Malware Triangle

[Roger Wilco]

and what about the GDI+ exploit?

Broken software does not make the data type it expects to deal with into a "program", it makes the exploit code it doesn't
expect to deal with into a program. Are you now suggesting that JPEG's are "programs" too because in the end execution
does happen? The exploit makes the JPEG into a container for the code not expected by the broken software program.

unless you consider the rendering of
images to be a value-added web browsing experience.

HTML does not render images either, it has containers for images that are rendered elsewhere, depending on the system,
and may be placed where the HTML suggests - and this GDI+ threat is an exploit not a designed function.

The web was created with graphics in mind, executable content was value-added later. Lets not confuse exploit code with
the fact that HTML is not a programming language. The value-added containers for executable content increase the risk,
not the HTML itself - and exploit code was not anticipated at all in their implementation.

folks, Kurt is the resident alt.comp-anti-virus troll (and village
idiot). just put him in the PLONK file and be done with it.

He is one of the most learned posters here, but you may as well plonk him 'cause you are incapable of understanding him.

 

[Roger Wilco]

it's just a semantical game. persons jump on this thread as if it means
something, but it's simply wasted bandwidth IMHO. there are multiple
definitions for program (look it up for proof) and it's nothing more
than a classic lumping / splitting taxonomical issue.

The subject isn't "programs" here, it is the difference between a "program file" and a file that happens to "contain" a program.
Programs can be "contained" anywhere, but when they are in a program file they are expected to be recognized by a loader
or recognized as not needing any of the further translation supplied by a loader. HTML files are not "program files" yet they
can contain programs. Launching a personal attack against Kurt only goes to show that you are out of ammunition and must
resort to ad hominem remarks. Why not just admit that he knows more about the subject than you do and be done with it.

 

[cquirke (MVP Win9x)]

On Sat, 4 Dec 2004 15:28:34 -0500, "Roger Wilco"

This is such a flamable topic, yet the underlying issue - the
program/data distinction - is crucial to safety. So here goes...

I know many programmers that don't know how stuff works.

Exhibit A: All those using C's string copy function as a generic bytes
mover, and thus all those buffer overruns.

The point being that computer complexity means there are few who have
the range of understanding that spans from "big picture" to wires,
volts and milliseconds. Most work in a narrow band, e.g. bind
together these black boxes to create a solution, or code this module
(designed by someone else) using that language's library functions.

The trend is inescapable, and I found it robbed programming of its
allure, so I dropped out back in the early '90s. I can see the
attraction of virus writing; solo work, raw code, not much re-use of
other ppl's functions other than to abuse them, and simple code-level
objectives that are self-defined.

A W32 executable may need some translation to be made into an
executable image, but it is a program file even though it is sort of
like a container. Sending it as inline content in an HTML w\scripting
email does not make the email a program any more than does
archiving it in a zip file make the zip file a program.

For our purposes (malware theory), what matters is:

a) Is program material within file "run" when file is "opened"?

b) If so, is what it can do limited to the scope of that file alone?

If Yes and No, the file should be considered "program".

If No and No, the file can be safely considered "data", in terms of
itself - but knowing that ant file can contain anything, and that
program files can use the contents of any file for any purpose
(including loading it into its own memory and running it as code),
such files may still have malware relevance.

If Yes and Yes, you may have a safe macro or "text markup" situation,
but experience shows that sooner or later, sandboxes leak, or devs are
tempted into facilitating wider effects e.g. by adding a generic
"shell arbitrary system call" feature etc.

For this reason, I would prefer *any* sort of macro/scripting to be
held within separate files that are identifiable as such, and/or to be
never automatically interpreted when a "data" file is "opened".


Another detail to avoid getting hung up on, is whether code is
"really" code, or is script, macro, etc. Usually this is determined
by whether it is "executed" or "interpreted".

All code is interpreted, whether it be in hardware such as CPU or
peripheral device, by software emulation of that hardware, by a
programming runtime engine, as interpreted as API calls, or by an
application that parses "document" files in poorly-limited ways.

Not only that, but interpretation of a file may unwittingly be as
powerful as a programing engine, i.e. when a genuine data format such
as JPEG gets to exploit a defective interpreter and thus runs as code.


If users are to retain control over their computers::

1) Users must know what they are doing

2) Computer must limit itself to doing only what it is asked to do

On (1), it goes about concerptualizing software in such a way the user
understands it, and the implications of what it does. If software
does this well, all the user may need to know something they already
know, e.g. "I want to read a message", "I want to see a list of file
names", "I want to read a data file", "I want to run a program".

