Philippe.
False positive "magnet:" URI handlers found in the
registry.
This is about the following registry location:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open]
command = "C:\Program Files\<Vendor>\<Application>\<some
program>.exe" "parameters"
The GIANT or Microsoft AntiSpyware tool incorrectly
identifies EVERY "magnet:" protocol URL handler as
malicious, belonging to Grokster (a known malicious
spyware bundler), simply because Grokster ALSO installs
such "magnet:" protocol handler.
Magnet URLs are used to link, on a web page, a file
downloadable through various P2P or clustered sources. By
itself it is not malicious, as what it does is only to
contain some information that allows locating one or more
sources for a file to download, based on characteristics such as
file size, file content signature (SHA1 hash, GUID, or
other) or meta-data (including file name).
The "magnet:" URL handler is there to indicate to
Internet Explorer which *already installed* application
will be used to retrieve the file(s) indicated by the
data that follows the "magnet:" URI-scheme prefix.
This URI scheme is fully and publicly documented, and is
an alternative to URLs, because it works with multiple
sources (something that "http:" or "ftp:" URLs basically
cannot do).
Of course there are other solutions, such as URN
resolvers (where a URL points to a well known "http:"
location that runs a script in charge of finding and returning
a set of possible locations for any given URN). The bad
thing about URN resolvers (notably the "N2Ls" resolver
scheme described in RFCs) is that such a URL scheme is still
a single point of failure, as it expects that a single
resolver will be able to find all the other locations of
some content.
By contrast, "magnet:" URIs most often embed a URN, but
let the client use any application and any resolver to
retrieve the file data with the specified URN. It is
certainly a better solution than URN resolvers (because
the scheme allows an infinite number of resolvers to be
used simultaneously and independently, possibly also
communicating with each other about what locations they
know).
Yes this is a P2P concept. Yes it could be used to convey
malicious contents or could be a threat. But this is true
also for the "http:" or "ftp:" URI schemes, which are not
by themselves considered as malware.
What is really important is *which* application or
component will be used to handle these URIs.
Unfortunately, the *target* application indicated in the
Windows registry is *completely ignored* by Microsoft or
Giant AntiSpyware. Those two products simply detect that
such a URI scheme handler is installed, and associate it
incorrectly to "Grokster" even if the target is
explicitly NOT Grokster.
Please check first the target of URI schemes, not only
the presence of the URI scheme setting in the registry.
Then check whether the target is malware. Only in that
case can you remove the URI scheme handler.
I note that the effective target is also scanned
separately, and NOT found guilty of being spyware or
spyware bundler. So why having part of its standard
installation broken?
There's NO reason to block all "magnet:" URI handlers,
exactly like there's no reason to block all "http:" URI
handlers.
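The check the post asks for, as an added example that is not part of the original post: enumerate the "shell\open\command" key of a few URI schemes under both HKLM and HKCU, resolve the executable each command line points at, and report whether that file exists and who signed it. The scheme list, the output columns and the command-line parsing rule are this example's own assumptions; nothing here is the Microsoft or GIANT AntiSpyware logic.

```powershell
# Added example (not from the original post): judge a URI-scheme handler by
# its target executable, not by the mere presence of the scheme key.
# Assumptions: the default value of ...\shell\open\command holds the command
# line; the executable is its first quoted token or first whitespace token.

param(
    # Schemes to inspect; the list is an assumption for this example.
    [string[]] $Schemes = @('magnet', 'http', 'ftp')
)

function Get-UriSchemeHandler {
    param([Parameter(Mandatory)] [string] $Scheme)

    # Per-machine and per-user registrations; the per-user one wins in HKCR.
    $hives = @('HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes')
    foreach ($hive in $hives) {
        $key = Join-Path $hive "$Scheme\shell\open\command"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # The command line lives in the key's (default) value.
        $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

        # Extract the executable: quoted path first, otherwise first token.
        $exe = ($cmd -split '\s+')[0]
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Does the target exist, and is it Authenticode-signed, by whom?
        $exists = Test-Path -LiteralPath $exe
        $sig = $null
        if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $exe }

        $signer = '<unsigned or missing>'
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $status = 'n/a'
        if ($sig) { $status = $sig.Status }

        [pscustomobject]@{
            Scheme       = $Scheme
            Hive         = $hive
            CommandLine  = $cmd
            Target       = $exe
            TargetExists = $exists
            Signer       = $signer
            SigStatus    = $status
        }
    }
}

# One row per (scheme, hive) registration; review Target and Signer before
# deciding whether the handler itself deserves removal.
$Schemes | ForEach-Object { Get-UriSchemeHandler -Scheme $_ } | Format-Table -AutoSize
```

Run it from an elevated or a normal PowerShell prompt (HKLM is readable by standard users). A "magnet:" row whose Target is a signed, still-present executable from the vendor you installed is exactly the case the post describes: the scheme key alone says nothing about Grokster, so the decision has to rest on the Target, TargetExists and Signer columns.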