Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

New Drive-By Spam Infects Those Who Open Email -- No Attachment Needed

23 views
Skip to first unread message

Virus Guy

unread,
Jan 28, 2012, 11:08:10 PM1/28/12
to
I'm not sure if this story is about the some-what recent rash of spam
containing links to blackhole exploits, or if this story is describing a
new phenomena - something that auto-executes upon being rendered (not
dependent on the user clicking an embedded link).

Anyone know?

I haven't seen anything like this in my recent spam.

I can't believe that if this is indeed possible (automatic javascript
processing upon message body being rendered in an e-mail) then why
haven't we seen this years ago?

What e-mail clients do this?

====================================

http://www.darkreading.com/security/attacks-breaches/232500660/new-drive-by-spam-infects-those-who-open-email-no-attachment-needed.html

New Drive-By Spam Infects Those Who Open Email
No Attachment Needed

Getting infected just got a whole lot easier, researchers say

Jan 28, 2012
By Tim Wilson
Dark Reading

Attackers have developed a new way to infect your PC through email --
without forcing you to click on an attachment.

According to researchers at eleven, a German security firm, the new
drive-by spam automatically downloads malware when am email is opened in
the email client. The user doesn't have to click on a link or open an
attachment -- just opening the email is enough.

"The new generation of email-borne malware consists of HTML e-mails
which contain a JavaScript which automatically downloads malware when
the email is opened," eleven says in a news release. "This is similar
to so-called drive-by downloads, which infect a PC by opening an
infected website in the browser."

The current wave of drive-by spam contains the subject "Banking security
update“ and has a sender address with the domain fdic.com. If the email
client allows HTML emails to be displayed, the HTML code is immediately
activated.

The user only sees the note "Loading…Please wait," eleven says. In the
meantime, the attempt is made to scan the PC and download malware.

Aside from updating their anti-spam and anti-malware tools, users can
fight the new attack by deactivating the display of HTML e-mails in
their email client, eleven advises. They can choose the option of
displaying emails in pure-text format only.

FromTheRafters

unread,
Jan 28, 2012, 11:44:08 PM1/28/12
to
I suspect that they are misstating the events. I haven't heard of any
new vulnerability that affects all e-mail clients that support HTML
w/JavaScript.

It is perfectly normal for HTML to be rendered upon opening the e-mail
and also perfectly normal for embedded JS to execute. I'm thinking that
the 'Socially Engineered' HTML/JS is what they are talking about as
malware whereas it is actually only the 'come on' *show* and information
collection routine.

I could be wrong of course, but it smells like FUD so far.

That URL that was posted here not too long ago had that
"Loading...Please wait" message displayed while the javascript decoded
the blob. You are probably right that they are talking about BlackHole.

David H. Lipman

unread,
Jan 29, 2012, 12:04:29 AM1/29/12
to
From: "FromTheRafters" <err...@nomail.afraid.org>
Its probably geared towards the idiots who can't handle an email client but use Webmail.
In that case its quite possible.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Dustin

unread,
Jan 29, 2012, 12:16:45 AM1/29/12
to
Virus Guy <Vi...@Guy.com> wrote in news:4F24C62A...@Guy.com:

> I'm not sure if this story is about the some-what recent rash of spam
> containing links to blackhole exploits, or if this story is
> describing a new phenomena - something that auto-executes upon being
> rendered (not dependent on the user clicking an embedded link).
>
> Anyone know?

The email clients which happily render HTML could fall pray to this.
> Attackers have developed a new way to infect your PC through email --
> without forcing you to click on an attachment.

Drive by downloads via email ... I don't understand how this is a new
way to do something.

> According to researchers at eleven, a German security firm, the new
> drive-by spam automatically downloads malware when am email is opened
> in the email client. The user doesn't have to click on a link or
> open an attachment -- just opening the email is enough.

Providing the email client renders html and processes javascript
embedded in the html, yes. Mine doesn't. Yours *shouldn't*.

> "The new generation of email-borne malware consists of HTML e-mails
> which contain a JavaScript which automatically downloads malware when
> the email is opened," eleven says in a news release. "This is
> similar to so-called drive-by downloads, which infect a PC by opening
> an infected website in the browser."

Ahh! So it's not new, it's just finally! taking advantage of the very
bad idea of html in email.

> The current wave of drive-by spam contains the subject "Banking
> security update“ and has a sender address with the domain fdic.com.
> If the email client allows HTML emails to be displayed, the HTML code
> is immediately activated.

Yep.

> The user only sees the note "Loading…Please wait," eleven says. In
> the meantime, the attempt is made to scan the PC and download
> malware.

