(yuG emoS) Warning: Exe. htiw gnidne era semanelif rieht edih ot edirrevo-thgir-ot-tfel s'edocinU esu nac srohtua erawlaM (h-online.com)

4224 clicks; posted to Geek on 13 May 2011 at 11:23 AM

43 Comments

Archived thread
 
2011-05-13 10:39:39 AM
Headline brought to you by Zatanna.
 
2011-05-13 11:13:44 AM
However, the problem is by no means limited to Windows. Linux can generally also handle Unicode and was found to be vulnerable to the same spoofing trick when tested by The H's associates at heise Security.

Linux? Vulnerable? This must be a lie.
 
2011-05-13 11:32:23 AM
Now even Linux is vulnerable, not just Windows lusers??

EVERYBODY PANIC !!!!!



/sarcasm off
 
2011-05-13 11:33:15 AM
Warning: Malware authors can use Unicode's left-to-right-override to hide their filenames are ending with .exe
 
2011-05-13 11:35:05 AM
Farkin unicode, I KNEW it was a bad idea. ASCII and EBCDIC were good enough in our day.
 
2011-05-13 11:35:58 AM
This isn't a Unicode problem or a Windows. This is the age-old problem of people opening mysterious files from people they don't know and not keeping their AV software up to date.

Stupidity is platform-independent.
 
2011-05-13 11:37:07 AM

Fabric_Man: This isn't a Unicode problem or a Windows problem. This is the age-old problem of people opening mysterious files from people they don't know and not keeping their AV software up to date.

Stupidity is platform-independent.


//Oops.
 
2011-05-13 11:37:20 AM

Fabric_Man: This isn't a Unicode problem or a Windows. This is the age-old problem of people opening mysterious files from people they don't know and not keeping their AV software up to date.

Stupidity is platform-independent.


And we're done here.
 
2011-05-13 11:37:47 AM
jaylectricity: However, the problem is by no means limited to Windows. Linux can generally also handle Unicode and was found to be vulnerable to the same spoofing trick when tested by The H's associates at heise Security.

Linux? Vulnerable? This must be a lie.
======================================================

A) Disguising a filename to .exe may WORK in linux, but .exe files are windows-only and won't launch in linux.

B) Linux is capable of having a proper administration account and it won't do anything.

Almost all the viruses I see on windows easily modify the thingy that allows it to load at boot time without needing administrative privileges. If windows (and users of it) would learn to set up a proper administrative account, almost all viruses would be worthless.
 
2011-05-13 11:44:44 AM

styckx: Fabric_Man: This isn't a Unicode problem or a Windows. This is the age-old problem of people opening mysterious files from people they don't know and not keeping their AV software up to date.

Stupidity is platform-independent.

And we're done here.


Yep.
 
2011-05-13 11:46:09 AM
Btw.: Fark uses a related approach to protect email addresses against spammers.

That (besides "@" and "." being images) is why the address is garbled up when you copy&paste it out of a user's profile - you only copy the visible text, but not the style attribute that reverses the text direction for the domain part of the mail address.


/that "n1c.executivesummary.doc" example in TFA is kinda cool; or evil; or both
 
2011-05-13 11:49:00 AM
Yeah, Subby, let's give the college student whose brain still hurts from finals an even bigger headache.

Jerk.
 
2011-05-13 11:52:18 AM
One thing Linux users are not vulnerable to is losing their virginity.
 
2011-05-13 11:55:12 AM
Ok so wait, if they take left to right and reverse the filename right to left the .exe is, umm exe.

I'm gonna go take a nap now.
 
2011-05-13 11:59:32 AM
jaylectricity
However, the problem is by no means limited to Windows. Linux can generally also handle Unicode and was found to be vulnerable to the same spoofing trick when tested by The H's associates at heise Security.

Linux? Vulnerable? This must be a lie.


I don't know, I have never tried it:
are mail clients under Linux usually that "helpful" that they execute .bin or .sh files for you when you click on them?
Because a difference between Windows and Linux is AFAIK that Linux doesn't use the file extension to determine whether a file is an executable, but its executable flag.

How that is handled with mail attachments might be a default umask or client thing, though.
 
2011-05-13 12:10:25 PM
Enormous-Schwanstucker
Ok so wait, if they take left to right and reverse the filename right to left the .exe is, umm exe.

Yeah, but to slightly change TFA's examples:
people probably won't recognize that "2011.05.13.executivesummary.doc" or "2011.05.13.screenshot.jpg" are actually ".exe" and ".scr" files.
 
2011-05-13 12:26:20 PM
.skcus taht lleW
 
2011-05-13 12:35:45 PM
Ok, for those of us who have no idea what the hell this means... if I keep my virus definitions up-to-date I'm fine, right?
 
2011-05-13 12:36:08 PM
Seems like something that will be fairly easy to detect and patch to ensure users know it is actually an exe or whatever, as Outlook or whatever can detect that the filename has directional switches in it and warn the user what file type it really is.
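The check described in this comment, as an added example that is not code from Outlook or from any mail client: it looks for Unicode bidirectional controls in an attachment name, approximates what a naive renderer would display, and reports the extension the operating system would actually act on. The sample filenames are constructed here to mirror the thread's examples; the rendering is a deliberate simplification of the Unicode bidi algorithm (RLO reverses text until a PDF or end of string, no nesting), which is enough to expose this trick.

```python
import os
import unicodedata

# Unicode bidirectional control characters. They change how a filename is
# drawn on screen without changing the bytes the operating system sees.
BIDI_CONTROLS = {
    "\u202a",  # LRE  left-to-right embedding
    "\u202b",  # RLE  right-to-left embedding
    "\u202c",  # PDF  pop directional formatting
    "\u202d",  # LRO  left-to-right override
    "\u202e",  # RLO  right-to-left override
    "\u2066",  # LRI  left-to-right isolate
    "\u2067",  # RLI  right-to-left isolate
    "\u2068",  # FSI  first strong isolate
    "\u2069",  # PDI  pop directional isolate
}


def real_extension(name: str) -> str:
    """Extension the OS sees (lower-cased), with bidi controls ignored."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def apparent_name(name: str) -> str:
    """Approximate what a naive renderer shows: text after an RLO is drawn
    reversed until a PDF or the end of the string; LRO passes text through.
    Simplified bidi handling (no nesting, no natural RTL script logic)."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch in ("\u202e", "\u202d"):
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            run = name[i + 1:j]
            out.append(run[::-1] if ch == "\u202e" else run)
            i = j + 1          # skip the terminating PDF, if present
        elif ch in BIDI_CONTROLS:
            i += 1             # other controls render as nothing
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def safe_display_name(name: str) -> str:
    """Render a name for a warning dialog with every bidi control made visible
    as a \\uXXXX escape, so the true extension is readable."""
    return "".join("\\u%04x" % ord(ch) if ch in BIDI_CONTROLS else ch
                   for ch in name)


def inspect_attachment(name: str) -> dict:
    """Compare what the user would see with what the OS would execute."""
    shown = apparent_name(name)
    controls = sorted(unicodedata.name(c) for c in set(name) if c in BIDI_CONTROLS)
    return {
        "apparent_name": shown,
        "apparent_extension": os.path.splitext(shown)[1].lower(),
        "real_extension": real_extension(name),
        "bidi_controls": controls,
        # Any directional control in a filename is reason enough to warn.
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed sample names, modelled on the examples in the thread.
    samples = [
        "2011.05.13.executivesummary\u202ecod.exe",   # shows as ...summaryexe.doc
        "2011.05.13.screenshot\u202egpj.scr",         # shows as ...screenshotrcs.jpg
        "quarterly_report.doc",                        # benign
    ]
    for n in samples:
        r = inspect_attachment(n)
        flag = "WARN" if r["suspicious"] else "ok  "
        print(flag, safe_display_name(n), "->", r["apparent_name"],
              "(really %s)" % (r["real_extension"] or "no extension"))
```

`inspect_attachment` is the piece a mail client or download handler would call before offering "Open": if `suspicious` is set, show `safe_display_name` and `real_extension` in the prompt instead of the raw name.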
 
2011-05-13 12:43:42 PM

The Voice of Doom: Enormous-Schwanstucker
Ok so wait, if they take left to right and reverse the filename right to left the .exe is, umm exe.

Yeah, but to slightly change TFA's examples:
people probably won't recognize that "2011.05.13.executivesummary.doc" or "2011.05.13.screenshot.jpg" are actually ".exe" and ".scr" files.


That's . . . pretty wicked, actually.
 
2011-05-13 12:46:06 PM

The Voice of Doom: Enormous-Schwanstucker
Ok so wait, if they take left to right and reverse the filename right to left the .exe is, umm exe.

Yeah, but to slightly change TFA's examples:
people probably won't recognize that "2011.05.13.executivesummary.doc" or "2011.05.13.screenshot.jpg" are actually ".exe" and ".scr" files.


Except that under most circumstances, legitimate filenames will be delineated using "_" or "-", not ".". Anyone seeing the name "totally.safe.file.doc" and not having their suspicions aroused is an idiot and would probably have opened the file "this_is_a_virus_click_to_open.exe" anyway just to see what it did.
 
2011-05-13 12:48:21 PM

Fabric_Man: This isn't a Unicode problem or a Windows. This is the age-old problem of people opening mysterious files from people they don't know and not keeping their AV software up to date.

Stupidity is platform-independent.


Yup.

[image: i54.tinypic.com]

Oh noes! A hax0r virus! In teh my computres? Let me open this mystery file and run it!
 
Ant
2011-05-13 12:52:06 PM

Doggiewoggie: Ok, for those of us who have no idea what the hell this means... if I keep my virus definitions up-to-date I'm fine, right?


Do you keep your brain up to date? This has little to do with anti-virus definitions, and more to do with deceiving people into opening strange files.
 
2011-05-13 12:59:30 PM

jaylectricity: However, the problem is by no means limited to Windows. Linux can generally also handle Unicode and was found to be vulnerable to the same spoofing trick when tested by The H's associates at heise Security.

Linux? Vulnerable? This must be a lie.


Considering that, on Linux, execution privileges are not based on file extension, I'm not really sure how exploiting this would benefit a malware writer.
 
2011-05-13 01:05:41 PM

HeartBurnKid: Considering that, on Linux, execution privileges are not based on file extension, I'm not really sure how exploiting this would benefit a malware writer.


Easy to exploit Linux. Just have someone socially engineer an unsuspecting user to type in /root: chmod -R 777 *

hahahaha owned! Ok, not really.
 
2011-05-13 01:09:36 PM

The Voice of Doom: Yeah, but to slightly change TFA's examples:
people probably won't recognize that "2011.05.13.executivesummary.doc" or "2011.05.13.screenshot.jpg" are actually ".exe" and ".scr" files.


StrangeQ: The Voice of Doom:

Except that under most circumstances, legitimate filenames will be delineated using "_" or "-", not ".". Anyone seeing the name "totally.safe.file.doc" and not having their suspicions aroused is an idiot and would probably have opened the file "this_is_a_virus_click_to_open.exe" anyway just to see what it did.



Yeah yeah I know. It's Friday and I've been out moving and transplanting many plants. My comprehension skills are shot to hell right now :)

Thankfully there is no shortage of stupid people because that exploit could actually work. I'm sticking with Solaris 10.
 
2011-05-13 01:13:22 PM
I wouldn't try to execute a file that ends in ". htiw gnidne era semanelif rieht edih ot edirrevo-thgir-ot-tfel s'edocinU esu nac srohtua erawlaM" anyway.
 
2011-05-13 02:04:24 PM
WTF... So the malware authors are ending with .exe?

So, if I wanted to become a malware author, I could be A Leaf in Fall.exe?
 
2011-05-13 02:10:30 PM

A Leaf in Fall: WTF... So the malware authors are ending with .exe?

So, if I wanted to become a malware author, I could be A Leaf in Fall.exe?


Grammar is even harder backwards.
 
2011-05-13 02:21:36 PM

jaylectricity: Linux? Vulnerable? This must be a lie.


They said that Linux was vulnerable to that spoofing trick, not that it was vulnerable to the payload. In fact, later in the article the authors point out that this is not as big a deal for OSX or Linux.

That said, I'm not sure what they mean exactly: I'm thinking it's because those operating systems distinguish a file based on contents rather than extension and most executable files aren't marked as such explicitly in the filename? I don't know why that would make Linux less susceptible to this, unless they assume that means that Linux users will be generally more careful about what they run. In general operation it's totally possible to make an executable file called thisisaprogram.doc
 
2011-05-13 02:27:17 PM

jake3988: A) Disguising a filename to .exe may WORK in linux, but .exe files are windows-only and won't launch in linux.


Whether an executable file will work on a specific computer and operating system is totally dependent on how it was compiled. I've seen several Linux programs that compile with a .exe extension, probably because it's just so prevalent elsewhere.

If the file has a suitable ELF header and an instruction set that matches your machine, it'll run regardless.

http://en.wikipedia.org/wiki/Executable_and_Linkable_Format
 
2011-05-13 02:39:10 PM

HighZoolander: A Leaf in Fall: WTF... So the malware authors are ending with .exe?

So, if I wanted to become a malware author, I could be A Leaf in Fall.exe?

Grammar is even harder backwards.


(not for you, A Leaf in Fall, for someone writing backwards, meant I, did.)
 
2011-05-13 02:43:24 PM

xria: Seems like something that will be fairly easy to detect and patch to ensure users know it is actually an exe or whatever, as Outlook or whatever can detect the filename has directional switches in them and warn the user what file type it really is.


Windows already has something built in that should work

[image: www.sysdigg.com]
 
2011-05-13 02:54:38 PM
[image: farm3.static.flickr.com]
 
2011-05-13 03:31:38 PM

jaylectricity: However, the problem is by no means limited to Windows. Linux can generally also handle Unicode and was found to be vulnerable to the same spoofing trick when tested by The H's associates at heise Security.

Linux? Vulnerable? This must be a lie.


Except ... it is a lie. Yes the filename will hide the fact that it has a .exe extension but:

1. extensions are purely informational in Linux

2. It's Windows-only code so it will try to execute in Wine *if* you even have Wine installed (which it isn't by default)

3. Even if it does execute in wine, the best it can hope for is to spread to other windows files, it won't be able to replicate or take over the machine. More than likely it will simply fail to execute.
 
2011-05-13 04:14:02 PM
Fubini
because those operating systems distinguish a file based on contents rather than extension and most executable files aren't marked as such explicitly in the filename? I don't know why that would make Linux less susceptible to this, unless they assume that means that Linux users will be generally more careful about what they run

I guess it goes into the direction of what I mentioned earlier:
files on Linux have "executable" flags and if that doesn't get set for the user (group) trying to run the file, it won't be executed.
And whether that flag gets set for certain file extensions or MIME types will depend on the mail program that saves the attachment to your drive.
 
2011-05-13 05:20:34 PM

jaylectricity: However, the problem is by no means limited to Windows. Linux can generally also handle Unicode and was found to be vulnerable to the same spoofing trick when tested by The H's associates at heise Security.

Linux? Vulnerable? This must be a lie.


If only linux actually gave a shiat what the file was *named*. This is a windows problem, because only windows decides what to do with the file based on the last 3 characters of the name.
 
2011-05-13 05:59:41 PM

the_sidewinder: xria: Seems like something that will be fairly easy to detect and patch to ensure users know it is actually an exe or whatever, as Outlook or whatever can detect the filename has directional switches in them and warn the user what file type it really is.

Windows already has something built in that should work


I've been writing GPOs to prevent idiots from clicking "Open" so I'm getting a kick out of your reply.

Farking idiots will always open it. Why the hell does IE even offer the "run" button?

download window should be "save/cancel".

ehh, just block shiat from running from the Temporary Inet File dir... still annoying that you create policies because of user retardation.

still, fun to enable
 
2011-05-13 06:11:53 PM
StrangeQ

Except that under most circumstances, legitimate filenames will be delineated using "_" or "-", not ".". Anyone seeing the name "totally.safe.file.doc" and not having their suspicions aroused is an idiot and would probably have opened the file "this_is_a_virus_click_to_open.exe" anyway just to see what it did.

I would disagree, I see a lot of people using .'s as delimiters; Windows itself even does internally in at least a few places. I'm not saying they should, but it's not uncommon and wouldn't alert many people.
 
2011-05-13 08:48:14 PM
I showed this thread to a Linux IS/IT guy I know, and he sez:

--------------------------------------------------------------------------
It's a brilliant exploit, and one that I'm sure will catch a few unwary Windows users -- as others have already pointed out, the same point-and-drool fools who are already predisposed to open file attachments of dubious provenance.

As far as Linux and UNIX (including Mac OS X and mobile computing platforms like Android and iOS), whether or not a file executes on your system has nothing to do with the last three letters of the filename.

Files have read, write and execute (rwx) permissions set for the current user (UID), users belonging to the same group (GID), and any other users on the system. If you use the "-l" (lowercase L) flag with the "ls" utility, you'll see these permissions listed alongside each file, formatted as a string of characters like:

rwxr-xr--

In this example, the user has read, write and execute bits set, granting all three permissions. The group may read and execute the file, but is not allowed to write to it (which includes modifying or deleting it). And the "other" users on the system, who share neither UID nor GID with the file owner, are permitted only to read the file, but denied permission to modify or execute the file. This is the case whether the filename ends with ".exe", ".sh", ".ass", or even no filename extension at all, like "wificheck".

In a properly administered UNIX or Linux system, users will have a "umask" (pronounced "YOU-mask", not "UM-ask") value set, which defines the default permissions for any new file created in their home directory, including files that are downloaded from the Internet via web browsers or email attachments. By default, such files should not be executable by anyone at all, and generally deny all permissions except read and write for the file owner:

rw-------

Of course, these permissions can be changed. The user can generally set her own umask to anything she likes, by setting an environment variable in one of the user configuration scripts that are automatically executed on login, such as her ~/.bashrc file.

The file owner can also alter these permissions manually from the command prompt by using the "chmod" utility. For example, the user may grant herself permission to execute "exe.malware.doc" in this manner:

chmod u+x exe.malware.doc

It's even possible for sloppy, reckless, or malicious programmers to write a mail user agent program, or MUA, which would override the default umask for attachments of certain MIME types in order to make certain files executable by default, as someone on Fark observed.

It is unlikely, however, that any MUA which deliberately introduced security vulnerabilities on the user's system would gain widespread acceptance and popularity -- with the obvious exception of the Windows/Outlook-dominated business community.

Some existing MUAs (e.g., mutt) are so user-configurable that they'll allow the user to bind practically any event to any trigger. That's how I configured the script that generated an email signature containing the moon phase: it calls a script (and yes, I had to explicitly grant it permission to execute.)

This mechanism could be abused to do some pretty stupid things. You could, for example, configure mutt to delete all the files in your home directory every time you started to compose a new email -- mutt assumes you know what you're doing with this shotgun and won't do anything special to prevent you from aiming it at your foot and pulling the trigger.

By the same token, there's nothing stopping you from configuring mutt to chmod +x every file of MIME type "application/exe" if that's what you want to do.

As one particularly sharp Farker mentioned, if this file is a Windows executable you could take a shot at executing it in the WINE environment. I believe you've already had enough experience with WINE to understand that running anything more complex than notepad.exe can be a real challenge. Even if the malware runs within WINE, it can't do much more than mess with your WINE installation.

Such a program certainly couldn't mess with any essential system files -- not only because it's most likely designed to deliver a Windows-only payload (and therefore would not be able to navigate out of WINE, and out of the user's home directory, in order to find the juicy targets in directories like /boot and /bin), but also because those files will be owned by root and the malware will be running with the permissions of the file owner. (Presumably this is a standard, non-admin user.)

Any exploits beyond that would require almost unimaginable carelessness or stupidity on the part of the user. For example, your user account could have the ability to issue "sudo" commands without a password, or you could be in the habit of starting a full GUI desktop session, (for the purpose of browsing the web, opening suspicious email attachments and similar activities) directly from a root shell.

Thankfully, reckless self-endangerment of this sort is comparatively rare among Linux users.
--------------------------------------------------------------------------
 
2011-05-14 03:22:34 AM
Update: My friend corrects one detail:

-------------------------------------
While studying for my upcoming IT certification exams, I recently learned (and subsequently forgot) that it is not possible to set the executable bit to +x by default using the umask.

In other words, if you specify rwx permissions in the umask -- for user, group, or other -- the x bit will be silently discarded, leaving permissions for newly-created files set to rw- by default.

See? The whole system is designed to prevent the execution of arbitrary code.

-------------------------------------
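The permission behaviour the quoted Linux admin describes above, together with the correction about umask, as an added example that is not code from the thread: it creates files under different umasks, shows that umask only clears bits from the mode a program requests (ordinary file creation asks for 0o666, so no execute bit ever appears, even with umask 000), shows that only a program explicitly asking for 0o777, as a sloppy mail client could, ends up with an executable attachment, and finally performs the equivalent of `chmod u+x`. File and directory names are constructed here in a temporary directory.

```python
import os
import stat
import tempfile


def mode_string(path: str) -> str:
    """Permission bits of `path` as the nine-character rwx string `ls -l` shows."""
    return stat.filemode(os.stat(path).st_mode)[1:]


def create_under_umask(mask: int, requested: int = 0o666,
                       name: str = "attachment.bin"):
    """Create a fresh file while the process umask is `mask`, asking the kernel
    for `requested` mode bits, and return (permission string, path).

    0o666 is what plain open()/creat(), shell redirection and most download
    code request; the kernel computes requested & ~umask, so umask can only
    remove bits and can never add an execute bit that was not requested."""
    old = os.umask(mask)
    try:
        workdir = tempfile.mkdtemp()          # mkdtemp requests 0o700 itself
        path = os.path.join(workdir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
        os.close(fd)
        return mode_string(path), path
    finally:
        os.umask(old)                         # restore the caller's umask


def grant_user_exec(path: str) -> str:
    """Equivalent of `chmod u+x path`: the explicit step the file owner must
    take before the kernel will execute a saved attachment."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return mode_string(path)


if __name__ == "__main__":
    for mask in (0o022, 0o077, 0o000):
        perms, _ = create_under_umask(mask)
        print("umask %03o, requested 666 -> %s" % (mask, perms))
    # A program that explicitly requests 0o777 (what a careless MUA could do).
    perms, _ = create_under_umask(0o022, requested=0o777)
    print("umask 022, requested 777 -> %s" % perms)
    # The user deliberately granting execute permission afterwards.
    perms, path = create_under_umask(0o077, name="exe.malware.doc")
    print("before chmod u+x -> %s" % perms)
    print("after  chmod u+x -> %s" % grant_user_exec(path))
```

The point for a defender is that the umask is not the control that keeps attachments inert: the requesting mode is. A mail client that saves attachments with `0o666` (the normal default) can never produce an executable file whatever the umask says; one that requests `0o777` or runs `chmod +x` on certain MIME types, as the quoted admin warns, is the thing to audit.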
 
2011-05-15 04:53:36 PM

Sylvia_Bandersnatch:

As one particularly sharp Farker mentioned, if this file is a Windows executable you could take a shot at executing it in the WINE environment. I believe you've already had enough experience with WINE to understand that running anything more complex than notepad.exe can be a real challenge.



Huh? Most of the stuff I've thrown at WINE (strategy games, IDEs, Flash, etc.) have run without a hitch. (I do remember there being some occasional freeze/crash problems triggered by dragging color sliders in the Flash 5 editor, but Flash 8's editor ran smoothly.) I even ran a couple of console emulators under WINE, just to see how they'd do; they ran fine, albeit a little slowly.



Sylvia_Bandersnatch: Even if the malware runs within WINE, it can't do much more than mess with your WINE installation.


That's not correct. Under a normal WINE installation, it can write files to anywhere the user has permissions for. e.g.:

[image: i.imgur.com]

Thus, for example, a startup file in a user's window manager settings directory (e.g. /home/user/.icewm/startup) could be modified to include a "wine etcetcetc" command, if the person hasn't made sure in advance to assign write permission for that file only to root. Or the program could wipe the user's documents folder.
 
2011-05-16 09:45:02 AM
In Linux, things don't become executable just by tacking .exe onto the end. I don't see why this would matter to Linux.
 