You've probably received from acquaintances dozens of e-mail messages like the
following: "Hi, this is Bob. I'll be out of the office next week and
won't be checking my e-mail. If you need something, try me after that..."
and so forth.
Now imagine that you're checking your bank account online a few hours later.
Unbeknownst to you, your browser has been redirected
to a hacker site. The login screen looks exactly like your bank's, but the
form is silently transmitting your username and password to thieves.
You didn't open an attachment that came with the e-mail from "Bob." You
didn't even click a link in the message. By merely previewing the e-mail, a
program was planted on your PC that allows someone to quietly eavesdrop
when you log into almost any financial site.
That's the frightening hacker attack that
MessageLabs, a respected e-mail and virus monitoring
company, warns is just starting to make its way around the Internet.
The Most Inhospitable Hosts
Here's how the scam is said to work:
• Fan Mail From Some Friend.
Virus-infected PCs send out e-mails using names and addresses found on the
local hard drive. That's why the message you received seemed to be from
someone you know.
• Exploits Without Attachments.
Many viruses require that the victims open an e-mail attachment or
visit a malicious Web site. But the "phishing" exploit described above requires
none of this. Instead, the e-mail plants a program on your computer using a
built-in feature of Microsoft Windows called the Windows Scripting Host (WSH).
• Where You Go, You Know Not Where.
The hacker's program adds lines into an unrelated Windows document known as the
"Hosts" file. When you enter, for example, www.citibank.com in your browser,
the Hosts file can tell your browser to go instead to www-citibank.com, a
completely different site. The name of the hacker site may look slightly
different in your browser's address bar than the name of your legitimate
banking site, but many people don't notice such small details.
• It's A Numbers Game.
The hacker's look-alike site can't really log you into your online banking
account — but it doesn't have to. After you type your username and
password into the phony login screen, it will probably display a realistic
"error message" saying a bad password was entered. The hacker's program will
then deliver you to the real banking site, where your password this time
works fine.
Most people would assume they'd made a simple typographical error
on their first try and think nothing of it. But the thieves now know the right
username and password to your account because you entered them correctly
when using the hackers' look-alike screen.
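Since the redirection described above lives entirely in the Hosts file, an administrator can catch it by auditing that file for names that point anywhere other than the local machine or the internal network. The following audit script is an added example, not code from the column or from MessageLabs; the sample Hosts text, the 203.0.113.7 address and the watchlist are constructed for illustration.

```python
"""Audit a Windows Hosts file for hijacked name-to-address mappings.

Added example (not from the original column). The sample Hosts text below is
constructed; its last line imitates the pattern the column describes, where a
bank's real name is pointed at an address the attacker controls.
"""
import ipaddress
import re

# Names a stock Hosts file legitimately maps to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Ranges a mapping may point to without suspicion: loopback, RFC 1918, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]

def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in the file.
    Handles '#' comments, blank lines, tabs and several names per line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower(), line_no

def is_local(address):
    """True if the address is in LOCAL_NETS; unparsable text counts as not local."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def audit_hosts(text, watchlist=()):
    """Return (line_no, hostname, address, reason) for each suspicious mapping:
    a watchlisted name overridden at all, or any public name sent off-network."""
    findings = []
    for address, name, line_no in parse_hosts(text):
        if name in watchlist:
            findings.append((line_no, name, address, "watchlisted name overridden"))
        elif name not in LOCAL_NAMES and not is_local(address):
            findings.append((line_no, name, address, "public name sent to remote address"))
    return findings

# Constructed sample: a normal file with one planted entry appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver intranet   # internal box, legitimate
203.0.113.7     www.citibank.com      # planted by the script
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watchlist={"www.citibank.com"}):
        print("line %d: %s -> %s (%s)" % finding)
```

Run it against a copy of %SystemRoot%\System32\drivers\etc\hosts; any finding for a name you did not add yourself deserves a closer look.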
Adopting Effective Counter-Measures
When reports started circulating last week about MessageLabs' warning, the
writers tended to suggest that end users should disable or uninstall the
Windows Scripting Host, without explaining what the feature does or how you
would get rid of it.
I'll go into that in a minute, but first take a deep breath. Don't panic. You
may already have defenses in place that make you immune to "phishing" attacks
of this new type.
The Windows Scripting Host exists to run programs called scripts, usually
written in Visual Basic (VBScript) or JScript. Unfortunately, vulnerable browsers
and e-mail programs can be induced to run these scripts without any notice to you.
The key in that last sentence is "vulnerable" browsers and e-mail programs.
Your applications are not vulnerable if they categorize incoming e-mail
messages as part of the so-called "Restricted Zone." When restricted, such
messages cannot execute many kinds of potentially harmful files.
Microsoft's own Outlook XP and 2003 e-mail programs, for example, automatically
classify e-mail as part of this Restricted Zone. And you can add this
protection to older versions of Outlook by installing Microsoft's
"E-Mail Security Update" on top of Outlook 2000 and Outlook 98.
In addition, Microsoft has released a patch for current versions of Windows
to give them immunity to the latest style of attack (more on that later).
Only users of Outlook 97 and older, therefore, would be susceptible to a
stealth attack, such as the one described above. If your company still uses
Outlook 97, you should immediately upgrade to a modern version of the program.
Bedtime For Windows Scripting Host
On the other hand, the fact that a powerful capability like Windows Scripting
Host was fully enabled by default in Windows, where it could be accessed
silently by an e-mail message, is the kind of boneheaded mistake that has made
the defense of Windows a nightmare for end users and network administrators
alike. (WSH is factory-installed in Windows 2000, Me, XP, and 2003 and is added
to Windows 95, 98, and NT when you install Internet Explorer 5 or higher.)
If you don't use or need the features of WSH, it's possible to disable it
to prevent it from running script files at any time.
There's a different procedure to disable WSH under different versions of
Windows, so I can't give you all the necessary instructions here. A good
step-by-step guide is provided on the WSH page of Sophos PLC, a security
consulting firm.
If you're in a company of any size, however, there's a good chance that
scripts may play an important role in keeping your business going.
"A lot of corporations are using WSH to do systems management," says Jason
Chan, consulting services technical lead for security firm
Symantec Corp.
"To the extent that a corporation is doing these things, they're going to be
restricted in disabling this."
Chan cautions that Windows users who would otherwise be protected can expose
themselves to the risk of script attacks if they lower their security settings.
Configuring an e-mail program to consider e-mails as part of the Trusted Zone,
for example, can open the door to threats that otherwise would be turned away.
Besides using a modern e-mail program that refuses to run scripts, your company
gets a great deal of protection against phishing attacks by running the basic
security repertoire that every network should have. That includes a hardware
firewall or personal (software) firewall, an antivirus scanner, an antispam
filter, and a spyware remover. (Details on the best of these components,
which comprise what I call a "security baseline," are available in a
separate article.)
Patching Windows Is Smarter Than Disabling WSH
MessageLabs has reportedly seen only about 30 copies of "silent e-mails"
around the world that seek to hijack users' Hosts files. Still, that could
easily be the leading edge of a wave of new and more virulent e-mails.
Such a wave of malignant messages might primarily affect only Windows 95 and 98
users. But there are enough of those users connected to the Internet that they
could seriously threaten corporate networks via the spam and denial-of-service
attacks the compromised machines could launch.
Maksym Schipka — a Ukrainian national who is a senior antivirus
researcher for MessageLabs in its Gloucester, England, office — says PC
users who've upgraded to the latest security patches for Windows within the
past four months are fully protected against the new "phishing" attack. In
addition, he says, Service Pack 2 for Windows XP, which was released last
August, closes the security hole.
"This problem was previously addressed by Microsoft to invalidate these
attempts," Schipka says. Of course, that still leaves at risk many PC users who
haven't upgraded to the latest software — but they're vulnerable to many
other problems besides the new Windows Scripting Host exploit. These users
should immediately run Windows Update (or use a commercial patch-management
program) to protect themselves against such threats.
Schipka wasn't immediately able to identify the specific Microsoft patch that
corrects the security vulnerability. Nor had MessageLabs at press time posted
on its Web site a technical bulletin about the new-style attack.
Conclusion
In my view, keeping your operating system and your security applications
freshly updated will do more to protect you from harm than disabling WSH will.