UNCLASSIFIED
E-mail Security in the Wake of Recent Malicious Code Incidents
By: Trent Pitsenbarger and Paul Bartock
of the Systems and Network Attack Center (SNAC)
is not meant to replace well-structured policy or sound judgment. Furthermore
this guide does not address site-specific configuration issues. Care must be
taken when implementing this guide to address local operational and policy
concerns.
SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Please keep track of the latest security patches and advisories at the
Microsoft security bulletin page at .
This document contains possible recommended settings for the system
Registry. You can severely impair or disable a Windows NT System with
incorrect changes or accidental deletions when using a Registry editor
(Regedt32.exe or Regedit.exe) to change the system configuration. Currently,
there is no “undo” command for deletions within the Registry. Registry editor
prompts you to confirm the deletions if “Confirm on Delete” is selected from the
options menu. When you delete a key, the message does not include the name
of the key you are deleting. Therefore, check your selection carefully before
Countermeasure 9c – Securing the System Directories ... 14
Automation ... 14
Overview ... 14
Location of Some Relevant Registry Settings ... 16
Further Information ... 17
Appendix A – Summary of the ILOVEYOU Worm Actions ... 18
Appendix B – Windows 95/98 Countermeasures ... 20
Changes ... 21
Introduction
The recent spate of malicious code based attacks, most recently exemplified by the
ILOVEYOU worm, has highlighted the propensity of modern e-mail systems to provide a
ready conduit for malicious code delivery. The Microsoft family of e-mail clients has
proven to be a particularly attractive target for malicious code writers, primarily due to
their widespread usage and their rich programming model.
While there have been numerous malicious code payloads that have targeted the
Microsoft environment, three stand out given their impact or the varying approaches they
utilized. The Melissa virus delivered its destructive payload via a Word document
attachment. Upon opening the attachment, the malicious code was designed to launch
automatically. The BubbleBoy virus was the first to execute upon simply previewing the
message – it was not necessary to open an attachment or to take any further action for the
code to execute. BubbleBoy was developed using script embedded in the body of the
e-mail message that executed as the message was rendered for viewing by the client.
Finally, the recent ILOVEYOU worm was similar in concept to the Melissa virus in that
it was transported as an e-mail attachment. In this case the attachment was not disguised
as an innocuous Word document, but instead the attachment was a Visual Basic Script
(.vbs) file that, upon launching, is interpreted and run by the Windows Scripting Host
(WSH).
patch improves the security of the clients by blocking file attachments that could contain
malicious code. Attachments that present the greatest threat – referred to as “Level 1”
attachments in the Microsoft lexicon – are stripped from incoming messages and from all
previously saved messages. The patch and a complete listing of the file types that are
considered Level 1 are provided at .
This patch handles what is defined as “Level 2” attachments in a different manner. Level
2 attachments are not blocked, but instead the user is required to save them to the hard
disk before executing. This is intended to cause the user to pause before acting and not
just absent-mindedly launch a potentially malicious attachment. By default, no file types
are included in Level 2; however, the administrator can define the file types that should
be included in Level 2 as well as modify the file types defined as Level 1. There is a very
notable caveat on the ability to modify the Level 1 and Level 2 definitions – this can only
be done for users connecting to an Exchange server and who are not using .pst files for
storage of mail messages.¹ This ability to modify the Level 1 and Level 2 definitions can
be used to enforce local security policies. For example, one could use these features to
add .doc files (Word documents) to the Level 1 file list.
The patch also controls programmatic access to the Outlook address book via the Outlook
Object model and Collaborative Data Objects (CDO) as a countermeasure against
malicious code that replicates by auto-forwarding itself to a user’s contacts and provides
protection against malicious embedded objects and scripts. A complete description and
installation instructions are provided at the office update URL provided above.
Note that this patch only works with Outlook 98 and Outlook 2000 – there is no similar
patch available for earlier versions of Outlook or Outlook Express.
• Internet zone: By default, this zone contains anything that is not on the computer
or an intranet, or assigned to any other zone. The default security level for the
Internet zone is “medium”.
A plethora of security related settings can be configured for each of these zones.
Microsoft has canned policies defined as low, medium-low, medium, and high which the
user can select, or alternatively the user can tailor the settings to his or her specific needs.
Outlook utilizes these zones in that the user can select which of two zones – the Internet
zone or the Restricted zone – Outlook messages fall into. The settings for the selected
zone are then applied by Outlook to all messages.
It is recommended to select the Restricted zone. To do so, select Tools/Options and the
Security tab. Select Restricted sites from the zone drop-down box.
Configure the settings for the Restricted zone as recommended below by selecting Zone
Settings and clicking on Custom Level. Note that changes made here will also apply to the
Restricted zone when web surfing with Internet Explorer. These recommendations apply
specifically to Internet Explorer 5.5; the options available under Internet Explorer 5.0 and
4.0 are similar but do not include all of the settings.²
• Download signed ActiveX controls – DISABLE
• Download unsigned ActiveX controls – DISABLE
• Initialize and script ActiveX controls not marked as safe – DISABLE
• Run ActiveX controls and plug-ins – DISABLE
• Script ActiveX controls marked safe for scripting – DISABLE
• Allow cookies that are stored on your computer – DISABLE
Note once again that these settings are shared with the Internet Explorer browser and web
pages typically DO incorporate the kinds of features which are disabled via these settings.
While this could represent an operational impact, keep in mind that the Restricted zone is
intended to include those sites that are not trusted - one should restrict what those sites
can do and in fact these recommended settings are only slightly more restrictive than the
default settings for this zone.
These settings will counter known attacks that use active content contained within the
body of e-mail messages such as the BubbleBoy virus.
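The six Restricted zone settings above are stored per user in the registry, so an administrator can audit them (and, since Outlook reads the same zone, confirm that mail rendering is covered) without walking each desktop through the Custom Level dialog. The PowerShell script below is an added example, not part of the SNAC guide; it assumes the standard per-user Internet Explorer zone hive (zone 4 is Restricted sites, and the numeric value names are IE's action identifiers, where 3 means Disable) and that no machine-wide policy overrides the per-user settings.

```powershell
# Added example: audit, and optionally enforce, the Restricted zone
# settings recommended in Countermeasure 2. Assumes IE 5.5+ per-user
# zone settings under HKCU (zone 4 = Restricted sites).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'

# IE action identifier -> the setting name as shown in Custom Level.
$Recommended = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1A02' = 'Allow cookies that are stored on your computer'
}
$Disable = 3   # IE zone action values: 0 = Enable, 1 = Prompt, 3 = Disable

function Test-RestrictedZone {
    param([switch]$Enforce)
    # One read of the zone key; each action is a REG_DWORD value on it.
    $current = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $value = $current.$id          # $null if the value is absent
        $status = if ($value -eq $Disable) { 'OK' } else { 'NONCOMPLIANT' }
        '{0,-6} {1,-60} current={2} {3}' -f $id, $Recommended[$id], $value, $status
        if ($Enforce -and $value -ne $Disable) {
            # IE expects a DWORD; writing 3 is the same as choosing
            # "Disable" in the Custom Level dialog.
            Set-ItemProperty -Path $ZonePath -Name $id -Value $Disable -Type DWord
        }
    }
}

# Report only. Run "Test-RestrictedZone -Enforce" to apply the settings;
# Internet Explorer and Outlook pick up the new values on next start.
Test-RestrictedZone
```

Because the Restricted zone is shared with Internet Explorer, the report also tells you what browsing behaviour users will see on sites placed in that zone.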
Countermeasure 3 – Changing File Associations or Disabling WSH
The e-mail security patch described in Countermeasure 1 will offer protection against the
ILOVEYOU worm and similar kinds of executable content in Outlook 98 and Outlook
2000. Unfortunately, there is no similar patch available for Outlook Express. A level of
protection can be achieved in Outlook Express environments by changing the default
action associated with potentially dangerous file types. The ILOVEYOU worm is
propagated as a Visual Basic Script file (.vbs) which, upon launch by an unwitting
recipient, is interpreted by the Windows Scripting Host. An effective countermeasure
against this kind of attack is to change the default action that occurs when a user launches