Talk about text files and embedded malware...

[PantsOnFire]

Let's say I have a process which can check the entire content of a
file. This process can determine that the entire file is made up of
ASCII characters only.

So my questions are:

1. What can be written in ASCII that can be a threat (e.g. a Perl
script or VBS script)?

2. What needs happen to have this threat executed?

3. Can I limit the number of acceptable ASCII characters such that
threats cannot execute (e.g. do not allow characters like + < > _ \ /
& % $ @ # : ; " , etc....)

4. Do I need to worry about obfuscated malware even given my limiting
of the characters allowed.

 

[David H. Lipman]

From: "PantsOnFire" <[email protected]>

| Let's say I have a process which can check the entire content of a
| file. This process can determine that the entire file is made up of
| ASCII characters only.
|
| So my questions are:
|
| 1. What can be written in ASCII that can be a threat (e.g. a Perl
| script or VBS script)?


Yes if is eecutable or interpreted. For example VBSsyme or HTML:Trojan.Generic type
detections.


|
| 2. What needs happen to have this threat executed?


It could be on a web site or in email are set in the Registry to load the interpreter
automatically.


|
| 3. Can I limit the number of acceptable ASCII characters such that
| threats cannot execute (e.g. do not allow characters like + < > _ \ /
| & % $ @ # : ; " , etc....)


No. Won't help.


|
| 4. Do I need to worry about obfuscated malware even given my limiting
| of the characters allowed.

Yes. Many Javascripts are encoded to obfuscate their malicious intent.

 

[PantsOnFire]

From: "PantsOnFire" <[email protected]>

| Let's say I have a process which can check the entire content of a
| file.  This process can determine that the entire file is made up of
| ASCII characters only.
|
| So my questions are:
|
| 1.  What can be written in ASCII that can be a threat (e.g. a Perl
| script or VBS script)?

Yes if is eecutable or interpreted.  For example VBSsyme or HTML:Trojan.Generic type
detections.

|
| 2.  What needs happen to have this threat executed?

It could be on a web site or in email are set in the Registry to load the interpreter
automatically.

|
| 3.  Can I limit the number of acceptable ASCII characters such that
| threats cannot execute (e.g. do not allow characters like + < > _ \ /
| & % $ @ # : ; " , etc....)

No.  Won't help.

|
| 4.  Do I need to worry about obfuscated malware even given my limiting
| of the characters allowed.

Yes.  Many Javascripts are encoded to obfuscate their malicious intent.

Thanks Dave,

Just a quick followup.

Say a file called "bad.txt" contains some perl script. Assuming there
is no hidden extension, double-clicking on this should open notepad
(WindowsXP) and the contents will be viewed as text. Someone who
knows perl could recognize the structure. However, it is possible to
go into the file associations and change the program that
executes .txt files to perl.

So am right to assume that:

1. This is now bad that .txt is associated with perl and thus any
user double-clicking a bad file will execute some code?

2. Can a network policy be set such that users cannot change file
associations and thus administrators can offer some protection in that
manner?

3. Dragging and dropping this bad file into an open notepad window
will not execute the script?

 

[PantsOnFire]

Just one more if you don't mind. I visited your site and see you are
experienced in this field. What is your opinion of Grisoft AVG Free
Edition?

 

[Dave Budd]

1. This is now bad that .txt is associated with perl and thus any
user double-clicking a bad file will execute some code?
Yes

2. Can a network policy be set such that users cannot change file
associations and thus administrators can offer some protection in that
manner?

It's possible - we have clusters of hundreds of machines here where
users can't change _anything_, and in fact can only save files to one
particular folder.

3. Dragging and dropping this bad file into an open notepad window
will not execute the script?

No, it won't. Starting Notepad, and using its menus to go and open the
file is also safe.

 

[David H. Lipman]

From: "PantsOnFire" <[email protected]>


|
| Thanks Dave,
|
| Just a quick followup.
|
| Say a file called "bad.txt" contains some perl script. Assuming there
| is no hidden extension, double-clicking on this should open notepad
| (WindowsXP) and the contents will be viewed as text. Someone who
| knows perl could recognize the structure. However, it is possible to
| go into the file associations and change the program that
| executes .txt files to perl.
|
| So am right to assume that:
|
| 1. This is now bad that .txt is associated with perl and thus any
| user double-clicking a bad file will execute some code?


If the association is set that Perl will run the TXT files, yes.


|
| 2. Can a network policy be set such that users cannot change file
| associations and thus administrators can offer some protection in that
| manner?
|


There might be. There are many policies and I know there are policioes associated with file
associations but I don't know of the specifics.


| 3. Dragging and dropping this bad file into an open notepad window
| will not execute the script?

Right!

 

[David H. Lipman]

From: "PantsOnFire" <[email protected]>

| Just one more if you don't mind. I visited your site and see you are
| experienced in this field. What is your opinion of Grisoft AVG Free
| Edition?

Its better than MvAfee, Symantec and Microsft Live OneCare but not as good as Avira AntiVir,
Kaspersky or NOD32.

 

[Dave Cohen]

Let's say I have a process which can check the entire content of a
file. This process can determine that the entire file is made up of
ASCII characters only.

So my questions are:

1. What can be written in ASCII that can be a threat (e.g. a Perl
script or VBS script)?

2. What needs happen to have this threat executed?

3. Can I limit the number of acceptable ASCII characters such that
threats cannot execute (e.g. do not allow characters like + < > _ \ /
& % $ @ # : ; " , etc....)

4. Do I need to worry about obfuscated malware even given my limiting
of the characters allowed.

The safest way to view the contents of a text file is to either drop it
onto an icon or open with file open menu item in a text editor.
It should be easy to spot if the file contains code in any language.
Even a word file with an embedded virus would be readable. Word has a
bunch of funny stuff at beginning and possibly end of file but what is
in between is readable text.
Dave Cohen