As would be expected, it's executing javascript.

> Aside from updating their anti-spam and anti-malware tools, users can
> fight the new attack by deactivating the display of HTML e-mails in
> their email client, eleven advises. They can choose the option of
> displaying emails in pure-text format only.

html shouldn't have EVER been an option for email in the first place.
And this! (Although many of us have sang this tune for years) is the
result we all predicted. Seems we were right, it just took years longer
than expected for somebody to do it.






--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

kurt wismer

unread,
Jan 29, 2012, 2:37:46 AM1/29/12
to
On Jan 29, 12:16 am, Dustin <bughunter.dus...@gmail.com> wrote:
> Virus Guy <Vi...@Guy.com> wrote innews:4F24C62A...@Guy.com:
[snip]
> > "The new generation of email-borne malware consists of HTML e-mails
> > which contain a JavaScript which automatically downloads malware when
> > the email is opened," eleven says in a news release.  "This is
> > similar to so-called drive-by downloads, which infect a PC by opening
> > an infected website in the browser."
>
> Ahh! So it's not new, it's just finally! taking advantage of the very
> bad idea of html in email.

finally? didn't bubbleboy break this ground years ago? perhaps not
with javascript specifically, but it was taking advantage of html
email to render so-called "active content".

Ant

unread,
Jan 29, 2012, 4:25:46 AM1/29/12
to
"Virus Guy" wrote:

> I can't believe that if this is indeed possible (automatic javascript
> processing upon message body being rendered in an e-mail)

It's always been possible with clients that render html.

> then why haven't we seen this years ago?

We have.

> What e-mail clients do this?

OE has always been able to do it. One of the first things you should
do when setting it up is make it operate in the restricted security
zone. Of course, you must ensure that this zone has active scripting
set to disabled. OE shares security zones with IE.

I suspect the authors are newbies and don't know what an email client
is, since every joe-user today uses web-mail which will default to
html with maximum attack surface enabled. Even if you told them to
use plain text they'd go "duh?".


FromTheRafters

unread,
Jan 29, 2012, 8:30:54 AM1/29/12
to
kurt wismer wrote:
> On Jan 29, 12:16 am, Dustin<bughunter.dus...@gmail.com> wrote:
>> Virus Guy<Vi...@Guy.com> wrote innews:4F24C62A...@Guy.com:
> [snip]
>>> "The new generation of email-borne malware consists of HTML e-mails
>>> which contain a JavaScript which automatically downloads malware when
>>> the email is opened," eleven says in a news release. "This is
>>> similar to so-called drive-by downloads, which infect a PC by opening
>>> an infected website in the browser."
>>
>> Ahh! So it's not new, it's just finally! taking advantage of the very
>> bad idea of html in email.
>
> finally? didn't bubbleboy break this ground years ago?

Yep.

> perhaps not
> with javascript specifically, but it was taking advantage of html
> email to render so-called "active content".

Yep, followed by Kakworm which did use JS.

Virus Guy

unread,
Jan 29, 2012, 10:03:21 AM1/29/12
to
Ant wrote:

> > then why haven't we seen this years ago?
>
> We have.
>
> > What e-mail clients do this?
>
> OE has always been able to do it.
> OE shares security zones with IE.

The win-98 systems I use at home and the systems I manage at $Dayjob
have Office 2000 Premium (thanks to an old MSDN subscription) and the
e-mail client used on all these systems is Outlook 2000 (currently
v=SP3)

Microsoft issued a security update for Outlook 98 back in March 2001:

http://www.microsoft.com/download/en/details.aspx?id=20510

It was later re-issued for Outlook 2000 in (I think) October 2001.

========
Microsoft has issued a Security Update that sets the Java Permissions
option for the Microsoft virtual server to "Disable Java" for the
Restricted sites zone only. This setting disables potentially malicious
Java code from running in an HTML-formatted e-mail message.
========

So I guess that's why it's been a non-issue for me all these years.

> since every joe-user today uses web-mail

And therein lies the problem for the hackers / spammers.

Is it not true that most web-mail providers will easily scan, detect and
disable (or flag) e-mail containing java script - thereby preventing
webmail users from ever seeing this code?

FromTheRafters

unread,
Jan 29, 2012, 10:11:41 AM1/29/12
to
Java != JavaScript.

Bear

unread,
Jan 29, 2012, 10:28:54 AM1/29/12
to
On 1/29/2012 9:11 AM, FromTheRafters wrote:
> Java != JavaScript

Am I missing something? I hope you don't mean they are the same.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Virus Guy

unread,
Jan 29, 2012, 10:37:26 AM1/29/12
to
FromTheRafters wrote:

> Java != JavaScript.

