Unmask Exploitable Files

Executable file types

You can find descriptions of most file types/extensions at one of the sites listed below.

There are dozens of executable file types. Each executable file type is accessed in a specific way, and each type has its own way of doing things. There's one thing they have in common: they take some kind of action on your PC. That action can be hostile to one degree or another.

It's never wise to access an executable file unless you are 99.99% sure it does not contain hostile code. You need to be able to recognize executable files if you're going to avoid them. There are far too many to do that practically, though.

It's easier to recognize non-executable file types and assume that anything else is an executable file. Attackers know that's how potential victims think, though. They use dirty tricks to disguise executable files as non-executable files. We're going to unmask them.

Exploitable file types

Many "non-executable" file types -- including music, video and image -- can contain hostile code too. That adds up to a lot more file types to worry about. So many in fact, that it's highly impractical to approach the problem from that angle. But there's another approach. If we examine the file for dirty tricks and find one, we know the file is probably hostile. If we don't find one, we can continue with the process to validate the file.

Dirty Tricks

The problem: Windows hides file extensions by default. If you can't see extensions, all you have is the icon to go by. For example, the icon for a *.txt file can be used as the icon for a malicious, exploitable file. It's not fair, but it's easy. Without the extension, the file looks safe.

Example: An attachment is named Cancun. It must be a digital picture because you see the familiar icon for a picture. Being the curious type, you open the attachment to take a look. A picture file should be safe, eh? Trouble is, it's actually a malicious *.pif file. The file runs and does its dirty trick.

It gets worse: Windows insists on hiding a few "special" extensions, even after you disable the "Hide extensions..." option in Windows. Microsoft has a reason. It's another example of dumbing down Windows for the masses. Those special extensions include *.pif, *.shs, *.lnk, and "CLSIDs". All of those are exploitable too!

I recommend that you make file extensions visible on your computer, at least the ones that are easy to reveal. It's a great aid for almost any task you do with your computer. But even if you don't, there's still a way to deal with dubious files without grief.

Make extensions visible

The first part is easy: Open Windows Explorer. Click Tools > Folder options... in the menu. (Start with View > Folder options... in earlier versions of Windows.) Select the "View" tab in the dialog box. Remove the check mark in front of the "Hide extensions for known file types..." option. Click OK.

Windows also hides the true extension for *.pif, *.shs, *.lnk, and other file types. Link files (*.lnk) can take you to an evil website with malicious active content. The others can contain hostile content which is activated when you open the file.

It's not so easy to make these "special" extensions visible. "Special" file extensions are hidden by a registry value named "NeverShowExt" (which carries no data). Unless you have experience editing the registry, you probably don't want to try. But here's how to do it:

  1. Open RegEdit (Start > Run > type "regedit" > click OK).
  2. Search your registry "Data" fields for "NeverShowExt" (Edit > Find... in the RegEdit menu). That will reveal all file types that are forced to remain invisible.
  3. Delete all the "NeverShowExt" registry value entries that you find.
  4. Close RegEdit. You're done.

Unmasking exploitable files

Rationale for the process

  1. Our strategy is not to find exploitable files, per se, but to discover if someone has tried to hide or fake the file type in order to deceive victims. If we expose a subterfuge, we can be almost certain that the file contains malicious code.
  2. If the file in question has more than one extension, e.g., rabbit.gif.exe, it's probably a dirty trick.
  3. If we decide to try opening the file, we won't let Windows do it. We'll open it from a "safe program". If the safe program we pick refuses to open the file, it's probably a dirty trick.

Process: look for double extensions

Update: There's an online service that can be a quick way to identify bogus file extensions. You simply visit the site, upload the file, and they'll scan it for you.

Examples: message.html.exe; readme.txt.lnk; cancun.jpg.pif; beach.gif.vbe; and finally the puzzling pamela.jpeg.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}. Files with double filename extensions like these are usually exploitable files.

Process

Before you actually open any file, go back to the page on handling files safely and finish validating the file.

  1. Windows hides extensions by default so the first step is to make them visible if you haven't done so already.
  2. Open the message that has the attachment. (Be sure you have consciously decided it's safe to do so.)
  3. Examine the file name(s) in the "Attachment" line of your message window.
  4. If the file name, or any file name if there's more than one, has a double extension be very afraid. It's very likely you're looking at a dirty trick. That means the file is probably malicious.
  5. You'll probably want to delete the message immediately. If you've saved the file to your hard drive, go delete it too. But if you want to play with fire, go on to Process 2 below. Be very careful not to double-click the file name or icon at any time.
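
Steps 3 and 4 can be automated for a whole Attachment line. This is an added example, not code from the original page: a small Python check that flags the tricks described above (a double extension, one of the NeverShowExt extensions, or a CLSID suffix). The extension sets are constructed from the page's own lists, and the sample attachment line reuses the page's example names.

```python
import re

# The extensions the page says Windows keeps hidden through NeverShowExt even
# after "Hide extensions for known file types" is switched off.
NEVER_SHOW_EXT = {"pif", "shs", "lnk"}
# Subset of the page's partial list of executable extensions (constructed here).
EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "scr", "vbs", "vbe", "js", "jse",
                  "wsf", "wsh", "hta", "reg", "chm", "pif", "shs", "lnk"}
# A {GUID} suffix, the "CLSID" extension Windows hides the same way.
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def unmask(name: str) -> list[str]:
    """Return the dirty tricks visible in one attachment name ([] = none seen).

    An empty result is not a clean bill of health: the file still has to go
    through the rest of the validation process before it is opened.
    """
    tricks = []
    parts = name.strip().split(".")
    ext = parts[-1].lower() if len(parts) > 1 else ""
    is_clsid = bool(CLSID_RE.match(ext))
    hidden = is_clsid or ext in NEVER_SHOW_EXT
    executable = is_clsid or ext in EXECUTABLE_EXT
    if hidden:
        label = "CLSID suffix" if is_clsid else f".{ext}"
        tricks.append(f"{label} stays hidden even with extensions shown")
    if len(parts) > 2 and parts[-2] and executable:
        # e.g. message.html.exe: with extensions hidden the user sees "message.html"
        real = "CLSID" if is_clsid else f".{ext}"
        tricks.append(f"double extension: shows as .{parts[-2].lower()}, really {real}")
    if executable and not tricks:
        tricks.append(f".{ext} is an executable file type")
    return tricks


def scan_attachment_line(line: str) -> dict[str, list[str]]:
    """Check every name on a mail client's Attachment line (names separated by ';')."""
    return {n.strip(): unmask(n) for n in line.split(";") if n.strip()}


if __name__ == "__main__":
    # Constructed sample attachment line using the page's own example names.
    for name, found in scan_attachment_line(
        "message.html.exe; cancun.jpg.pif; "
        "pamela.jpeg.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}; notes.txt"
    ).items():
        print(name, "->", found or ["no dirty trick seen; keep validating"])
```

Names such as archive.tar.gz or report.2024.txt are not flagged, because the final extension is not an executable type; only the combination of a harmless-looking inner extension and an executable outer one counts as a double-extension trick.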

File types/extensions

Research unknown file types at one or more of the sites below.

  • File-Extensions.org is an actively maintained website where you'll find not only descriptions of file types by extension, but help in working with the files, and much more.
  • Find the program that uses a particular file extension at FILExt.com.
  • FileInfo.net contains a searchable database of thousands of file extensions with detailed information about the associated file types.
  • The Help Center provides a list of file extensions with information about each file type, including how to open the files.
  • The File Extension Seeker at File-Extension.net will lead you to extensive (no pun intended) information on files, as well as many other file related resources.

Partial list of executable files:

*.ade, *.adp, *.asd, *.asf, *.asx, *.bas, *.bat, *.chm, *.cil, *.class, *.cmd, *.com, *.dat, *.dll, *.doc, *.dot, *.eml, *.exe, *.hcp, *.hlp, *.hta, *.hte, *.htm, *.html, *.js, *.jse, *.lnk, *.mda, *.mdb, *.mde, *.mdw, *.msi, *.msp, *.nws, *.ocx, *.pif, *.pl, *.pm, *.pot, *.pps, *.ppt, *.reg, *.rtf, *.scr, *.sct, *.shb, *.shs, *.vb, *.vbe, *.vbs, *.vcf, *.wmd, *.wms, *.wmz, *.wsc, *.wsf, *.wsh, *.xls, *.xlt, *.xlw, *.zlb