The IT Agenda: Battling Targeted Trojan Spoofing

While e-mail and antispam vendors try to fix SMTP, we must take action ourselves. Here's what you can do.

July 16, 2004

3 Min Read

How do I know? I performed a proof-of-concept test on some spam-protected targets to see how easily I could invade them by sending malicious HTML, and it worked well, even at reasonably security-paranoid corporate networks, like a Manhattan-based international law firm and a Georgia bank. Here's my five-step process (for technical details and the script, see feldman.org/smtp):

1. Procure targeted e-mail addresses using the "negative acknowledgement" technique spammers rely on. Once you know the names of VIPs, send probe messages to all permutations of those names (jfeldman, feldmanj, jonathan.feldman and so on) until you no longer get a bounce message; no bounce means it's a valid address.

2. Identify an article of interest to the targeted business. In my bank test, for instance, I used one from Forbes.

3. Craft a message with a spoofed but correct user e-mail address in the "From" field--the CEO's a good choice. Address the "To" field to other correct e-mail addresses, one at a time, so each user thinks the message is personal.

4. Put a spoofed URL in the body of the message, just as the Wallon virus or Osama Trojan did. This fake URL appears to point to the article but may point to a page containing the latest "day 0" IE exploit with the power to take over the user's machine.

5. Redirect the user to the original article.

After taking these steps, I just sat back and watched the clicks roll in as users clamored to read the article from the CEO. Terrifying, isn't it?

Forget the FUD Factor

Before you run to the data center to unplug your mail server, let me assure you there are ways to fight targeted Trojan spoofing. One potential solution is to require trusted SMTP servers to use secure digital signatures, like Yahoo's DomainKeys. But that's no silver bullet. If history is any guide, it will take time, multiple trust-architecture choices and design simplicity before any spam-buster standard becomes ubiquitous. Moreover, what happens when a mail host with a certification path all the way up to, say, VeriSign, is compromised?

And even if trusted SMTP servers do prove effective against Trojan spam in the long run, how do we fight today's battle? While e-mail and antispam vendors try to fix SMTP, we must take action ourselves. Here are some ideas:

  • Consider a filtering HTTP proxy with pattern-matching capability, like BlueCoat's SG appliances, which helps admins react to an exploit almost as quickly as the problem hits BugTraq.

  • Lock down outbound connections to "default deny." This means allowing only outbound TCP/80 traffic from designated servers and proxies, so back-connect Trojans can't connect.

  • Consider designating internal ACLs as default deny--you'll have to decide if rejecting all but specified traffic is right for you based on the complexity of your network.

  • Evaluate behavior-based protective agents from Cisco Systems, Finjan Software and others. However, deploying these agents requires a significant commitment of time and money because it involves app profiling.

  • Use desktop management tools to lock down your users' IE settings.

  • Teach your users to recognize potentially dangerous messages, and train them to be vigilant. They're your troops in the war on Trojan terrorism.

    Jonathan Feldman is director of professional services for Entre Solutions, an infrastructure consulting company based in Savannah, Ga. Write to him at [email protected].
