Can Malware infect your pc without Executing??

Discussion in 'other anti-malware software' started by arran, Oct 10, 2008.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    be it decompresion bomb or any malware,it doesnt matter any kind,sandboxie will help you achieve you goals at protecting your pc and remain clean after deleting the content that is contain in the sandbox,again sandboxie:thumb:
     
  2. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    AFAIK one of the few (if not the only one) protections against decompression bomb is properly coded/configured AV that does not try to extract too many sub archives.
     
  3. saberfox

    saberfox Former Poster

    Joined:
    Jul 23, 2008
    Posts:
    84
    Now you are just plugging your fingers into your ears and going "lalala~".

    As I've said, decompression bomb is as easily deleted as any other normal file with or without Sandboxie. Sandboxie makes no difference. Deliberate ignorance born from wishful thinking is not going to change that fact.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    anyway i Never use a zip program, like Winzip, is an over-reaction and a pretty untenable position to take:thumb. Just be sensible about what you open.:thumb:
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    also Most modern anti-virus software has some defences against decompression bombs;)
     
  6. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    They should, after all that's been out for ages now :)
     
  7. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,154
    well in all fairness if you download a legit zip file from a legit website and it turned out to be the zip BOMB you wouldn't find out untill its too late would you.

    how do set yourself a restrictive disk quota? would this method work?

    as for sandboxie I doubt that would protect you, jmonge have you tested it in sandoxie?

    Anyway this is partly why I created this thread to find out about other threats that can damage your system without the need to excecute/ run etc
    preventing malware from Executing/installing and running is easy, most of us are protected from that by using sandboxie and HIPS etc

    anyone else know of any security product that can protect against zip bomb?
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    they even use it to open advertisement:rolleyes: thanks for adds blocker:thumb:
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    what about returnil will protect your system after reboot it:thumb: the bomb will de deactivated:D ;)plus no changes allow or system alteration after reboot.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Malicious code doesn't have to be an executable file per se. It can be in the form of a DLL and be executed by RUNDLL32.exe, a normal system process that performs many other legitimate functions. Malicious code can be added to legitimate system files so that when a specific function that's handled by that file is performed, it can be done differently or something else entirely also happens. At times, malicious code replaces whole system files with their own. Windows Scripting Host isn't malicious but the scripts it runs can be. Even a text file can be malicious under certain circumstances, depending on what opens it. A batch file is basically a plain text file that's opened by cmd.exe or command.com, depending on what system you're using. In this instance, changing the file extension can be a malicious act.

    I'm not sure what decides if an app is an anti-executable or a HIPS, too many marketing games with the terms. I'm assuming an anti-executable just allow/deny individual processes while HIPS can control their parent-child dependencies and other activities. Simply blocking malicious processes and allowing the known good ones will not protect you from malicious code that's executed by known good process. That's where classic HIPS can outperform an anti-executable, by giving you control over the activities of allowed processes.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i also know even i never tried but i know it will contain it ofcourse inside the well configure sandbox.it will do the job,if you you configure to auto delete the sandbox on close of the apps,it will delete all.reboot and nothing damage will happen.:thumb
    i didnt tested with it but sandboxie was and it is tested againts worse stuff than a decompress bombs with sucess:thumb:
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it is a very interesting conversation,how ever i will go for coffee,i need it,i will be back later on.

    Prevention is Better than the Cure:thumb:
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I really don't know what kind of unpacker are you using, but I personally never hit any that'd keep extracting stuff more than one level deep by default. Don't see how it could be late at any moment.

    Not really hard to Google for it? Of course it would work... it limits the disk space a user can use, preventing them from filing up the entire drive with junk (be it this compressed nonsense or pr0n or whatever). The partitions need to use NTFS, not FAT32 of course.

    There is no real permanent damage, all it does is wasting diskspace, potentially filing up the disk. (Yeah, unpacking the stuff will eat some CPU resources as well but who cares.)

    As already said, antivirus apps can be set up to limit the recursion level on nested archives in case you care about this (email scanning or whatever similar). As for manual unpacking, seriously go use your brain or restrict your disk usage via quotas if you can't. Absolutely no need for third-party products here.
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The problem is you can not know is something malware or not before this something does something suspiciouse. For example you download new picture viewer, start is, and then your HIPS tells you it tries to tamper other processes. This is definitley a point to stop a viewer until this behavior is clearly explained by a vendor. (this is just one example of many possible where simple antiexecutable cannot help).
     
  15. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    if only things were that simple...

    while it's true that a malicious 'thing' must have it's instructions followed in order to do something bad, what the average person thinks of as execution only accounts for a portion of the ways in which that can happen and as such things like anti-executable will only protect against a portion (though it may be a big portion) of malware...

    application whitelists like anti-executable can cover a whole lot, but they won't handle exotic execution, and if you think you don't need to worry about exotic execution then consider macro viruses - those were a high profile, mainstream threat that used an exotic form of execution (interpretation by a trusted app) which wouldn't be stopped by traditional application whitelisting and required special security enhancements be added to the interpreting app itself to be able to block them in a generic way...
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sandboxie offers the perfect protection against anything when configured to do so.

    Here I am trying to unzip a "42.zip" which is an archive bomb.
    Winrar.JPG
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    hey franklyn thanks for the clear explanation,thats what i tried this guy to understand and i gues you were more directo so thanks for the screenshot:thumb:
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Only default drill down level of Avira on access guard and exclusions file size is very low compared to for instance A2 malware can handle.

    I always increase recusive scan depth (drill down level in archves) to five and remove file limit size (of Avira)
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Please describe how to configure this properly
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Really depends on personal taste... If you download some, ermmm... questionable stuff, it's never more packed more than 3 or 4 nested levels - not because it'd be a decompression bomb, but because it makes it harder to find out the real content for obvious reasons. An average BFU won't even be able to unpack this deep enough, you see tons of stupid question about "unable to install this .r01 or .001 application" on various forums already.

    With this kind of stuff, you could sort of DoS some mailservers or virus-filtering proxies which are configured badly. For desktop users, the threat is something I wouldn't care about at all. Worst case, you'll waste some time to delete the junk manually.
     
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Been discussed many times and I'll leave it up to Mitch's great post over at SB's forum for reference.
    Mitch's - Control Your Sandbox
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,087
    Location:
    Europe, UE citizen
    Quote, very well described, noone_particular ! ;)
     
  23. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Yes, but from where comes malicious *.dll? I think from malicious *.exe which needs executing to load malicious *.dll.

    for 42.zip it is just AV/AS scanner problem nothing more...

    What with "autorun.inf"? :rolleyes:
     
    Last edited: Oct 12, 2008
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It,s very interesting. I will like to test it.

    Can u tel what type of files these are? I mean file extensio.

    Can any one PM me such a sample?

    Thanks
     
    Last edited: Oct 12, 2008
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    As I know dlls are executable files.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.