[19973] in bugtraq
Re: Invisible file extensions on Windows
daemon@ATHENA.MIT.EDU (Matt Scarborough)
Sat Mar 31 21:18:50 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-ID: <20010330233639.2477.qmail@aw163.netaddress.usa.net>
Date: Fri, 30 Mar 2001 18:36:39 EST
Reply-To: Matt Scarborough <vexversa@USA.NET>
From: Matt Scarborough <vexversa@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
On Wed, 28 Mar 2001 18:31:20 -0500, Floydman <floydian_99@YAHOO.COM> wrote:

>Once these extensions were generated, I examined all 169 455 combinations
>through Windows Explorer, in order to determine the system behavior towards
>these files. The biggest majority of these files turned out to be generic
>file extensions, meaning that no application is associated with them, and
>as such represents no harm in the aspect of this research.

Doing research is cool. Were you surprised by the number of file types
assigned NeverShowExt in the Registry? Searching on that string value is
eye-opening.

As pointed out here
<http://msdn.microsoft.com/library/psdk/shellcc/shell/Shell_basics/FileAssoc.htm>
and here
<http://msdn.microsoft.com/library/books/inole/S119C.htm>
relying on filename, filename extension, or displayed icon, to guard against
malware is suicide. Please see those Microsoft URLs for detailed explanation.

The binary structure of the file matters most. Identifying strings of bytes
(content) within a file (at known offsets) are inspected when the shell
wonders what to do with a file (data stream).

For quick and dirty reference, remember as far back as Word 97 on Windows 95
and beyond, when double clicking a valid Word8 document, even one re-named to
a filename containing no extension at all, MS-Word can launch and display the
file (and thus can execute embedded macro content).

With the myriad of CLSIDs and File Types associated with closed source DLLs
and executables, it is suicidal to rely on a list of file extensions alone for
malware checking.

Every file introduced onto a system, whether via floppy, E-mail, CD-ROM, or
Web Browser, should be checked at that point of introduction for malicious
code *before* it gets to the desktop. The tricky part is how to do that;
trust-based, signature based, sandboxing, whatever.

A company's IT staff enacting some front-line defensive policy based on GUI
clues to the end-user (displayed icon or filename extension) shifts
responsibility for protection away from where it belongs (in IT) to end users:
asking those users to play high stakes Minesweeper and Whack-A-Mole.

I don't like letting Bob down in Marketing bet the corporate farm on the
long-shot of seeing somebody's "Naked Wife."

"Ready staff, remember this is timed and performance based, OK... GO"

Double-click... double-click... double-click... double-click...
double-click... double-click... double-click... double-click...
double-click...double-click...double-click... KA-KA-KA-BOOOOM!!!

"No Sally, that was the virus. You just lost the company a million dollars. Go
back and re-memorize the list of 169 filename extensions and Icons and try
again in a few minutes."

Matt 2001-03-30
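The post's point, that the shell decides what a file is from its bytes while the user only sees a name and an icon, is illustrated below with an added example that is not part of the original message or of any Microsoft code. It sniffs a few well-known magic numbers (the MZ DOS stub of a PE executable, the OLE compound-file signature that a Word 97 "Word8" .doc carries, the ShellLink header of a .lnk), models how a NeverShowExt extension disappears from a displayed name, and flags files whose content disagrees with what the name claims. The set of NeverShowExt extensions and the sample files are constructed assumptions for the example; on a real host you would read the registry instead.

```python
"""Type files by content, not by displayed name (added example)."""
import struct

# Signatures at offset 0. Order matters only where prefixes overlap.
MAGIC = [
    (b"MZ", "pe-executable"),                                   # DOS/PE stub
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound-document"),  # Word8/.xls
    (b"L\x00\x00\x00\x01\x14\x02\x00", "shell-link"),            # .lnk header + CLSID
    (b"PK\x03\x04", "zip-archive"),
    (b"%PDF-", "pdf"),
]

# Assumed list of extensions hidden via NeverShowExt, for illustration only.
NEVER_SHOW_EXT = {".lnk", ".pif", ".scf", ".shs", ".url"}

# What the extension claims the content should be.
EXPECTED_TYPE = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".doc": "ole-compound-document", ".xls": "ole-compound-document",
    ".lnk": "shell-link", ".zip": "zip-archive", ".docx": "zip-archive",
    ".pdf": "pdf", ".txt": "text",
}


def sniff(data: bytes) -> str:
    """Classify by leading bytes; fall back to a printable-text heuristic."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "unknown"


def displayed_name(filename: str, hide_known: bool = False) -> str:
    """Approximate Explorer's display: a NeverShowExt suffix is always dropped;
    other registered suffixes only when 'Hide extensions for known file
    types' is on (hide_known)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename
    ext = "." + ext.lower()
    if ext in NEVER_SHOW_EXT or (hide_known and ext in EXPECTED_TYPE):
        return stem
    return filename


def assess(filename: str, data: bytes, hide_known: bool = False) -> dict:
    """Compare what the name claims with what the bytes are."""
    content = sniff(data)
    _, dot, ext = filename.rpartition(".")
    ext = ("." + ext.lower()) if dot else ""
    claimed = EXPECTED_TYPE.get(ext)
    if content == "pe-executable" and claimed != content:
        verdict = "executable-disguised"
    elif claimed is not None and claimed != content:
        verdict = "extension-mismatch"
    elif content == "pe-executable":
        verdict = "executable"
    elif ext in NEVER_SHOW_EXT:
        verdict = "hidden-extension"
    else:
        verdict = "ok"
    return {"displayed": displayed_name(filename, hide_known),
            "extension": ext, "content": content, "verdict": verdict}


def pe_stub() -> bytes:
    """Constructed minimal DOS header: 'MZ', e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"


# Constructed sample files: (name on disk, first bytes of content).
SAMPLES = [
    ("Naked Wife.txt.exe", pe_stub()),
    ("invoice.doc", pe_stub()),
    ("readme.txt.lnk", b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"),
    ("budget", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("notes.txt", b"Quarterly notes.\r\n"),
]


def scan_samples(hide_known: bool = False) -> dict:
    return {name: assess(name, data, hide_known) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, r in scan_samples(hide_known=True).items():
        print(f"{r['displayed']!r:24} really {name!r:22} {r['content']:22} {r['verdict']}")
```

Run it and "budget" is typed as an OLE compound document with no extension at all, "invoice.doc" is caught as a PE executable wearing a document name, and "readme.txt.lnk" is shown to the user as "readme.txt" regardless of the hide-extensions setting. That is the gap between what Bob in Marketing sees and what the shell will execute.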