Can Java "code" be contained within the body of an e-mail message?

I thought that Java CODE can only be referenced by HTML content, not
included "in-line" with the content.

In other words, if I crafted an HTML document that included a reference
to run a piece of code (say, malware.exe), then the best I can do as a
hacker is package malware.exe as an attachment with the HTML document as
the spam-body and hope that the e-mail client will somehow unpack
malware.exe and launch it when the e-mail is viewed on the user's
machine.

Wouldn't java CODE also need to be packaged as an e-mail *attachment*,
whereas javaScript doesn't?

And how exactly does java CODE get called or executed in the first
place?

Isin't the common method to use java Script?

FromTheRafters

unread,
Jan 29, 2012, 10:41:41 AM1/29/12
to
Bear wrote:
> On 1/29/2012 9:11 AM, FromTheRafters wrote:
>> Java != JavaScript
>
> Am I missing something?

Yes.

> I hope you don't mean they are the same.

The token "!=" is the JavaScript comparison operator for the "not equal
to" logical statement. Not all readers will accept "≠".

FromTheRafters

unread,
Jan 29, 2012, 11:09:27 AM1/29/12
to
Virus Guy wrote:
> FromTheRafters wrote:
>
>> Java != JavaScript.
>
> Can Java "code" be contained within the body of an e-mail message?

It usually comes in a jar.:o)

JavaScript can come in an HTML container like <script>code goes
here</script>

> I thought that Java CODE can only be referenced by HTML content, not
> included "in-line" with the content.

When the browser (or other environment that supports it) encounters
JavaScript, it sends it to the interpreter. If Java is called, you have
to have the Java Runtime Environment and Java Virtual Machine to run the
code. Java jars (zip compressed) will have ".class" files which are
compiled from ".java" source code files.

JavaScript is a scripting language. Java is a full blown programming
language.

> In other words, if I crafted an HTML document that included a reference
> to run a piece of code (say, malware.exe), then the best I can do as a
> hacker is package malware.exe as an attachment with the HTML document as
> the spam-body and hope that the e-mail client will somehow unpack
> malware.exe and launch it when the e-mail is viewed on the user's
> machine.

That depends upon what you want "malware.exe" to do. Instead of
"malware.exe" lets just say you have some "payload" code. JavaScript,
even with its limited scope from within a browser's environment, can
deliver your payload. If what you want it to do is beyond that limited
scope, you need an exploit that extends that scope.

> Wouldn't java CODE also need to be packaged as an e-mail *attachment*,
> whereas javaScript doesn't?

The HTML container for Java will reference external class files whereas
the HTML container for JavaScript might actually house the code but it
could also reference an external ".js" file if desired.

> And how exactly does java CODE get called or executed in the first
> place?

This might help.
http://www.disordered.org/Java-QA.html

> Isin't the common method to use java Script?

Yes, JavaScript is very popular.

Bear

unread,
Jan 29, 2012, 11:11:18 AM1/29/12
to
I like that face:

"≠"

Virus Guy

unread,
Jan 29, 2012, 2:11:49 PM1/29/12
to
FromTheRafters wrote:

> > Can Java "code" be contained within the body of an e-mail message?
>
> It usually comes in a jar.
>
> JavaScript can come in an HTML container like <script>code goes
> here</script>

Ok, lets not talk about javaSCRIPT any more.

How can an e-mail be crafted to auto-run java CODE _without_ requiring
the user to "click" on any embedded links?

Bear

unread,
Jan 29, 2012, 2:18:39 PM1/29/12
to

Dustin

unread,
Jan 29, 2012, 4:06:08 PM1/29/12
to
Virus Guy <Vi...@Guy.com> wrote in news:4F2599F5...@Guy.com:
It would be poor judgement to Provide sPecifics on doing that.

Bear

unread,
Jan 29, 2012, 4:54:47 PM1/29/12
to
On 1/29/2012 3:06 PM, Dustin wrote:
> Virus Guy<Vi...@Guy.com> wrote in news:4F2599F5...@Guy.com:
>
>> FromTheRafters wrote:
>>
>>>> Can Java "code" be contained within the body of an e-mail message?
>>>
>>> It usually comes in a jar.
>>>
>>> JavaScript can come in an HTML container like<script>code goes
>>> here</script>
>>
>> Ok, lets not talk about javaSCRIPT any more.
>>
>> How can an e-mail be crafted to auto-run java CODE _without_ requiring
>> the user to "click" on any embedded links?
>
> It would be poor judgement to Provide sPecifics on doing that.
>
>
Dustin...it's all over the web!

