With the spread of security education, anti-virus software and a personal firewall have become standard requirements for personal computers, and virus signature databases and operating system patches are updated promptly. For most computers this has effectively reduced system security risks and greatly lowered the chance that an intruder's active attack succeeds. However, as the network has become ubiquitous, many families and organizations have Internet access, and reading personal email has become part of daily life. Email attacks have therefore become one of the main means of network attack, in particular emails carrying malicious viruses, webpage Trojans, specially crafted Trojans, and Trojans that exploit software vulnerabilities: when a user opens and reads such an email, the Trojan infects the system and can then spread further through removable storage devices. Email security has thus become an important and urgent issue in the security field.
There are two main ways to send and receive email. One is to use a Web Mail server directly; the other is to use a separate email client such as Outlook or Foxmail. Jia Peiwu has described methods for handling infected email in Foxmail, and Jiang Hualong has analyzed anti-spam principles and techniques. At present there are few studies of the attack principles and implementation principles of email Trojans.
1. Email Security Risk Analysis
1.1 Software Hazards
Perfect software does not yet exist; every piece of software has defects, but the degree of harm those defects cause differs. Both the mail server that provides the mail service and the client that receives mail have defects to a greater or lesser extent.
(1) Defects in email software
Security vulnerabilities have so far been found in mail server software, mail clients, and Web Mail servers on the market, among them Elm vulnerabilities, mail relay vulnerabilities in Mail Security for Domino, password protection bypass in The Bat!, Outlook Express vulnerabilities, the 263 quickmail WinBox vulnerability, and the Foxmail password bypass vulnerability. After taking control of a computer affected by one of these vulnerabilities, an attacker can easily obtain the email address, username and password, and, if an address book exists, the email addresses of the user's contacts. Some email client vulnerabilities allow an intruder to construct a specially formatted email with an embedded Trojan program; as long as the client is unpatched, the Trojan executes as soon as the user opens the email, which is a high security risk.
(2) Configuration of mail server and client software
Improper configuration of mail server and client software can also create high security risks. For example, the skin configuration script of the Cedric email reader has a remote file inclusion vulnerability. Many administrators are not familiar with mail server configuration: when setting up a mail server platform they aim only to get it working, not to make it secure and reliable, so the configuration is left in a merely usable state and the mailbox is never penetration-tested, leaving an extremely high security risk.
1.2 Email Trojan Hazards
A normal email is safe no matter how the user handles it; the security risk comes from abnormal emails. Current mail attacks are combined with social engineering, so on the surface the emails sent look no different from normal ones and are not easy to identify. Such emails are usually delivered in the following ways.
(1) Webpage Trojans. The email body is a webpage file that can only be viewed in HTML format. These webpages mainly exploit vulnerabilities such as those in IE: when the email is opened, the Trojan program is downloaded from a specified address and executed in the background.
(2) Trojans exploiting application software vulnerabilities. These emails usually carry an attachment, which may be an exe file or a document type such as doc, pdf, xls or ppt; the intruder constructs a specially formatted file that binds the Trojan to the document or program, and when the user opens it the Trojan program executes directly. A more concealed variant replaces the Trojan with a downloader. The downloader is a small program that fetches the Trojan from a specified site and is not itself malicious software: when the user views the file, the downloader runs first and then downloads and executes the Trojan. Anti-virus software treats the downloader as normal software and does not detect or remove it. This method is well hidden, gives the Trojan a high survival rate, and carries an extremely high security risk.
(3) Information leakage hazards. Users must supply an email address and other related information when registering on BBS forums, blogs and the services of some companies, and some companies and individuals sell these email addresses for commercial gain. Such leakage of personal information poses a security risk: personal registration details are not blocked on the Internet, any user can view and search for them, and Google and other search engines can turn up even more detailed information, which is extremely harmful.
1.3 System Security Risks
The range of system security risks is wide. Improper practices during installation, configuration and later use can all create security risks, for example downloading and executing software without a security check, or undisclosed vulnerabilities in the system. These risks are extremely high and cannot easily be prevented; they can only be reduced through standardized training and strengthened system management.
2. Email Trojan Technology
2.1 Webpage Trojan Technology
Webpage Trojans have become a popular Trojan technique in recent years. The principle is to exploit vulnerabilities in IE itself or in Windows components (generally buffer overflows) so that the attacker can execute arbitrary commands; a webpage Trojan uses this to download a Trojan and run it hidden. The common vulnerabilities mostly involve IE and malformed files (such as malformed ANI files and Word documents, which IE opens automatically through the default handler, causing the overflow) or program components (using Java to call a vulnerable component and execute commands); the core code uses a VBS script to download and execute the Trojan program. Early webpage Trojans consisted mainly of two files, an HTML page and the Trojan file: if the browser on the operating system had the vulnerability, the Trojan program executed automatically when the page was visited. Because anti-virus software detected and removed these, later webpage Trojans began to use frame pages. For example, a frame page is embedded in a normal webpage with both width and height set to 0, so the page shows no visible anomaly and the frame is not easy to notice. Later still, JavaScript, obfuscated and encrypted JavaScript, CSS, Java and image camouflage were used to transform the frame code, making it harder for anti-virus software to detect and remove.
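As an added example that is not part of the original article, the following Python script scans an HTML mail body for the constructs described above, a zero-size or hidden frame and a VBScript block or externally loaded script, which is one way a mail gateway or client filter could flag such a message before it is rendered. The sample message and its hostnames (on the reserved .invalid domain) are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a benign-looking notice carrying the two constructs the
# section describes, a 0x0 frame pointing at an external page and a VBScript
# block. Hostnames use the reserved .invalid TLD; they are placeholders.
SAMPLE_MAIL = """
<html><body>
<p>Your invoice for March is attached. Thank you for your business.</p>
<iframe src="http://frame.example.invalid/x.htm" width="0" height="0"></iframe>
<img src="http://img.example.invalid/logo.png" width="120" height="40">
<script language="vbscript">' downloader would go here</script>
</body></html>
"""

class MailHtmlScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag in ("iframe", "frame"):
            style = a.get("style", "").replace(" ", "")
            zero = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            hidden = "display:none" in style or "visibility:hidden" in style
            if zero or hidden:
                self.findings.append(("hidden_frame", a.get("src", "")))
        elif tag == "script":
            if "vbscript" in a.get("language", "") or "vbscript" in a.get("type", ""):
                self.findings.append(("vbscript", a.get("src", "")))
            elif a.get("src"):
                self.findings.append(("external_script", a["src"]))

def scan_html_mail(body: str):
    """Return the list of suspicious constructs found in an HTML mail body."""
    scanner = MailHtmlScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for kind, detail in scan_html_mail(SAMPLE_MAIL):
        print(f"{kind}: {detail}")
```

A visible frame with normal dimensions is not reported, so the check targets the concealment trick rather than frames in general.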
On the one hand, intruders plant webpage Trojans on personal, commercial and portal websites to control personal computers, steal personal accounts and sell traffic for commercial gain; on the other, these webpage Trojans are also packaged as webpage files and sent out in large volumes of spam. If a recipient accidentally opens the webpage file, the computer is infected and spreads the Trojan virus, which poses a high security risk.
2.2 File Bundling Technology
The core logic of file bundling is to append B.exe to the end of A.exe so that when A.exe is executed, B.exe is executed too. Early file bundling was relatively simple, and bundled files were easy to detect and remove. Later, bundling through resources emerged: the resources in a PE file can hold arbitrary data, so the Trojan is placed in a resource, the normal program runs, and the Trojan is then extracted and executed.
Among email Trojans, the bundled Trojan is the most common and most direct attack: as soon as the bundled file in the email is opened, the Trojan program executes. The following types of bundled file are common:
(1) Application installation files. Such executables are often disguised as installers with a setup icon.
(2) Ebook files. An ebook of this kind is an executable produced by compiling HTML and other files into an executable.
(3) Flash files. There are two kinds: executable Flash files, which play directly when run, and files ending in .swf, which need a separate Flash player.
The core of file bundling is to bind a normal file to a Trojan file. During bundling the file icon is modified so that the bundled file is opened without suspicion, after which it is used to control the computer or spread viruses.
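As an added example that is not from the original article, the following Python code detects the append-style bundling described above by parsing the PE section table and measuring the overlay, the bytes beyond the last section's raw data, where an appended second executable ends up. The sample PE layout is constructed in memory for illustration and is not a runnable program.

```python
import struct

def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_size) for a PE image held in memory.
    The overlay is everything after the last section's raw data; a program
    appended to another, as in append-style bundling, lands there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    if sec_table + nsec * 40 > len(data):
        raise ValueError("truncated section table")
    end = sec_table + nsec * 40                 # at least the headers
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))
    return end, len(data) - end

def overlay_contains_pe(data: bytes) -> bool:
    """True when the overlay itself starts with a DOS/PE header."""
    off, size = pe_overlay(data)
    return size > 0 and data[off:off + 2] == b"MZ"

def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 layout for the demo (not an executable image):
    one .text section of 0x200 bytes at file offset 0x200, headers padded to 0x200."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytes(224)                            # PE32 optional header, zeroed
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return header + bytes(0x200) + overlay

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()),
                          ("bundled", build_sample_pe(b"MZ" + bytes(298)))):
        print(label, pe_overlay(sample), overlay_contains_pe(sample))
```

Installers, self-extracting archives and Authenticode-signed binaries also carry data in the overlay, so a non-zero overlay is a triage signal to inspect rather than proof of bundling; resource-based bundling, which the section also mentions, leaves no overlay and needs a resource walk instead.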
2.3 Application Software Vulnerability Exploitation Technology
Trojans created by exploiting application software vulnerabilities are hard to identify and carry the highest risk. Word, PowerPoint and Excel in the Office suite, Adobe Reader, and the SuperStar book reader all have high-risk security vulnerabilities. Since these file types are in everyday office use, a Trojan generated through such a vulnerability is indistinguishable from a normal file: when the user opens it, the Trojan program executes and the normal document is displayed. Intruders often use application software vulnerabilities to create Trojans and send these seemingly normal files to the target by email; once the target opens the files in the email, the probability of virus infection is very high.
3. Email Security Prevention
3.1 Email Server Security Defense
The most basic security requirement for a mail server is a secure operating system. Because operating system security is a large topic in itself, this article discusses mail security on the premise that the operating system is secure; the following measures are recommended for system security:
(1) Apply operating system vulnerability patches promptly.
(2) Install anti-virus software and a firewall, update the virus database promptly, and scan for viruses regularly. If necessary, use a mail security gateway.
(3) Set up a security checklist and conduct regular security checks according to the security policy.
(4) Strictly restrict access by IP address. Apart from the mail service that the server must provide, impose IP restrictions wherever possible, so that only the maintenance IP address and other trusted networks can reach the server.
(5) Any software installed must undergo security testing to ensure that it carries no plug-ins and that the installed software is "clean".
Whatever type of mail server software is used, when configuring the server you must check online whether the current version has known vulnerabilities and read the related security configuration articles, then carry out a security risk assessment and prepare risk response measures.
3.2 Email Client Security Protection Technology
Beyond the mail server, the mail client is the main target of email Trojan attacks, so protecting the mail client is vital. The client computer should have a firewall and anti-virus software installed, with the virus database and operating system security patches updated promptly. We recommend anti-virus software with email monitoring. For ordinary users in China, the combination "Rising free firewall + avast! anti-virus" can be used; avast! has strong email and webpage Trojan monitoring capabilities and is free of charge. We recommend the following four methods to prevent email Trojans:
(1) "Check" mainly means saving the attachment locally when reading the email and scanning it with anti-virus software. If it is an executable file, confirm with the sender through a separate channel of communication that the email really came from them. We also recommend changing the folder options to uncheck "Hide file extensions", so that the actual extension of a file is visible and an intruder cannot trick the recipient into running a Trojan by altering the file extension.
(2) "View" mainly refers to checking the subject of the email and the sender's address. If the email contains attachments, first check the attachment properties and whether the extension of the attachment file is hidden. If the email client