stealth executables
Brad Griffin (griffinb at HOTKEY.NET.AU)
Wed, 27 Oct 1999 12:22:38 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all.
I was reading a mainstream newsletter a couple of days ago which had
the following article. Forgive me if it is common knowledge (it was a
new one for me).
The Danger Of Stealth Executables

"SHS" and other little-known or seemingly-benign file types (often
completely ignored by antivirus apps) can disguise malicious
executables and macro viruses!

A reader from Canada recently had an eye-opening experience that's
instructive to us all:

    I recently came across something that concerned me VERY much -
    and could possibly be used to cause damage or execute viruses
    etc. on a user's machine.

    Recently, a friend sent me a harmless executable file (it was a
    sound bite), but it was embedded in an MS Word 97 document. To
    hear the sound bite was frustrating, requiring me to load MS Word
    and then double-click on the embedded file. So, in MS Word, I
    selected the executable that was embedded in the document, copied
    it and pasted it to my desktop.

    Not surprisingly, it showed up as an MS Word "Scrap" file. The
    file extension for scrap files is ".shs". For some reason, Windows
    hides this file extension.

    So, with a file named "Scrap" on the desktop, double-clicking it
    ran the executable without problem. In fact, I tried changing the
    name of the file to something else, with a different extension
    (i.e. ".bmp"). Renaming it "test.bmp", the icon remained the same
    and the new name appeared, once again with the ".shs" extension
    hidden. Now it appeared as a harmless image file - however,
    double-clicking it ran the executable as before.

    Call me paranoid, but could I not do the same thing with a more
    sinister executable and rename it as a ".txt" file? The "scrap"
    icon looks like a text file icon - and an unknowing user would
    open the 'text' file, but really run the executable.

    When attaching this type of file to an email message, the
    extension becomes visible - but an unsophisticated user would go
    ahead and save the attachment and voila - no more "shs" extension!
    Looks fine! Double-click and whammo.

Windows normally hides the SHS extension (you have to select
file/properties to see it), and many users have never even heard of
it. Thus, even though SHS files can contain directly executable
content, users might well click on an SHS file (disguised or not)
without a second thought.

What's more, many commercial antivirus apps do not scan SHS files by
default, and must be manually adjusted to include "Scraps" in their
scans.

And it's not just SHS files. Trojan-horse infectors can reside in a
wide variety of files with little-known or seemingly-benign file
extensions. For example, if you follow antivirus activity, you may
recall that a few months back some malicious souls started
circulating the Melissa virus in RTF rather than the more common DOC
files. Some enterprises and users who had religiously updated their
virus definitions to include the Melissa signature got infected anyway
because their antivirus apps, by default, didn't scan RTF files. (By
the way, two new strains of Melissa were discovered just last week,
so it's a safe bet that the RTF exploit will turn up again, and soon.)

I checked the major antivirus vendor sites and found very little on
SHS and similar vulnerabilities. The Symantec/Norton site did have
some information buried pretty deep, but a search of the Computer
Associates, Trend Micro and McAfee antivirus sites, for example,
turned up exactly zero hits on "SHS."
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1 -- QDPGP 2.60
Comment: http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x6FD78581
iQA/AwUBOBXVTQiK90dv14WBEQLwagCg4g5Z6Q4nyZXmBRGn3UR1KiB7O34AoM+0
I0rpWn1N0t3g0gmDBU0bwR8b
=vVLT
-----END PGP SIGNATURE-----
Brad Griffin
Infotech undergrad & e-mail addict
CQU Rockhampton, Australia
Useful links:
http://www.pgpi.org/
http://spamcop.net/
http://www.avp.ru/
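The two lessons in the quoted article, as an added Python example that is not part of the original post or of the newsletter it quotes: judge a file by its real name and its leading bytes rather than by the name Explorer displays, and do it while the attachment still carries its extension (the article notes it only disappears once the file is saved). The rule that Explorer drops a trailing .shs/.shb comes from the NeverShowExt registry value on the ShellScrap type; treating scrap files as OLE compound documents (the D0 CF 11 E0 signature) is an assumption of this example, the list of extensions expected to hold OLE content is a conservative default, and the mail message with its three attachments is constructed for the demonstration.

```python
import os
from dataclasses import dataclass, field
from email import message_from_bytes
from email.message import EmailMessage

# OLE2 compound-document signature. Scrap files are assumed to be stored
# in this container format (assumption stated in the lead-in).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Shell scrap types whose extension Explorer never shows
# (NeverShowExt under HKCR\ShellScrap and HKCR\DocShortcut).
HIDDEN_EXTS = {".shs", ".shb"}

# Extensions where an OLE container is the normal case; the OLE
# signature under any other extension means the name is lying.
OLE_EXPECTED = {".doc", ".dot", ".xls", ".ppt"} | HIDDEN_EXTS


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extensions(name: str) -> list:
    """All dotted suffixes of a file name, lower-cased and in order:
    'test.bmp.shs' -> ['.bmp', '.shs'];  'Scrap' -> []."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def displayed_name(name: str) -> str:
    """What Explorer lists for the file: a hidden scrap extension is
    dropped, so 'test.bmp.shs' appears as 'test.bmp'."""
    exts = extensions(name)
    if exts and exts[-1] in HIDDEN_EXTS:
        return name[: -len(exts[-1])]
    return name


def classify(name: str, data: bytes) -> Finding:
    """Judge one file by its real name and its leading bytes, never by
    the name the desktop shows."""
    finding = Finding(name)
    exts = extensions(name)
    real = exts[-1] if exts else ""
    if real in HIDDEN_EXTS:
        finding.reasons.append(
            f"{real} extension is hidden by Explorer; shown as "
            f"'{displayed_name(name)}'")
    if data.startswith(OLE_MAGIC) and real not in OLE_EXPECTED:
        finding.reasons.append(
            f"OLE container content under a '{real or 'no'}' extension")
    return finding


def scan_message(raw: bytes) -> list:
    """Classify every named attachment of a MIME message. At this point
    the attachment name still carries its .shs suffix."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            payload = part.get_payload(decode=True) or b""
            findings.append(classify(name, payload))
    return findings


def build_sample() -> bytes:
    """Constructed test message (not a real capture): a scrap file behind
    a .bmp name, a genuine text file, and an OLE blob named .txt."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "sound bite"
    msg.set_content("Here is the sound bite you asked for.")
    blob = OLE_MAGIC + b"\x00" * 56          # minimal OLE-looking body
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename="test.bmp.shs")
    msg.add_attachment("nothing to see here\n", filename="readme.txt")
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.name:14} shown as {displayed_name(f.name):10} {verdict}")
        for reason in f.reasons:
            print("   -", reason)
```

The same `classify` call works on files already saved to disk (read the first eight bytes and pass the real name from the filesystem, which is where the .shs suffix still lives even though Explorer hides it); the mail wrapper only shows the earliest point at which the check is cheap.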
This archive was generated by hypermail 2.0b3 on Tue Oct 26 1999 - 23:52:22 CDT