
Thread: Microsoft: piracy is getting virusy

  1. #11
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    Virus Guy pretended :
    > FromTheRafters, while unnecessarily full-quoting, wrote:
    >
    >>>> Has there ever been a media file (mp3, avi, flac, etc) that could
    >>>> accomplish that?

    >
    >>> Nope, not if a user has file types set.
    >>>
    >>> An exploit in widows can allow renaming a file extension from say
    >>> .exe to .mov Or naming it with no extension at all.

    >
    >>> And windows was stupid enough to recognize it as an .exe despite
    >>> the extension, and run it as such.

    >>
    >> Er, what is stupid is relying on the extension to mean anything.
    >> Now, it is usually the actual format of the file that tells the
    >> OS what it really is and how it should be handled.

    >
    > On my win-98 system, my default media player is VLC. Files that have
    > extensions like mp3, avi, flac, (etc) show up in my file explorer as
    > having VLC icons.
    >
    > I took calc.exe, copied it to somewhere else outside of c:\windows,
    > renamed it to mp3, and it took on the VLC icon.


    I took calc.exe and renamed it to the desktop as calc.mp3 and it kept
    the calculator icon. It also invoked the calculator when
    double-clicked. In properties it is listed as calc.mp3 as the
    calculator executable. A *real* mp3 invokes media player and has the
    media player icon.

    I don't have any MP3's on this machine, so I used Hot-Text's offering
    here (http://s-e.mynews.ath.cx:1361/test.mp3) to test with.

    [...]

    Another reason W98 sucks.



  2. #12
    Virus Guy Guest

    Re: Microsoft: piracy is getting virusy

    FromTheRafters wrote:

    > > I took calc.exe, copied it to somewhere else outside of c:\windows,
    > > renamed it to mp3, and it took on the VLC icon.


    (and it doesn't execute as an exe file when renamed to .mp3)

    > I took calc.exe and renamed it to the desktop as calc.mp3 and it
    > kept the calculator icon. It also invoked the calculator when
    > double-clicked.


    > Another reason W98 sucks.


    So you think that from a vulnerability pov, that an OS can run an
    executable even when it's given some other extension is a "good thing"
    (tm) ?

    Sorry - you're wrong.

    This is another reason why the NT line of Windoze sucks.

    When a malicious process or mechanism has deposited an executable file
    onto a system, and given the file some innocuous extension (like .txt or
    .jpg), I'll take win-98 any day over NT because win-98 will apparently
    NOT be tricked into running the malicious file.

    If you think it's a good idea that an OS can still know that a mis-named
    file is an executable file, and ->run the file when instructed to handle
    it<- - you should explain why you think that's a good idea from the pov
    of either the OS or the user.

  3. #13
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    on 10/12/2012, Virus Guy supposed :
    > FromTheRafters wrote:
    >
    >>> I took calc.exe, copied it to somewhere else outside of c:\windows,
    >>> renamed it to mp3, and it took on the VLC icon.

    >
    > (and it doesn't execute as an exe file when renamed to .mp3)
    >
    >> I took calc.exe and renamed it to the desktop as calc.mp3 and it
    >> kept the calculator icon. It also invoked the calculator when
    >> double-clicked.

    >
    >> Another reason W98 sucks.

    >
    > So you think that from a vulnerability pov, that an OS can run an
    > executable even when it's given some other extension is a "good thing"
    > (tm) ?


    Absolutely! People shouldn't be fooled by filenames. The old adage
    "Don't judge a book by its cover" comes to mind.
    >
    > Sorry - you're wrong.


    No, you are.
    >
    > This is another reason why the NT line of Windoze sucks.


    You're clueless as usual.
    >
    > When a malicious process or mechanism has deposited an executable file
    > onto a system, and given the file some innocuous extension (like .txt or
    > .jpg), I'll take win-98 any day over NT because win-98 will apparently
    > NOT be tricked into running the malicious file.


    It's not the OS that is fooled, it is the user. To avoid this, the user
    should be made to understand that names mean nothing - the actual file
    content is what matters. It's quite alright with me that file
    extensions for data files can be associated with the client chosen to
    handle them, but they should provide a proper error message when such a
    file is not what its extension leads one to believe.

    Another thing that shouldn't be trusted is the icon. An exe can be
    named benign.txt or benign.jpg and have a notepad or image
    editor/viewer looking icon and be malicious. It is much more
    straightforward to have the OS treat it as what it really is instead of
    what some miscreant wants a user to believe it is.
    >
    > If you think it's a good idea that an OS can still know that a mis-named
    > file is an executable file,


    Names mean *nothing*.

    > and ->run the file when instructed to handle
    > it<- - you should explain why you think that's a good idea from the pov
    > of either the OS or the user.


    ....and I have.



  4. #14
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    Virus Guy <Virus@Guy.com> wrote in news:507778FD.E4140DE4@Guy.com:

    > "David H. Lipman" wrote:
    >
    >> >> It it even possible that when launched from a media-player (such
    >> >> as VLC) that there exists a class of avi, mp3, flac (etc) malware
    >> >> that can leverage a player vulnerability and cause it to run
    >> >> arbitrary code?
    >> >
    >> > Yes.
    >> >
    >> > Some specific players could be tricked into visiting a maliciously
    >> > formed website embedded in the id3tags.

    >
    >> > The Wimad trojan

    >
    > So basically these boil down to browser exploits. A URL launched from
    > Windoze Media Player is still a browser exploit.
    >
    > And they're not even exploits - they depend on user action in the
    > browser to allow what-ever operation they're trying to accomplish (ie -
    > social engineering).
    >
    > What I'm asking about is a media file that upon playing can cause any
    > media player to run arbitrary code WITHOUT NEEDING THE USER'S HELP, and
    > thereby cause the user's system to download secondary payloads, change
    > registry settings, etc. All without enlisting the system's web-browser.
    >
    > Has there ever been a media file (mp3, avi, flac, etc) that could
    > accomplish that?


    Due to some badly written players, one could corrupt the tag and cause a
    code execution via buffer overrun exploit, yes.

    AVis and mp3s did have this issue at one point. It wasn't just making
    your browser open a webpage all the time.




    --
    There ain't no rest for the wicked. Money don't grow on trees. I got
    bills to pay. I got mouths to feed. Ain't nothing in this world for
    free. Oh No. I can't slow down, I can't hold back though you know I wish
    I could. Oh no there ain't no rest for the wicked, until we close our
    eyes for good.




  5. #15
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    Virus Guy <Virus@Guy.com> wrote in news:50781B08.92055E70@Guy.com:

    > FromTheRafters, while unnecessarily full-quoting, wrote:
    >
    >> >> Has there ever been a media file (mp3, avi, flac, etc) that could
    >> >> accomplish that?

    >
    >> > Nope, not if a user has file types set.
    >> >
    >> > An exploit in widows can allow renaming a file extension from say
    >> > .exe to .mov Or naming it with no extension at all.

    >
    >> > And windows was stupid enough to recognize it as an .exe despite
    >> > the extension, and run it as such.

    >>
    >> Er, what is stupid is relying on the extension to mean anything.
    >> Now, it is usually the actual format of the file that tells the
    >> OS what it really is and how it should be handled.

    >
    > On my win-98 system, my default media player is VLC. Files that have
    > extensions like mp3, avi, flac, (etc) show up in my file explorer as
    > having VLC icons.
    >
    > I took calc.exe, copied it to somewhere else outside of c:\windows,
    > renamed it to mp3, and it took on the VLC icon.


    Yep..

    now...

    drop to an msdos prompt (as you really have DOS), and type "start
    calc.mp3" and press enter.

    Close calc when you pick your jaw back up.

    > When I double-clicked on the file, VLC started up - and just sat there.

    File association was dumber! on windows98. start.exe can be invoked
    to override whatever "association" is set.

    > What would happen if I repeated this under XP or win-7?
    >
    > Would they know the file is really an exe - and launch it as such?


    Depends on user configuration settings for XP. Win7 likely the same.








  6. #16
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:k599b7$bfa$1@dont-email.me:

    > Virus Guy pretended :
    >> FromTheRafters, while unnecessarily full-quoting, wrote:
    >>
    >>>>> Has there ever been a media file (mp3, avi, flac, etc) that could
    >>>>> accomplish that?

    >>
    >>>> Nope, not if a user has file types set.
    >>>>
    >>>> An exploit in widows can allow renaming a file extension from say
    >>>> .exe to .mov Or naming it with no extension at all.

    >>
    >>>> And windows was stupid enough to recognize it as an .exe despite
    >>>> the extension, and run it as such.
    >>>
    >>> Er, what is stupid is relying on the extension to mean anything.
    >>> Now, it is usually the actual format of the file that tells the
    >>> OS what it really is and how it should be handled.

    >>
    >> On my win-98 system, my default media player is VLC. Files that have
    >> extensions like mp3, avi, flac, (etc) show up in my file explorer as
    >> having VLC icons.
    >>
    >> I took calc.exe, copied it to somewhere else outside of c:\windows,
    >> renamed it to mp3, and it took on the VLC icon.

    >
    > I took calc.exe and renamed it to the desktop as calc.mp3 and it kept
    > the calculator icon. It also invoked the calculator when
    > double-clicked. In properties it is listed as calc.mp3 as the
    > calculator executable. A *real* mp3 invokes media player and has the
    > media player icon.
    >
    > I don't have any MP3's on this machine, so I used Hot-Text's offering
    > here (http://s-e.mynews.ath.cx:1361/test.mp3) to test with.
    >
    > [...]
    >
    > Another reason W98 sucks.
    >
    >
    >


    Yep






  7. #17
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    Virus Guy <Virus@Guy.com> wrote in news:5078338A.DA47D3A9@Guy.com:

    > FromTheRafters wrote:
    >
    >> > I took calc.exe, copied it to somewhere else outside of
    >> > c:\windows, renamed it to mp3, and it took on the VLC icon.

    >
    > (and it doesn't execute as an exe file when renamed to .mp3)


    on smarter OSes that know to check the file header and not assume by
    extension alone, it runs. As it's an exe.

    > So you think that from a vulnerability pov, that an OS can run an
    > executable even when it's given some other extension is a "good
    > thing" (tm) ?


    The newer OSes are analyzing the internal file header and making
    decisions based on that. That's not a vulnerability or an exploit in and
    of itself. You can do the same with win98, just not as easily.

    > This is another reason why the NT line of Windoze sucks.


    For properly analyzing a file header? I'm sorry, you seem to be
    confused here.

    > When a malicious process or mechanism has deposited an executable
    > file onto a system, and given the file some innocuous extension (like
    > .txt or .jpg), I'll take win-98 any day over NT because win-98 will
    > apparently NOT be tricked into running the malicious file.


    Nope. You're wrong. Win98 won't run the "txt" exe, but the program that
    dropped it can any time it likes. It can even include a start command
    run line in your registry or a batch file and place it in one of several
    locations. Then easily force you to reboot; your win98 box is crash
    happy. I can force a blue screen in 6 lines of assembler.

    All it really need do is call itself explorer.exe in root and it's
    guaranteed! to run when you restart.

    I haven't even touched on the hidden extensions trick. "calc.txt.exe"
    then be sure to hide known file extensions is toggled in the registry.

    Windows98 machines are so damn open, you can configure whatever you
    want, and force the user to reboot when YOU want them to execute your
    new additions and modifications. No user rights to deal with, no real
    concept of file permissions.. Basically, nothing stopping a rogue
    program from 0wning the place. Outright.

    It'll appear to be calc.txt, but will execute if clicked.


    > If you think it's a good idea that an OS can still know that a
    > mis-named file is an executable file, and ->run the file when
    > instructed to handle it<- - you should explain why you think that's a
    > good idea from the pov of either the OS or the user.


    I think the OS should treat the file as its file header intended.
    Proper file permissions and security policies in place can keep a
    harmful file from doing much harm.








  8. #18
    Ant Guest

    Re: Microsoft: piracy is getting virusy

    "Virus Guy" wrote:

    > When a malicious process or mechanism has deposited an executable file
    > onto a system, and given the file some innocuous extension (like .txt or
    > .jpg), I'll take win-98 any day over NT because win-98 will apparently
    > NOT be tricked into running the malicious file.


    Neither will NT, at least not W2k or XP. I don't know what system FTR
    is running but renaming an exe to txt or something else will not invoke
    the executable image loader but will start the application associated
    with the file extension; e.g. notepad. If an application can't handle
    the format, e.g. a media player, then an error message is given.

    If the behaviour of Windows since XP has changed, in that the format
    is examined to decide how to open it, then this is a very bad idea.
    When an advanced user sees a txt extension then he expects a
    double-click to open the file in a text editor irrespective of its format.
    I say "advanced" because I'm talking about those who don't hide the
    file extensions. Obviously I'm not addressing the stupid situation
    where extensions are hidden and a file named as test.txt.exe (an
    executable) shows up as test.txt.



  9. #19
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    Ant submitted this idea :
    > "Virus Guy" wrote:
    >
    >> When a malicious process or mechanism has deposited an executable file
    >> onto a system, and given the file some innocuous extension (like .txt or
    >> .jpg), I'll take win-98 any day over NT because win-98 will apparently
    >> NOT be tricked into running the malicious file.

    >
    > Neither will NT, at least not W2k or XP. I don't know what system FTR
    > is running but renaming an exe to txt or something else will not invoke
    > the executable image loader but will start the application associated
    > with the file extension; e.g. notepad. If an application can't handle
    > the format, e.g. a media player, then an error message is given.


    Yes, it is equivalent to opening the default program to handle that
    filetype and selecting the file-open dialog *if* that extension is
    associated with that program in the registry. I have hide extensions
    for known filetypes checked in my folder options so I wasn't *really*
    changing the extension or the association - only how it appears to the
    average user.
    >
    > If the behaviour of Windows since XP has changed, in that the format
    > is examined to decide how to open it, then this is a very bad idea.


    As I recall, W98 did that with OLE2 files if extensionless. I think the
    trouble comes from inconsistency between the two methods and not that
    one method is wrong and the other right. Windows users are quite used
    to the idea that a book can be judged by its cover, that is its
    filename or its icon. What really counts is the actual type of content.

    > When an advanced user sees a txt extension then he expects a
    > double-click to open the file in a text editor irrespective of its format.


    Yes, but mostly because he is used to it being that way.

    > I say "advanced" because I'm talking about those who don't hide the
    > file extensions. Obviously I'm not addressing the stupid situation
    > where extensions are hidden and a file named as test.txt.exe (an
    > executable) shows up as test.txt.


    I often wondered why MS decided to do that as the default condition.
    Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop. The
    OS wasn't fooled into thinking it was an mp3 but the user might well
    have been - even the "properties" dialog lies to the user. As I recall,
    even the loaders do not depend upon filename extensions but rather on
    actual file content when deciding if they can or cannot handle the
    loading of that file's executable image, and even this has caused some
    confusion where an exe renamed to bat or com can still execute as if it
    hadn't been renamed.
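
Added example (not part of any post in this thread): a Python sketch of the name-versus-content check the posters are arguing about. It reads the file header, compares it with what the extension promises, and flags the `test.txt.exe` double-extension pattern; the extension lists, finding names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import PureWindowsPath

EXEC_EXTS = {".exe", ".com", ".scr"}
# Extension -> content type it promises (illustrative subset).
# None means the type has no magic bytes to check (plain text).
DATA_EXTS = {".mp3": "mp3", ".avi": "avi", ".flac": "flac",
             ".jpg": "jpeg", ".txt": None}


def is_pe_image(data: bytes) -> bool:
    """True if an MZ header's e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if is_pe_image(data):
        return "pe"
    if data[:2] == b"MZ":
        return "dos-exe"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:4] == b"fLaC":
        return "flac"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    # ID3 tag, or an MPEG audio frame sync (11 set bits).
    if data[:3] == b"ID3" or (
            len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    return "unknown"


def audit(name: str, data: bytes) -> list:
    """Return findings where the file name and the content disagree."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    findings = []
    # name.txt.exe is displayed as name.txt when known extensions are hidden.
    if len(suffixes) >= 2 and ext in EXEC_EXTS and suffixes[-2] in DATA_EXTS:
        findings.append("double-extension")
    if kind in ("pe", "dos-exe") and ext not in EXEC_EXTS:
        findings.append("executable-content")
    elif DATA_EXTS.get(ext) and kind != DATA_EXTS[ext]:
        findings.append("content-mismatch")
    return findings


def make_pe_stub() -> bytes:
    """Constructed sample: a 64-byte DOS header followed by a PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(20)


if __name__ == "__main__":
    pe = make_pe_stub()
    samples = {  # constructed inputs, named after the files in the thread
        "calc.exe": pe, "calc.mp3": pe, "calc.txt.exe": pe,
        "test.mp3": b"ID3\x03\x00" + bytes(16),
    }
    for name, blob in samples.items():
        print(f"{name:14} {sniff(blob):8} {audit(name, blob)}")
```
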



  10. #20
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:k5acms$d3p$1@dont-email.me:

    > Ant submitted this idea :
    >> "Virus Guy" wrote:
    >>
    >>> When a malicious process or mechanism has deposited an executable
    >>> file onto a system, and given the file some innocuous extension
    >>> (like .txt or .jpg), I'll take win-98 any day over NT because
    >>> win-98 will apparently NOT be tricked into running the malicious
    >>> file.

    >>
    >> Neither will NT, at least not W2k or XP. I don't know what system
    >> FTR is running but renaming an exe to txt or something else will not
    >> invoke the executable image loader but will start the application
    >> associated with the file extension; e.g. notepad. If an application
    >> can't handle the format, e.g. a media player, then an error message
    >> is given.

    >
    > Yes, it is equivalent to opening the default program to handle that
    > filetype and selecting the file-open dialog *if* that extension is
    > associated with that program in the registry. I have hide extensions
    > for known filetypes checked in my folder options so I wasn't *really*
    > changing the extension or the association - only how it appears to
    > the average user.
    >>
    >> If the behaviour of Windows since XP has changed, in that the format
    >> is examined to decide how to open it, then this is a very bad idea.

    >
    > As I recall, W98 did that with OLE2 files if extensionless. I think
    > the trouble comes from inconsistency between the two methods and not
    > that one method is wrong and the other right. Windows users are quite
    > used to the idea that a book can be judged by its cover, that is its
    > filename or its icon. What really counts is the actual type of
    > content.
    >
    >> When an advanced user sees a txt extension then he expects a
    >> double-click to open the file in a text editor irrespective of its format.

    >
    > Yes, but mostly because he is used to it being that way.
    >
    >> I say "advanced" because I'm talking about those who don't hide the
    >> file extensions. Obviously I'm not addressing the stupid situation
    >> where extensions are hidden and a file named as test.txt.exe (an
    >> executable) shows up as test.txt.

    >
    > I often wondered why MS decided to do that as the default condition.
    > Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop.
    > The OS wasn't fooled into thinking it was an mp3 but the user might
    > well have been - even the "properties" dialog lies to the user. As I
    > recall, even the loaders do not depend upon filename extensions but
    > rather on actual file content when deciding if they can or cannot
    > handle the loading of that file's executable image, and even this has
    > caused some confusion where an exe renamed to bat or com can still
    > execute as if it hadn't been renamed.


    Gets more interesting..

    If you have calc.bat, calc.com and calc.exe

    which do you think executes? [g]





