Re: Malware Triangle

From: Norman L. DeForest (af380_at_chebucto.ns.ca)
Date: 12/06/04

    Date: Mon, 6 Dec 2004 03:26:42 -0400


    [alt.privacy.spyware removed, not carried here]

    On Sun, 5 Dec 2004, kurt wismer wrote:

    > cquirke (MVP Win9x) wrote:
    > [snip]
    > > For our purposes (malware theory), what matters is:
    > >
    > > a) Is program material within file "run" when file is "opened"?
    > >
    > > b) If so, is what it can do limited to the scope of that file alone?
    >
    > it would be nice if these evaluated to the same results on all
    > systems... unfortunately they don't, so users will have to make these
    > determinations on a case by case basis depending not only on the 'data'
    > in question, but also on the environment...
    >
    > > If Yes and No, the file should be considered "program".
    >
    > and this can be especially problematic as *all* data 'types' have a
    > non-zero probability of triggering the execution of embedded
    > (legitimately or otherwise) code when read by some reader or another...
    >
    > so the argument could be made to consider all files as programs...
    >
    > personally i find that a little extreme...
    >
    > [snip]
    > > For this reason, I would prefer *any* sort of macro/scripting to be
    > > held within separate files that are identifiable as such, and/or to be
    > > never automatically interpreted when a "data" file is "opened".
    >
    > the age old (and very sensible) separation of code and data... if only
    > we (the human race) had followed that doctrine...

    To indicate the stupidity of Microsoft failing to follow that doctrine....

    If an executable file is dragged and dropped into a document being edited
    by Word and then the part of the document that contains the executable
    and, perhaps, some surrounding text is selected and the selected area is
    dragged to the Windows desktop and dropped there, you now have a scrap
    file with an embedded executable.

    If you do the same thing with a MIDI file as you did with the executable,
    you now have another scrap file with an embedded MIDI file.

    Now comes the stupidity.

    If I double-click on the scrap file with the embedded MIDI file, it is
    opened with Word. If I then double-click on the embedded MIDI file,
    Windows pops up a warning dialogue box and asks me if I really want to
    do something that could pose a danger to the system.

    However, if I double-click on the scrap file with the embedded executable,
    then Windows immediately runs the executable with no warning, prompt,
    request for confirmation or any other safety check whatsoever.

    What's wrong with this picture?

    -- 
    Norman De Forest          http://www.chebucto.ns.ca/~af380/Profile.html
    af380@chebucto.ns.ca           [=||=]          (A Speech Friendly Site)
    "O'Reilly is to a system administrator as a shoulder length latex glove
    is to a veterinarian."   -- Peter da Silva in the scary devil monastery
    
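A defender-side triage check that applies the rule argued in this thread (a file that carries program material is a program, whatever its extension claims). This is an added example, not code from the post or from anyone quoted in it; the container bytes and the PE-shaped blob it scans are constructed here for illustration and the blob is not a runnable program.

```python
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable dropped into a document:
    a DOS header whose e_lfanew points at a PE signature, nothing more."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)   # e_lfanew: PE header follows the DOS header
    pe_header = b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(18)  # IMAGE_FILE_MACHINE_I386
    return bytes(dos_header) + pe_header


# Constructed "data" container: some document text with the fake PE embedded,
# the way the scrap file in the post carries the executable dragged into Word.
SAMPLE_CONTAINER = (
    b"constructed container header"
    + b"\x00" * 76
    + b"Some document text. "
    + build_fake_pe()
    + b" trailing text"
)


def find_embedded_pe(data: bytes) -> list:
    """Return the byte offset of every embedded PE image found in data.

    A hit needs an 'MZ' DOS header whose e_lfanew field (offset 0x3C)
    points, inside the buffer, at a 'PE\\0\\0' signature. Validating
    e_lfanew discards the chance 'MZ' byte pairs that ordinary data contains.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            if e_lfanew >= 0x40 and pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def classify(data: bytes) -> str:
    """The thread's rule: if program material is inside, treat the file as a program."""
    return "program" if find_embedded_pe(data) else "data"


if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_CONTAINER), classify(SAMPLE_CONTAINER))
```

The scanner looks only for PE images; it is a triage aid for content that should never be trusted on the strength of its file extension, not a substitute for opening the container in a parser that understands its format.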
