[19956] in bugtraq
Re: Invisible file extensions on Windows
daemon@ATHENA.MIT.EDU (Tony)
Fri Mar 30 11:40:49 2001
Message-ID: <NDBBKGFCPBEJFMCNPOLJKEIMELAA.bugtraq-list@attron.com>
Date: Fri, 30 Mar 2001 03:31:39 -0600
Reply-To: Tony <bugtraq-list@ATTRON.COM>
From: Tony <bugtraq-list@ATTRON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5.0.2.1.0.20010328183022.022316f0@pop1.sympatico.ca>
For an excellent overview of Shell Scraps, see:
http://www.pc-help.org/security/scrap.htm
These can be scary little buggers because they have the functionality of
both batch files and executables (see the example in the link above). It
appears to be an artifact of Win3.1 OLE that never seemed to disappear.
I have never seen them used in a useful capacity, but there is most
likely some enterprise application depending upon them for its
functionality.
An additional concern is that the icon used by .shs files looks
deceptively like one that would be used for a text file. This could
easily be confused with a Notepad/WordPad document. It appears that the
latest patches for Outlook show the .shs file extension in an email, but
the icon looks like a text document and double-clicking it presents the
standard warning dialog. Choosing to open the attachment executes its
payload. I would ASSuME that most other email clients would treat it in
a similar fashion, YMMV.
I think that the best fix for this would be to add it to the
executable/scriptable content filters in AV products, strip it or
'de-fang' it from email, and treat it as an executable attachment in file
transport clients like email, IRC, NetNews, etc. This only further
reveals the necessity for a method of strong authentication and
verification of ALL executable content within the OS regardless of its
origin -- an idea more clearly presented by Nick FitzGerald.
Regarding the hiding of file extensions in Windows, you can find
extensions on a machine that are hidden by searching for "NeverShowExt"
in the HKEY_CLASSES_ROOT registry hive. There is probably more legacy
functionality in Windows that allows hiding of extensions, but this is
the only method that I am aware of.
Combine this with tools like dsniff, ubiquitous, high-speed
nearly-anonymous Internet access and stealth, remote-control trojans...
we could have a serious problem (or do we already?)
Best,
Tony
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
Floydman
Sent: Wednesday, March 28, 2001 5:31 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Invisible file extensions on Windows
A little while ago, I was having a conversation with some of my colleagues
about computer viruses. The "Life Stages" virus was mentioned during the
conversation. This virus disguises itself via a file with extension .SHS,
while pretending to be a .TXT file. This was possible because the .SHS
extension is hidden by Windows, even if it is configured to display all
files, all extensions (even for known file types). .SHS stands for "shell
scrap", which means that it is possible to use these files to execute
commands on a computer (which is what the virus did). Following this
discussion, I thought to myself "I wonder if there are any other file
extensions with these attributes that could potentially be used in a virus
design?". To do this research, someone suggested to me that I plunder the
registry, since all file extensions are (supposed) to be listed there. But
the registry gives little if any information at all about what the purpose
of a certain file extension in the system is, nor about what visual
behavior they present to the user (which in turn can use the user's
gullibility to activate a virus). What was interesting me is how Windows
presents the file via the GUI, not just the list of extensions recognized
by Windows. Also, I didn't really trust the registry to hold each and every
file extension it uses all in the same place (after all, we trusted it to
display all file information, didn't we?).
[...]
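The following script is an added example and is not code from either message in the thread. It automates the registry search Tony describes (keys under HKEY_CLASSES_ROOT carrying a NeverShowExt value) and then joins each flagged ProgID back to the extensions that map to it, which is the view Floydman was after: not just the list of registered extensions, but which of them Explorer will display without an extension even when "Hide extensions for known file types" is turned off. It also prints the open verb's command for each, so the reader can see what a double-click would actually launch. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host and is read-only; the variable and property names are the author's own choices, not Windows API names.

```powershell
# Added example, not from the original bugtraq thread.
# Enumerates HKEY_CLASSES_ROOT for the NeverShowExt flag (Tony's method)
# and reports every extension that inherits it, directly or via its ProgID.
# Read-only; runs as an ordinary user.

$hkcr = [Microsoft.Win32.Registry]::ClassesRoot

# Pass 1: collect every top-level HKCR key that carries a NeverShowExt value.
# Usually these are ProgID keys (e.g. lnkfile, piffile, InternetShortcut),
# but an extension key itself may carry the flag, so both kinds are kept.
$flagged = @{}
foreach ($name in $hkcr.GetSubKeyNames()) {
    $key = $hkcr.OpenSubKey($name)
    if ($null -eq $key) { continue }            # permission denied or vanished
    if ($key.GetValueNames() -contains 'NeverShowExt') {
        $flagged[$name] = $true
    }
    $key.Close()
}

# Pass 2: walk the extension keys (names starting with '.'), resolve each one's
# ProgID from the key's default value, and report those that are hidden.
$results = foreach ($name in $hkcr.GetSubKeyNames() | Where-Object { $_ -like '.*' }) {
    $extKey = $hkcr.OpenSubKey($name)
    if ($null -eq $extKey) { continue }
    $progId = $extKey.GetValue('')              # '' reads the (default) value
    $extKey.Close()

    $hiddenByExt    = $flagged.ContainsKey($name)
    $hiddenByProgId = ($progId -is [string]) -and $flagged.ContainsKey($progId)
    if (-not ($hiddenByExt -or $hiddenByProgId)) { continue }

    # What a double-click runs, if the ProgID defines an "open" verb.
    $openCommand = $null
    if ($progId -is [string]) {
        $cmdKey = $hkcr.OpenSubKey("$progId\shell\open\command")
        if ($null -ne $cmdKey) {
            $openCommand = $cmdKey.GetValue('')
            $cmdKey.Close()
        }
    }

    [pscustomobject]@{
        Extension   = $name
        ProgId      = $progId
        FlagOn      = if ($hiddenByExt) { 'extension key' } else { 'ProgID key' }
        OpenCommand = $openCommand
    }
}

$results | Sort-Object Extension | Format-Table -AutoSize
```

Run it in a PowerShell console; no elevation is needed because it only reads HKEY_CLASSES_ROOT. On a current Windows build the shell-scrap handler that the thread is about may no longer be registered at all, so .shs can be absent from the output, while .lnk, .pif and .url will normally appear; anything unexpected in that list (a per-user ProgID under HKCU\Software\Classes is merged into this view too) is worth a second look, since it is exactly the kind of extension a user cannot see before double-clicking.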