I sent a couple text files (.txt) to myself at school, so that I can continue working on them at home. When I was downloading the second text file, it said "Running security scan", or something like that. I just sort of thought "Really? On a text file?"
Well it would make sense if the file is actually an executable in disguise (with the .txt extension) - those can still run from the command line, so long as they have the 'MZ' file signature in the first two bytes.
So what do you guys think about this security scan thing?
10 replies to this topic
#1
Posted 17 November 2011 - 11:55 PM
#2
Posted 18 November 2011 - 02:13 AM
To be honest, I don't mind if they scan everything foreign, jpeg, gif, txt etc., as long as it doesn't slow down other activity.
Perfection of means and confusion of ends seem to characterize our age. Albert Einstein :confused:
#3
Posted 18 November 2011 - 03:54 AM
I wonder how they scan text files, though. If the file doesn't have an 'MZ' header, I'm wondering what they do.
It kind of doesn't make sense for a text file to be a virus, unless it has the following text:
Hello. I am a virus, but I am very stupid, so I can't do anything. Please copy me, and send me to all your friends' computers. Please?:)
Even then, what would the virus scanner do if it finds that text? :)
#4
Posted 18 November 2011 - 05:23 AM
In the old days, when I wanted to send a .exe file via msn, msn didn't let me.
So I changed the extension of the file to .txt and I could send the file.
It may be for people like me that they have this kind of security.
#5
Posted 18 November 2011 - 06:04 AM
Avast does nothing with your text. But it pops up an alert with:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
And if you omit the word virus, it says safe.
#6
Posted 18 November 2011 - 06:32 AM
Worst-case scenario:
The txt file is a binary file with the extension renamed.
And there is another file that auto-loads the txt file when the USB key is plugged in.
So the anti-virus thinks the auto-load program is a legit program since it doesn't do anything wrong.
And if it doesn't scan the txt file, you will get infected.
#7
Posted 18 November 2011 - 07:28 AM
RhetoricalRuvim said:
I sent a couple text files (.txt) to myself at school, so that I can continue working on them at home. When I was downloading the second text file, it said "Running security scan", or something like that. I just sort of thought "Really? On a text file?"
Well it would make sense if the file is actually an executable in disguise (with the .txt extension) - those can still run from the command line, so long as they have the 'MZ' file signature in the first two bytes.
So what do you guys think about this security scan thing?
#8
Posted 18 November 2011 - 07:59 AM
JPG files? I thought JPG was the most common image format on the web.
How can a JPG file have a virus if it's rendered, and nothing more, by the hosting application?
#9
Posted 18 November 2011 - 08:09 AM
jpg can contain executable code.
And when people discovered that, it was a big deal, since the jpg was loaded in the temp file and in memory long before any anti-virus could do anything.
So visiting a website with an infected jpg could infect you, and you could not do anything about it (except going into linux/unix).
But now, they changed how they display pictures, and the anti-virus can catch the infected jpg.
#10
Posted 19 November 2011 - 05:08 AM
A boring answer: It does not care what file type it is, it does it anyway.
A more interesting answer: A trojan horse is a simple example of why it should be done. You download a zip with readme.txt (a clever name, no one reads those) and game.exe, which is a clean executable passing the scan.
Game.exe displays a fancy graphic, and unbeknownst to the user renames readme.txt into readme.exe and runs it - without ever downloading a malicious .exe.
Many systems use fingerprints based on the first contents of a file (i.e. magic identification bytes) and ignore extensions entirely; an extension is often even misleading (is that .dat a data file, or a video? How will we know without looking at it?).
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
#11
Posted 19 November 2011 - 04:44 PM
Alexander said:
Game.exe displays a fancy graphic, and unbeknownst to the user renames readme.txt into readme.exe and runs it - without ever downloading a malicious .exe.
Why rename it to *.exe? Can't it just run the *.txt, like command prompt does? I mean, does CreateProcess() require the *.exe extension?
Note: If you want to try this at home, save a text file, with the *.txt extension, and make sure the first two bytes are 'MZ'. Then open command prompt, chdir to the folder where you have the text file, and enter the filename of the text file. You should get some sort of error (e.g. "Unsupported 16-bit Application"; not sure what 16-bit has to do with all this).
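Added example (not part of the thread, and not any antivirus product's code): a content-based type check of the kind post #10 describes, which also classifies the 'MZ' text file from post #11. The signature table, the `EXPECTED` extension policy and the sample byte strings are constructed for illustration.

```python
import os
import struct

# Leading-byte signatures ("magic numbers") for a few common formats.
MAGIC = [
    (b"MZ", "dos-mz"),               # DOS/Windows executable header
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]

# Illustrative policy (an assumption): extensions considered honest per type.
EXPECTED = {
    "pe": {".exe", ".dll", ".sys", ".scr"},
    "dos-mz": {".exe", ".com"},
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"},
    "zip": {".zip"}, "text": {".txt", ".log", ".csv", ".md"},
}

def is_pe(data: bytes) -> bool:
    """True if the MZ header's e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff(data: bytes) -> str:
    """Classify by content only; the file name is never consulted."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            # 'MZ' without a PE header is a plain DOS-style (16-bit) image.
            return "pe" if name == "dos-mz" and is_pe(data) else name
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    return "text" if b"\x00" not in data else "unknown"

def check(filename: str, data: bytes):
    """Return (detected_type, mismatch) where mismatch means the extension lies."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    allowed = EXPECTED.get(kind)
    return kind, allowed is not None and ext not in allowed

# Constructed sample: smallest byte string that passes the PE check above.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    for name, blob in [("notes.txt", b"Hello world\n"), ("notes.txt", b"MZ hello"),
                       ("readme.txt", SAMPLE_PE), ("game.exe", SAMPLE_PE)]:
        print(name, check(name, blob))
```

The second sample is the experiment from post #11: the file starts with 'MZ' but has no PE header, so it is classified as a DOS-style image, which is where the "16-bit" in that error message comes from.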