3

I am curious about infections via email and how likely it would be possible to get infected through just opening an email, in various situations.

I have been reading about people talking about 1x1 pixel images that could contain malware, or be a tracking pixel, as well as images in general containing malware, so I'm curious if it's possible to get malware from an included image in an email?

Since a lot of sites are using HTML markup, as well as images in email to be fancy, I am curious about those being used as attack vectors? I would assume email clients would put in protections for us users against this? From what I have read, email clients usually protect against execution of JS and other code in the email client, but I am curious about images, and how that plays a role if there is malicious code embedded, compared to just a script executing?

I am also curious about the possibility of infection if one were to use the option of "View Source" which I saw as an answer to this question.

https://superuser.com/questions/327224/how-can-i-safely-open-a-suspicious-email

It seems that in the "View Source" case we are just given a bunch of text, and the only way that we could be attacked is if there was a vulnerability in the actual viewing source mechanism which would execute malicious code?

I also post the above link because it is similar to my question, but it is older, and possibly lacking in new knowledge of vulnerabilities and such that have been found in the last bunch of years.

XaolingBao
  • _I'm curious if it's possible to get malware from an included image in an email?_ easy: no. – dandavis Jan 11 '17 at 03:21
  • It is a myth that a host is infected just by opening an email. In earlier days Microsoft Outlook used to allow HTML code in email, which allowed attackers to run JavaScript code to infect your PC, so the malware attached with it also got executed. This vulnerability was fixed, and now you get malware if you download and open the attachment, not by opening an email. – defalt Jan 11 '17 at 10:22
  • @AlanWatch thanks, but that means anyone still running an older version could still be affected? I actually know someone who is still running the Outlook 2000 client on their computer. I keep trying to get them to upgrade, but they don't want to. In reality, it's not a myth then that it happened, just doesn't happen in the newer more updated clients. – XaolingBao Jan 11 '17 at 14:00
  • The last version which was vulnerable to this attack was released 11 years ago. It's not the fault of email services that people are still using an outdated version. There was a flaw and that was fixed. Now you can't insert self-executing HTML code in an email. It'll do nothing. – defalt Jan 11 '17 at 16:02

3 Answers

2

Email is one of the many routes malware takes to infect hosts. While it was more common in years past, with ILOVEYOU (see link below) and other such pieces, email is becoming less of an infection route because:

  • Fewer people use mail client software, and more use web-based email (e.g. Gmail).
  • Software and OS security has drastically improved.
  • Spam filters, and DKIM (along with other mail system improvements) mitigate risks.
  • People are generally more aware of what happens when you open bad/unknown emails.

Still, it's used to some degree, especially with spear phishing and whaling attacks. Some attacks are sophisticated enough to use HTML code to attack the email client (which are popular in enterprises/corporations).

The critical part, as other answers have brought up, is that double extensions can trick users into thinking an attachment is safe to open. Again, this is one of the many parts that allowed ILOVEYOU to spread with ease.

It is more commonplace to see attachments within attachments. For example, you can place files inside a PDF file, which can house other files. Some AVs do not scan these files, some do.

Depending on the operating system, malformed images can also be spread through emails, which allows code to be executed. You can see more about this in the last two links.

Easy ways to safeguard yourself from email malware:

  • View all emails as text. Some email clients support this.
  • A follow-up is to request text-only emails. Reputable sites allow for this.
  • Do not open emails from unknown/unfamiliar addresses, or emails sent at unexpected hours.
  • Ensure you use up-to-date email clients, or use online web-based email.

https://en.wikipedia.org/wiki/ILOVEYOU

https://social.msdn.microsoft.com/Forums/vstudio/en-US/7010cefa-e596-45af-b193-40206451dd90/how-can-i-load-an-emf-file-into-wpf?forum=wpf

https://www.symantec.com/security_response/vulnerability.jsp?bid=30594

dark_st3alth
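The question asks about tracking pixels and about reading an email as source instead of rendering it, and this answer recommends viewing mail as text. As an added example (not code from the original post or any of its authors), the Python script below uses the standard library's email parser to produce that kind of text-only view: it lists plain-text bodies and attachment names, and scans the HTML part as a string to report remote and 1x1 images without rendering the HTML or fetching anything. The sample message is constructed inline; the addresses and the tracker URL are made-up placeholders.

```python
import email
import email.policy
from html.parser import HTMLParser

# Constructed sample message for this example (not a real email): a plain-text
# part, an HTML alternative carrying a remote 1x1 image, and a file attachment.
SAMPLE_EML = b"""From: sender@example.invalid
To: you@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--inner
Content-Type: text/html; charset=utf-8

<html><body><p>Please see the <b>attached</b> invoice.</p>
<img src="http://tracker.example.invalid/open?id=42" width="1" height="1">
<img src="cid:logo"></body></html>
--inner--
--outer
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--outer--
"""


class _HtmlScanner(HTMLParser):
    """Collects <img> tags from an HTML part without rendering or fetching anything."""

    def __init__(self):
        super().__init__()
        self.images = []  # (src, width, height) for every <img> seen

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            self.images.append((a.get("src") or "", a.get("width"), a.get("height")))


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report only what a text view needs:
    plain-text bodies, attachment names, and any remote images in the HTML part.
    The HTML is scanned as text, never rendered, so no image is ever fetched."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {
        "subject": str(msg["subject"]),
        "text": [],
        "attachments": [],      # (filename, declared content type)
        "remote_images": [],    # http(s) image sources found in the HTML part
        "tracking_pixels": [],  # remote images declared 1x1
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" or part.get_filename():
            report["attachments"].append((part.get_filename(), ctype))
        elif ctype == "text/plain":
            report["text"].append(part.get_content().strip())
        elif ctype == "text/html":
            scanner = _HtmlScanner()
            scanner.feed(part.get_content())
            for src, width, height in scanner.images:
                if src.lower().startswith(("http://", "https://")):
                    report["remote_images"].append(src)
                    if width == "1" and height == "1":
                        report["tracking_pixels"].append(src)
    return report


if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Nothing here decodes the attachment or follows an image URL; the report is enough to decide whether the message deserves a closer look before it is opened in a rendering client.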
1

Yes, this is possible and fairly routinely used by malicious individuals. I work in the IT security profession, so I can answer from experience.

Two methods (among many others) to embed malware in images attached to emails are the double file extension and steganography: hiding data within other data.

Double file extension trick

A malicious individual can use a double file extension, with one file extension being an executable (ex: .exe) and the other an image file extension (ex: .jpg). Windows will, in most cases, display the file to the user with only the .jpg file extension. The user, thinking the file is an innocuous picture, clicks on the file and executes the underlying executable. At this point, the payload of the malware executes.

Steganography

A malicious individual can embed tiny bits of malicious data within an otherwise benign image file with no outward changes being detectable by the end user. Malicious files distributed are often non-contiguous to increase evasion. One piece of embedded data can call other malicious payloads already on your computer.

Anthony
  • In your first example the user has to click an image though, or open the image right? It just cannot execute without that user interaction? In your second example you mention that the embedded data can call other payloads on the computer, but that means you would already need to be infected for that to happen, or the embedded data could also download additional payloads right? Can this happen just by viewing an image in a client though, or do both examples require user interaction? – XaolingBao Jan 11 '17 at 03:02
  • @XaolingBao The first requires user interaction via clicking or otherwise "activation" of the embedded executable so it can be interpreted by the host system – Anthony Jan 11 '17 at 03:33
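Both techniques in this answer can be checked for on the receiving side. The following Python code is added here as an example and is not the answer author's own: it inspects an attachment's name and bytes, flags a final executable extension hidden behind an image extension, compares the claimed image type against the file's leading bytes, notes a PE (MZ) header, and counts bytes appended after a JPEG's end-of-image marker, the simplest form of the hidden-data placement the answer alludes to. The extension lists and the sample attachments are constructed for the example.

```python
# Final extensions Windows runs on double-click; a short, non-exhaustive list
# chosen for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".ps1", ".msi", ".hta"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Leading bytes each image format must start with.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; decoders stop reading here

# Constructed sample attachments (not real files): a minimal JPEG-looking blob,
# the same blob with bytes appended after EOI, and an MZ header under image names.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI,
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI + b"hidden payload bytes",
    "photo.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "scan.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
}


def split_extensions(filename: str) -> list:
    """All dot-separated suffixes, lowercased: 'photo.jpg.exe' -> ['.jpg', '.exe']."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:]]


def jpeg_trailing_bytes(data: bytes) -> int:
    """Number of bytes after the last JPEG EOI marker. Decoders ignore them, which
    is why appended payloads are a classic hiding place; some benign files carry a
    few trailing bytes too, so treat this as a signal, not a verdict."""
    idx = data.rfind(JPEG_EOI)
    return 0 if idx == -1 else len(data) - (idx + len(JPEG_EOI))


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing
    suspicious was seen by these checks."""
    findings = []
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension")
        if any(e in IMAGE_EXTENSIONS for e in exts[:-1]):
            findings.append("double extension disguised as image")
    if final in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[final]):
        findings.append("content does not match claimed image type")
    if data.startswith(b"MZ"):
        findings.append("PE executable header (MZ)")
    if final in (".jpg", ".jpeg") and data.startswith(IMAGE_MAGIC[".jpg"]):
        extra = jpeg_trailing_bytes(data)
        if extra > 0:
            findings.append(f"{extra} bytes after JPEG EOI marker")
    return findings


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {check_attachment(name, blob) or 'no findings'}")
```

The name check catches the trick the answer describes even when Windows hides the final extension, because the gateway sees the full filename; the magic-byte and trailing-data checks look at the content instead, so a file that lies about its type or carries extra data after the image is caught regardless of its name.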
1

The basic requirement for a malware infection is that an attacker/malware is able to execute code on your computer. This might be possible with default mechanisms intended for doing so: JavaScript, executable attachments, etc.

But modern mail software usually prevents this because of a wide variety of abuse: JavaScript is usually disabled, and executing attachments is either disallowed or requires approving an alert message box.

Mail and mail clients have become more and more complex over the years, which is why they introduce an additional attack surface: exploiting vulnerabilities to execute code. For example, if the HTML rendering engine has a memory issue, or the web interface of a webmailer is executing JavaScript anyway, it might be possible to execute code outside the intended possibilities.

Therefore, running code by exploiting vulnerabilities in rendering engines (HTML, images, attachments) is not unusual. This might even happen before you view/click an email (as soon as it is received by and stored into your mail client).

Marc Ruef
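This answer's point is that the decoder itself, not the user, is the attack surface when a file is malformed. The Python below is an added example, not anything from the answer, showing the defensive side: a PNG chunk walker that validates each declared length against the bytes actually present and checks each CRC before touching the chunk body, so oversized-length and truncated files are rejected rather than trusted. The chunk-length cap, the minimal PNG and the deliberately corrupted copy are all constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 1 << 24  # cap chosen for this example; PNG itself allows up to 2**31-1


class MalformedImage(ValueError):
    """Raised for any structural problem instead of trusting the file's own numbers."""


def parse_png_chunks(data: bytes) -> list:
    """Walk the chunk list, checking every declared length against the bytes that
    actually remain and every CRC, and return [(type, length), ...] up to IEND.
    The length-vs-buffer check is the one a vulnerable decoder skips: an
    unchecked length field is what turns a crafted image into memory corruption."""
    if not data.startswith(PNG_SIGNATURE):
        raise MalformedImage("bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while True:
        if len(data) - pos < 12:  # 4 length + 4 type + 4 CRC is the minimum
            raise MalformedImage("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if length > MAX_CHUNK_LEN:
            raise MalformedImage("chunk %s declares %d bytes, over the cap" % (name, length))
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            raise MalformedImage("chunk %s length %d overruns the file" % (name, length))
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise MalformedImage("CRC mismatch in chunk %s" % name)
        if not chunks and ctype != b"IHDR":
            raise MalformedImage("first chunk is %s, not IHDR" % name)
        chunks.append((name, length))
        pos = body_end + 4
        if ctype == b"IEND":
            return chunks


def classify_png(data: bytes) -> str:
    """One-line verdict of the kind a mail gateway would log."""
    try:
        return "ok: " + ",".join(name for name, _ in parse_png_chunks(data))
    except MalformedImage as exc:
        return "rejected: " + str(exc)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as the well-formed sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter type 0, then one gray pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def corrupt_idat_length(png: bytes) -> bytes:
    """Overwrite the IDAT length field with 0xFFFFFFFF and leave the rest intact:
    the kind of malformed input a fuzzer produces and a decoder must reject."""
    offset = len(PNG_SIGNATURE) + 4 + 4 + 13 + 4  # skip signature and the IHDR chunk
    return png[:offset] + b"\xff\xff\xff\xff" + png[offset + 4:]


if __name__ == "__main__":
    good = build_minimal_png()
    print(classify_png(good))
    print(classify_png(corrupt_idat_length(good)))
    print(classify_png(good[:-4]))
```

A decoder written this way cannot be made to read past its buffer by a length field, which is the property to look for (or to fuzz for) in whatever image library the mail client embeds; the answer's point that this happens at receive time means the gateway, not the user's click, is where such validation has to live.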