multiple partitions are safer in virus infection?

David H. Lipman

From: "Shane" <[email protected]>


|
| I was in ME when I saw that. I didn't expect it to work on 9x (and it
| didn't) - but wasn't sure about XP. For instance, I renamed NT4's CMD.EXE to
| CMD.NT4 for running from a batch in XP. However, while neither a .bat file
| or the aforementioned CMD.EXE run in my XP if renamed as a .jpg, I don't get
| an error message, I get Windows Picture and Fax Viewer open to an empty
| window (In ME, Image Preview).
|
| Do you have image files associated with, say, Irfanview?
|
| Shane
|

I have image files associated with Paint Shop Pro.

It does show it follows the file extension associated program.
 
Leythos

From: "Leythos" <[email protected]>


|
| Wrong, JPG files can carry a payload that is executed by IE and some
| other Windows apps - take a BATCH file, rename it to mypicture.jpg,
| double click on it - it will run.
|

Leythos.

We went through this exercise only a week or so ago.

Take a BATCH file, rename it to mypicture.jpg and double click on it - and you'll get an
invalid JPEG error message.

In fact I tested this, again, for this thread.

Yea, I need to start remembering these things - until SP2 you could
rename batch/script files to mypic.jpg and IE would execute it - if it
doesn't work now, then it must have something to do with SP2.
 
David H. Lipman

From: "Leythos" <[email protected]>


|
| Yea, I need to start remembering these things - until SP2 you could
| rename batch/script files to mypic.jpg and IE would execute it - if it
| doesn't work now, then it must have something to do with SP2.
|
| --
|
| (e-mail address removed)
| remove 999 in order to email me

I tested on Win2K SP4 and on WinME.

I think you've been thinking too much about those sorority contracts and their assets. ;-)
 
Leythos

From: "Leythos" <[email protected]>


|
| Yea, I need to start remembering these things - until SP2 you could
| rename batch/script files to mypic.jpg and IE would execute it - if it
| doesn't work now, then it must have something to do with SP2.
|

I tested on Win2K SP4 and on WinME.

I think you've been thinking too much about those sorority contracts and their assets. ;-)

Nope, I've seen it work, myself, on XP up through SP1.
 
Roger Wilco

Leythos said:
Wrong, JPG files can carry a payload that is executed by IE and some
other Windows apps - take a BATCH file, rename it to mypicture.jpg,
double click on it - it will run.

Not here it doesn't, but I heard somewhere that having IE as the default
viewer could cause an HTML file w/scripting to execute when renamed .jpg
some time in the past. Still, the file would be an HTML file not a jpg
file. Because an extension is not what defines a filetype. Also, I
didn't say jpg files couldn't be exploit trojans in the furtherance of
an exploit based worm (virus) - I said they are not infectable because
they are data files. Viruses infect programs, not data. Data diddling
is corruption, not infection. For jpgs to be injection vectors you will
need broken companion software to target and then jpgs can be trojans
(hidden functionality). The data would have to be corrupted in a special
way to exploit the broken software in the target.
 
Roger Wilco

Leythos said:
Yea, I need to start remembering these things - until SP2 you could
rename batch/script files to mypic.jpg and IE would execute it - if it
doesn't work now, then it must have something to do with SP2.

Can anyone confirm this? This is the first I've heard of such a thing.

What it might be is if you have the .bat extension hidden and you
attempt to rename mypic(.hiddenbat) to mypic.jpg it appears as mypic.jpg
but still has the .bat hidden extension. Then of course double clicking
will send it to the interpreter.
 
Roger Wilco

Well that's not entirely true... ;-)

There have been demonstration viruses which can code a virus in a JPEG but it requires a
"helper" program to be pre-installed on the destination platform to remove the virus and run
it.

This reminds me of an earlier conversation about the "need" to scan
within CAB files because some malware uses them for storage of code as
data. If you need the "helper" program, then it is that "helper" that
needs to be detected as malware - and the data file is merely corrupted
data. A program (already running) that retrieves data from a CAB file
and makes it executable could just as easily have encrypted that data
before it is placed in the CAB file making scanning the cabinet useless
without the "helper" program's decryption routine.
It is just easier to have the "helper" application be the actual infector. Albeit,
maybe said application could receive a "plug-in" to add additional functionality to the
infector. I know that there have been viruses using UseNet to obtain plug-ins to add
functionality.

I can probably make entries in the registry that make .txt an executable
filetype extension, and with only a few ASCII characters (eicar.txt) it
is a program - that doesn't mean ASCII text files are infectable per se.
You have to look at the normal operation mode of the platform, and not
some subverted or broken variation (for almost any string, a platform
can be constructed to make that string a program - even a virus. The
symbols, the instruction set, and the machine states all contrive to
make a program what it is). Microsoft did however subvert the .doc data
filetype by making it extensible to contain "programs" that can be truly
infected, but these documents are actually containers not programs
themselves.

Might as well just toss out the idea of code and data being two
different things. All files are program files if a companion program
subverts the platform.
 
Art

Can anyone confirm this? This is the first I've heard of such a thing.

What it might be is if you have the .bat extension hidden and you
attempt to rename mypic(.hiddenbat) to mypic.jpg it appears as mypic.jpg
but still has the .bat hidden extension. Then of course double clicking
will send it to the interpreter.

There was a long thread on this subject (acv or ac-av) some time back
where Windows XP was ignoring the file extension under certain
circumstances and behaving according to the file's structure instead.
You could take a batch file renamed to have a .JPG file extension and
the batch file would execute. Quite insane from a security POV. But
that's MS for you :)

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
 
David H. Lipman

From: "Roger Wilco" <[email protected]>


|
| I can probably make entries in the registry that make .txt an executable
| filetype extension, and with only a few ASCII characters (eicar.txt) it
| is a program - that doesn't mean ASCII text files are infectable per se.
| You have to look at the normal operation mode of the platform, and not
| some subverted or broken variation (for almost any string, a platform
| can be constructed to make that string a program - even a virus. The
| symbols, the instruction set, and the machine states all contrive to
| make a program what it is). Microsoft did however subvert the .doc data
| filetype by making it extensible to contain "programs" that can be truly
| infected, but these documents are actually containers not programs
| themselves.
|
| Might as well just toss out the idea of code and data being two
| different things. All files are program files if a companion program
| subverts the platform.
|

The fact remains, and has been demonstrated, that viral code CAN be inserted in a JPEG.
A JPEG can be infected.

This is not unlike inserting a copyright signature via steganography. The JPEG still
exists (albeit the quality is degraded) but specific code can be inserted and then extracted
from a JPEG.

As for macro viruses which can be inserted into an MS Office document I had once proposed
that they are really parasites and not viruses. However I was instructed that by definition
they are indeed true viruses even if they only live in the host of the MS Office program.
It should be noted that this is one type of virus that can be passed from Windows to MAC as
MS Office uses the same macro interpreter on both platforms.
 
Roger Wilco

Art said:
There was a long thread on this subject (acv or ac-av) some time back
where Windows XP was ignoring the file extension under certain
circumstances and behaving according to the file's structure instead.
You could take a batch file renamed to have a .JPG file extension and
the batch file would execute. Quite insane from a security POV. But
that's MS for you :)

Wasn't that only a command line issue?
 
David Candy

It's a cmd thing. If it doesn't know what to do with a typed line it passes it to CreateProcess. CP will attempt to execute anything passed to it. As there are many different types of program platforms (Dos/Win16/OS2/Win16-95/Win32/NT Native/Posix) and different types of programs (exe and com).
 
Shane

Aha!

David said:
It's a cmd thing. If it doesn't know what to do with a typed line it
passes it to CreateProcess. CP will attempt to execute anything
passed to it. As there are many different types of program platforms
(Dos/Win16/OS2/Win16-95/Win32/NT Native/Posix) and different types of
programs (exe and com).
 
Roger Wilco

The fact remains, and has been demonstrated, that viral code CAN be
inserted in a JPEG.

No argument there.
A JPEG can be infected.

Not by a virus, because viruses infect programs and JPEG is not a
program filetype nor has it been extended to routinely carry programs
within it.
This is not unlike inserting a copyright signature via steganography. The JPEG still
exists (albeit the quality is degraded) but specific code can be inserted and then extracted
from a JPEG.

Yes, inserted and extracted - this goes for all filetypes of sufficient
length. If you are talking about indirect infection then the file
(usually a text file) is destined through normal means to be translated
into an executable image - this is also NOT true for the JPEG filetype
while it is true for source code files and batch (script) files.

Until the JPEG standard changes to include data destined to be
translated into executable code by design, they will remain
uninfectable.
As for macro viruses which can be inserted into an MS Office document I had once proposed
that they are really parasites and not viruses.

They are viruses needing the specific software environment which is
provided by the application software usually associated with them -
regardless of the platform that hosts the application.
However I was instructed that by definition
they are indeed true viruses even if they only live in the host of the
MS Office program.

Right, just as viruses for the Commodore 64 are still viruses even
though they only work on the C64 or on an emulated C64 environment.
It should be noted that this is one type of virus that can be passed from Windows to MAC as
MS Office uses the same macro interpreter on both platforms.

Right, it is platform independent aside from the software environment
platform provided by the application.

In this case the filetype is used as designed and has execution of
program data on its "to do" list. Not so for the JPEG filetype. Yes, you
could craft an environment where JPEG filetypes were misused, and they
could be viruses in that special environment - - but that can be said of
any filetype.
 
Roger Wilco

Bob I said:
Please read about current and future possibilities
http://www.google.com/search?hl=en&q=jpg+virus

I see nothing new there - just the same old stuff.

I didn't say that virus program code couldn't be stuffed into a jpg
file. I didn't say that a jpg couldn't be crafted to exploit a
vulnerability as an injection vector for code (an exploit trojan). I
didn't say that such a trojan's payload couldn't be used in the
furtherance of a worm. I didn't say that an environment couldn't be
subverted so that jpg files acted like executable files.

What I am saying is that viruses infect programs and jpg files do not
represent program code to be translated into executable images by design
(they are not program files). Yes, they can be part of a worm's
transport mechanism, but they can't be infected by a virus because they
are not programs. Text files are not infectable (they're not programs)
but when they are by design associated with an interpreter or compiler
for translation (the .bat or .c extension association for instance) they
are infectable (indirect infection).

Please understand that shouts of jpg and mp3 viruses raise FUD and
bolster sales of security related wares. People who once thought they
were safe because they only dealt p2p with these two filetypes now have
worries.

They are right in deciding to scan jpg files, but what they are looking
for in a jpg is an exploit trojan or the stored program data of a
companion malware program (corruption).

Viruses don't infect data files any more than Bugbear infected reams of
paper.
 
kurt wismer

Leythos said:
Wrong, JPG files can carry a payload that is executed by IE and some
other Windows apps - take a BATCH file, rename it to mypicture.jpg,
double click on it - it will run.

renaming a batch file to mypicture.jpg doesn't make it a JPG file, it
makes it a *.jpg file... one denotes a file format while the other
denotes a file extension - there's a big difference...

the JPEG format does not supply the basic requirements for being an
infectable host - it does not contain instruction for the computer to
carry out...
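The distinction kurt draws above (a JPG file is a format identified by its content, a *.jpg file is just a name) and the hidden-double-extension case Roger described earlier (mypic.jpg.bat displayed as mypic.jpg when known extensions are hidden) are both mechanical checks a mail gateway or upload handler can make. The following is an added example, not code from any poster: a small Python checker that compares the extension the OS will dispatch on against the file's magic bytes, and flags names whose last, executable extension would be hidden behind an image-looking one. The sample file contents are constructed for the demonstration; the signature table and the list of executable extensions are the author's assumptions, not an exhaustive set.

```python
"""Check whether a file's extension agrees with its actual format.

Added example: distinguishes a JPG file (format, identified by its magic
bytes) from a *.jpg file (merely a name), and spots a hidden executable
extension such as mypic.jpg.bat. Sample inputs are constructed.
"""
from dataclasses import dataclass

# Leading bytes for a few image formats (assumption: small table for the demo).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Extensions Windows hands to an interpreter or loader rather than a viewer
# (assumption: illustrative subset).
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".com", ".vbs", ".js", ".scr", ".pif"}


@dataclass
class Finding:
    name: str
    dispatch_ext: str  # the extension the OS actually acts on (the last one)
    verdict: str       # ok | format-mismatch | hidden-executable-extension | ...


def split_exts(name):
    """All dotted suffixes, lowercased: 'mypic.jpg.bat' -> ['.jpg', '.bat']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def check_file(name, data):
    """Classify one file by its name and the first bytes of its content."""
    exts = split_exts(name)
    if not exts:
        return Finding(name, "", "no-extension")
    dispatch_ext = exts[-1]                       # what a double-click dispatches on
    shown_ext = exts[-2] if len(exts) > 1 else dispatch_ext  # what a user sees with
                                                  # "hide known extensions" enabled
    # mypic.jpg.bat: the visible name looks like an image, the OS runs a batch file.
    if dispatch_ext in EXECUTABLE_EXTS and shown_ext != dispatch_ext:
        return Finding(name, dispatch_ext, "hidden-executable-extension")
    sigs = MAGIC.get(dispatch_ext)
    if sigs is None:
        return Finding(name, dispatch_ext, "unknown-format")
    # A real JPEG/GIF/PNG starts with its signature; a renamed batch file does not.
    if data.startswith(sigs):
        return Finding(name, dispatch_ext, "ok")
    return Finding(name, dispatch_ext, "format-mismatch")


# Constructed sample files: name -> leading bytes.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",   # genuine JPEG header
    "mypicture.jpg": b"@echo off\r\necho hello\r\n",        # batch file renamed .jpg
    "mypic.jpg.bat": b"@echo off\r\necho hello\r\n",        # hidden executable extension
    "logo.gif": b"GIF89a\x01\x00\x01\x00",                  # genuine GIF header
    "notes.txt.jpg": b"plain text, no image header",        # mismatch, no hidden .bat
    "README": b"just text",                                 # no extension at all
}


def scan_samples(samples=SAMPLES):
    """Return {name: verdict} for every sample."""
    return {name: check_file(name, data).verdict for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16} {verdict}")
```

The check deliberately keys on the last extension, because that is the one the shell's file-type association uses; the earlier extensions are only what a user sees. Note that a signature match proves the file is at least shaped like an image, not that it is harmless: a crafted image aimed at a vulnerable viewer (the "exploit trojan" Roger describes) passes this check, which is why it belongs in front of, not instead of, content scanning.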
 
kurt wismer

David H. Lipman wrote:
[snip]
That fact remains, and has been demonstrated, that viral code CAN be inserted in a JPEG.
A JPEG can be infected.

file infection is a state where attempts to execute the infectee result
in the execution of the infector... since jpegs don't get executed, they
cannot be infected (at least not on sane environments that haven't
already been compromised by something specifically designed to execute
jpegs or parts thereof)...
 
David H. Lipman

From: "kurt wismer" <[email protected]>

| David H. Lipman wrote:
| [snip]
| file infection is a state where attempts to execute the infectee result
| in the execution of the infector... since jpegs don't get executed, they
| cannot be infected (at least not on sane environments that haven't
| already been compromised by something specifically designed to execute
| jpegs or parts thereof)...
|
| --
| "they threw a rope around yer neck to watch you dance the jig of death
| then left ya for the starvin' crows, hoverin' like hungry whores
| one flew down plucked out yer eye, the other he had in his sights
| ya snarled at him, said leave me be - i need the bugger so i can see"

I think you extend the infection to just being a carrier. A Typhoid Mary in a computer file
sense.
 
Leythos

renaming a batch file to mypicture.jpg doesn't make it a JPG file, it
makes it a *.jpg file... one denotes a file format while the other
denotes a file extension - there's a big difference...

Yes, to you and I, as programmers and network designers there is, but,
to IE, not long ago, there was no difference. You could rename the
script file to .JPG or .GIF and open it in IE and it would execute the
script. If you had a virus that deleted the contents of a valid jpg/gif
and copied itself into the file, it would run also.

I've tested this in the past and was amazed that IE would do this, since
service packs (I think around SP2) it has not done this, but I recall
thinking it would never execute and sure as heck it did.
the JPEG format does not supply the basic requirements for being an
infectable host - it does not contain instruction for the computer to
carry out...

But to the Windows OS, a file extension is often the determining factor
in what opens/executes the file - and that means that if IE was set to
open JPG files, then looked inside the JPG file (which it used to do) and
determined it was executable code, it would execute it. So, it didn't
really matter what the file type (based on extension) was/is, it was a
threat.
 