On (2), it goes about safety WYSIWYG. If the user expects the limited
risk of listing files, the system should not "run" material within
those files. If a user expects the low risk of "reading" a file, the
system should not take the greater risk of running these as programs.

When (1) fails, e.g. meaningless generic concepts such as "open"
require additional and quite in-depth knowledge, or when a consumer PC
is a fully-fledged "network client" requiring sysadmin knowledge, then
you can expect users to "do dumb things" on a regular basis.

When (2) fails, it becomes impossible for users to practice "safe
hex", and effectively, control of their PC is hijacked by anyone with
the failrly simple tech smarts needed to press a few buttons.

We currently live with the consequences of (1) and (2) failure.

 

[kurt wismer]

ah, shut up.

why should i?

you can tell the programmers from the non-programmers in
this thread.

yes, especially when some of us have already established earlier in
this thread that we are professional programmers...

Kurt is an idiot (as usual).

michael

micheal is employing an ad hominem attack... he doesn't like the
message so he attacks the messenger...

 

[kurt wismer]

it's just a semantical game.

you say that like 'semantic' is a bad word or something... semantics is
the study of meaning... ultimately all interesting debates are about
'meaning'...

as for it being a game, that's just your guess about the motivation
behind what's going on here... i guess the idea that people will debate
until one side gives up or consensus is reached is foreign to you..

persons jump on this thread as if it means
something, but it's simply wasted bandwidth IMHO. there are multiple
definitions for program (look it up for proof) and it's nothing more
than a classic lumping / splitting taxonomical issue.

just because there are multiple definitions for program doesn't mean
everything can be called a program...

at it's most fundamental level a program is a collection of one or more
instructions meant to be carried out by the computer... since html has
tags (labels) instead of instructions, html is not a language for
making programs - ergo, not a programming language...

 

[kurt wismer]

and what about the GDI+ exploit? unless you consider the rendering of
images to be a value-added web browsing experience.

as a matter of fact...

i take it you never used lynx... or turned image display off to get
better performance...

folks, Kurt is the resident alt.comp-anti-virus troll (and village
idiot). just put him in the PLONK file and be done with it.

strange that there aren't more people calling me a troll... i mean, if
that really were the case you'd think there'd be a lot more people
saying it...

if i'm a troll i must be the luckiest troll alive, because somehow i
manage to avoid the kind of <sarcasm>warm reception</sarcasm> that
'tracker' (among others) receives...

 

[kurt wismer]

cquirke (MVP Win9x) wrote:
[snip]

For our purposes (malware theory), what matters is:

a) Is program material within file "run" when file is "opened"?

b) If so, is what it can do limited to the scope of that file alone?

it would be nice if these evaluated to the same results on all
systems... unfortunately they don't, so users will have to make these
determinations on a case by case basis depending not only on the 'data'
in question, but also on the environment...

If Yes and No, the file should be considered "program".

and this can be especially problematic as *all* data 'types' have a
non-zero probability of triggering the execution of embedded
(legitimately or otherwise) code when read by some reader or another...

so the argument could be made to consider all files as programs...

personally i find that a little extreme...

[snip]

For this reason, I would prefer *any* sort of macro/scripting to be
held within separate files that are identifiable as such, and/or to be
never automatically interpreted when a "data" file is "opened".

the age old (and very sensible) separation of code and data... if only
we (the human race) had followed that doctrine...

 

[Norman L. DeForest]

[alt.privacy.spyware removed, not carried here]

'Twas Wed, 1 Dec 2004 14:49:43 -0500 when all alt.privacy.spyware stood in


I volunteer to help carry out the horse when y'all are through beating it.

Speaking of dead horses....

Dakota Tribal Wisdom:
http://groups.google.com/[email protected]&output=gplain

Familiar Corporate Strategies [followup to Dakota Tribal Wisdom]
http://groups.google.com/[email protected]&output=gplain

 

[Norman L. DeForest]

[alt.privacy.spyware removed, not carried here]

cquirke (MVP Win9x) wrote:
[snip]

For our purposes (malware theory), what matters is:

a) Is program material within file "run" when file is "opened"?

b) If so, is what it can do limited to the scope of that file alone?

it would be nice if these evaluated to the same results on all
systems... unfortunately they don't, so users will have to make these
determinations on a case by case basis depending not only on the 'data'
in question, but also on the environment...

