Re: Malware Triangle
From: Norman L. DeForest (af380_at_chebucto.ns.ca)
Date: Mon, 6 Dec 2004 03:26:42 -0400
[alt.privacy.spyware removed, not carried here]
On Sun, 5 Dec 2004, kurt wismer wrote:
> cquirke (MVP Win9x) wrote:
> > For our purposes (malware theory), what matters is:
> > a) Is program material within file "run" when file is "opened"?
> > b) If so, is what it can do limited to the scope of that file alone?
> it would be nice if these evaluated to the same results on all
> systems... unfortunately they don't, so users will have to make these
> determinations on a case by case basis depending not only on the 'data'
> in question, but also on the environment...
> > If Yes and No, the file should be considered "program".
> and this can be especially problematic as *all* data 'types' have a
> non-zero probability of triggering the execution of embedded
> (legitimately or otherwise) code when read by some reader or another...
> so the argument could be made to consider all files as programs...
> personally i find that a little extreme...
> > For this reason, I would prefer *any* sort of macro/scripting to be
> > held within separate files that are identifiable as such, and/or to be
> > never automatically interpreted when a "data" file is "opened".
> the age old (and very sensible) separation of code and data... if only
> we (the human race) had followed that doctrine...
To indicate the stupidity of Microsoft failing to follow that doctrine....
If an executable file is dragged and dropped into a document being edited
by Word and then the part of the document that contains the executable
and, perhaps, some surrounding text is selected and the selected area is
dragged to the Windows desktop and dropped there, you now have a scrap
file with an embedded executable.
If you do the same thing with a MIDI file as you did with the executable,
you now have another scrap file with an embedded MIDI file.
Now comes the stupidity.
If I double-click on the scrap file with the embedded MIDI file, it is
opened with Word. If I then double-click on the embedded MIDI file,
Windows pops up a warning dialogue box and asks me if I really want to
do something that could pose a danger to the system.
However, if I double-click on the scrap file with the embedded executable,
then Windows immediately runs the executable with no warning, prompt,
request for confirmation or any other safety check whatsoever.
What's wrong with this picture?
-- 
Norman De Forest  http://www.chebucto.ns.ca/~af380/Profile.html
firstname.lastname@example.org  [=||=]  (A Speech Friendly Site)
"O'Reilly is to a system administrator as a shoulder length latex glove
is to a veterinarian."  -- Peter da Silva in the scary devil monastery
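An added example, not part of Norman's post or anything Microsoft ships: both a Word document and a shell scrap (.shs) file are OLE compound files, so the dropped-in object described above can be found by opening the container by its magic bytes and listing its streams, instead of trusting the extension the shell shows (or hides). The Python below follows the sector/directory layout of the MS-CFB specification; the triage rules, the flagged stream names (the ones OLE uses for an embedded package's raw bytes) and the hand-built sample container holding a constructed "MZ" blob are assumptions made for illustration, not a real scrap file.

```python
# Added example: enumerate the streams of an OLE2 / Compound File Binary (CFB)
# container and flag the stream that carries an embedded object's raw bytes.
# Layout offsets follow MS-CFB; the sample file is constructed, not captured.
import os
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SECTOR_SIZE = 512            # v3 compound files: sector shift 9
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
STREAM, ROOT = 2, 5          # directory entry object types
# Stream names OLE uses for a packaged object's raw bytes (assumed starting list).
EMBEDDED_OBJECT_STREAMS = {"\x01Ole10Native", "Package"}
SCRAP_EXTENSIONS = {".shs", ".shb"}


def _sector(data, n, sector_size):
    """Body of sector n; sector 0 starts right after the 512-byte header."""
    off = (n + 1) * sector_size
    body = data[off:off + sector_size]
    return body + b"\xff" * (sector_size - len(body))   # tolerate truncated files


def list_streams(data):
    """Walk the directory chain and return (name, object_type, size) tuples."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)        # FAT sector list kept in the header
    fat = []
    for s in difat[:min(num_fat, 109)]:
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), _sector(data, s, sector_size)))
    entries, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:           # END/FREE markers and loops stop the walk
        seen.add(sec)
        body = _sector(data, sec, sector_size)
        for i in range(sector_size // 128):             # 128-byte directory entries
            e = body[i * 128:(i + 1) * 128]
            name_len = struct.unpack_from("<H", e, 64)[0]  # bytes, including the UTF-16 terminator
            obj_type = e[66]
            if obj_type == 0 or name_len < 2 or name_len > 64:
                continue                                 # unused entry or bogus name length
            name = e[:name_len - 2].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", e, 120)[0]
            entries.append((name, obj_type, size))
        sec = fat[sec]
    return entries


def triage(filename, data):
    """Findings for one file: a scrap extension, plus embedded-object streams found by magic."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRAP_EXTENSIONS:
        findings.append("scrap-extension:" + ext)
    if data[:8] == CFB_MAGIC:
        for name, obj_type, size in list_streams(data):
            if obj_type == STREAM and name in EMBEDDED_OBJECT_STREAMS:
                findings.append("embedded-object:%s:%d" % (name.lstrip("\x01"), size))
    return findings


def build_sample_scrap(payload):
    """Constructed, minimal CFB: header, one FAT sector, one directory sector, payload sectors.
    Not a real Windows scrap file; it is just enough structure to exercise the parser."""
    ss = SECTOR_SIZE
    n = max(1, -(-len(payload) // ss))                  # payload sectors, rounded up
    hdr = bytearray(ss)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    struct.pack_into("<IIII", hdr, 40, 0, 1, 1, 0)     # dir sectors (0 for v3), FAT sectors, first dir sector, txn
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini cutoff, mini FAT, DIFAT
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # the FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n - 1)] + [ENDOFCHAIN]  # dir=1, payload=2..
    fat += [FREESECT] * (ss // 4 - len(fat))

    def entry(name, obj_type, start, size, child=FREESECT):
        raw = (name + "\x00").encode("utf-16-le")
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)      # name length, type, colour
        struct.pack_into("<III", e, 68, FREESECT, FREESECT, child)  # left, right, child
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = (entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
                 + entry("\x01Ole10Native", STREAM, 2, len(payload))
                 + bytes(256))                                      # two unused entries
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + payload.ljust(n * ss, b"\x00")


if __name__ == "__main__":
    # Constructed stand-in for a dropped executable: an "MZ" header plus padding, not real code.
    sample = build_sample_scrap(b"MZ" + b"\x00" * 4094)
    for finding in triage("notes.shs", sample):
        print(finding)
```

To run it over real files, read each candidate with `open(path, "rb")` and pass the bytes to `triage`; the point of keying on the magic bytes rather than the extension is exactly the post's complaint, since the shell's handling of a scrap depends on what is inside it, not on what its name says.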