Strip at server level to avoid embarrassment


You would really think that people would learn. No sooner had people recovered from the Anna Kournikova virus attack in mid-February than they were duped again by the NakedWife virus which spread across the Internet in early March.

Allegedly initially spread from military users, the virus contained a message suggesting that the accompanying attachment was a picture of someone's missus in the raw.

If the recipient was stupid enough to open it, it sent a copy of itself to everyone in the unwitting user's Outlook address book and displayed a message, while deleting any files in the Windows and system directories with filename extensions including .DLL and .INI. That is really going to hurt.

You have to wonder how many PC users walked around with pale, sheepish faces in the first couple of weeks in March. No matter how much security policy is drummed into end users, the uneducated, forgetful or just plain stupid will continue to open attachments they find tempting.

One answer is to filter out potentially dangerous attachments at the server level, says Nick Galea, managing director of Malta-based anti-virus software company GFI.

Galea, who sells a product called Mail Essentials, says that trying to offload e-mail virus protection to the client is too risky. "VBS viruses should really be stopped at the server level," he argues. "Trying to tell the user not to open attachments is not a very good method. Plus, it is not only attachments."

HTML mail is another potential problem, he says, suggesting that viruses can be sent as embedded scripts. Some companies are already using HTML scripting to send back information on whether a mail has been read, he suggests, adding that this is just a short step to doing something more destructive.

One such example of destructive HTML-based code can be found at Georgi Guninski's security advisory Web site. It enables an HTML-based e-mail to execute programs with a simple set of Visual Basic for Applications (VBA) commands, which can enable the program to perform a variety of system functions.

A paper from GFI discusses some of the potential exploits that virus writers could use, many of which target Microsoft's Outlook product because of its popularity and its scripting support.

Another is the GMT Buffer Overflow problem, where virus writers can cause Outlook to execute arbitrary code by overflowing its buffer with an unusually long header message. Microsoft has released a patch for this problem.

The problem with filtering mail at the server is that it can be a ham-fisted approach unless your program does it intelligently by parsing attachment code, which is very difficult to do.

Galea's product can quarantine e-mail with suspicious attachments, so that it can be checked before distribution to the end user, but this will incur an overhead in the IT department, as someone must be employed to sift through all attached mail manually. Galea's product also checks for script code in the message body, helping to thwart HTML viruses, although turning off users' scripting options within Outlook is another option.
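The server-level checks described above (blocking script attachments such as VBS files, looking for script code in HTML message bodies, and catching abnormally long headers of the kind the Outlook overflow abused) can be illustrated with a small filter. The following is an added example written for this page, not code from GFI or Mail Essentials; the blocked-extension list, the script-marker regex and the header-length ceiling are assumptions chosen here, and the sample messages are constructed inline. It returns a quarantine or deliver decision with the reasons, so a mail administrator can review held messages rather than letting the filter silently drop them.

```python
"""Added example (not GFI's Mail Essentials code): a server-side filter that
inspects an e-mail before delivery and decides whether to quarantine it.

Checks implemented, each taken from the article's discussion:
  * attachments whose final extension is a script/executable type (.vbs etc.),
    including double extensions such as picture.jpg.vbs;
  * script markers inside a text/html body part;
  * abnormally long header values.
The blocked-extension list, the regex and the header limit are assumptions
chosen for this example, not values from the article.
"""
import email
import email.policy
import re
from email.message import EmailMessage
from typing import Dict, List

# Assumed policy list: attachment extensions that Windows will run directly.
BLOCKED_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
}

# Coarse markers of active content in an HTML body (assumed, deliberately broad).
SCRIPT_RE = re.compile(
    r"<\s*script\b|<\s*object\b|<\s*embed\b|javascript:|vbscript:|\bon\w+\s*=\s*[\"']",
    re.IGNORECASE,
)

# Assumed ceiling for any single header value; legitimate headers are far shorter.
MAX_HEADER_LEN = 2048


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased, ignoring padding whitespace.
    'Wife.JPG.vbs   ' -> '.vbs', so double extensions are judged by the real one."""
    name = filename.strip().lower()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].strip()


def scan_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and list every reason to hold it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings: List[str] = []

    # Unusually long header values (the article's Outlook overflow was triggered this way).
    for name, value in msg.items():
        if len(str(value)) > MAX_HEADER_LEN:
            findings.append(f"header {name} is {len(str(value))} bytes long")

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            ext = extension_of(filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"attachment {filename!r} has blocked extension {ext}")
            continue
        if part.get_content_type() == "text/html":
            hit = SCRIPT_RE.search(part.get_content())
            if hit:
                findings.append(f"HTML body contains active content: {hit.group(0)!r}")

    return {"action": "quarantine" if findings else "deliver", "findings": findings}


def build_sample(attachment_name: str, html_body: str) -> bytes:
    """Constructed test message: plain and HTML alternatives, plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Fw: picture"
    msg.set_content("see attached")
    msg.add_alternative(html_body, subtype="html")
    msg.add_attachment(b"' placeholder attachment bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed raw message whose Subject header is far longer than any normal one.
LONG_HEADER_SAMPLE = (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
                      b"Subject: " + b"x" * 3000 + b"\r\n\r\nhello\r\n")

if __name__ == "__main__":
    for raw in (build_sample("wife.jpg.vbs", "<html><body><script>x=1</script></body></html>"),
                build_sample("notes.txt", "<html><body><p>hello</p></body></html>"),
                LONG_HEADER_SAMPLE):
        print(scan_message(raw))
```

The filter judges an attachment by its last extension rather than its declared content type, because the mail client hands the file to Windows by name; the HTML check is intentionally coarse and will hold some legitimate mail, which is why the result is a quarantine decision for a human to review rather than a silent delete.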

IT managers can help stop viruses getting inside their organisation by educating users, but even the most IT-savvy employee will make the odd mistake every now and then. Backing up education with a filtering and analysis mechanism at the server level will protect your system from nasty pieces of code and your company from embarrassment.
