk vulnerability because the common use of content filters has led to a sense of complacency. Users tend to feel it is safe to open any attachment that gets through the network filters.

The exploit is especially risky because even a tech savvy user might be tempted to open an infected attachment that appears to be safe, both to the user and to the filter.

Mitigating factors
This exploit doesn’t work with Outlook, which is generally more appropriate in a business environment. Well-trained users who know that they shouldn’t open e-mail from strangers, especially when the message has an attachment, won’t be at risk.

The special e-mail header must be precisely formatted right down to the number and placement of blank spaces. Unfortunately, software is readily available on the Web to build the types of headers used in this attack. This means that the exploit is likely to become a favorite script kiddie attack, as more of them learn about the tools needed to execute this one.

Fix–user training
The only way you can prevent this form of attack is to either remove Outlook Express from systems or train users to follow strict guidelines when opening attachments.

Final word
Explaining this sort of obscure attack vector to users in some detail can go a long way toward getting them to understand the difficulty of protecting corporate networks and the reasons for certain IT policies. User training is a lot more effective when you can take the time to really explain the reasons why it is important to do certain things—in this case, being extra careful about attachments.

Simply telling users not to open attachments, or worse yet, trying to teach them to identify “safe” attachments by their extensions won’t make nearly as strong an impression as showing them how attackers can trick them even when they try to follow the rules about not opening executable attachments.

Of course, you may not have the time or permission from management to undertake this kind of training. In that case, you need to repeatedly reinforce the e-mail rules with memos from the IT department, especially just before holidays such as Valentine’s Day and Easter, which are likely to generate a flood of personal messages—and hacker e-mails masquerading as personal messages.