kurt wismer

unread,
Jan 29, 2012, 5:44:52 PM1/29/12
to
On Jan 29, 4:54 pm, Bear <bearbottoms1+...@gmail.com> wrote:
> On 1/29/2012 3:06 PM, Dustin wrote:
> > Virus Guy<Vi...@Guy.com>  wrote innews:4F2599F5...@Guy.com:
[snip]
> >> How can an e-mail be crafted to auto-run java CODE _without_ requiring
> >> the user to "click" on any embedded links?
>
> > It would be poor judgement to Provide sPecifics on doing that.
>
> Dustin...it's all over the web!

i don't doubt it, but... that doesn't mean the answer is easy to find.
if it were that easy, the question would never have needed to be asked.

Ant

unread,
Jan 29, 2012, 8:31:18 PM1/29/12
to
"Virus Guy" wrote:

> How can an e-mail be crafted to auto-run java CODE _without_ requiring
> the user to "click" on any embedded links?

Since we're talking about html mail, the same way as any active
content can be automatically run in web pages by using the appropriate
tags. Stuff like Java, Flash, Quicktime movies, sound and other media
will run without clicking if your security settings allow.

I just created an email with code to run a Java applet from my hard
disk (could have been a "http" link to a server rather than a "file"
link) and it ran when I opened the email once I took OE out of the
restricted zone.


Virus Guy

unread,
Jan 29, 2012, 10:01:03 PM1/29/12
to
Ant wrote:

> I just created an email with code to run a Java applet from my
> hard disk (could have been a "http" link to a server rather
> than a "file" link) and it ran when I opened the email once I
> took OE out of the restricted zone.

Why then do we see obfuscated javascript being used to "pull" java
applet code files from servers as part of an exploit technique?

Why not simply use OBJECT, EMBED or APPLET tags in html code to make a
direct reference to the malicious java code you want the user's computer
to download and run?

Bill

unread,
Jan 29, 2012, 10:24:55 PM1/29/12
to
Spam is no longer an issue to me. I simply filter my mail through
pobox.com and it cures the problem. The best spam filtering option
I've used in many years of being online.

Ant

unread,
Jan 30, 2012, 6:29:41 AM1/30/12
to
"Virus Guy" wrote

> Ant wrote:
>> I just created an email with code to run a Java applet from my
>> hard disk (could have been a "http" link to a server rather
>> than a "file" link) and it ran when I opened the email once I
>> took OE out of the restricted zone.
>
> Why then do we see obfuscated javascript being used to "pull" java
> applet code files from servers as part of an exploit technique?

It hides what they're doing and the domain from the casual observer.

> Why not simply use OBJECT, EMBED or APPLET tags in html code to make a
> direct reference to the malicious java code you want the user's computer
> to download and run?

That's what you see when the script is deobfuscated. Sometimes the
tags and link are not hidden. I've seen Blackole pages (main.php)
where the first reference to a Java applet is in the clear, followed
by all the other exploits in obfuscated script.


Bear

unread,
Jan 30, 2012, 8:42:38 AM1/30/12
to
I found it in .1 seconds

Virus Guy

unread,
Jan 30, 2012, 6:58:32 PM1/30/12
to
Ant wrote:

> > Why then do we see obfuscated javascript being used to "pull" java
> > applet code files from servers as part of an exploit technique?
>
> It hides what they're doing and the domain from the casual observer.
>
> > Why not simply use OBJECT, EMBED or APPLET tags in html code to make
> > a direct reference to the malicious java code you want the user's
> > computer to download and run?
>
> That's what you see when the script is deobfuscated. Sometimes the
> tags and link are not hidden. I've seen Blackole pages (main.php)
> where the first reference to a Java applet is in the clear, followed
> by all the other exploits in obfuscated script.

Are there usually different (separate) settings to disable javascript
AND disable java?

If so, aren't malware authors / spammers shooting themselves in the foot
by depending on javascript NOT being disabled on the target system?

Wouldn't they get further in their effort to exploit a target if they
bypassed the javascript stage and went directly to the java method?

Does anyone here have any further info on this apparently new spam
infection mechanism as described in the original post?

Ant

unread,
Jan 30, 2012, 9:11:25 PM1/30/12
to
"Virus Guy" wrote:

> Ant wrote:
>>> Why not simply use OBJECT, EMBED or APPLET tags in html code to make
>>> a direct reference to the malicious java code you want the user's
>>> computer to download and run?
>>
>> That's what you see when the script is deobfuscated. Sometimes the
>> tags and link are not hidden. I've seen Blackole pages (main.php)
>> where the first reference to a Java applet is in the clear, followed
>> by all the other exploits in obfuscated script.
>
> Are there usually different (separate) settings to disable javascript
> AND disable java?

