Part 1. Hazards of email attachments -- overview
Cardinal rule: "Never open an email attachment on the
first date." -- Fred Langa.
- Be suspicious of any attachment you were not expecting -- even though it's from someone you know.
- Be doubly suspicious of attachments that
have been forwarded to you -- even by someone you know.
- Be paranoid about attachments from anyone you don't know.
In the 1st case, a virus could have sent
the attachment. It would have "spoofed"
the "From" address with your friend's
email address. You clearly have no idea about
where the file originally came from in the
2nd case. And it's easy to see there's at
least a slightly ulterior motive, if not
a downright nasty one, in the 3rd case.
Attachments, and the messages that carry
them, get more diabolical all the time. It
seems to be a game to find new ways to fool
people. Even seasoned computer users get
taken in, or have clicked the mouse when
they didn't intend to. There are even ways
to include hostile code in digital music,
images or videos.
Most malicious payloads are delivered as attachments. They've had
more "success" than all other attack
vectors combined. If you never, ever opened
an email attachment, they wouldn't be a hazard
to you at all. But that's not the real world.
Sooner or later you're going to want to open
one. That's when you need the page on handling attachments safely.
1. A reasonable sounding message makes an
urgent offer to scan your computer for the
latest worm in the news. When you open the
attachment, the first thing it actually does
is disable your antivirus program and firewall.
Then it installs the worm it claimed to be
scanning for. Finally it reports that your
computer is free of the worm. Now the worm
uses your computer to send the same bogus
message to more victims. Nice!
2. Your friend emails you a cute attachment
with the file name "kitty.exe".
In their message, they tell you they've tried
it themselves, it's really cute, and it's
"OK to open". You check with your
friend, and yes indeed, he or she did send
it, and they assure you "it doesn't
have a virus." Trouble is, it contains
a delayed action Trojan-horse along with the cute kitty. When you open
it, the kitty does something cute, but the
Trojan is also installed on your computer.
You and your friend will not find out about
the Trojan until later, if ever.
3. An email arrives that appears to come from Microsoft. The Microsoft heading and
icons are genuine. The message contains a
sincere and urgent plea for you to patch
your copy of Windows immediately. The file
to install the patch with is conveniently
attached. Trouble is, when you open the attachment,
it terminates your antivirus program and
firewall, and then does other things so that
you can't remove it. Next it asks you to
enter your email username and password. Guess
what the perpetrator does with this information
after you click "Submit". Microsoft provides a guideline for determining if a message "from"
them is genuine.
4. Attackers often disguise malicious attachments
by using double extensions, for example,
"message.txt.lnk" or "picture.gif.vbe". Unless you've changed your Windows configuration, *.lnk, *.vbe and several other extensions
are always hidden. The file names that you
see are just "message.txt" or "picture.gif". Those files -- *.txt and *.gif files
-- seem safe enough. Windows knows they are
*.lnk or *.vbe files, though, not text or
picture files at all. When you "open"
them, Windows blindly does exactly
what the attacker had in mind, and the damage
is done.
5. Demonstration: It's only a myth that non-executable files are always
safe. It's easy to hide malicious content
in music or video files. Download and run
example.mp3 to see a convincing but perfectly safe demonstration
of this. (*.mp3 is a popular music file format.)
That is... if you trust me. Nothing dramatic
happens, but there's more going on than just
the music, eh? You'll need to have Windows Media Player installed, and be online to see the results. This is just an example. I'm sure there are
a lot of brigands and bandits figuring out
how to plant hostile content in more file
types.
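A mail-filter check for the double-extension disguise described in item 4, as an added example that is not part of the original page: it reads attachment names from a raw message and flags a harmless-looking extension followed by one that runs when opened. The extension sets beyond .lnk, .vbe and .exe, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# .lnk, .vbe and .exe appear on the page; the other entries are assumptions.
RISKY = {"lnk", "vbe", "exe", "vbs", "scr", "pif", "bat", "cmd"}
# Assumption: extensions a reader would take for harmless data.
DECOYS = {"txt", "gif", "jpg", "png", "pdf", "doc", "mp3"}

def classify(filename):
    """Return 'disguised', 'executable' or 'ok' for an attachment name."""
    # Trailing dots and spaces are dropped first, since Windows ignores them.
    parts = filename.rstrip(" .").lower().split(".")
    if len(parts) < 2 or parts[-1] not in RISKY:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOYS:
        return "disguised"   # decoy extension followed by a risky one
    return "executable"      # risky type, but not hiding behind a decoy

def scan_message(raw):
    """Classify every named attachment in a raw mail message."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [(n, classify(n)) for n in names]

# Constructed sample message; the file names are the page's own examples.
SAMPLE = """\
From: friend@example.com
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.txt.lnk"

x
--B
Content-Type: image/gif
Content-Disposition: attachment; filename="picture.gif"

x
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="kitty.exe"

x
--B--
"""
if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict:10} {name}")
```

The check works on the full name carried in the message, so it sees the final extension even when Windows would hide it on screen.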
What's a person to do?
Now that I've convinced you that opening
attachments is dangerous sport, what can
you do about the ones you decide you really
want to open? Go on to the next page to find out.