The Microsoft MIME email bug or Why the Klez Virus/Worm Spreads So Quickly
--------------------------------------------------------------------------

I've slightly edited the following newsgroup conversation, for brevity,
clarity, and spam resistance (I added the ".nospam"s). -DAB

--------------------------------------------------------------------------
Path: news.grc.com!.
From: kyte
Newsgroups: grc.security
Subject: Re: "virus avoidance advice" web page
Date: Fri, 26 Apr 2002 08:45:26 +1000
Message-ID:
References:
Poster: [203.220.105.215] (25 Apr 2002 22:45:51 GMT) Non-Authenticated User
User-Agent: Forte Agent 1.9/32.560
Xref: news.grc.com grc.security:48220

On Thu, 25 Apr 2002 16:06:33 -0500, "Razz" wrote:

>Don't ever open files or attachments from strangers.
>Don't open files or attachments from friends unless you are
>expecting it and they tell you in the email exactly what the attachment is.

not opening attachments used to be a choice. if you have the preview
window active then it often is not these days (that's how Klez.G and
Klez.H are gaining momentum)

I generally try to get people to consider a change from OE or Outlook,
and in any case, to not have the preview window active.

--------------------------------------------------------------------------
Path: news.grc.com!.
From: Kevin McAleavey
Newsgroups: grc.security
Subject: Re: "virus avoidance advice" web page
Date: Thu, 25 Apr 2002 21:17:48 -0400
Message-ID: <3CC8AABC.EC92BF35@nsclean.com>
References:
Poster: [209.23.10.63] (26 Apr 2002 01:16:33 GMT) Non-Authenticated User
User-Agent: Mozilla 4.77 [en] (Win95; U)
Xref: news.grc.com grc.security:48230

Actually, the FOROUX (called "Klez.G,H,I, or J" by the AV's because there's
text that mentions it as a repair for Klez.E) uses something even more
insidious (although it'll also execute by the method you mention) ... we've
had a bunch of folks in our face here because McAfoo claims that it runs by
"scripting" ...
If you look at the headers of a live copy, the answer to how it gets in and
autoruns is right there ... use of an attachment using an invalid header as
HTML ... viz:

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Content-Type: audio/x-midi;              <---- ding ding ding ding!
        name=see.bat
Content-Transfer-Encoding: base64
Content-ID:

"Content-Type" as "audio/x-midi" tells the email or browser which supports
HTML mail that the file is a MIDI music file. Since these are not normally
"executable" (it's a music data file) then the browser or email program will
"play it" automatically. Microsoft's stuff doesn't check to see if it REALLY
IS a MIDI file and thus it is executed, expecting a "file association" to
bring up the player and play the MIDI file which is actually the virus.
Microsoft failed in their design to VALIDATE the data type before running it
and that's how it propagates. Has NOTHING to do with scripting, it's an
"association-based file execution exploit" ... now the bad news - Microsoft
FIXED this over 6 months ago with patches for Internet Explorer (which also
covers email since HTML-based email uses the underlying browser to do its
thing) ... [with] no patches though, the exploit still works.

kyte wrote:

> not opening attachments used to be a choice. if you have the preview
> window active then it often is not these days (that's how Klez.G and
> Klez.H are gaining momentum)
>
> I generally try to get people to consider a change from OE or Outlook,
> and in any case, to not have the preview window active.

--
NSClean Privacy Software division
Privacy Software Corporation
http://www.nsclean.com
kevinmca@nsclean.com.nospam

--------------------------------------------------------------------------
Path: news.grc.com!.
From: "reader"
Newsgroups: grc.security
Subject: Re: "virus avoidance advice" web page
Date: Fri, 26 Apr 2002 07:49:34 +0100
Message-ID:
References: <3CC8AABC.EC92BF35@nsclean.com>
Poster: [217.135.165.122] (26 Apr 2002 06:50:37 GMT) Non-Authenticated User
X-No-Archive: yes
Archive: no
User-Agent: Microsoft Outlook Express 5.50.4807.1700
Xref: news.grc.com grc.security:48257

Kevin, ... [did] the SB MS01-020 patch fix this vulnerability? ...

Microsoft's SB MS01-020 says:

"Would IE always execute the attachment?
No. IE would only execute the attachment if File Downloads were enabled in
the Security Zone that the e-mail was opened in. However, File Downloads are
enabled in all zones by default."

--------------------------------------------------------------------------
Path: news.grc.com!.
From: Kevin McAleavey
Newsgroups: grc.security
Subject: Re: "virus avoidance advice" web page
Date: Fri, 26 Apr 2002 03:11:29 -0400
Message-ID: <3CC8FDA1.889BC224@nsclean.com>
References: <3CC8AABC.EC92BF35@nsclean.com>
Poster: [209.23.9.233] (26 Apr 2002 07:10:15 GMT) Non-Authenticated User
User-Agent: Mozilla 4.77 [en] (Win95; U)
Xref: news.grc.com grc.security:48260

Well HOWDY, stranger! (inlined)

reader wrote:

> Kevin, ... [did] the SB MS01-020 patch fix this vulnerability? ...

To avoid the "truth squads" I'll merely say I don't know WHICH patch they
took care of that in ... Microsoft has a notorious habit of patching
something and then somehow undoing it in a later patch.

That all said, let's ASSUME that this one WAS INDEED PATCHED. Ask yourself
though how many people have downloaded patches, watched their machine hose
up, reinstall Windows. Patches? Whoops! They gone. And many don't go back
and fetch those patches once they get the machine working again ... no
joke.

As paranoid and attentive as people are here and other security sites
about all this, the vast majority of people with computers (many corporate
IT people no less) simply do NOT keep up with any of this.
They load up their machine and remain forever oblivious (cheap shot alert!
"No wonder AOL is number one!") ...

> SB MS01-020:
> "Would IE always execute the attachment?
> No. IE would only execute the attachment if File Downloads were enabled in
> the Security Zone that the e-mail was opened in. However, File Downloads are
> enabled in all zones by default."

You know that, I know that, thousands who visit here know that. Alas, all it
takes is one unhappy box to send this thing around and around. After all, we
STILL have MAGISTR making the rounds after how long? :)

What I pointed out there though is just ONE method by which FAROUX (now
known as "son of Klez") makes the rounds ... there are others. Morons who
click on the attachment setting it free on their machine, other morons who
run their machine with the preview pane and others who make you wonder how
they remember to breathe.

My own motivation for mentioning that though is we've seen it here (we
deliberately keep a number of our lab rats THOROUGHLY unpatched to play
"let's see what happens" when we set trojans loose) and what got me off on
that tangent in the first place was having folks who downloaded our HTAstop
freebie writing angry email to US demanding an explanation of how "Klez"
got on their computer when they installed our HTA script stopper.

One of the unhappy was kind enough to forward us an OFFICIAL notice from
McAfee that "Klez spreads through scripting" and therefore our HTAstop
program failed to do its job. Analysis on McAfee's level (I actually saw
this on their site when I checked it out myself) is scary ... so figured
I'd do a little "damage control" and also help folks set themselves
straight on just how crafty a piece of work Faroux really is (that's what
the author called this thingy internally) and its methods of getting past
the innocent.

But yeah, if you keep up with your patches and shut stuff off and don't
click on attachments without expecting them first, then you're pretty safe.
Unfortunately, there's a lot of people in the world who click and set these
things loose ... even after all the warnings ... and a patched machine
doesn't STAY patched if you reload and then don't repatch.

If there was to be ANY positive outcome from MS-DOJ 1.0 (the antitrust
thing) it would have been a requirement for Microsoft to replace their
CDROMs with everything FIXED to EVERY SINGLE CUSTOMER before discontinuing
a version of Windows.

That'd fix their asses. In fact I got a personal hoot out of Billy's
threats that sanctioning Windows for its criminal behavior would result in
Billy pulling Windows off the market. Promises, promises. Heh.

Moo! :)

--
NSClean Privacy Software division
Privacy Software Corporation
http://www.nsclean.com
kevinmca@nsclean.com.nospam

--------------------------------------------------------------------------
Path: news.grc.com!.
From: Kevin McAleavey
Newsgroups: grc.security
Subject: Re: "virus avoidance advice" web page
Date: Fri, 26 Apr 2002 03:21:18 -0400
Message-ID: <3CC8FFEE.78C9C211@nsclean.com>
References: <3CC8AABC.EC92BF35@nsclean.com> <3CC8FDA1.889BC224@nsclean.com>
Poster: [209.23.9.233] (26 Apr 2002 07:20:16 GMT) Non-Authenticated User
User-Agent: Mozilla 4.77 [en] (Win95; U)
Xref: news.grc.com grc.security:48261

While I was off on my little tirade, forgot to make my own MAIN point about
McAfee's "diagnosis" ... scripting is one method that it DOESN'T use ...
it's that "file association" bug ... Klez is set so that IF you use HTML
email and you DON'T have the fix (assuming that it is fixed, I'll assume it
is) that association of the executable VIRUS being a "MIDI" file will cause
Windows to RUN it ... now any browser half its salt will look at the
attachment, determine that it ISN'T a MIDI file and refuse to run it. Aiyee
does (did, whatever) ... no excuse for an embedded HTML object that isn't
what it says it is to be executed, patches or not ... Netscape won't run
it. Just wanted to make that point.
Hardly "Trustworthy computing" if this hole is still out there ready to
serve the "evil doers" ... :)

Kevin McAleavey wrote:

> What I pointed out there though is just ONE method by which FAROUX (now
> known as "son of Klez") makes the rounds ... there are others. Morons who
> click on the attachment setting it free on their machine, other morons who
> run their machine with the preview pane and others who make you wonder how
> they remember to breathe.

--
NSClean Privacy Software division
Privacy Software Corporation
http://www.nsclean.com
kevinmca@nsclean.com.nospam

--------------------------------------------------------------------------
Path: news.grc.com!.
From: "reader"
Newsgroups: grc.security
Subject: Re: "virus avoidance advice" web page
Date: Fri, 26 Apr 2002 09:10:23 +0100
Message-ID:
References: <3CC8AABC.EC92BF35@nsclean.com> <3CC8FDA1.889BC224@nsclean.com>
Poster: [217.135.181.54] (26 Apr 2002 08:11:57 GMT) Non-Authenticated User
X-No-Archive: yes
Archive: no
User-Agent: Microsoft Outlook Express 5.50.4807.1700
Xref: news.grc.com grc.security:48264

Kevin McAleavey wrote...

> Well HOWDY, stranger! (inlined)

Howdy yerself... you bat-wielding-insomniac.

<...>

> To avoid the "truth squads" I'll merely say I don't know WHICH patch they
> took care of that in ... Microsoft has a notorious habit of patching
> something and then somehow undoing it in a later patch.

I only mentioned that particular SB because it was linked from a ZDNet
article and, after reading through it again, appeared to address the
specific method you detailed - apart from the fact that M$ say the
attachments it deals with in the SB are "an executable attachment whose
MIME type is incorrectly given as one of several unusual types."

audio/x-midi... unusual? Oh well.

> That all said, let's ASSUME that this one WAS INDEED PATCHED. Ask yourself
> though how many people have downloaded patches, watched their machine hose
> up, reinstall Windows. Patches? Whoops! They gone.
> And many don't go back
> and fetch those patches once they get the machine working again ... no
> joke.

Unfortunately I can believe it.

> As paranoid and attentive as people are here and other security sites
> about all this, the vast majority of people with computers (many corporate
> IT people no less) simply do NOT keep up with any of this. They load up
> their machine and remain forever oblivious (cheap shot alert! "No wonder
> AOL is number one!") ...

Yeah. I know it's a never-ending task to keep up with all the updates and
patches that are issued, especially if a company has lots of different
manufacturers' products on their systems, but isn't that what they're paid
for?

I'll be asking at my library, the next time I visit, what their head
office's reply was. I won't really be surprised if they didn't even bother
passing on the question.

<...>

> What I pointed out there though is just ONE method by which FAROUX (now
> known as "son of Klez") makes the rounds ... there are others. Morons who
> click on the attachment setting it free on their machine, other morons who
> run their machine with the preview pane and others who make you wonder how
> they remember to breathe.

Does this multiple-infection-method indicate that the virus writers are
having to take into account that users (the ones who don't have to remember
to get up in the morning) are probably becoming more aware of really simple
ways in which they can protect themselves?

> My own motivation for mentioning that though is we've seen it here (we
> deliberately keep a number of our lab rats THOROUGHLY unpatched to play
> "let's see what happens" when we set trojans loose)

It's the only way to play. ;-)

> and what got me off on that tangent in the first place was having folks
> who downloaded our HTAstop freebie writing angry email to US demanding an
> explanation of how "Klez" got on their computer when they installed our
> HTA script stopper.
So you're saying they went to the trouble of downloading and running your
free HTAstop, but didn't bother to download and run M$'s free security
updates?

I could understand, of course, if they are running pre-IE5.01 IE as M$
don't offer support any longer, as they said "Previous versions are no
longer supported and may or may not be affected by this vulnerability."
which is a major get-out clause on their part. They *must* know if earlier
versions are vulnerable and only use this boilerplate excuse so that users
*have* to "upgrade" their programs.

I know you're in the software business, but I have problems when
manufacturers abandon their products, even when they know there's a problem
with them, in the name of "progress". Yet another example of
computer-related products having their own set of rules.

> One of the unhappy was kind enough to forward us an OFFICIAL notice from
> McAfee that "Klez spreads through scripting" and therefore our HTAstop
> program failed to do its job. Analysis on McAfee's level (I actually saw
> this on their site when I checked it out myself) is scary ... so figured
> I'd do a little "damage control" and also help folks set themselves
> straight on just how crafty a piece of work Faroux really is (that's what
> the author called this thingy internally) and its methods of getting past
> the innocent.

It is worrying, and doesn't instil much confidence in anti-virus/trojan
vendors, when a major player like McAfee can't even get it right. I hope
your Mr, Miss and Mrs Angry contact McAfee direct and ask awkward
questions. ;-)

> But yeah, if you keep up with your patches and shut stuff off and don't
> click on attachments without expecting them first, then you're pretty
> safe. Unfortunately, there's a lot of people in the world who click and
> set these things loose ... even after all the warnings ... and a patched
> machine doesn't STAY patched if you reload and then don't repatch.

Yeah, unfortunately there are still too many of them about.
Ooooh... click... ooooh... click... ooooh... click... oh dear.

> If there was to be ANY positive outcome from MS-DOJ 1.0 (the antitrust
> thing) it would have been a requirement for Microsoft to replace their
> CDROMs with everything FIXED to EVERY SINGLE CUSTOMER before discontinuing
> a version of Windows.

Back to software being unique in not having any responsibilities once it
leaves the factory gates.

> That'd fix their asses. In fact I got a personal hoot out of Billy's
> threats that sanctioning Windows for its criminal behavior would result in
> Billy pulling Windows off the market. Promises, promises. Heh.

A poker player he ain't.

> Moo! :)

baa! ;-)

==========================================================================
--------------------------------------------------------------------------
From: exim-users@yahoogroups.com
Delivered-To: mailing list exim-users@yahoogroups.com
. . .
Date: Fri, 26 Apr 2002 14:47:31 -0500
From: "Steve Drees"
Subject: RE: [Exim] Regex gurus - KLEZ

All of the klez I'm trapping have a Content-Type of audio/x-midi or
audio/x-wav
--------------------------------------------------------------------------
==========================================================================
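As an added example (not code from the thread or from any of its posters), here is the check a mail filter can make from Kevin's point that the declared Content-Type is never validated against the bytes, combined with Steve Drees's observation that the samples declare audio/x-midi or audio/x-wav. The two messages are constructed here, shaped like the header fragment quoted above; the MIDI ("MThd") and WAV ("RIFF") signatures are the genuine file magics.

```python
import email
import os
from email import policy

# Declared audio types seen on the Klez samples in the thread, each with the
# leading bytes a genuine file of that type carries (MIDI "MThd", WAV "RIFF").
AUDIO_MAGIC = {
    "audio/x-midi": b"MThd", "audio/midi": b"MThd",
    "audio/x-wav": b"RIFF", "audio/wav": b"RIFF",
}
EXEC_EXT = {".bat", ".exe", ".pif", ".scr", ".com"}

def find_mismatched_parts(raw_message: bytes):
    """Return (content_type, filename, reasons) for every audio/* part whose
    filename or decoded bytes contradict the declared Content-Type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in AUDIO_MAGIC:
            continue
        name = part.get_filename() or ""       # picks up name= on Content-Type too
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(name.lower())[1] in EXEC_EXT:
            reasons.append("exec-extension")    # see.bat is no MIDI file
        if not payload.startswith(AUDIO_MAGIC[ctype]):
            reasons.append("bad-magic")         # the bytes are not the declared audio
        if reasons:
            findings.append((ctype, name, reasons))
    return findings

def make_sample(ctype: str, name: str, b64_body: str) -> bytes:
    """Constructed two-part message shaped like the headers quoted above."""
    return (
        b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
        b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/alternative; boundary="bnd"\r\n\r\n'
        b"--bnd\r\nContent-Type: text/html;\r\n"
        b"Content-Transfer-Encoding: quoted-printable\r\n\r\n<html>hi</html>\r\n"
        b"--bnd\r\nContent-Type: " + ctype.encode() + b";\r\n\tname=" + name.encode()
        + b"\r\nContent-Transfer-Encoding: base64\r\nContent-ID: <p1>\r\n\r\n"
        + b64_body.encode() + b"\r\n--bnd--\r\n"
    )

# Constructed inputs: a Klez-style part (base64 of "@echo off") and a real MIDI header.
KLEZ_STYLE = make_sample("audio/x-midi", "see.bat", "QGVjaG8gb2ZmDQo=")
REAL_MIDI = make_sample("audio/x-midi", "tune.mid", "TVRoZAAAAAY=")
```

`find_mismatched_parts(KLEZ_STYLE)` flags the see.bat part on both counts, while `find_mismatched_parts(REAL_MIDI)` returns an empty list, so the check can sit in front of a client that trusts the declared type.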