Another dumb-ass question...


protein
01-06-2004, 23:50:07
I thought viri (viruses -whatever) could only get to you via email as an attachment and only if you open the attachment. I had an email today, looked at it and my anti virus guard immediately started asking me to sort it out. It's happened twice now and I thought the other time was for another reason.

Which means that not only am I ignorant about how you can get infected, I'm quite unprotected. I'm running outlook express 6. Is there any sort of plug in or upgrade or something that would help recognise these emails?

My AV Guard might let one slip through one day and I really can't afford to deal with the horrible after effects of a nasty virus again.

Darkstar
01-06-2004, 23:57:54
Anything that runs on your system can have a virus. From movies (QuickTime, Flash), documents (PDFs, Word, Flash, etc), components (Click Yes to Install this), applications, scripts, IM, zip files, jpegs, gifs, etc etc etc.

Anything that has macro capability has virus hosting capacity. Anything that can do anything has virus capability. Anything that can be overflowed or remotely accessed has virus capability.

So, if it isn't pure text, you should be cautious and scan it first. Viruses require you to do something (like open its container so it can overflow your Netscape jpeg decoder/viewer and infect your machine). If they don't require you to do something to infect you, they are called a worm.

zmama
02-06-2004, 00:07:29
There have been MS updates to Outlook Express...go there and make sure you have them all for your version.

One other way of giving yourself protection is to not open html mail. Tools --> Options --> Read --> check "read all messages in plain text" and uncheck auto download of messages in preview pane.

Sir Penguin
02-06-2004, 00:17:13
Well, you got the part about worms right anyway, Darkstar. :)

Data files like music (.mp3, .wma, etc.), movie (.mov, .wmv, .avi, .mpg, etc.), and picture (.jpg, .gif, .png, etc.) files are not executed on Windows systems, so they are safe from viruses. Any viral data within those kinds of files will be interpreted as whatever kind of data the interpreting program (media player or image editor or whatever) expects. Usually, the data type is defined in a magic number tag at the start of the file.

I rather suspect PDF files are safe from viruses, but I'm not sure about that. MS Word documents are dangerous, but only because they can have auto-executed macros that can hold viral code. There is no danger from RTF files, which are like Word .doc files but don't have macros.

For something to be a virus it has to be executed. Pure data files are not executed on Windows systems, with a few exceptions like MS Word document macros.

SP

Sir Penguin
02-06-2004, 00:22:13
Some anti-virus programs scan any file that is being written to disk. I think most of them do, but I never get any viruses, so I can't be sure.

Protein, if your anti-virus program caught the viral attachment when you looked at the email rather than when you ran the attachment, then you are protected. It's only when the program lets you execute the virus that you have to worry. Although your anti-virus program might not protect you from worms.

SP

Darkstar
02-06-2004, 01:42:31
Sorry, SP... but you are wrong.

There are now PDF viruses which is why Norton and McAfee scan PDF files. (PDF supports macros, SP).

And there are WMV viruses, as well as MP3 viruses, etc etc etc. I wasn't kidding on those matters. Any program that READS data has the potential of bad designer choices (no buffer checking often means buffer overruns). A virus needs the user to run it, either directly (clicking on that exe that says it's a scr or zip), or by being invoked/loaded by another program.

Netscape gets a lot of fun made of it in security circles because it is vulnerable to JPEG and GIF viruses. Only a few other pic apps have similar buffer overrun capabilities... but IE had it several revs back. All you had to do for that was view a web page that included a "virused" jpeg. Whoopsie.

Care to try again SP? Even Linux has a few basic application overrun viruses.

It's best to scan everything that you don't know is safe. And to keep your software up to date.

Darkstar
02-06-2004, 01:45:44
RTF files aren't safe, because they may be 'mislabelled', SP. That's something that CERT sends out AV notices about every once in a while. The common AV programs will catch those infected files though... due to them scanning all "incoming" or accessed files.

Sir Penguin
02-06-2004, 03:48:40
I wasn't sure about PDF, but I can see how they would have executable portions.

Any media player that overruns its execution into a data file's bytes will have a clear, showstopping bug that wouldn't make it past alpha build. Would you care to document a Windows virus that sits in a media file and takes advantage of a player bug?

RTF files are safe. Like MP3s, RTFs are read and interpreted by an application. They are not, in any way, executed.

You're right that it's safest just to check everything. It's usually easier than just checking specific files, too.

SP

Darkstar
02-06-2004, 04:44:39
RTF files aren't safe in Windows, because the default viewer is Word or WordPad. Word doesn't pay attention to the file extension if the file says that it's something else. Like say, a Word Macro. At least, not prior to Word 2003. I don't know if they closed that out in Word 2003.

You can say "they won't get past alpha", because they do, and frequently. In Windows, Mac, and all flavors of UNIX. That's why there's literally dozens, if not hundreds, of buffer overflow code checkers. And why OS makers talk about building buffer overflow protection into the OS. But it hasn't stopped the buffer overflows.

Darkstar
02-06-2004, 04:59:58
And it looks that with your definition, SP, all files are safe regardless of their extension, because it's always some application on the user's machine that runs them. Even if the app is just the Kernel.

Or do you mean to say that basic data files (text, bmps, jpegs, pdf, word, etc) are safe, but not executable files? Even directories are just files in most file systems. So we need to draw a common line over what is a *basic* file. Shall we say that anything that has macro capability isn't a basic file? That they are something else? Those are all very prone to being virus vectors.

And as basic files are *extended* to feature more and more meta-data, they cross that same line. That's one of the vectors of infection via JPEGs. You just add in the virus code with an exploit in front of it in the comments. And the viewers that are becoming standard, but not *secure*, get popped... buffer overflow. And execute the virus code. And since there are viewer plugins that are used by many that contain that problem, suddenly just browsing a web site can get you a virus via images. And it might get by your virus scanner, if it isn't set to scan every file, or doesn't have that virus in its db.

Asher
02-06-2004, 05:04:22
I'm with SP.

Files with parsed metadata, like JPG and MP3, can contain viruses. Files lacking them, like BMP, cannot.

It is incorrect to say all files can have viruses.

Sir Penguin
02-06-2004, 05:28:06
> RTF files aren't safe in Windows, because the default viewer is Word or WordPad. Word doesn't pay attention to the file extension if the file says that it's something else. Like say, a Word Macro. At least, not prior to Word 2003. I don't know if they closed that out in Word 2003.

Yes, but they don't contain any executable code. They don't contain macros.

> You can say "they won't get past alpha", because they do, and frequently. In Windows, Mac, and all flavors of UNIX. That's why there's literally dozens, if not hundreds, of buffer overflow code checkers. And why OS makers talk about building buffer overflow protection into the OS. But it hasn't stopped the buffer overflows.

No they don't. If a player starts executing an arbitrary MP3's data, something completely undefined happens and unless there's actual code that makes sense, the debugger is going to go crazy (even if the coders do something idiotic, like have catch-all exceptions).

As for the definition of virus, I'm talking just in Windows. It's easier that way. :)

SP

Darkstar
02-06-2004, 06:02:25
What catch-all exceptions? That's a large part of the problem... writing code that does its thing in the narrow band of expected behavior, with plans for adding in things like error handling, documentation, and security later.

Ok. Just (Micro$oft) Windows then. In Windows, there's lots of things that can happen to a file you click on before it actually gets opened. Like, it's read to see what it says in the file it is, and a redirect to open that application instead of what should open for files with extension .xyz. Something to remember. :)

Sir Penguin
02-06-2004, 06:13:59
I mean catching all exceptions in a code block, instead of selecting a few known exceptions that don't matter. Even with catch-all exceptions, the program will still blatantly reset itself to a base state instead of just crashing out.

I thought Windows based its file opening entirely on the file extension. When you rename a virus file virus.com to virus.com.jpg, it will open in the image viewer and the image viewer will say that the file is not a valid JPEG image.

SP
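As an added example (my own code, not anything posted in this thread): the magic-number check SP mentions earlier, applied to the extension-versus-content mismatches these posts argue about (a binary Word file named .rtf, an executable named .jpg, and the renamed virus.com.jpg). The signature table and the sample "files" are constructed for the example and are not exhaustive.

```python
from pathlib import PurePath

# Leading-byte signatures for formats the thread mentions. Constructed table, not exhaustive.
MAGIC = {
    "exe": (b"MZ",),                                 # Windows/DOS executable header
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file (binary Word .doc)
    "rtf": (b"{\\rtf",),
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mp3": (b"ID3", b"\xff\xfb"),
}
# Extensions that name the same format, and extensions Windows will run directly.
ALIASES = {"jpeg": "jpg", "scr": "exe", "dll": "exe"}
EXEC_EXTS = {"exe", "com", "scr", "bat", "cmd", "pif", "vbs", "js"}

def sniff(head: bytes):
    """Return the format whose signature matches the file's leading bytes, or None."""
    for fmt, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return fmt
    return None

def check_file(name: str, head: bytes):
    """Return (claimed_ext, sniffed_fmt, verdict); verdict is 'ok', 'mismatch',
    'double-extension' (executable extension hidden before the last one) or 'unknown-content'."""
    suffixes = [s.lower().lstrip(".") for s in PurePath(name).suffixes]
    ext = ALIASES.get(suffixes[-1], suffixes[-1]) if suffixes else ""
    actual = sniff(head)
    if actual is not None and actual != ext:
        return ext, actual, "mismatch"          # content contradicts the extension
    if any(s in EXEC_EXTS for s in suffixes[:-1]):
        return ext, actual, "double-extension"  # e.g. virus.com.jpg
    if actual is None:
        return ext, None, "unknown-content"     # cannot confirm what it claims to be
    return ext, actual, "ok"

def suspicious(files):
    """Names from (name, head) pairs that a scanner should treat as untrusted."""
    return [n for n, h in files if check_file(n, h)[2] != "ok"]

# Constructed sample "files": a filename and its first bytes, as a scanner would read them.
SAMPLES = [
    ("report.rtf", b"{\\rtf1\\ansi\\deff0"),                          # genuine RTF
    ("invoice.rtf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(8)),  # binary Word file named .rtf
    ("photo.jpg", b"MZ\x90\x00\x03\x00"),                             # executable named .jpg
    ("virus.com.jpg", b"\xb8\x00\x4c\xcd\x21"),                       # no signature, hidden .com
    ("vacation.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),               # genuine JPEG
]
```

A file that sniffs as "ok" is only confirmed to be the format it claims; whether the viewer for that format has a parsing bug is a separate question, which is why scanning everything is still the safe default.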

Darkstar
02-06-2004, 06:29:17
It depends on what process opens the file, SP. Some things hijack or, more politely, add themselves in. By design or crook. And it depends on what the resolver is.

And if the virus was designed to exploit your image viewer, then it would get you.

XML files, for instance, are interpreted. Windows (like most OSes) had a major problem where you could script out a virus, and rename it .xml, and with just one line at the front of the file, you could instruct Windows that the XML file was really a vbscript file, and to invoke that, and run that script in the vbscript engine. So it depends on what is reading in that data file, and what it will do about such "redirection" instructions. PFE, for instance, is a safe environment/container to use... if you directly open such a redirecting file in PFE, it will ignore it because it's just a basic Word Processing Application (like NotePad, with a few extra features). But since Windows is such a "user friendly" environment, there's a lot of opportunity to exploit those "eager to help" services and behavior.

As users, we are all safer in a straight command line world. But that isn't user friendly... it isn't visually pretty. So we layer up things to make it more "consumer/user" friendly. And each layer adds to the places that can be exploited.

Asher
03-06-2004, 22:07:56
RPN prevents all of this, which is why it's safer versus CLI or GUI. Sometimes not, but we ignore those times.