Vulnerability Development mailing list archives
stealth executables
From: griffinb () HOTKEY NET AU (Brad Griffin)
Date: Wed, 27 Oct 1999 12:22:38 +1000
Hi all.

I was reading a mainstream newsletter a couple of days ago which had the following article. Forgive me if it is common knowledge (it was a new one for me).

The Danger Of Stealth Executables

"SHS" and other little-known or seemingly-benign file types (often completely ignored by antivirus apps) can disguise malicious executables and macro viruses! A reader from Canada recently had an eye-opening experience that's instructive to us all:

I recently came across something that concerned me VERY much - and could possibly be used to cause damage or execute viruses etc. on a user's machine. Recently, a friend sent me a harmless executable file (it was a sound bite), but it was embedded in an MS Word 97 document. To hear the sound bite was frustrating, requiring me to load MS Word and then double-click on the embedded file. So, in MS Word, I selected the executable that was embedded in the document, copied it and pasted it to my desktop. Not surprisingly, it showed up as an MS Word "Scrap" file. The file extension for scrap files is ".shs". For some reason, Windows hides this file extension. So, with a file named "Scrap" on the desktop, double-clicking it ran the executable without problem. In fact, I tried changing the name of the file to something else, with a different extension (i.e. ".bmp"). Renaming it "test.bmp", the icon remained the same and the new name appeared, once again with the ".shs" extension hidden. Now it appeared as a harmless image file - however, double-clicking it ran the executable as before. Call me paranoid, but could I not do the same thing with a more sinister executable and rename it as a ".txt" file? The "scrap" icon looks like a text file icon - and an unknowing user would open the 'text' file, but really run the executable.

When attaching this type of file to an email message, the extension becomes visible - but an unsophisticated user would go ahead and save the attachment and voila - no more "shs" extension! Looks fine! Double-click and whammo.

Windows normally hides the SHS extension (you have to select file/properties to see it); many users have never even heard of it. Thus, even though SHS files can contain directly executable content, users might well click on an SHS file (disguised or not) without a second thought. What's more, many commercial antivirus apps do not scan SHS files by default, and must be manually adjusted to include "Scraps" in their scans.

And it's not just SHS files. Trojan-horse infectors can reside in a wide variety of files with little-known, or seemingly-benign file extensions. For example, if you follow antivirus activity, you may recall that a few months back some malicious souls started circulating the Melissa virus in RTF rather than the more common DOC files. Some enterprises and users who had religiously updated their virus definitions to include the Melissa signature got infected anyway because their antivirus apps, by default, didn't scan RTF files. (By the way, two new strains of Melissa were discovered just last week, so it's a safe bet that the RTF exploit will turn up again, and soon.)

I checked the major antivirus vendor sites and found very little on SHS and similar vulnerabilities. The Symantec/Norton site did have some information buried pretty deep, but a search of the Computer Associates, Trend Micro and McAfee antivirus sites, for example, turned up exactly zero hits on "SHS."
Brad Griffin
Infotech undergrad & e-mail addict
CQU Rockhampton, Australia
Useful links: http://www.pgpi.org/ http://spamcop.net/ http://www.avp.ru/
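The hiding behaviour described above (a scrap file renamed "test.bmp" still has a concealed ".shs" extension) can be checked from the defender's side by comparing a file's real extension with the name Explorer would display. The script below is an added example, not part of the original post; the set of hidden extensions and the sample file listing are constructed assumptions for the demonstration.

```python
"""Flag files whose real extension Windows Explorer hides (the ".shs" scrap
case from the post), so the name a user sees suggests a harmless type.
Added example; the hidden-extension list is a constructed assumption."""
import os
from typing import List, Tuple

# Extensions Explorer drops from the displayed name.  Constructed for this
# example; a real check should read the NeverShowExt markers from the registry.
HIDDEN_EXTENSIONS = {".shs", ".shb", ".lnk", ".pif"}

# Constructed sample listing: two scrap files renamed to look like an image
# and a text file, one bare "Scrap", and three ordinary files.
SAMPLE_LISTING = [
    "Scrap.shs",
    "test.bmp.shs",
    "readme.txt.shs",
    "holiday.bmp",
    "notes.txt",
    "setup.exe",
]


def displayed_name(filename: str) -> str:
    """Name Explorer would show: the hidden extension is stripped."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in HIDDEN_EXTENSIONS else filename


def find_disguised(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Return (real name, displayed name, apparent extension) for every file
    whose true extension is hidden.  The apparent extension is what the user
    believes the file type to be ("" for a bare name such as "Scrap")."""
    hits = []
    for name in filenames:
        shown = displayed_name(name)
        if shown == name:
            continue  # extension is visible; nothing is being masked
        apparent_ext = os.path.splitext(shown)[1].lower()
        hits.append((name, shown, apparent_ext))
    return hits


if __name__ == "__main__":
    for real, shown, apparent in find_disguised(SAMPLE_LISTING):
        label = apparent or "no extension"
        print(f"{real!r} is displayed as {shown!r} (looks like: {label})")
```

Run it against a directory listing from a mail attachment folder to surface scrap files that present themselves as images or text.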