bug allows easy deception in folder view

Discussion in 'other security issues & news' started by trojan, Dec 30, 2005.

Thread Status:
Not open for further replies.
  1. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    In the picture you will see 4 files in default folder view. 3 of the files are real jpegs; 1 of them is a jpeg bound to malware. Can you spot the difference? :eek:
     


  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    How about after Control Panel > Folder Options > View > uncheck "Hide extensions for known file types"

    Regards,

    CrazyM
     
  3. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I can only spot the difference with a Hex editor =P
     
  4. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    lol what % of people would you assume have known file types activated outside the crazy paranoid world of Wilders?

    The purpose of the exercise is simple deception! No hex editors required; simply holding the mouse over the icons will show their true extension. However, in the tests I have conducted not 1 single guinea pig noticed anything unusual and all ran the files without question, proving the point: people are easy to deceive. If you show them what they expect to see, they will not question the safety of jpeg files and run them without question.
     
  5. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
  6. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    The files are not jpegs at all; they are just exe files bound to jpegs that appear to look totally like jpegs. When the user runs the file they will just see a jpeg image opened in their default viewer, because the default 32-bit XP jpeg icon is used and the version info has been changed to display "file size" and the word "JPEG Image", making them appear exactly the same in folder view as a real jpeg file. This is just exploiting the fact that most users blindly trust what appear to be jpeg images and run them without question!! Also can be done with mp3 etc. Spot the servers here:
     

    Attached Files:

    • 13.jpg (File size: 32.3 KB)
    Last edited: Dec 30, 2005
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Very sorry if this is off-topic, but mysec is a GUEST, so how can guests post images and have their posts look like those of a registered member? And it bears the hallmark of someone called rmus? :eek:o_O

    Does this forum have some special unknown function that allows guests to post like registered members do?
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It is Rmus - I posted incorrectly by mistake. I'm going to try and delete and repost.

    The images are linked from my server, and not uploaded to Wilders. Otherwise, they wouldn't have been accepted from a guest.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Dec 30, 2005
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When I'm asked to help set up a home system, I set all file extensions to show, and take the opportunity to explain how file extensions work, how they are associated with different applications. I think this is basic to security.

    I also set the folder view to List. Windows comes by default to display large icons, and often filenames/extensions become truncated, depending on font size, etc. This could fool a user if the full name/extension doesn't show, as you have shown.

    A while back, an email circulated saying, here is your document, or something similar, along with an attachment that looked like a .rtf document. But it had a double extension that may or may not have shown, depending on how your zip program window displayed:


    http://www.rsjones.net/rtf/data-rtf.gif

    Resizing the zip window:

    http://www.rsjones.net/rtf/data-rtf1.gif

    Had it not been caught here and permitted to extract, it may have remained unnoticed:

    http://www.rsjones.net/rtf/folder-large.gif

    But in List view, Windows adjusts the columns to allow for the longest filename w/extension(s):

    http://www.rsjones.net/rtf/folder-list.gif

    So, an alert user may have noticed this.

    Of course, an alert user would contact the sender (if known) to see if in fact an email attachment was sent, or delete if sender was not known.

    The attached data.rtf.scr file was the Netsky worm.
    _____________________________________________

    http://www.rsjones.net/rtf/netsky.gif
    _____________________________________________

    http://www.rsjones.net/rtf/netsky_1.gif



    ________________
    ~~Be ALERT!!! ~~
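
The two checks discussed in this thread, seeing past a hidden extension and catching a double extension such as data.rtf.scr, can be scripted over a folder. This is an added example, not part of any post above; the extension lists, function names and the file names other than data.rtf.scr are assumptions made for illustration, and the sample files are constructed stand-ins.

```python
import os
import tempfile

# Short, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".jpg", ".jpeg", ".gif", ".rtf", ".doc", ".txt", ".mp3"}


def inspect_file(path):
    """Return (name shown when extensions are hidden, findings) for one file."""
    name = os.path.basename(path)
    stem, last_ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"  # DOS/PE executable signature
    findings = []
    if last_ext in EXECUTABLE_EXTS or is_pe:
        findings.append("executable")
    if last_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append("double extension")
    # Assumption: the final extension is a registered type, so Explorer
    # drops it when "Hide extensions for known file types" is checked.
    return os.path.splitext(name)[0], findings


def audit_folder(folder):
    """Map each real file name to what the user sees and what was flagged."""
    paths = (os.path.join(folder, n) for n in sorted(os.listdir(folder)))
    return {os.path.basename(p): inspect_file(p) for p in paths if os.path.isfile(p)}


def build_sample_folder():
    """Constructed sample data: tiny stand-in files, not real images or malware."""
    folder = tempfile.mkdtemp()
    samples = {
        "beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG magic bytes
        "holiday.exe": b"MZ" + b"\x00" * 16,              # PE magic bytes
        "data.rtf.scr": b"MZ" + b"\x00" * 16,             # name from the thread
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    for name, (shown, findings) in audit_folder(build_sample_folder()).items():
        print(f"{name!r:18} shown as {shown!r:12} {findings}")
```

With extensions hidden, holiday.exe and beach.jpg both display without any extension and data.rtf.scr displays as data.rtf, which is why the report lists the displayed name next to the real one.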
     