Talk about text files and embedded malware...

Posted by PantsOnFire on May 27, 2008, 11:24 am
Let's say I have a process which can check the entire content of a
file. This process can determine that the entire file is made up of
ASCII characters only.

So my questions are:

1. What can be written in ASCII that can be a threat (e.g. a Perl
script or VBS script)?

2. What needs to happen to have this threat executed?

3. Can I limit the number of acceptable ASCII characters such that
threats cannot execute (e.g. do not allow characters like + < > _ \ /
& % $ @ # : ; " , etc....)

4. Do I need to worry about obfuscated malware even given my limiting
of the characters allowed.

Posted by David H. Lipman on May 27, 2008, 4:33 pm

| Let's say I have a process which can check the entire content of a
| file. This process can determine that the entire file is made up of
| ASCII characters only.
|
| So my questions are:
|
| 1. What can be written in ASCII that can be a threat (e.g. a Perl
| script or VBS script)?


Yes, if it is executable or interpreted. For example VBS:Psyme or HTML:Trojan.Generic type
detections.


|
| 2. What needs to happen to have this threat executed?


It could be on a web site or in email, or be set in the Registry to load the interpreter
automatically.


|
| 3. Can I limit the number of acceptable ASCII characters such that
| threats cannot execute (e.g. do not allow characters like + < > _ \ /
| & % $ @ # : ; " , etc....)


No. Won't help.


|
| 4. Do I need to worry about obfuscated malware even given my limiting
| of the characters allowed.

Yes. Many Javascripts are encoded to obfuscate their malicious intent.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
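Dave's answers to questions 1 and 3 come down to one point: "ASCII-only" says nothing about whether a file is a program, because Perl, VBScript, JavaScript and HTML are themselves plain ASCII. The following is an added example, not code from the thread or either poster. It implements the original poster's byte check beside a content-based scan for script structure, and runs both over constructed samples (a plain note and three harmless script fragments in the languages the thread names). The indicator table is illustrative and chosen for this example; it is not a complete signature set.

```python
"""Added example: an ASCII-only check passes every sample below, while a
content-based scan tells a note apart from script text.
"""
import re

# Constructed samples.  All four are 100% printable 7-bit ASCII.
PLAIN_NOTE = "Meeting moved to 3pm. Bring the Q2 numbers.\n"
PERL_SAMPLE = '#!/usr/bin/perl\nuse strict;\nprint "hello\\n";\n'
VBS_SAMPLE = ('Set fso = CreateObject("Scripting.FileSystemObject")\n'
              'WScript.Echo fso.GetTempName\n')
JS_IN_HTML_SAMPLE = '<html><script>eval(unescape("%68%69"))</script></html>\n'


def is_ascii_only(data: bytes) -> bool:
    """The poster's check: every byte is 7-bit ASCII."""
    return all(b < 0x80 for b in data)


# Indicators of script structure, keyed by a short name.  Each pattern
# corresponds to syntax the thread mentions (Perl, VBS, JavaScript/HTML);
# the list is an example, not an exhaustive set.
SCRIPT_INDICATORS = {
    "shebang": re.compile(r"\A#!"),
    "perl_pragma": re.compile(r"^\s*use\s+\w+;", re.M),
    "vbs_createobject": re.compile(r"\bCreateObject\s*\(", re.I),
    "wscript_object": re.compile(r"\bWScript\.", re.I),
    "html_script_tag": re.compile(r"<script\b", re.I),
    "js_eval": re.compile(r"\beval\s*\("),
    "js_unescape": re.compile(r"\bunescape\s*\("),
}


def script_indicators(text: str) -> list:
    """Return the names of every indicator that matches, in table order."""
    return [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(text)]


def triage(data: bytes) -> dict:
    """Run both checks on raw file bytes and report the verdicts side by side."""
    ascii_only = is_ascii_only(data)
    # Non-ASCII bytes (if any) are replaced; the scan still runs on the rest.
    text = data.decode("ascii", errors="replace")
    hits = script_indicators(text)
    return {
        "ascii_only": ascii_only,
        "indicators": hits,
        "looks_like_script": bool(hits),
    }


if __name__ == "__main__":
    samples = [
        ("plain note", PLAIN_NOTE),
        ("perl", PERL_SAMPLE),
        ("vbs", VBS_SAMPLE),
        ("js in html", JS_IN_HTML_SAMPLE),
    ]
    for label, sample in samples:
        print(f"{label:12s} {triage(sample.encode('ascii'))}")
```

Every sample reports `ascii_only: True`; only the content scan separates them. Note that even this scan answers "does this look like a script", not "will this run": as the rest of the thread shows, the second question is decided by what program the bytes are handed to, not by the bytes themselves.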



Posted by PantsOnFire on May 28, 2008, 10:50 am
wrote:
>
> | Let's say I have a process which can check the entire content of a
> | file. This process can determine that the entire file is made up of
> | ASCII characters only.
> |
> | So my questions are:
> |
> | 1. What can be written in ASCII that can be a threat (e.g. a Perl
> | script or VBS script)?
>
> Yes, if it is executable or interpreted. For example VBS:Psyme or HTML:Trojan.Generic type
> detections.
>
> |
> | 2. What needs to happen to have this threat executed?
>
> It could be on a web site or in email, or be set in the Registry to load the interpreter
> automatically.
>
> |
> | 3. Can I limit the number of acceptable ASCII characters such that
> | threats cannot execute (e.g. do not allow characters like + < > _ \ /
> | & % $ @ # : ; " , etc....)
>
> No. Won't help.
>
> |
> | 4. Do I need to worry about obfuscated malware even given my limiting
> | of the characters allowed.
>
> Yes. Many Javascripts are encoded to obfuscate their malicious intent.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thanks Dave,

Just a quick followup.

Say a file called "bad.txt" contains some perl script. Assuming there
is no hidden extension, double-clicking on this should open notepad
(WindowsXP) and the contents will be viewed as text. Someone who
knows perl could recognize the structure. However, it is possible to
go into the file associations and change the program that
executes .txt files to perl.

So am I right to assume that:

1. This is now bad that .txt is associated with perl and thus any
user double-clicking a bad file will execute some code?

2. Can a network policy be set such that users cannot change file
associations and thus administrators can offer some protection in that
manner?

3. Dragging and dropping this bad file into an open notepad window
will not execute the script?

Posted by Dave Budd on May 28, 2008, 11:32 am
In article <ae8f68d3-afb3-4236-ab60-
8523f01ba13a@l42g2000hsc.googlegroups.com>, mtc7@sympatico.ca says...
> 1. This is now bad that .txt is associated with perl and thus any
> user double-clicking a bad file will execute some code?

Yes
>
> 2. Can a network policy be set such that users cannot change file
> associations and thus administrators can offer some protection in that
> manner?

It's possible - we have clusters of hundreds of machines here where
users can't change _anything_, and in fact can only save files to one
particular folder.
>
> 3. Dragging and dropping this bad file into an open notepad window
> will not execute the script?

No, it won't. Starting Notepad, and using its menus to go and open the
file is also safe.

--
Snob? Were I a snob, I wouldn't be talking to you.

Posted by David H. Lipman on May 28, 2008, 4:29 pm


|
| Thanks Dave,
|
| Just a quick followup.
|
| Say a file called "bad.txt" contains some perl script. Assuming there
| is no hidden extension, double-clicking on this should open notepad
| (WindowsXP) and the contents will be viewed as text. Someone who
| knows perl could recognize the structure. However, it is possible to
| go into the file associations and change the program that
| executes .txt files to perl.
|
| So am I right to assume that:
|
| 1. This is now bad that .txt is associated with perl and thus any
| user double-clicking a bad file will execute some code?


If the association is set that Perl will run the TXT files, yes.


|
| 2. Can a network policy be set such that users cannot change file
| associations and thus administrators can offer some protection in that
| manner?
|


There might be. There are many policies, and I know there are policies associated with file
associations, but I don't know the specifics.


| 3. Dragging and dropping this bad file into an open notepad window
| will not execute the script?

Right!


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
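Both replies to the follow-up agree that "bad.txt" is inert until a file association hands it to an interpreter. The following is an added example, not code from the thread or either poster: an audit that resolves what double-clicking a `.txt` file would actually run, in the order Windows Explorer consults (the per-user override under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts`, then the machine-wide ProgID under `HKEY_CLASSES_ROOT`), and flags handlers that are script interpreters. The registry lookup only runs on Windows and is guarded; the classification helper is pure and runs anywhere. The interpreter name list is constructed for this example and should be extended for your environment.

```python
"""Added example: resolve the 'open' handler for a file extension on Windows
and flag it if the handler is a script interpreter rather than a viewer.
"""
import re
import sys

# Constructed list of interpreter executables (without .exe) that should
# never be the default handler for a plain-text extension.
INTERPRETER_NAMES = (
    "perl", "python", "ruby", "wscript", "cscript", "cmd", "powershell",
    "mshta", "rundll32",
)

# First quoted-or-bare token ending in .exe, e.g. "C:\Perl\bin\perl.exe" or
# %SystemRoot%\system32\NOTEPAD.EXE.
_EXE_RX = re.compile(r'"?([^"\s]+?\.exe)"?', re.I)


def interpreter_in_command(command: str) -> bool:
    """True if the executable named in an 'open' command is a known interpreter."""
    m = _EXE_RX.search(command)
    if not m:
        return False
    exe = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe[:-4] in INTERPRETER_NAMES  # strip ".exe" before comparing


def resolve_open_command(ext: str):
    """Return the shell\\open\\command string Explorer would use for `ext`,
    or None when it cannot be resolved (including on non-Windows hosts)."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    user_ext = (r"Software\Microsoft\Windows\CurrentVersion\Explorer"
                rf"\FileExts\{ext}")
    # Per-user "Open With" choice.  XP stores the exe name in an
    # 'Application' value; Vista and later store a ProgID under UserChoice.
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, user_ext) as k:
            app, _ = winreg.QueryValueEx(k, "Application")
            return winreg.QueryValue(
                winreg.HKEY_CLASSES_ROOT, rf"Applications\{app}\shell\open\command")
    except OSError:
        pass
    progid = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, user_ext + r"\UserChoice") as k:
            progid, _ = winreg.QueryValueEx(k, "ProgId")
    except OSError:
        pass
    # Machine-wide association: HKCR\.txt -> ProgID (e.g. txtfile) ->
    # HKCR\txtfile\shell\open\command.
    if not progid:
        try:
            progid = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ext)
        except OSError:
            return None
    try:
        return winreg.QueryValue(
            winreg.HKEY_CLASSES_ROOT, rf"{progid}\shell\open\command")
    except OSError:
        return None


def audit_extension(ext: str, command=None) -> dict:
    """Classify the handler for `ext`.  Pass `command` explicitly to audit a
    string captured from another machine; otherwise it is read from the registry."""
    if command is None:
        command = resolve_open_command(ext)
    return {
        "ext": ext,
        "command": command,
        "interpreter": bool(command) and interpreter_in_command(command),
    }


if __name__ == "__main__":
    # Constructed command strings for offline use; the first is Notepad's
    # normal handler, the second is what a perl-for-.txt association looks like.
    for cmd in (r"%SystemRoot%\system32\NOTEPAD.EXE %1",
                r'"C:\Perl\bin\perl.exe" "%1" %*'):
        print(audit_extension(".txt", cmd))
    if sys.platform == "win32":
        print("this machine:", audit_extension(".txt"))
```

On a locked-down fleet like the one Dave Budd describes, running the audit across machines (or over exported command strings) is the cheap way to confirm the policy held: a `.txt` whose handler resolves to an interpreter is exactly the condition the follow-up question worries about.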