Yes, in IE. You should know this. The two technologies are unrelated.

> If so, aren't malware authors / spammers shooting themselves in the foot
> by depending on javascript NOT being disabled on the target system?

Most, if not all, of the mainstream web sites visited by the average
user contain javascript. I expect many would not function properly
with it disabled. The average user will have javascript enabled.

> Wouldn't they get further in their effort to exploit a target if they
> bypassed the javascript stage and went directly to the java method?

They sometimes do, as in the Blackhole example I gave above. That used
applet tags directly.

> Does anyone here have any further info on this apparently new spam
> infection mechanism as described in the original post?

The article you cited is vague with no technical details. They're
commenting on work done by German researchers which I haven't seen. It
looks like nothing new, as I and others have indicated. Javascript is
not dangerous in itself; the fact that what it's doing can be hidden
with obfuscation and its ability to drive plugins and ActiveX controls
with vulnerabilities (exploitable bugs) are the problem. Now if they
had found a bug in a particular javascript (really ECMAScript)
implementaion, that would be noteworthy.


Dustin

unread,
Jan 30, 2012, 10:34:34 PM1/30/12
to
Bear <bearbott...@gmail.com> wrote in news:4f25c02d$0$284$14726298
@news.sunsite.dk:

> On 1/29/2012 3:06 PM, Dustin wrote:
>> Virus Guy<Vi...@Guy.com> wrote in news:4F2599F5...@Guy.com:
>>
>>> FromTheRafters wrote:
>>>
>>>>> Can Java "code" be contained within the body of an e-mail message?
>>>>
>>>> It usually comes in a jar.
>>>>
>>>> JavaScript can come in an HTML container like<script>code goes
>>>> here</script>
>>>
>>> Ok, lets not talk about javaSCRIPT any more.
>>>
>>> How can an e-mail be crafted to auto-run java CODE _without_
requiring
>>> the user to "click" on any embedded links?
>>
>> It would be poor judgement to Provide sPecifics on doing that.
>>
>>
> Dustin...it's all over the web!
>

As are bomb making instructions. As a professional however it wouldnt be
appropriate for me to either post malicious code samples or provide you
a specific local to get it.

Dustin

unread,
Jan 30, 2012, 10:45:32 PM1/30/12
to
Bear <bearbott...@gmail.com> wrote in
news:4f26822e$0$287$1472...@news.sunsite.dk:

> On 1/29/2012 2:44 PM, kurt wismer wrote:
>> On Jan 29, 4:54 pm, Bear<bearbottoms1+...@gmail.com> wrote:
>>> On 1/29/2012 3:06 PM, Dustin wrote:
>>>> Virus Guy<Vi...@Guy.com> wrote
>>>> innews:4F2599F5...@Guy.com:
>> [snip]
>>>>> How can an e-mail be crafted to auto-run java CODE _without_
>>>>> requiring the user to "click" on any embedded links?
>>>
>>>> It would be poor judgement to Provide sPecifics on doing that.
>>>
>>> Dustin...it's all over the web!
>>
>> i don't doubt it, but... that doesn't mean the answer is easy to
>> find. if it were that easy, the question would never have needed to
>> be asked.
>
> I found it in .1 seconds
>

and happily posted it. putting potentially harmful code samples in the
hands of those who dont grasp the concepts to handle it safely. its
irresponsible imo. virusguy has demonstrated that hes not in a position
to study malicious code without risk to his and other systems.

it doesnt help to reduce the malware issue when stupid things like this
are done. rather, it contributes to more 0wned systems and unnecessary
network traffic we all eventually pay for.

I dont support censorship but i do think some information shouldnt be
provided unless/until said person has a clear and thorough understanding
of the pros and cons. You wouldnt let a 5year old play with a loaded
pistol. When hes older and understands! is when he can safely handle
said pistol.

I hope you take this post as intended, As its taken me over ten minutes
(I broke my right hand sat night) to type this left handed only. :(. I
mean no ill will and im not trying to seem like an arrogant prick but
malware is not a joke and shouldnt be taken lightly.

Bear Bottoms

unread,
Jan 31, 2012, 5:55:02 AM1/31/12
to
Dustin <bughunte...@gmail.com> wrote in
news:Xns9FEAE935C35E4HHI2948AJD832@no:
We all travel at our own risks. I appreciate your view though I disagree
with it...fair enough.

One thing about the www...it virtually eliminated those secrets. Better
to be guided by professionals IMO. Teach to fish.

0 new messages