Author: Uzi Paz
E-Mail: for e-mail contact: user is uzi4wg and domain is uzipaz.com
First version date: 20 July 2000
Recent version date: 20 May 2002
Legal Notice: While as far as I know all the information here is exact and correct, as I'm giving this information as a free service, I'm taking no responsibility.
Parent Page: Uzi Paz home page on http://www.uzipaz.com
1. Introduction
Most of us know that we cannot get infected by viewing a simple text file (with extension .txt) or by viewing a JPEG or a GIF file (extensions .jpg or .gif). Even if a text file contains the code of a virus, viewing it does not execute that code, so it cannot do any harm. For this reason, files with filename extensions such as .txt, .jpg, .gif, and many others are considered safe for viewing, and there is no risk in viewing them.

While this is correct in practice, there are many complications due to the various tricks which viruses use in order to hide their real type and to trick us into believing that they are in a harmless format (such as JPG, GIF, etc.). This document discusses those tricks and possible remedies.
2. What's Between Filename Extensions and Security
Windows uses the extension of a file in order to choose how to open it and with which program. If the extension of the file is .txt, Windows is likely to open it with Notepad; if the extension is .doc, Windows is likely to try to open it with MS-Word, and so on. The programs themselves usually open the file and process it according to the body of the file.

If Windows executes the file, or a program executes some instructions in the file, those instructions may or may not be harmful. A JPEG file contains only instructions on how to draw a picture, and the JPG viewing program that is launched to open it is supposed to read the instructions in this file according to the rules of that file type and follow them. Since a JPG contains no instructions other than how to draw the picture, the viewing program will understand only those instructions and will therefore do no harm to the computer. This is the reason why, for example, .jpg files are safe.
3. Double Extensions, and Icons
Windows, and also programs such as older versions of Outlook and Outlook Express, by default show filenames without their extensions. If a virus or a worm sends itself as an e-mail attachment with the filename picture.jpg.vbs (just an example), your e-mail program in many cases (depending on its settings) omits the extension (.vbs) and shows the file as picture.jpg. This might mislead you into thinking that this file is a harmless JPG file, while in fact opening it or double-clicking it will cause it to run as a .vbs file (.vbs is the extension of a Visual Basic script, which is executable code that may include harmful instructions). Such tricks are very popular and are used by many viruses to cloak their true nature. Most of the e-mail viruses and worms of the years 2000-2001 used similar tricks.

Two comments can be made about this.
a) If your Windows is set to hide extensions, then any appearance of an extension in a filename should make you suspect it. But what about a file that does not show an extension? How do we know its exact type? By identifying its icon? We shall see in the next few lines.
b) In many cases, although the filename's extension might look like something legitimate, the icon will not fit the apparent nature of the file.
While most viruses can be identified as such by not having the expected icon, it should be pointed out that an executable file of type .exe (and maybe some other types) may set its own icon to one that it holds internally. This allows a virus to set a misleading icon; for example, it may set its icon to be the standard icon of a JPG file. An example of a virus that uses a similar trick is the Nimda virus.

Thus we cannot fully trust icons to reveal the true nature of a file, and we should look for a way to set Windows to show us the file with its full extension. If we succeed in setting it that way, we can see the true extension of the file, and thus know how it will be opened.
4. How to Show Filename Extensions for Known File Types
Many people have found the way to do it. Microsoft allows us to set Windows so that it will show the extensions of files. This also affects programs such as the relevant versions of Microsoft Outlook and Outlook Express.

How to do it: open "My Computer", open the "View" menu and choose "Folder Options". Unless you set specific folders differently, they will behave the way you set here. In the "Folder Options" window, choose "View" and uncheck "Hide file extensions for known file types". Press "Apply" or "OK" and voila! Suddenly you see "all" your files with their full filename extensions. This way you can immediately see the file type of each of your files, and this will reveal its true nature.

Just when you are about to say that the problem is solved, you may still notice two things. One is that I enclosed "all" in quotes, and the other is that you are still in the middle of this document. It certainly hints that this is not the end of the story. Many people thought that by unchecking "hide extensions" all extensions will now be revealed. But when it comes to Microsoft, nothing is so simple.
5. Extensions Which Are Set to Override "Show Filename Extension"
In the middle of the year 2000, a virus running in the wild made a lot of noise. This virus is called the "LifeStages" virus. The full name of the virus file is Life_Stages.txt.shs. You may see the double extension, which suggests that it tries to disguise itself as a plain text file. The .shs extension is the extension of a Shell Scrap object. A file with this extension may execute harmful instructions, and thus might be a virus.

The surprising thing about this virus was that its .shs extension was hidden even if you set your Windows not to hide extensions of known file types (the way we described above). It turns out that .shs is not the only extension that is hidden even if you set your Windows to show all file types. Other filename extensions such as .shb, .mad, .mam, .pif, .url and a few others were also hidden. For some of them you may see a small arrow in their icon, which is typical of shortcuts, but not for all of them. Some of those extensions are related to specific Office applications, and if you did not install those applications, those file types will not be executed. The Life_Stages virus was executed, and spread very fast at that time.

The next question is likely to be: "Can we set Windows so that it will also show us those filename extensions, such as .shs?" Happily, the answer is "yes". It is much less easy, though, than it was with the other extensions. It has to do with tweaking the registry files, but it is possible, and we shall explain how to do it shortly. First, let us say a few words about the registry and tweaking it, for those who do not know what I'm talking about.
6. A few Words about the Registry (you may skip this if you have experience with regedit)
Windows basically uses two files to hold all its definitions and settings regarding software, hardware, user preferences, etc. Their names are user.dat and system.dat. (In some multiuser operating systems, the maintainer may define further optional "policy" registry files, but there is no need for us to go into this.) Those two files are hidden system files. The most common way to change the settings in them is by using a program called "regedit". We will explain what changes should be made in them in order to set Windows to show also extensions such as .shs.

In order to open regedit, press "Start", then "Run", type "regedit" (without the quotes) and press "Enter". This will open the registry editor called "regedit".

A few words of caution regarding the use of "regedit". The registry files are huge files with a lot of information in them, regarding everything from hardware settings to software settings and user preferences. The information held in those files is logically spread over branches, each of them made of sub-branches, and at the end there are many keys. Each key includes various "value names", each of which holds some "value data" (value data might be empty). For example, the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
(branch: HKEY_LOCAL_MACHINE, sub-branch: Software, etc.) includes various values, each of which has a name and data. The value with value name "ProductKey" will have as data the authorization code of your Windows (i.e. the password that you typed when you installed Windows).

Since the most crucial settings are held in the registry, a mistake such as changing or deleting the wrong key or value may cause Windows to develop quirks, or even not to load at all. It is thus recommended that before you make any changes to the registry using regedit, you read the help file very carefully, and especially read how to back up the registry, how to revert to the backup in case you made a wrong change, and how to restore from the backup when Windows does not load. It is recommended, especially for people who are not experienced in registry tweaking, to always back up before making any changes. There is no confirmation prompt or pop-up for changes that you make: once you have typed something, it is changed. Sometimes the change applies immediately, and sometimes only after restarting Windows.
7. Removing the "NeverShowExt" Registry Entry
In our case, in regedit, we should use the "Find" option (Ctrl-F) and "Find again" (F3) to search for registry values with the name "NeverShowExt". For a specific filename extension (see where this value name exists), the value name "NeverShowExt" means that for this filename extension Windows will not show the extension even if you set Windows to show all extensions, and a value name "AlwaysShowExt" means that the extension will be shown even if you set Windows to hide extensions of known file types.

You may thus scan for appearances of "NeverShowExt", and for those file types whose full filename extension you wish to see, either delete the value name "NeverShowExt" or change it to "AlwaysShowExt". After making those changes and exiting regedit, you need to restart Windows in order for them to apply, and voila: extensions such as .shs, .pif, etc. are now visible too.
Comments:
7a. I use the term "registry key" only for the part which is in the left pane in "regedit", while the name of the entry in the right pane is called "value name" and the value of that entry is called "value data". By using this terminology, I adopt the formal terminology that is used in "regedit". This terminology however confuses some people, because many people use the term "registry key" for the combination of "registry key" + "value name", and use the term "value of that registry key" for the "value data".
7b. People who changed all appearances of "NeverShowExt" found that all shortcuts got an extension, usually ".lnk", and that without this extension the shortcuts are not identified as shortcuts. They usually find it rather annoying. I can make two comments regarding this. The first comment is that people should be aware that extensions such as .lnk and .pif should be treated as executable extensions, and that viruses can hide inside files with these extensions and be executed once you double-click such files. The second comment deserves a number of its own (comment 7c).
7c. For some of the appearances of "NeverShowExt" you may find another entry (value name) called "IsShortcut". This entry tells Windows to add a shortcut arrow to the icon. This icon can identify a file as an executable, saving us from the need to remove "NeverShowExt" from shortcut extensions. There is a way to set Windows so that even if an "IsShortcut" entry exists for some file types, the shortcut arrows will not appear. If, however, you do see shortcut arrows for those file types, then it means that you may use them also as an identifier of file types that should be treated as potentially executable.
8. ClassIDs As Extensions
Is this the end of the story? No... Not yet.

In March 2001 a new virus was found. The virus is called Postcard. The virus is polymorphic (may change its form), but one of the many names under which it appears is:
postcard.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
Notice that the extension does not look like a typical extension. It is a code enclosed in curly brackets. What is written in such a structure (as the extension of a filename) is in fact a class ID (classid) of some kind of object. By having this classid, the filename tells Windows what object it is. It happens that when a file has its classid as an extension, Windows will not show its true extension regardless of any of the settings we've learned thus far. At the moment of writing this document, I still don't know how to tell Windows to show the extension of this kind of file as well. It will thus appear as a .tif file (a graphical format which is known to be harmless). A harmless example of this trick can be found and tested on the site of Georgi Guninski.

The nature of the filename extension will still be visible when you right-click the file while it is selected, choose "Properties", and look at its MS-DOS name. The MS-DOS name will have the first three characters of the correct filename extension.
9. Right Truncations
Another trick which is used in various programs to hide the true extension of the file is to give the file a name such as:
"picture.jpg                                        .vbs"
Notice that many blanks separate the true file type (vbs) from the faked one (jpg). Some programs, when showing the name of a file, open a window of a finite size, and everything beyond that size is truncated. Older versions of ICQ, and newer versions of Microsoft Outlook and of Outlook Express, are vulnerable to this trick. A file such as in the example above will be seen as "picture.jpg" and will thus be assumed to be safe. A virus named Shoho uses this method to trick users into executing it.
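The display rules described in sections 3 through 9 can be checked mechanically. The following Python script is an added example, not code from the original article: it computes the name Explorer or a mail client would show under given settings (the "hide known extensions" checkbox, NeverShowExt, a class-id extension, a fixed-width display box) next to the extension Windows actually dispatches on. The extension sets in it are assumptions drawn from the extensions this article names; the real list of registered extensions on a given machine is longer.

```python
import re

# Extensions this article treats as executable (opening such a file runs code).
# Assumed subset for the example; the real list is longer.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js", ".shs",
                   ".shb", ".lnk", ".url"}
# Extensions "known" to Windows, i.e. registered with a handler (assumed sample).
KNOWN_EXTS = EXECUTABLE_EXTS | {".txt", ".jpg", ".gif", ".tif", ".doc", ".mpg", ".zip"}
# Extensions whose class carries NeverShowExt by default (section 5).
DEFAULT_NEVER_SHOW = {".shs", ".shb", ".pif", ".url", ".lnk"}
# Section 8: an "extension" that is really a class id in curly brackets.
CLSID_EXT = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def split_name(filename):
    """Split the way Windows does: everything after the LAST dot is the extension."""
    base, dot, ext = filename.rpartition(".")
    return (base, "." + ext) if dot else (filename, "")


def dispatch_extension(filename):
    """The extension Windows uses to pick the handler: the last one, lower-cased.
    Blanks before the final dot belong to the base name, so
    'picture.jpg      .vbs' dispatches on .vbs."""
    return split_name(filename.rstrip())[1].lower()


def displayed_name(filename, hide_known=True, never_show=DEFAULT_NEVER_SHOW,
                   known=KNOWN_EXTS):
    """Name as Explorer / Outlook Express renders it under the given settings."""
    base, ext = split_name(filename)
    low = ext.lower()
    if CLSID_EXT.fullmatch(low):      # section 8: hidden regardless of any setting
        return base
    if low in never_show:             # sections 5 and 7: NeverShowExt overrides the setting
        return base
    if hide_known and low in known:   # sections 3 and 4: the Folder Options checkbox
        return base
    return filename


def truncated_display(filename, width):
    """Section 9: a client that draws the name in a box of `width` characters shows
    only the first `width` characters; padding blanks push the real extension out."""
    return filename[:width].rstrip()


def assess(filename, **display_settings):
    """Compare what the user sees with what Windows will do, and list the tricks found."""
    name = filename.rstrip()
    shown = displayed_name(filename, **display_settings)
    real = dispatch_extension(filename)
    warnings = []
    if name.count(".") >= 2:
        warnings.append("double extension")
    if CLSID_EXT.fullmatch(real):
        warnings.append("class-id extension")
    if re.search(r"\s+\.[^.]*$", name):
        warnings.append("blanks padded before the real extension")
    if shown != name:
        warnings.append(f"extension hidden in display: shown as {shown!r}")
    return {
        "shown": shown,
        "dispatch_ext": real,
        "executable": real in EXECUTABLE_EXTS or CLSID_EXT.fullmatch(real) is not None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed names modelled on the article's examples.
    for sample in ("picture.jpg.vbs", "Life_Stages.txt.shs",
                   "postcard.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
                   "picture.jpg" + " " * 30 + ".vbs", "readme.txt"):
        print(sample, "->", assess(sample, hide_known=False))
```

The `hide_known` default of True mirrors the Windows default described in section 3; passing `hide_known=False` simulates the Folder Options change of section 4, and `never_show=set()` simulates the registry change of section 7. Note that even with both applied, the class-id name is still shown without its extension, which is exactly the gap section 8 describes.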
10. Files that have the Wrong Extension
While Windows uses the extension to decide with which program to open each file, those programs themselves in many cases use the header of the file itself (the first few bytes in the file) rather than the filename extension to identify its nature. This might be used as a trick in the case of programs that open both file types that might contain executables and file types that cannot.

There is a known issue regarding this. MS-Word files may contain (executable) macros and embedded executable objects. WordPad is a standard program by Microsoft that can open and read Word files. Luckily, at the moment, unlike MS-Word, it does not handle internal macros, and it does not open the embedded objects automatically. WordPad is also the standard text editor for those .txt files that are too big for Notepad to open. If a file with the extension .txt is too big for Notepad to open, the user is prompted to open this .txt file with WordPad. Now, let us assume that someone sends you a Word document that contains executable parts, but instead of giving it the extension .doc, he chooses to give it the extension .txt. Windows will assume that it is a text file and will try to open it with Notepad. Notepad will find that this .txt file is too big for it, and will refer you to open it with WordPad. But WordPad, when trying to open it, will identify it according to the internal header of that file, which says that this is a Word document, and will open it as a Word document. At the moment there is no direct risk here, because WordPad cannot handle internal macros, and because embedded executable objects will not be run automatically by WordPad. See, however, comment 10a below.

But there is a general moral here. If some program supports executable formats, all filename extensions that are set to be opened by it should be treated as executable file types. For example, suppose that at some time Microsoft adds to its Windows Media Player support for a new media file type that allows the execution of commands that might be harmful. The implication will be that all file types that are set to be opened and viewed by Windows Media Player would have to be treated as executables. So even if at the moment an MPEG (.mpg) file can be opened without risk, if in the future Media Player adds support for some other file type, with some other extension, that allows executable commands, MPEG files would no longer be safe to open: if a file of this new format is given the incorrect extension .mpg, you might think that it is safe, but Windows Media Player will open it not as an MPEG file but rather as the file that can execute harmful commands.
There is also an issue regarding Windows Media Player, which under some environments may allow any media file opened by Windows Media Player to execute some local files (depending on their extensions, but including some executable extensions), as long as the name and path of the file are given in that media file. The issue has to do with the ability of .wmv files to refer to an Internet address (the accurate term should be URL rather than "Internet address"). This address can also be the location of a local file on the computer. In such a case, the .wmv file can instruct Windows Media Player to execute a local executable file, as long as the location and name of the file are given in the .wmv file. As you should already know, the WMV file may have any extension as long as it is opened by Windows Media Player. There is a way to block exploitation of this security hole, and it involves tweaking the registry keys. The instruction is relevant to Internet Explorer versions 4 and above. It has to do with disabling "Download unsigned ActiveX controls" in the "My Computer" security zone.

We shall not give a full explanation here, but only comment that this activity is done with the help of components from Internet Explorer. The needed tweak is to use a registry editor and, in the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
change the value of the "1004" entry to contain a DWORD value of 3. ("HKCU" stands for HKEY_CURRENT_USER.)
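Sections 6 and 7 describe the registry layout (key, value name, value data) and the hunt for "NeverShowExt", and the paragraph above describes the zone 0 "1004" tweak. The following Python script is an added example, not code from the article: it parses a registry export in the REGEDIT4 text format that regedit's "Export" command writes, reports which registered extensions are hidden by NeverShowExt and which also carry IsShortcut, checks the zone 0 setting, and produces the .reg fragment that would delete the offending values ("name"=- is regedit's delete-a-value syntax). The export excerpt is constructed for the example; the value names are the ones the article discusses, and the class names (ShellScrap, lnkfile, txtfile) are sample values.

```python
# Constructed excerpt of a regedit export (REGEDIT4 format), not a real machine's.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"NeverShowExt"=""
"IsShortcut"=""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
"""

# The "My Computer" zone key from section 10, with HKCU written out in full.
ZONE0 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"


def decode_data(data):
    """Value data as regedit writes it: "string", dword:hex, or '-' (delete marker)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data == "-":
        return None
    return data  # hex(...) binary data and other types are kept raw


def parse_reg(text):
    """Return {key: {value_name: value_data}}. '@' is the key's default value.
    This follows the article's terminology: the key is the left pane of regedit,
    value names and value data are the right pane."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = decode_data(data)
    return keys


def apply_fragment(keys, fragment):
    """Merge a .reg fragment into a parsed registry; a None value deletes the name."""
    for key, values in parse_reg(fragment).items():
        target = keys.setdefault(key, {})
        for name, data in values.items():
            if data is None:
                target.pop(name, None)
            else:
                target[name] = data
    return keys


def extension_visibility(keys):
    """For each registered extension: its class (ProgID) and the show/hide flags on it."""
    report = {}
    for key, values in keys.items():
        hive, _, sub = key.partition("\\")
        if hive != "HKEY_CLASSES_ROOT" or not sub.startswith(".") or "\\" in sub:
            continue
        progid = values.get("@", "")
        flags = keys.get("HKEY_CLASSES_ROOT\\" + progid, {})
        report[sub.lower()] = {
            "progid": progid,
            "never_show_ext": "NeverShowExt" in flags,
            "always_show_ext": "AlwaysShowExt" in flags,
            "is_shortcut": "IsShortcut" in flags,
        }
    return report


def unhide_fragment(keys, keep_shortcut_arrows=True):
    """REGEDIT4 text deleting NeverShowExt wherever it appears. With
    keep_shortcut_arrows=True, classes that also carry IsShortcut are left alone,
    following comment 7c: the arrow already marks them as executable."""
    lines = ["REGEDIT4", ""]
    for key in sorted(keys):
        values = keys[key]
        if "NeverShowExt" not in values:
            continue
        if keep_shortcut_arrows and "IsShortcut" in values:
            continue
        lines += ["[" + key + "]", '"NeverShowExt"=-', ""]
    return "\n".join(lines)


def unsigned_activex_download_disabled(keys):
    """Section 10 tweak: value 1004 ('Download unsigned ActiveX controls') in
    zone 0 must be DWORD 3, which the article gives as the disabled setting."""
    return keys.get(ZONE0, {}).get("1004") == 3
```

Running `unhide_fragment` on the sample yields a fragment that touches only ShellScrap, because lnkfile also carries IsShortcut; applying it with `apply_fragment` and re-running `extension_visibility` shows .shs no longer hidden while .lnk keeps its arrow. The same fragment text is what one would import with regedit after taking the backup section 6 insists on.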
Comments:
10a. Inside a Word file or an RTF file there might be executable files that will be executed if double-clicked. In the case of a Shell Scrap object, it is possible to change its icon and its label, and worse, the label can be set to be empty and the icon can be set to be totally transparent. This means that if you double-click anywhere inside a file opened with WordPad or with MS-Word, you should first check that this double-click will not execute an unwanted executable, even if it doesn't look like that, and even if the file has a .txt extension and is opened in WordPad only because it is too big for Notepad. Before double-clicking on an area inside those programs, you can right-click on that area and choose to edit the object (it is sometimes called "edit package"). By doing this, you will see the details of the packaged object. There is also a claim that many antivirus programs fail to identify viruses when they are packed this way inside an Office document.
11. MIME Types
In e-mail and other applications, a file or object can identify its nature either by its filename extension or by something called a MIME type. MIME was originally planned as an e-mail extension to allow sending non-text objects via e-mail. For each object, a description of the type of the object is also defined in the MIME header.

What happens if an object has an extension which is related to one file type, and a MIME content type which defines it as having a different file type? Will it be interpreted according to its extension, or according to its MIME header? In Windows, the extension has priority over the MIME content type (although some exceptions were found, treated as security holes, and a patch to fix them has been released). This is safer, because it prevents us from being misled by an incorrect filename extension. We still have to be aware of cases where there is no extension or the extension is not known to Windows. A file with the extension JEPG might fool us into believing it to be a JPEG file, but its extension will not be known to Windows. If it is sent via e-mail with the MIME type of an executable, it might be executed when we open it believing it to be a harmless JPEG file.

A situation where a file is identified at one stage by its MIME type and at another stage by its filename extension may lead to serious security holes. For example, some versions of Internet Explorer decided whether a file linked to a web page should be opened automatically or not by its MIME type. Hence if the MIME type was that of an audio file, Internet Explorer might open the file automatically regardless of its filename extension. This would not be a problem if the file were also opened according to its MIME type. Yet, once the file is opened, it is opened according to its filename extension. So by supplying a file with the MIME type of an audio file (a harmless format) but with the filename extension of an executable format, it is possible for an HTML file (e.g. a web page) to cause Internet Explorer to automatically execute a file when opening the web page. This trick was used by the Nimda worm. Microsoft has already offered a patch to fix this security hole (see the link to the Nimda worm for further information).
12. Unregistered Extensions
It is very important to understand that rather than maintaining some finite list of extensions which are unsafe (let us call it a black list of extensions), i.e. files with those extensions might contain harmful code that will be executed if you open the file, it is better to treat as safe only those filename extensions which are registered in Windows to be opened by programs that will not execute harmful code if there is such inside the file (let us call it a white list of extensions).

The reason for making this point lies in the case of unregistered extensions. A filename without a registered extension (i.e. Windows does not associate its extension with a program that opens it, or a way to open it) might still be opened according to the header of the file (the first few bytes in the body of the file). You may try to take some Office document and change its extension to some extension which Windows does not recognize. You might be surprised that by double-clicking it, it will still be opened by the appropriate Office application.
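Sections 10 through 12 describe three different answers to the question "what type is this file": the filename extension (what Windows dispatches on), the MIME content type (what a mail client or browser may decide on), and the file header (what a sniffing program such as WordPad decides on). The following Python script is an added example, not code from the article: it takes a constructed MIME message, pulls each attachment's name, declared content type and first bytes, and reports where the three disagree, applying the rule from section 11 that the extension wins unless Windows does not know it. The handler, MIME and magic-number tables are assumptions covering only the formats the article mentions, and the attachment names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js", ".shs", ".lnk"}

# What the extension claims (assumed table, only the article's formats).
EXT_FORMAT = {".txt": "text", ".doc": "ole2", ".rtf": "rtf", ".jpg": "jpeg", ".jpeg": "jpeg",
              ".gif": "gif", ".tif": "tiff", ".mpg": "mpeg", ".wav": "wav", ".zip": "zip",
              ".exe": "pe", ".com": "pe"}
# What the MIME content type claims (assumed table).
MIME_FORMAT = {"text/plain": "text", "application/msword": "ole2", "image/jpeg": "jpeg",
               "image/gif": "gif", "audio/x-wav": "wav", "application/zip": "zip",
               "application/x-msdownload": "pe"}
# What the first bytes say. The OLE2 signature is what WordPad recognises as a Word
# document regardless of the .txt extension (section 10).
MAGIC = [(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"), (b"{\\rtf", "rtf"),
         (b"\xff\xd8\xff", "jpeg"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
         (b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"RIFF", "wav")]
# Formats that can carry executable content (native code, macros, packaged objects).
CAN_RUN_CODE = {"pe", "ole2", "rtf"}


def extension_of(filename):
    base, dot, ext = (filename or "").rpartition(".")
    return ("." + ext).lower() if dot else ""


def sniff(head):
    """Identify the format from the first bytes of the file body."""
    for magic, fmt in MAGIC:
        if head.startswith(magic):
            return fmt
    if head and all(b in b"\r\n\t" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def assess(filename, content_type, head):
    """Reconcile extension, MIME type and header; list the disagreements."""
    ext = extension_of(filename)
    by_ext = EXT_FORMAT.get(ext) or ("pe" if ext in EXECUTABLE_EXTS else None)
    by_mime = MIME_FORMAT.get((content_type or "").lower())
    by_head = sniff(head)
    # Section 11: the extension decides; the MIME type only matters for an
    # extension Windows does not know.
    effective = by_ext if by_ext is not None else by_mime
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"extension {ext} is executable")
    if by_ext is None:
        findings.append(f"extension {ext or '(none)'} is not registered: "
                        "handler chosen by MIME type or file header")
    if by_mime and by_ext and by_mime != by_ext:
        findings.append(f"MIME type claims {by_mime} but extension says {by_ext}")
    if by_head != "unknown" and by_ext and by_head != by_ext:
        findings.append(f"header is {by_head}, not {by_ext}: "
                        f"a sniffing program opens it as {by_head}")
    if by_head in CAN_RUN_CODE or effective in CAN_RUN_CODE:
        findings.append("content can carry executable parts: treat as executable")
    return {"extension": ext, "by_extension": by_ext, "by_mime": by_mime,
            "by_header": by_head, "effective": effective, "findings": findings}


def assess_attachments(raw_message):
    """Run assess() over every attachment of an RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {part.get_filename(): assess(part.get_filename(), part.get_content_type(),
                                        part.get_payload(decode=True)[:16])
            for part in msg.iter_attachments()}


def build_sample_message():
    """Constructed message with three attachments modelled on the article's cases."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    # Section 10: a Word (OLE2) document renamed .txt, declared as plain text.
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
                       maintype="text", subtype="plain", filename="report.txt")
    # Section 11 (the Nimda trick): executable extension, harmless audio MIME type.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="audio", subtype="x-wav",
                       filename="sample.exe")
    # Sections 11 and 12: misspelt, unregistered extension with an executable MIME type.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="x-msdownload", filename="photo.jepg")
    return msg.as_bytes()
```

For a mail gateway the useful output is the `findings` list: an empty list means extension, MIME type and header all agree on a format that cannot carry code, which is the white-list condition section 12 argues for; anything else is a reason to treat the attachment as executable no matter how its name reads.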
13. Confusion between URLs and Filenames
Sometimes, even if you know everything, it might still be possible to trick you. What does the following name tell you: www.myparty.yahoo.com ? If you got the MyParty virus via e-mail from a friend, you might have seen such a "link" and double-clicked it in order to enter that site. Yet this was not a link but rather an attached file with the name "www.myparty.yahoo.com". This name has the extension ".com", which is an executable extension.
14. Buffer Overflow
Even if some file type does not contain executable commands, so that the program will not interpret parts of it as executable instructions and act upon them, programs might still have bugs (programming mistakes) that will cause problems in some situations. The most common situation is when the file has some structure (usually one that is illegal according to the rules for building files of its type) that is not expected by the program that opens it, and that causes the program to crash or to behave in a manner in which it shouldn't. For example, if a picture file provides coordinates for some viewable object which are beyond the physical coordinates of the picture, it is in theory possible that the program will try to put the object outside the area of the picture. The right thing is for the program to first check that the coordinates are within the area of the picture, but if by mistake the program does not check it, it might put the data of this object in a location in memory where the picture does not exist. If this is the case, then the place where the program put the object might be an area which is used by the program code itself. If this data is not really a drawable object (although it claimed to be so) but rather executable code, the fact that it was put (because of the illegal coordinates) outside the region which belongs to data, and in a region which belongs to the program, might cause this code to be executed.

It is more likely that if an object has some illegitimate values (such as incorrect coordinates), it will either cause the program to identify that something is wrong, or will mess up the program and cause it to crash. The developer of the data file must know more about the viewing program in order to identify how to make this code execute its malicious contents. Besides, different versions of the viewing program may treat illegal content differently, and while it may cause all of them to crash, it may not cause all of them to execute the commands that the person who designed that file wanted them to execute.

As a result, when it comes to files such as .mpg, .jpg, .txt, .gif, etc., the risk of executing arbitrary commands by letting the file have some contents which will not be expected by the program that opens them is not high. There is a bigger chance of causing that program to crash. Yet it would not surprise me if sometime in the future some viruses use such security holes.
15. Security Zones
We are used to opening HTML files when viewing web pages. We think that it is not risky, but Microsoft walked on the edge when they decided that, depending on the source of the information, it will set different authorizations for it ###
16. Zip Files As a Way to Bypass Security Measures
One of the few filename extensions that will be opened without problems also in newer versions of Outlook Express is the ZIP filename extension. This filename extension generally serves for holding compressed files or archives of files. Setting aside a few security holes that were found and fixed in some programs for opening ZIP files, a ZIP file by itself is not an executable file. Yet it might contain in its archive files which are executable. Due to the above mentioned protection measures that Microsoft has employed, virus authors moved to writing viruses that spread themselves as ZIP-compressed executable files. Now they only need to convince the user to open the ZIP file and execute the executable within. Lots of "social engineering" tricks are used to convince the user to open those executables within the ZIP files, and people who are novice enough to try to open executable attachments directly were also found to be likely to open them from within ZIP files.

But while virus authors started to write viruses that spread in ZIP format, they realized that it is possible to trick organizational antivirus programs using the features of the ZIP format. We are speaking about the fact that ZIP files can be encrypted. Viruses such as some variants of the Bagle virus put the infected executable inside a password-protected ZIP file, while giving the password in the body of the message. The disadvantage is that it might be harder to convince users to open a password-protected ZIP file than a non-protected one. The advantage for virus authors is that organizational antivirus programs might have problems identifying how to open the password-protected ZIP file in order to check it. For the most common viruses, antivirus programs have found a way to identify the viruses, but it definitely makes it harder for them. Some organizations use antivirus programs only on the Internet gateways, believing that if everything was found to be clean at the gates, then everything is safe. This false assumption made those companies more vulnerable to viruses that use such tricks.
When you save a file from the Internet, using practically any Internet application that I have tested, it is saved in a manner that will make the file visible to the typical user. But not all files are visible to the typical user (the one who uses the default Windows settings). It is possible for a program to save a file and to set it as a hidden file; in such a case, under Windows' default settings, the file will not be shown. The good news is that it also means that you cannot open it by simply double-clicking on its icon. It can still be opened (executed) by other means, such as by other programs, or by running it from the Start/Run menu. Saving files with the aid of another program is one way they can become hidden. Many archive formats such as ZIP record for each of the archived files whether it should be set as a hidden or as a system file. Under some configurations of decompression programs, these attributes are respected. This means that when you open or extract archive files (such as ZIP files), it might be that not all the files that were extracted from the archive are visible under the default Windows settings. They should still be visible when you just open the archive, before extracting its contents.
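Section 16 and the paragraph above point at three things worth knowing about a ZIP attachment before anyone extracts it: does it contain executable file names, are any entries encrypted (so a gateway scanner cannot look inside them), and do any entries carry the MS-DOS hidden or system attribute that a decompressor may honour on extraction. The following Python script is an added example, not code from the article: it builds a constructed archive with the standard library and audits it from the central directory alone, without extracting anything. Since zipfile cannot write password-protected entries, the sample marks one entry as encrypted by setting the general-purpose flag bit on its central-directory record by hand; the attribute bit values are the MS-DOS ones that ZIP stores in the low byte of external_attr for archives made on DOS and Windows.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".js", ".shs", ".lnk"}
FILE_ATTRIBUTE_HIDDEN = 0x02    # MS-DOS attribute bits, low byte of external_attr
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20
ENCRYPTED = 0x0001              # general-purpose bit 0 in the entry header


def extension_of(name):
    base, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot and "/" not in ext else ""


def audit_zip(data):
    """Inspect every entry's central-directory record; nothing is extracted."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            attrs = info.external_attr & 0xFF
            entries.append({
                "name": info.filename,
                "executable": extension_of(info.filename) in EXECUTABLE_EXTS,
                "encrypted": bool(info.flag_bits & ENCRYPTED),
                "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
            })
    return {
        "entries": entries,
        "has_executable": any(e["executable"] for e in entries),
        "has_encrypted": any(e["encrypted"] for e in entries),
        "has_hidden": any(e["hidden"] or e["system"] for e in entries),
    }


def build_sample_archive():
    """Constructed archive: one plain text file, one executable flagged hidden,
    one executable whose central-directory record says 'encrypted'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed, harmless text")

        hidden = zipfile.ZipInfo("picture.jpg.exe", date_time=(2002, 5, 20, 0, 0, 0))
        hidden.external_attr = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_ARCHIVE
        zf.writestr(hidden, b"MZ" + b"\x00" * 30)   # placeholder bytes, not a program

        locked = zipfile.ZipInfo("invoice.exe", date_time=(2002, 5, 20, 0, 0, 0))
        zf.writestr(locked, b"MZ" + b"\x00" * 30)
        # zipfile cannot produce real encryption. Setting the flag on the ZipInfo
        # after writing makes the central directory (written on close) carry it,
        # which is all infolist() reads; the data itself stays unencrypted.
        locked.flag_bits |= ENCRYPTED
    return buf.getvalue()
```

The point of working from the central directory is that it is available even for encrypted entries: a gateway that cannot decrypt the payload can still see that the archive holds an .exe it cannot inspect, and can quarantine or flag it rather than pass it as "clean", which is the false assumption the section above describes.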
The way to unhide, ###
18. NTFS Alternate Data Streams
19. Special Filenames
20. Summary
While using the extension to identify whether the file we wish to open can safely be opened is a common method, most people are not aware of all the complications that this method has. Tricks using double extensions are better known, and in fact help some antivirus programs to identify suspicious files, but more sophisticated tricks exist, and others are still a potential risk.

In this article we tried to summarize the different methods in which viruses try to hide their executable nature, and the various ways to reveal it. Those tricks, and the fact that in the ever changing world of computers the white list and black list of filename extensions keep changing with the emergence of newer and more sophisticated applications, made some security experts disregard filename extensions as a method for identifying potentially risky files. But security is not a black and white issue, and in many cases it is not practical to ignore the filename extension in our decision on how to treat a file that we receive.

Anyway, as another lesson from this article, we should realize that we don't know all the tricks. I, for one, expect this document, just as my own knowledge, to be updated from time to time.