If Yes and No, the file should be considered "program".

and this can be especially problematic as *all* data 'types' have a
non-zero probability of triggering the execution of embedded
(legitimately or otherwise) code when read by some reader or another...

so the argument could be made to consider all files as programs...

personally i find that a little extreme...

[snip]

For this reason, I would prefer *any* sort of macro/scripting to be
held within separate files that are identifiable as such, and/or to be
never automatically interpreted when a "data" file is "opened".

the age old (and very sensible) separation of code and data... if only
we (the human race) had followed that doctrine...

To indicate the stupidity of Microsoft failing to follow that doctrine....

If an executable file is dragged and dropped into a document being edited
by Word and then the part of the document that contains the executable
and, perhaps, some surrounding text is selected and the selected area is
dragged to the Windows desktop and dropped there, you now have a scrap
file with an embedded executable.

If you do the same thing with a MIDI file as you did with the executable,
you now have another scrap file with an embedded MIDI file.

Now comes the stupidity.

If I double-click on the scrap file with the embedded MIDI file, it is
opened with Word. If I then double-click on the embedded MIDI file,
Windows pops up a warning dialogue box and asks me if I really want to
do something that could pose a danger to the system.

However, if I double-click on the scrap file with the embedded executable,
then Windows immediately runs the executable with no warning, prompt,
request for confirmation or any other safety check whatsoever.

What's wrong with this picture?

 

[null]

[alt.privacy.spyware removed, not carried here]

cquirke (MVP Win9x) wrote:
[snip]

For our purposes (malware theory), what matters is:

a) Is program material within file "run" when file is "opened"?

b) If so, is what it can do limited to the scope of that file alone?

it would be nice if these evaluated to the same results on all
systems... unfortunately they don't, so users will have to make these
determinations on a case by case basis depending not only on the 'data'
in question, but also on the environment...

If Yes and No, the file should be considered "program".

and this can be especially problematic as *all* data 'types' have a
non-zero probability of triggering the execution of embedded
(legitimately or otherwise) code when read by some reader or another...

so the argument could be made to consider all files as programs...

personally i find that a little extreme...

[snip]

For this reason, I would prefer *any* sort of macro/scripting to be
held within separate files that are identifiable as such, and/or to be
never automatically interpreted when a "data" file is "opened".

the age old (and very sensible) separation of code and data... if only
we (the human race) had followed that doctrine...

To indicate the stupidity of Microsoft failing to follow that doctrine....

If an executable file is dragged and dropped into a document being edited
by Word and then the part of the document that contains the executable
and, perhaps, some surrounding text is selected and the selected area is
dragged to the Windows desktop and dropped there, you now have a scrap
file with an embedded executable.

If you do the same thing with a MIDI file as you did with the executable,
you now have another scrap file with an embedded MIDI file.

Now comes the stupidity.

If I double-click on the scrap file with the embedded MIDI file, it is
opened with Word. If I then double-click on the embedded MIDI file,
Windows pops up a warning dialogue box and asks me if I really want to
do something that could pose a danger to the system.

However, if I double-click on the scrap file with the embedded executable,
then Windows immediately runs the executable with no warning, prompt,
request for confirmation or any other safety check whatsoever.

What's wrong with this picture?

Have you ever read this?:

http://www.pc-help.org/security/scrap.htm

It's quite old now but I was interested to try the Browser Test again.
Sure enough, IE6 still runs the executeable when you choose Open. Sane
browsers such as Moz don't offer the option and won't allow Running
the executeable .... no how, no way

A few years back, I had a lot of fun making embedded object Trojans in
Word docs (but not releasing them, of course). I even created a
scanner that would detect such embedded Trojans and had it up at my
web site. A bit later, KAV started detecting some of these objects,
and one or two more av vendors gradually followed suit. In particular,
KAV started by alerting on the format a: /autotest object discussed at
the above web site. But I had a helluva time trying to convince a
researcher at Sophos that these objects should be detected by av
scanners. The attitude, as so often seen in those steeped in the
archaic virus-only mentality, was that such Trojans might serve a good
purpose. LOL! Some av vendors have literally been dragged kicking and
screaming into Trojan detection, it seems.


Art
http://www.epix.net/~artnpeg

 

[Richard S. Westmoreland]

Some av vendors have literally been dragged kicking and

screaming into Trojan detection, it seems.

And now the same can be said about Spyware.