E-mail doesn't have to be opened to release virus
May 13, 1999
by Deborah Radcliff
(IDG) -- "Suppose it's possible to send an e-mail containing a hidden construct," said an information security director. "And when the user opens that e-mail, the construct will run without the user ever knowing anything."
Imagine those constructs can do anything their creator wants them to: secretly copy and download proprietary information, delete the BIOS or reformat your machine.
It's real. The security director, who asked for anonymity, was talking about Russian New Year with a twist.
Discovered in January, Russian New Year exploits the Microsoft Excel CALL functions used to call other Excel functions such as create, write, close, execute and sum.
So what's the twist? Originally, the only way to contract the virus was to visit a Web page and click an HTML link. Now, Russian New Year can be sent via mass mail programs, with the link embedded or as an attachment. Newer browser programs will automatically execute CALL to fetch the embedded document or prepare to open the attachment -- so the e-mail recipient needn't even open the e-mail to get infected.
"Russian New Year is a way of attacking you without you knowing you've been attacked. It really does this," said Ira Winkler, president of Severna Park, Md.-based Information Security Advisors Group and author of Corporate Espionage (Prima Publishing, 1997).
The good news: There are no known reports of Russian New Year attacks on enterprises. And that's why most folks just don't want to talk about it -- they're afraid of letting the cat out of the bag. "If Russian New Year wasn't publicized, people might not exploit it. On the other hand, there are a lot of users who are vulnerable," Winkler said.
Now the bad news. The hack is so subtle, it's likely that if they have been hit, security administrators don't know it. Excel spreadsheets, for example, could be easily and secretly copied to a browser, according to an April 17 alert issued by Finjan Software Ltd., an Israel-based maker of mobile code security software (www.finjan.com/rny/rny1.cfm).
Under certain conditions, users wouldn't have to manually open HTML attachments or click on embedded links to let the attack in.
"Russian New Year gives attackers the ability to deliver any payload they want," said Penny Leavy, Finjan's senior vice president of global marketing. "Your antivirus software won't catch this. Your firewall won't catch this."
More bad news: The attack is difficult to prevent. Microsoft Corp. has patches, but only for Excel 97. If your users are running Excel 95, you must first upgrade them to Office 97, then load service releases 1 and 2, then load the patch -- which pretty much kills the CALL function altogether.
"Until vendors configure Web browsers to not allow embedded Excel CALL functions, this problem really can't be fixed unless you cancel your Excel CALL functions," Winkler said. Unfortunately, "some people ... use the CALL function all the time," he added.
Financial services firms, for example, rely on CALL to import data from their enterprise resource planning software databases into spreadsheets, Leavy said.
The simplest fix is education. Remind users not to open HTML attachments or click embedded links in e-mail files unless they explicitly trust the source, Winkler said. But there's another possible diabolical twist, he adds: If New Year is teamed up with the mass-mailing technology behind the recent Melissa virus, the e-mail will appear to come from a trusted source.
Leavy suggests raising browser-security levels and configuring dialog boxes to send alerts when a program or a Web site is set to call other functions.
Because there's no simple way to block Russian New Year, Winkler advises information technology managers to ask, "Is the benefit of using CALL functions worth more than the potential risk of using them?"
Radcliff is a freelance writer in the San Francisco area. Her Internet address is firstname.lastname@example.org.
© 2001 Cable News Network. All Rights Reserved.