
Thread: Microsoft: piracy is getting virusy


  1. #1
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    Virus Guy pretended :
    > FromTheRafters, while unnecessarily full-quoting, wrote:
    >
    >>>> Has there ever been a media file (mp3, avi, flac, etc) that could
    >>>> accomplish that?

    >
    >>> Nope, not if a user has file types set.
    >>>
    >>> An exploit in windows can allow renaming a file extension from say
    >>> .exe to .mov Or naming it with no extension at all.

    >
    >>> And windows was stupid enough to recognize it as an .exe despite
    >>> the extension, and run it as such.

    >>
    >> Er, what is stupid is relying on the extension to mean anything.
    >> Now, it is usually the actual format of the file that tells the
    >> OS what it really is and how it should be handled.

    >
    > On my win-98 system, my default media player is VLC. Files that have
    > extensions like mp3, avi, flac, (etc) show up in my file explorer as
    > having VLC icons.
    >
    > I took calc.exe, copied it to somewhere else outside of c:\windows,
    > renamed it to mp3, and it took on the VLC icon.


    I took calc.exe and renamed it to the desktop as calc.mp3 and it kept
    the calculator icon. It also invoked the calculator when
    double-clicked. In properties it is listed as calc.mp3 as the
    calculator executable. A *real* mp3 invokes media player and has the
    media player icon.

    I don't have any MP3's on this machine, so I used Hot-Text's offering
    here (http://s-e.mynews.ath.cx:1361/test.mp3) to test with.

    [...]

    Another reason W98 sucks.



  2. #2
    Virus Guy Guest

    Re: Microsoft: piracy is getting virusy

    FromTheRafters wrote:

    > > I took calc.exe, copied it to somewhere else outside of c:\windows,
    > > renamed it to mp3, and it took on the VLC icon.


    (and it doesn't execute as an exe file when renamed to .mp3)

    > I took calc.exe and renamed it to the desktop as calc.mp3 and it
    > kept the calculator icon. It also invoked the calculator when
    > double-clicked.


    > Another reason W98 sucks.


    So you think that from a vulnerability pov, that an OS can run an
    executable even when it's given some other extension is a "good thing"
    (tm) ?

    Sorry - you're wrong.

    This is another reason why the NT line of Windoze sucks.

    When a malicious process or mechanism has deposited an executable file
    onto a system, and given the file some innocuous extension (like .txt or
    .jpg), I'll take win-98 any day over NT because win-98 will apparently
    NOT be tricked into running the malicious file.

    If you think it's a good idea that an OS can still know that a mis-named
    file is an executable file, and ->run the file when instructed to handle
    it<- - you should explain why you think that's a good idea from the pov
    of either the OS or the user.

  3. #3
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    on 10/12/2012, Virus Guy supposed :
    > FromTheRafters wrote:
    >
    >>> I took calc.exe, copied it to somewhere else outside of c:\windows,
    >>> renamed it to mp3, and it took on the VLC icon.

    >
    > (and it doesn't execute as an exe file when renamed to .mp3)
    >
    >> I took calc.exe and renamed it to the desktop as calc.mp3 and it
    >> kept the calculator icon. It also invoked the calculator when
    >> double-clicked.

    >
    >> Another reason W98 sucks.

    >
    > So you think that from a vulnerability pov, that an OS can run an
    > executable even when it's given some other extension is a "good thing"
    > (tm) ?


    Absolutely! People shouldn't be fooled by filenames. The old adage
    "Don't judge a book by its cover" comes to mind.
    >
    > Sorry - you're wrong.


    No, you are.
    >
    > This is another reason why the NT line of Windoze sucks.


    You're clueless as usual.
    >
    > When a malicious process or mechanism has deposited an executable file
    > onto a system, and given the file some innocuous extension (like .txt or
    > .jpg), I'll take win-98 any day over NT because win-98 will apparently
    > NOT be tricked into running the malicious file.


    It's not the OS that is fooled, it is the user. To avoid this, the user
    should be made to understand that names mean nothing - the actual file
    content is what matters. It's quite alright with me that file
    extensions for data files can be associated with the client chosen to
    handle them, but they should provide a proper error message when such a
    file is not what its extension leads one to believe.

    Another thing that shouldn't be trusted is the icon. An exe can be
    named benign.txt or benign.jpg and have a notepad or image
    editor/viewer looking icon and be malicious. It is much more
    straightforward to have the OS treat it as what it really is instead of
    what some miscreant wants a user to believe it is.
    >
    > If you think it's a good idea that an OS can still know that a mis-named
    > file is an executable file,


    Names mean *nothing*.

    > and ->run the file when instructed to handle
    > it<- - you should explain why you think that's a good idea from the pov
    > of either the OS or the user.


    ....and I have.



  4. #4
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    Virus Guy <Virus@Guy.com> wrote in news:5078338A.DA47D3A9@Guy.com:

    > FromTheRafters wrote:
    >
    >> > I took calc.exe, copied it to somewhere else outside of
    >> > c:\windows, renamed it to mp3, and it took on the VLC icon.

    >
    > (and it doesn't execute as an exe file when renamed to .mp3)


    on smarter OSes that know to check the file header and not assume by
    extension alone, it runs. As it's an exe.

    > So you think that from a vulnerability pov, that an OS can run an
    > executable even when it's given some other extension is a "good
    > thing" (tm) ?


    The newer OSes are analyzing the internal file header and making
    decisions based on that. That's not a vulnerability or an exploit in and
    of itself. You can do the same with win98, just not as easily.

    > This is another reason why the NT line of Windoze sucks.


    For properly analyzing a file header? I'm sorry, you seem to be
    confused here.

    > When a malicious process or mechanism has deposited an executable
    > file onto a system, and given the file some innocuous extension (like
    > .txt or .jpg), I'll take win-98 any day over NT because win-98 will
    > apparently NOT be tricked into running the malicious file.


    Nope. You're wrong. Win98 won't run the "txt" exe, but the program that
    dropped it can any time it likes. It can even include a start command
    run line in your registry or a batch file and place it in one of several
    locations. Then easily force you to reboot; your win98 box is crash
    happy. I can force a blue screen in 6 lines of assembler.

    All it really need do is call itself explorer.exe in root and it's
    guaranteed! to run when you restart.

    I haven't even touched on the hidden extensions trick. "calc.txt.exe"
    then be sure to hide known file extensions is toggled in the registry.

    Windows98 machines are so damn open, you can configure whatever you
    want, and force the user to reboot when YOU want them to execute your
    new additions and modifications. No user rights to deal with, no real
    concept of file permissions.. Basically, nothing stopping a rogue
    program from 0wning the place. Outright.

    It'll appear to be calc.txt, but will execute if clicked.


    > If you think it's a good idea that an OS can still know that a
    > mis-named file is an executable file, and ->run the file when
    > instructed to handle it<- - you should explain why you think that's a
    > good idea from the pov of either the OS or the user.


    I think the OS should treat the file as its file header intended.
    Proper file permissions and security policies in place can keep a
    harmful file from doing much harm.




    --
    There ain't no rest for the wicked. Money don't grow on trees. I got
    bills to pay. I got mouths to feed. Ain't nothing in this world for
    free. Oh No. I can't slow down, I can't hold back though you know I
    wish I could. Oh no there ain't no rest for the wicked, until we close
    our eyes for good.




  5. #5
    Ant Guest

    Re: Microsoft: piracy is getting virusy

    "Virus Guy" wrote:

    > When a malicious process or mechanism has deposited an executable file
    > onto a system, and given the file some innocuous extension (like .txt or
    > .jpg), I'll take win-98 any day over NT because win-98 will apparently
    > NOT be tricked into running the malicious file.


    Neither will NT, at least not W2k or XP. I don't know what system FTR
    is running but renaming an exe to txt or something else will not invoke
    the executable image loader but will start the application associated
    with the file extension; e.g. notepad. If an application can't handle
    the format, e.g. a media player, then an error message is given.

    If the behaviour of Windows since XP has changed, in that the format
    is examined to decide how to open it, then this is a very bad idea.
    When an advanced user sees a txt extension then he expects a double-
    click to open the file in a text editor irrespective of its format.
    I say "advanced" because I'm talking about those who don't hide the
    file extensions. Obviously I'm not addressing the stupid situation
    where extensions are hidden and a file named as test.txt.exe (an
    executable) shows up as test.txt.



  6. #6
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    Ant submitted this idea :
    > "Virus Guy" wrote:
    >
    >> When a malicious process or mechanism has deposited an executable file
    >> onto a system, and given the file some innocuous extension (like .txt or
    >> .jpg), I'll take win-98 any day over NT because win-98 will apparently
    >> NOT be tricked into running the malicious file.

    >
    > Neither will NT, at least not W2k or XP. I don't know what system FTR
    > is running but renaming an exe to txt or something else will not invoke
    > the executable image loader but will start the application associated
    > with the file extension; e.g. notepad. If an application can't handle
    > the format, e.g. a media player, then an error message is given.


    Yes, it is equivalent to opening the default program to handle that
    filetype and selecting the file-open dialog *if* that extension is
    associated with that program in the registry. I have hide extensions
    for known filetypes checked in my folder options so I wasn't *really*
    changing the extension or the association - only how it appears to the
    average user.
    >
    > If the behaviour of Windows since XP has changed, in that the format
    > is examined to decide how to open it, then this is a very bad idea.


    As I recall, W98 did that with OLE2 files if extensionless. I think the
    trouble comes from inconsistency between the two methods and not that
    one method is wrong and the other right. Windows users are quite used
    to the idea that a book can be judged by its cover, that is its
    filename or its icon. What really counts is the actual type of content.

    > When an advanced user sees a txt extension then he expects a double-
    > click to open the file in a text editor irrespective of its format.


    Yes, but mostly because he is used to it being that way.

    > I say "advanced" because I'm talking about those who don't hide the
    > file extensions. Obviously I'm not addressing the stupid situation
    > where extensions are hidden and a file named as test.txt.exe (an
    > executable) shows up as test.txt.


    I often wondered why MS decided to do that as the default condition.
    Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop. The
    OS wasn't fooled into thinking it was an mp3 but the user might well
    have been - even the "properties" dialog lies to the user. As I recall,
    even the loaders do not depend upon filename extensions but rather on
    actual file content when deciding if they can or cannot handle the
    loading of that file's executable image, and even this has caused some
    confusion where an exe renamed to bat or com can still execute as if it
    hadn't been renamed.



  7. #7
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:k5acms$d3p$1@dont-email.me:

    > Ant submitted this idea :
    >> "Virus Guy" wrote:
    >>
    >>> When a malicious process or mechanism has deposited an executable
    >>> file onto a system, and given the file some innocuous extension
    >>> (like .txt or .jpg), I'll take win-98 any day over NT because
    >>> win-98 will apparently NOT be tricked into running the malicious
    >>> file.

    >>
    >> Neither will NT, at least not W2k or XP. I don't know what system
    >> FTR is running but renaming an exe to txt or something else will not
    >> invoke the executable image loader but will start the application
    >> associated with the file extension; e.g. notepad. If an application
    >> can't handle the format, e.g. a media player, then an error message
    >> is given.

    >
    > Yes, it is equivalent to opening the default program to handle that
    > filetype and selecting the file-open dialog *if* that extension is
    > associated with that program in the registry. I have hide extensions
    > for known filetypes checked in my folder options so I wasn't *really*
    > changing the extension or the association - only how it appears to
    > the average user.
    >>
    >> If the behaviour of Windows since XP has changed, in that the format
    >> is examined to decide how to open it, then this is a very bad idea.

    >
    > As I recall, W98 did that with OLE2 files if extensionless. I think
    > the trouble comes from inconsistency between the two methods and not
    > that one method is wrong and the other right. Windows users are quite
    > used to the idea that a book can be judged by its cover, that is its
    > filename or its icon. What really counts is the actual type of
    > content.
    >
    >> When an advanced user sees a txt extension then he expects a double-
    >> click to open the file in a text editor irrespective of its format.

    >
    > Yes, but mostly because he is used to it being that way.
    >
    >> I say "advanced" because I'm talking about those who don't hide the
    >> file extensions. Obviously I'm not addressing the stupid situation
    >> where extensions are hidden and a file named as test.txt.exe (an
    >> executable) shows up as test.txt.

    >
    > I often wondered why MS decided to do that as the default condition.
    > Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop.
    > The OS wasn't fooled into thinking it was an mp3 but the user might
    > well have been - even the "properties" dialog lies to the user. As I
    > recall, even the loaders do not depend upon filename extensions but
    > rather on actual file content when deciding if they can or cannot
    > handle the loading of that file's executable image, and even this has
    > caused some confusion where an exe renamed to bat or com can still
    > execute as if it hadn't been renamed.


    Gets more interesting..

    If you have calc.bat, calc.com and calc.exe

    which do you think executes? [g]


    --
    There ain't no rest for the wicked. Money don't grow on trees. I got
    bills to pay. I got mouths to feed. Ain't nothing in this world for
    free. Oh No. I can't slow down, I can't hold back though you know I wish
    I could. Oh no there ain't no rest for the wicked, until we close our
    eyes for good.




  8. #8
    FromTheRafters Guest

    Re: Microsoft: piracy is getting virusy

    After serious thinking Dustin wrote :
    > FromTheRafters <erratic@nomail.afraid.org> wrote in
    > news:k5acms$d3p$1@dont-email.me:
    >
    >> Ant submitted this idea :
    >>> "Virus Guy" wrote:
    >>>
    >>>> When a malicious process or mechanism has deposited an executable
    >>>> file onto a system, and given the file some innocuous extension
    >>>> (like .txt or .jpg), I'll take win-98 any day over NT because
    >>>> win-98 will apparently NOT be tricked into running the malicious
    >>>> file.
    >>>
    >>> Neither will NT, at least not W2k or XP. I don't know what system
    >>> FTR is running but renaming an exe to txt or something else will not
    >>> invoke the executable image loader but will start the application
    >>> associated with the file extension; e.g. notepad. If an application
    >>> can't handle the format, e.g. a media player, then an error message
    >>> is given.

    >>
    >> Yes, it is equivalent to opening the default program to handle that
    >> filetype and selecting the file-open dialog *if* that extension is
    >> associated with that program in the registry. I have hide extensions
    >> for known filetypes checked in my folder options so I wasn't *really*
    >> changing the extension or the association - only how it appears to
    >> the average user.
    >>>
    >>> If the behaviour of Windows since XP has changed, in that the format
    >>> is examined to decide how to open it, then this is a very bad idea.

    >>
    >> As I recall, W98 did that with OLE2 files if extensionless. I think
    >> the trouble comes from inconsistency between the two methods and not
    >> that one method is wrong and the other right. Windows users are quite
    >> used to the idea that a book can be judged by its cover, that is its
    >> filename or its icon. What really counts is the actual type of
    >> content.
    >>
    >>> When an advanced user sees a txt extension then he expects a double-
    >>> click to open the file in a text editor irrespective of its format.

    >>
    >> Yes, but mostly because he is used to it being that way.
    >>
    >>> I say "advanced" because I'm talking about those who don't hide the
    >>> file extensions. Obviously I'm not addressing the stupid situation
    >>> where extensions are hidden and a file named as test.txt.exe (an
    >>> executable) shows up as test.txt.

    >>
    >> I often wondered why MS decided to do that as the default condition.
    >> Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop.
    >> The OS wasn't fooled into thinking it was an mp3 but the user might
    >> well have been - even the "properties" dialog lies to the user. As I
    >> recall, even the loaders do not depend upon filename extensions but
    >> rather on actual file content when deciding if they can or cannot
    >> handle the loading of that file's executable image, and even this has
    >> caused some confusion where an exe renamed to bat or com can still
    >> execute as if it hadn't been renamed.

    >
    > Gets more interesting..
    >
    > If you have calc.bat, calc.com and calc.exe
    >
    > which do you think executes? [g]


    Since it is *really* an exefile, it is the exefile loader that actually
    loads it and it is an exe that executes no matter what the name is.

    The exe loader recognizes the exefile by its format and loads it. I'm
    not sure which order the loaders are in, but all three extensions will
    be associated with the chain. If the first loader doesn't recognize the
    file as being something that it knows how to load, it passes it along
    to the next loader and on down the line until one does recognize it.

    This is the OS ultimately doing this, not the GUI shell. All I'm saying
    is that filenames may or may not be indicative of what the file's
    content actually is, and the actual content is what matters. If all
    files had content in their headers that could be used in the same
    manner as Windows uses filename extensions then there wouldn't be any
    mismatches and icons and actions could be assigned based upon actual
    filetype.



  9. #9
    Dustin Guest

    Re: Microsoft: piracy is getting virusy

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:k5bmn3$8h8$1@dont-email.me:

    > After serious thinking Dustin wrote :
    >> FromTheRafters <erratic@nomail.afraid.org> wrote in
    >> news:k5acms$d3p$1@dont-email.me:
    >>
    >>> Ant submitted this idea :
    >>>> "Virus Guy" wrote:
    >>>>
    >>>>> When a malicious process or mechanism has deposited an executable
    >>>>> file onto a system, and given the file some innocuous extension
    >>>>> (like .txt or .jpg), I'll take win-98 any day over NT because
    >>>>> win-98 will apparently NOT be tricked into running the malicious
    >>>>> file.
    >>>>
    >>>> Neither will NT, at least not W2k or XP. I don't know what system
    >>>> FTR is running but renaming an exe to txt or something else will not
    >>>> invoke the executable image loader but will start the application
    >>>> associated with the file extension; e.g. notepad. If an application
    >>>> can't handle the format, e.g. a media player, then an error message
    >>>> is given.
    >>>
    >>> Yes, it is equivalent to opening the default program to handle that
    >>> filetype and selecting the file-open dialog *if* that extension is
    >>> associated with that program in the registry. I have hide extensions
    >>> for known filetypes checked in my folder options so I wasn't *really*
    >>> changing the extension or the association - only how it appears to
    >>> the average user.
    >>>>
    >>>> If the behaviour of Windows since XP has changed, in that the format
    >>>> is examined to decide how to open it, then this is a very bad idea.
    >>>
    >>> As I recall, W98 did that with OLE2 files if extensionless. I think
    >>> the trouble comes from inconsistency between the two methods and not
    >>> that one method is wrong and the other right. Windows users are quite
    >>> used to the idea that a book can be judged by its cover, that is its
    >>> filename or its icon. What really counts is the actual type of
    >>> content.
    >>>
    >>>> When an advanced user sees a txt extension then he expects a double-
    >>>> click to open the file in a text editor irrespective of its format.
    >>>
    >>> Yes, but mostly because he is used to it being that way.
    >>>
    >>>> I say "advanced" because I'm talking about those who don't hide the
    >>>> file extensions. Obviously I'm not addressing the stupid situation
    >>>> where extensions are hidden and a file named as test.txt.exe (an
    >>>> executable) shows up as test.txt.
    >>>
    >>> I often wondered why MS decided to do that as the default condition.
    >>> Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop.
    >>> The OS wasn't fooled into thinking it was an mp3 but the user might
    >>> well have been - even the "properties" dialog lies to the user. As I
    >>> recall, even the loaders do not depend upon filename extensions but
    >>> rather on actual file content when deciding if they can or cannot
    >>> handle the loading of that file's executable image, and even this has
    >>> caused some confusion where an exe renamed to bat or com can still
    >>> execute as if it hadn't been renamed.

    >>
    >> Gets more interesting..
    >>
    >> If you have calc.bat, calc.com and calc.exe
    >>
    >> which do you think executes? [g]

    >
    > Since it is *really* an exefile, it is the exefile loader that actually
    > loads it and it is an exe that executes no matter what the name is.


    I agree. However, if you have all three files with the same
    aforementioned names and you don't specify the extension, the load order
    is bat, com and finally *.exe. So.. if you mark .bat.com hidden!, the
    user doesn't know he/she isn't running what they thought they were. [g]

    > is that filenames may or may not be indicative of what the file's
    > content actually is, and the actual content is what matters. If all
    > files had content in their headers that could be used in the same
    > manner as Windows uses filename extensions then there wouldn't be any
    > mismatches and icons and actions could be assigned based upon actual
    > filetype.


    Yep.


    --
    There ain't no rest for the wicked. Money don't grow on trees. I got
    bills to pay. I got mouths to feed. Ain't nothing in this world for
    free. Oh No. I can't slow down, I can't hold back though you know I wish
    I could. Oh no there ain't no rest for the wicked, until we close our
    eyes for good.
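
Added example, not part of the original thread or any poster's code: a small Python triage script for the three situations the posts above discuss (executable content under a data-file name, the hidden `test.txt.exe` double extension, and several runnable files sharing one name). The extension sets, the sample paths and the `fake_pe_head` stub are constructed for illustration.

```python
import struct
from collections import defaultdict
from pathlib import PureWindowsPath

# Illustrative subsets chosen for this example, not an exhaustive Windows list.
PE_EXTS = {".exe", ".dll", ".sys", ".scr"}                      # PE image expected here
RUN_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}     # run when double-clicked
DECOY_EXTS = {".txt", ".jpg", ".mp3", ".mov", ".avi", ".flac"}  # read as "just data"


def is_pe_image(head: bytes) -> bool:
    """True if head starts with a DOS 'MZ' header whose e_lfanew field
    (little-endian dword at offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def audit(files):
    """files: iterable of (windows_path, leading_bytes).
    Returns a list of (subject, finding) tuples."""
    findings = []
    by_stem = defaultdict(set)
    for name, head in files:
        path = PureWindowsPath(name)
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        # 1. Content says "executable image", the name says something else.
        if is_pe_image(head) and ext not in PE_EXTS:
            findings.append((name, "pe-content-name-mismatch"))
        # 2. test.txt.exe: shown as test.txt when known extensions are hidden.
        if len(suffixes) >= 2 and ext in RUN_EXTS and suffixes[-2] in DECOY_EXTS:
            findings.append((name, "double-extension"))
        # 3. Collect runnable files by folder and stem (calc.bat/.com/.exe).
        if ext in RUN_EXTS:
            by_stem[(str(path.parent).lower(), path.stem.lower())].add(ext)
    for (folder, stem), exts in sorted(by_stem.items()):
        if len(exts) > 1:
            findings.append((f"{folder}\\{stem}", "same-stem:" + ",".join(sorted(exts))))
    return findings


def fake_pe_head() -> bytes:
    """Constructed 68-byte stub: only the fields is_pe_image() inspects."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> byte right after the stub
    return bytes(dos) + b"PE\0\0"


# Constructed sample listing (paths and contents are made up for the example).
SAMPLE = [
    ("Desktop\\calc.mp3", fake_pe_head()),             # renamed calc.exe
    ("Desktop\\test.mp3", b"ID3\x03\x00" + bytes(59)),  # ID3-tagged audio
    ("Desktop\\test.txt.exe", fake_pe_head()),
    ("Tools\\calc.exe", fake_pe_head()),
    ("Tools\\calc.com", fake_pe_head()),               # exe renamed to com
    ("Tools\\calc.bat", b"@echo off\r\n"),
    ("Docs\\notes.txt", b"plain text\r\n"),
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{finding:36} {subject}")
```

On a real folder, pass each file's path with its first few kilobytes; a file whose `e_lfanew` points past the bytes read is reported as not PE.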




  10. #10
    Bear Guest

    Re: Microsoft: piracy is getting virusy

    Dustin <bughunter.dustin@gmail.com> wrote in
    news:XnsA0EB19221E7CBHHI2948AJD832@no:

    > FromTheRafters <erratic@nomail.afraid.org> wrote in
    > news:k5acms$d3p$1@dont-email.me:
    >
    >> Ant submitted this idea :
    >>> "Virus Guy" wrote:
    >>>
    >>>> When a malicious process or mechanism has deposited an executable
    >>>> file onto a system, and given the file some innocuous extension
    >>>> (like .txt or .jpg), I'll take win-98 any day over NT because
    >>>> win-98 will apparently NOT be tricked into running the malicious
    >>>> file.
    >>>
    >>> Neither will NT, at least not W2k or XP. I don't know what system
    >>> FTR is running but renaming an exe to txt or something else will not
    >>> invoke the executable image loader but will start the application
    >>> associated with the file extension; e.g. notepad. If an application
    >>> can't handle the format, e.g. a media player, then an error message
    >>> is given.

    >>
    >> Yes, it is equivalent to opening the default program to handle that
    >> filetype and selecting the file-open dialog *if* that extension is
    >> associated with that program in the registry. I have hide extensions
    >> for known filetypes checked in my folder options so I wasn't *really*
    >> changing the extension or the association - only how it appears to the
    >> average user.
    >>>
    >>> If the behaviour of Windows since XP has changed, in that the format
    >>> is examined to decide how to open it, then this is a very bad idea.

    >>
    >> As I recall, W98 did that with OLE2 files if extensionless. I think
    >> the trouble comes from inconsistency between the two methods and not
    >> that one method is wrong and the other right. Windows users are quite
    >> used to the idea that a book can be judged by its cover, that is its
    >> filename or its icon. What really counts is the actual type of
    >> content.
    >>
    >>> When an advanced user sees a txt extension then he expects a double-
    >>> click to open the file in a text editor irrespective of its format.

    >>
    >> Yes, but mostly because he is used to it being that way.
    >>
    >>> I say "advanced" because I'm talking about those who don't hide the
    >>> file extensions. Obviously I'm not addressing the stupid situation
    >>> where extensions are hidden and a file named as test.txt.exe (an
    >>> executable) shows up as test.txt.

    >>
    >> I often wondered why MS decided to do that as the default condition.
    >> Yes, that is why my calc.exe appeared to be calc.mp3 on my desktop.
    >> The OS wasn't fooled into thinking it was an mp3 but the user might
    >> well have been - even the "properties" dialog lies to the user. As I
    >> recall, even the loaders do not depend upon filename extensions but
    >> rather on actual file content when deciding if they can or cannot
    >> handle the loading of that file's executable image, and even this has
    >> caused some confusion where an exe renamed to bat or com can still
    >> execute as if it hadn't been renamed.

    >
    > Gets more interesting..
    >
    > If you have calc.bat, calc.com and calc.exe
    >
    > which do you think executes? [g]


    Try Google and find the answer on this page...

    http://support.microsoft.com/kb/35284

    Jax
    --
    Bear Bottoms
    http://bearware.info
