[pmmail-list] newlines in filters? -- Sircam virus/worm - execute vs. view
xavier caballe
pmmail-list@blueprintsoftwareworks.com
Mon, 30 Jul 2001 21:24:52 +0200
> First, I _do_ want to view an executable file first before I
>actually execute it.
This sounds a litlle bit odd for me... On Windows (and also OS/2) there's
almost nothing human readable on executable files. Or am I missing
something?
> I like this feature of UNIX (and, I believe, Novell, too) to make
>a distinction between execution rights and opening rights to a file
>or directory.
Well, you can use a file browser to view their contents... but I think is
something useless. If you get a file you aren't expecting, better to ask
the sender what's going on and of course, you must have an updated
antivirus.
I work on a security consulting company and quite often I have to manage a
lot of "suspicious" files. I've found the better way to work is to use
VMWare to have an completely issolated virtual machine. Until now I've
been unable to find anything able to infect outside VMWare.
> Especially with Microsoft Office Documents, there are a lot of data
>files which contain executable code, some being executed OnOpen of
>the file. This behaviour should be disabled when I decide to only
There're some viewers that are able to browse a Microsoft Office that are
not able to run any macro. But...remember, this is not a Microsoft
Office-only fault: you can do the same with a Lotus SmartSuite document or
a StarOffice document (even on OS/2... just create a .LWP file with an
autoexecutable macro, send it to anyone and ask him to open the file)
If we haven't seen any Lotus SmartSuite macro-virus is not because Lotus
has a better protection mechanism (in fact, I believe that currently
Microsoft Office has a more robust virus protection mechanism than Lotus;
unfortunately most of Microsoft mechanisms are disabled by default and
some are quite difficult to find it).
> Third, the standard way to show a file name in 32bit MS Windows
>systems is to strip the name extension, and to show only the base
>name.
I agree with you. This feature should not exist... in fact, the first
thing I do after install any Windows version is to disable it.
> Now look, the one Sircam infected file I have received had an
>attachment with the name "Betriebsausflug.xls.pif". Windows would
>probably not show the "PIF" extension, probably not even the XLS, but
>the Excel icon. To the regular windows user, this file would look
No, it will not show the Excel icon... it will show the default .EXE icon
(an empty window by default) except if there's a Sircam mutation out there
that uses a different icon (it won't be difficult to add this "feature",
since you can embed an icon into any .EXE file). Currently I'm not aware
of any mutation that does this.
>like a normal data file or office document; the virus writer counts
>on the curiousness of the recipient, who is led to believe that he
>has gotten a document from someone who has inadvertedly sent it to a
>wrong address, and is incited to look into the possibly confidential
>information, and bang! the virus takes its place.
There are a couple of things here. First, we should blame Microsoft to
hide the real extension (since file extensions are important on Windows).
I agree with this.
But the most important thing is not a Microsoft fault... it's an user
education fault. Any user must know that there're virus out there and they
shouldn't open any file there're not expecting.
> So I repeat my initial point, where I have very strong opinions
>on, that an OS should make a sharp distinction between viewing a
>file, and executing it.
For most users, this will mean nothing... at least, I don't see any
advantage to browse the content of an executable file. What I expect from
the system is to really identify an executable file and not to hide it.
That's the only Microsoft fault on this topic: they choose to let a file
to hide it's personality and they choose to enable this feature by
default.
Xavi
---
http://www.quands.com
Portal de seguretat informātica en catalā
- pmmail-list - The PMMail Dicussion List ---------------------------
To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com