For the past few years, drive-by downloads have been the bane of computer-security professionals. These malicious Trojans lurk inside seemingly innocuous Web pages and try to infect any browser that visits them. If a user doesn't have strong anti-virus software installed on his PC, he'll be immediately infected just by looking at the Web page.
Now this "instant-infection" threat has moved to an even more dangerous forum: email. A new class of drive-by email messages has been discovered that infect users who simply view a message, or possibly just glance at it in a preview window.
"The new generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the e-mail is opened," reads a press release by the Berlin-based email security company Eleven.
Until now, malware infection via email has involved action on the part of the user, who is deceived into opening a malicious attachment or clicking on a malicious link. This HTML-based exploit removes that step by having the JavaScript do it instead.
Many email messages, especially those sent by online retailers, are full of HTML — Web-based coding that allow images, formatted text and even movies to be displayed in the body of the messages. But because those messages have essentially become mini-Web pages, they are vulnerable to the same sort of exploits that plague websites.
Eleven said this new threat has been spotted in emails that pretend to come from the Federal Deposit Insurance Corporation, the U.S. government's insurance plan for consumer bank deposits. The subject heading is "Banking security update," but it's likely that variants on that theme are in the works.
The U.S. security giant Symantec spotted a very similar fake FDIC email message with the subject line "Update for your banking account." It carried the malicious HTML file as an attachment. It's not clear whether that message was an earlier version of the one Eleven found, or the same one viewed through an email client that had HTML rendering disabled.
Disabling HTML rendering in incoming email messages is indeed the best and most simple defense against this new threat, whether you're using a stand-alone email application like Microsoft Outlook or a Web-based service like Gmail.
Unfortunately, while you can usually send messages in plain text, it's not always easy or even possible to get incoming messages to display that way.
We found that it can be done in Outlook 2007 via Tools —> Trust Center —> E-mail Security —> Read all standard mail in plain text. Earlier versions of Outlook use Tools —> Options —> Read —> Read all messages in plain text.
Gmail automatically displays all email in the intermediate Rich Text format, which enables text formatting and links but disables images. (It's not clear whether JavaScript commands would be active in Rich Text.) Yahoo! Mail users can get the same result by going to Options —> Mail Options —> Spam —> Initially block all images. Neither Webmail service seemed to have a plain-text display option.
Apple Mail users can block loading of images hosted on remote Web servers by going to Preferences —> Viewing —> uncheck Display remote images in HTML messages, which would theoretically block a remote JavaScript-directed download. (The malicious message that Eleven found affects Windows PCs only.)
As always, your final line of defense against drive-by downloads, whether from a Web page or an email message, is to install a robust anti-virus application and make sure it's always on and updated.